Hey, Scripting Guy! How can I get a list of all the disabled user accounts in Active Directory?
Hey, RT. Now, just remember, you asked for this. We have a script that returns a list of disabled user accounts in Active Directory; the only problem is that part of the script is a little cryptic (to say the least), and we won’t be able to fully explain how it all works in this column. But if you’re fine with that then read on.
Oh, what the heck: you might as well read on anyway. After all, you never can tell what you might find in one of these columns.
The problem we have here is that account status (enabled or disabled) is part of the userAccountControl attribute. This happens to be an example of a bitmask attribute: a single attribute that actually houses numerous property values. In fact, all of the following property values are stored in this single attribute:
The user account is disabled.
The account is currently locked out.
No password is required.
The user cannot change the password.
This is a default account type that represents a typical user.
When set, the password will not expire on this account.
When set, this flag will force the user to log on using a smart card.
The user password has expired.
Bitmask attributes can be a bit confusing, but, for the most part, they aren’t too hard to work with. The one exception occurs when you need to search Active Directory, which is exactly what we need to do here. Typically when you search Active Directory you use a SQL query similar to this:
Select Name from 'LDAP://dc=fabrikam,dc=com' Where Department = 'Finance'
That works fine for most Active Directory attributes; it doesn’t work so fine - in fact, it doesn’t work at all - for bitmask attributes. Therefore we have to rely on Plan B, and use the LDAP query syntax instead:
<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)" & _
Yes, we know; we don’t like it any better than you do. But, really, after you know what the individual parts represent this isn’t as bad as it first looks:
<LDAP://dc=fabrikam,dc=com>. This is just simply the starting point for our search: the root of the fabrikam.com domain. Other than the angle brackets that surround the ADsPath this should be pretty familiar to you.
(&(objectCategory=User). This is part of our “Where” clause (note that we don’t actually use the word Where anywhere in the query). The objectCategory=User portion should be fairly straightforward; we’re interested only in user objects. The & is equivalent to the AND operator in a SQL clause: it just means we’re combining objectCategory=User with something else.
(userAccountControl:1.2.840.1135188.8.131.523:=2)). And this just happens to be that something else. It might look like gibberish, but this actually tells our script to search for objects (in this case, users) where bit 2 in the userAccountControl attribute has been enabled. We won’t spend any time discussing bitmask attributes here; for a brief discussion see the Reading User Account Password Attributes section of the Microsoft Windows 2000 Scripting Guide. For now all we have to know is that if bit 2 is enabled then the user account is disabled.
So what about the 1.2.840.11135184.108.40.2063? That happens to be the LDAP bit matching rule and is equivalent to the Boolean AND operator (we know, we know). In other words, this crazy-looking concoction is basically equal to this:
If objUser.userAccountControl AND 2 Then
If you’re familiar with bitmasks this might make some sense to you. If not, well, don’t worry too much about it. Go ahead and use the script as-is and save the understanding for later.
Name. This is the just attribute we want returned.
Subtree. This is our search scope; it simply means we want to search the entire Active Directory tree.
Clear as the proverbial mud, right? You might take a look at the April 2005 Tales from the Script column, which offers an introduction to searching Active Directory. (And stay tuned for Part 2, due in May 2005). And if you’re really interested in searching Active Directory (as you should be; it’s a very powerful tool) you might take a look at this Scripting Guys webcast as well.
Oh, right: you might also want to take a look at the completed script that returns a list of all the disabled user accounts in Active Directory. Well, why didn’t you say so?
On Error Resume Next
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = _
"<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)" & _
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF