How Can I Get a List of All the Disabled User Accounts in Active Directory?

Hey, Scripting Guy! Question

Hey, Scripting Guy! How can I get a list of all the disabled user accounts in Active Directory?

-- RT


Hey, RT. Now, just remember, you asked for this. We have a script that returns a list of disabled user accounts in Active Directory; the only problem is that part of the script is a little cryptic (to say the least), and we won’t be able to fully explain how it all works in this column. But if you’re fine with that then read on.

Oh, what the heck: you might as well read on anyway. After all, you never can tell what you might find in one of these columns.

The problem we have here is that account status (enabled or disabled) is part of the userAccountControl attribute. This happens to be an example of a bitmask attribute: a single integer attribute in which each bit is a separate flag, so one value actually houses numerous property values. In fact, all of the following property values (among others) are stored in this single attribute:

The user account is disabled.

The account is currently locked out.

No password is required.

The user cannot change the password.

This is a default account type that represents a typical user.

When set, the password will not expire on this account.

When set, this flag will force the user to log on using a smart card.

The user password has expired.

Bitmask attributes can be a bit confusing, but, for the most part, they aren’t too hard to work with. The one exception occurs when you need to search Active Directory, which is exactly what we need to do here. Typically when you search Active Directory you use a SQL-style query similar to this:

Select Name from 'LDAP://dc=fabrikam,dc=com' Where Department = 'Finance'

That works fine for most Active Directory attributes; it doesn’t work so fine - in fact, it doesn’t work at all - for bitmask attributes, because the SQL dialect has no bitwise comparison. Therefore we have to rely on Plan B, and use the LDAP query syntax instead:

<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));Name;Subtree

Yes, we know; we don’t like it any better than you do. But, really, after you know what the individual parts represent this isn’t as bad as it first looks:

<LDAP://dc=fabrikam,dc=com>. This is simply the starting point for our search: the root of the domain. Other than the angle brackets that surround the ADsPath this should be pretty familiar to you.

(&(objectCategory=User). This is part of our “Where” clause (note that we don’t actually use the word Where anywhere in the query). The objectCategory=User portion should be fairly straightforward; we’re interested only in user objects. The & is equivalent to the AND operator in a SQL clause: it just means we’re combining objectCategory=User with something else.

(userAccountControl:1.2.840.113556.1.4.803:=2)). And this just happens to be that something else. It might look like gibberish, but this actually tells our script to search for objects (in this case, users) whose userAccountControl attribute has the flag with value 2 (the second-lowest bit, ADS_UF_ACCOUNTDISABLE) set. We won’t spend any time discussing bitmask attributes here; for a brief discussion see the Reading User Account Password Attributes section of the Microsoft Windows 2000 Scripting Guide. For now all we have to know is that if that bit is set then the user account is disabled.

So what about the 1.2.840.113556.1.4.803? That happens to be the OID of the LDAP bitwise AND matching rule (LDAP_MATCHING_RULE_BIT_AND): it matches when every bit in the value you supply is also set in the attribute (we know, we know). In other words, this crazy-looking concoction is basically equal to this:

If objUser.userAccountControl AND 2 Then

If you’re familiar with bitmasks this might make some sense to you. If not, well, don’t worry too much about it. Go ahead and use the script as-is and save the understanding for later.

Name. This is just the attribute we want returned.

Subtree. This is our search scope; it simply means we want to search everything below the starting point, which here is the entire domain.

Clear as the proverbial mud, right? You might take a look at the April 2005 Tales from the Script column, which offers an introduction to searching Active Directory. (And stay tuned for Part 2, due in May 2005). And if you’re really interested in searching Active Directory (as you should be; it’s a very powerful tool) you might take a look at this Scripting Guys webcast as well.
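To make the two pieces above concrete (the flags stored in userAccountControl, and the bit-matching filter that searches on them), here is an added PowerShell example; it is not code from the original column. It decodes a userAccountControl value into the flag names listed earlier, builds the filter from a list of flag names (the 1.2.840.113556.1.4.803 AND rule described above, plus its OR counterpart 1.2.840.113556.1.4.804 and a negated form that returns enabled rather than disabled accounts, which goes beyond the single case in the column), and runs it with .NET's DirectorySearcher. The flag values are the documented ADS_USER_FLAG_ENUM constants; the sample value 0x10202, the function names and the CSV path are assumptions made for this example, and the live query only works from a domain-joined session.

```powershell
# Added example, not part of the original column. Flag values are the
# documented ADS_USER_FLAG_ENUM constants; the sample value 0x10202, the
# function names and the CSV path are assumptions for illustration.

# userAccountControl flags discussed in the column (ADS_USER_FLAG_ENUM values)
$UacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x2        # the user account is disabled
    LOCKOUT            = 0x10       # the account is currently locked out
    PASSWD_NOTREQD     = 0x20       # no password is required
    PASSWD_CANT_CHANGE = 0x40       # the user cannot change the password
    NORMAL_ACCOUNT     = 0x200      # default account type for a typical user
    DONT_EXPIRE_PASSWD = 0x10000    # the password will not expire
    SMARTCARD_REQUIRED = 0x40000    # logon requires a smart card
    PASSWORD_EXPIRED   = 0x800000   # the user password has expired
}

# LDAP bit-matching rules: 803 = every bit in the mask is set (AND),
# 804 = at least one bit in the mask is set (OR)
$LdapBitAnd = '1.2.840.113556.1.4.803'
$LdapBitOr  = '1.2.840.113556.1.4.804'

function ConvertFrom-UserAccountControl {
    # Returns the name of every flag set in a userAccountControl value,
    # i.e. the VBScript "If uac AND flag" test applied to each known flag.
    param([Parameter(Mandatory)][int]$Value)
    foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
}

function New-UacFilter {
    # Builds the LDAP filter for user objects whose userAccountControl has the
    # named flags. Default: all flags must be set (803). -Any: any of them (804).
    # -Not negates the clause, e.g. to list enabled instead of disabled users.
    param(
        [Parameter(Mandatory)][string[]]$Flag,
        [switch]$Any,
        [switch]$Not
    )
    $mask = 0
    foreach ($f in $Flag) {
        if (-not $UacFlags.Contains($f)) { throw "Unknown userAccountControl flag: $f" }
        $mask = $mask -bor $UacFlags[$f]
    }
    $rule   = if ($Any) { $LdapBitOr } else { $LdapBitAnd }
    $clause = "(userAccountControl:${rule}:=${mask})"
    if ($Not) { $clause = "(!${clause})" }
    # objectCategory=person plus objectClass=user restricts the result to user
    # accounts: no computers, and no contacts (which carry no userAccountControl
    # and would otherwise satisfy a negated clause)
    return "(&(objectCategory=person)(objectClass=user)${clause})"
}

function Find-UacUser {
    # Runs a filter against the current domain with System.DirectoryServices.DirectorySearcher
    # (the [adsisearcher] accelerator). Needs a domain-joined session. PageSize turns on
    # paged results so the server's 1000-object page limit does not truncate the list.
    param(
        [Parameter(Mandatory)][string]$Filter,
        [string]$SearchRoot   # optional DN to start from, e.g. 'OU=Staff,DC=fabrikam,DC=com'
    )
    $searcher = [adsisearcher]$Filter
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]"LDAP://$SearchRoot" }
    $searcher.PageSize = 1000
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'sAMAccountName', 'userAccountControl'))
    foreach ($result in $searcher.FindAll()) {
        $uac = [int]$result.Properties['useraccountcontrol'][0]
        [pscustomobject]@{
            Name           = [string]$result.Properties['name'][0]
            SamAccountName = [string]$result.Properties['samaccountname'][0]
            Flags          = (ConvertFrom-UserAccountControl $uac) -join ','
        }
    }
}

# Decode a constructed value: 0x10202 = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWD + ACCOUNTDISABLE
ConvertFrom-UserAccountControl 0x10202

# The column's filter (disabled users) and its inverse (enabled users)
New-UacFilter -Flag ACCOUNTDISABLE
New-UacFilter -Flag ACCOUNTDISABLE -Not

# Live query from a domain-joined session, written to CSV
# Find-UacUser -Filter (New-UacFilter -Flag ACCOUNTDISABLE) |
#     Export-Csv -NoTypeInformation -Path .\disabled-users.csv
```

Two design points worth noting: the 803 rule is a bitwise test, so a mask with several flags (for example ACCOUNTDISABLE and DONT_EXPIRE_PASSWD) matches only accounts that have all of them set, whereas the 804 rule matches accounts with any of them; and the negated form is the usual way to ask for enabled accounts, since "enabled" has no flag of its own.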

Oh, right: you might also want to take a look at the completed script that returns a list of all the disabled user accounts in Active Directory. Well, why didn’t you say so?

On Error Resume Next

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Paged results: without this the server returns at most 1000 objects
objCommand.Properties("Page Size") = 1000

objCommand.CommandText = _
    "<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)" & _
    "(userAccountControl:1.2.840.113556.1.4.803:=2));Name;Subtree"
Set objRecordSet = objCommand.Execute

Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close

Comments (28)


  1. mredwilson says:

    Using the Microsoft PowerShell Active Directory cmdlets: Get-ADUser -filter 'enabled -eq $false'

  2. mredwilson says:

    @Joe — this is a VBScript, not a Windows PowerShell script.

  3. jrv says:

    Actually, in PowerShell the only thing we need to do is this:

    $searcher = [adsisearcher]'(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))'
    $searcher.FindAll() | %{$_.Properties['cn']}

    It works without any other settings because that is how the ADSI searcher works in .NET. It is NOT VBScript and we should not try to convert VBScript code to PowerShell when PowerShell methods work better.

    1. Michael Liben says:

      ADSI? Really? In 2017?

  4. mredwilson says:

    @Marc that is true, assuming that one has PowerGUI installed, and has installed the AD pack. Not all environments allow for this.

  5. CorySeaman says:

    How can I make this script search all of my active directory? It finds some disabled accounts but not all.

  6. EDDIE says:

    I have a small alteration on the topic: I want to have a script that will provide me with all the users that have an account which is to expire in, i.e., 5 or 10 days after running the script. That is, I want to see which users I have made to expire in the following 5 to 10 days (depending on the time placed in the script).

  7. BobC says:

    I'd like to display the value, similar to Name.

  8. Rico says:

    Nice article, useful script. Well done Scripting Monkeys 🙂

  9. Akhenrah says:

    What if we wanted to write the output to a text or CSV file? How difficult would it be to alter the script in that way?

  10. jv says:

    ' get the domain
    set obj = GetObject("LDAP://rootDSE")
    sLDAP = obj.Get("DefaultNamingContext")

    ' create and open the connection
    Set conn = CreateObject("ADODB.Connection")
    conn.Provider = "ADsDSOObject"
    conn.Open "Active Directory Provider"

    ' retrieve the recordset.
    set rs = conn.Execute("<LDAP://" & sLDAP & ">;(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));Name;Subtree")

    ' format output as CSV
    WScript.Echo "Name"
    Do Until rs.EOF
       Wscript.Echo """" & rs.Fields("Name").Value & """"
       rs.MoveNext
    Loop


  11. Taniya Mehta says:

    I want to open my disabled account.

    I'm trying all kinds of things but nothing is happening.

  12. Jayson says:

    NetWrix inactive users tracker is what we use to monitor old AD user accounts—we originally downloaded the freeware version and have since upgraded, but it sends us reports of all inactive user accounts and can disable them automatically. Download it from

  13. Joe says:

    Does this script no longer work in later versions of PowerShell?

  14. Marc says:

    there is a disabled users view in powergui AD pack

  15. best saving ideas says:

    I want to have a script that will provide me with all the users that have an account which is to expire in, i.e., 5 or 10 days after running the script.

  16. wtf says:

    I have no idea how to get this script working. Can anybody advise, please? Would like the results in a csv, and would like to know Active accounts rather than disabled accounts. Thanks

  17. abid qaimkhani says:

    dsquery user <domain name> with the limit option can also work; you can replace user with computer as well.

  18. Jeff25 says:

    # Here is the PowerShell version of the same script:

    $objADDomain = New-Object System.DirectoryServices.DirectoryEntry("LDAP://DC=fabrikam,DC=com")
    $objADSearcher = New-Object System.DirectoryServices.DirectorySearcher
    $objADSearcher.SearchRoot = $objADDomain

    # Search scope type is either "Base", "OneLevel", or "Subtree"
    # We want to search all of AD
    $objADSearcher.SearchScope = "Subtree"

    $strADFilter = "(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"
    $objADSearcher.Filter = $strADFilter

    # Next line executes the search
    $colResults = $objADSearcher.FindAll()

    foreach ($user in $colResults) {
        $user.Properties["name"]
    }


  19. saurabh pandit says:

    I want to open my disabled account.

    I'm trying all kinds of things but nothing is happening.

    Please help me, sir.

  20. AnotherNetUser says:

    What about checking status from a list of users?

    I.e.: use this list, listofuser.txt, and check AD to make sure they're disabled.

    Have it return True or False.

  21. moon says:

    How do you exclude the script from searching certain OUs? For example: I have an OU called NLE which has an OU for each site, and within each site OU are the disabled users. How do I tell it not to search the NLE folder?

  22. #mez says:

    Thanks for that column, very helpful. However, the information I’m looking for seems to not work with that syntax.

    I need to find out the status of PASSWD_CANT_CHANGE, but when I alter the query to userAccountControl:1.2.840.113556.1.4.803:=64 it does not return any values at all, thus making the script fail.

    Are there any ways to get that information using LDAP query? I have a way to make it with using a WinNT query and UserFlags, but would rather use current LDAP one instead.


  23. Poppers says:

    When running the command, it simply filters all accounts from viewing and leaves nothing to see pertaining to the user accounts (none were disabled, I assume), thus resulting in no view of the user accounts at all! How do I reverse the command? It only did this with the logged-in account used while running the command….!?

  24. KurtLearn says:

    I am not good at the internet. The passwords that I was given did not work; I woke up in the morning and had lost my Facebook password. Please put me back online. Thank you, my gmail Kurt
