In a Windows Active Directory environment, domain users can be either enabled or disabled.
A disabled user can't access any network resources because he/she can't log in or get authenticated by the domain controller in the first place.
A script that comes in handy for regular auditing of users can cut down the time spent on such housekeeping tasks.
Here it is:
' This script will find all disabled user accounts in a domain.
' ---- SCRIPT CONFIGURATION ----
strDomainDN = "" ' e.g. dc=avp,dc=net
' ---- END CONFIGURATION ----
' ADO/ADSI query string layout: <LDAP://base>;(filter);attributes;scope
strBase = "<LDAP://" & strDomainDN & ">;"
' User objects (not computers, which also carry objectClass=user) whose
' userAccountControl has the ACCOUNTDISABLE bit (value 2) set.
' 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
strFilter = "(&(objectclass=user)(objectcategory=person)" & _
    "(useraccountcontrol:1.2.840.113556.1.4.803:=2));"
strAttrs = "name;"
strScope = "subtree"
set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)
' MoveFirst raises an error on an empty recordset, so guard it.
If Not objRS.EOF Then objRS.MoveFirst
While Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
Wend
objRS.Close
objConn.Close
It might look complex but is simple in what it does. By default, every disabled user object has the bit with value 2 set in its userAccountControl attribute; the bit flag for a disabled user is 0010 (that's binary for the numeral 2). Because userAccountControl is a bitmask that also carries other flags, the filter tests that bit rather than comparing the whole attribute for equality.
The script establishes a connection to the LDAP/AD provider (a domain controller in this case), searches for objects with object class user and object category person, and checks whether bit 0010 of userAccountControl is set.
It then lists every object that meets that condition, so you will see all the disabled users in your domain.
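To make the bitwise test concrete, here is an added example (not part of the original post) that simulates the script's LDAP filter in Python over a handful of constructed directory entries. It is not a live query; the entries, names and userAccountControl values are made up, and objectCategory is simplified to its short name. It shows why the bitwise-AND matching rule is needed (a disabled normal account carries 514, not 2) and why the objectcategory=person clause matters (computer objects also have objectClass user).

```python
"""Simulate the disabled-user LDAP filter from the VBScript over constructed data."""

# userAccountControl bit flags (subset of the documented AD constants).
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
}
ACCOUNTDISABLE = 0x0002
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"  # OID used in the script's filter

# Constructed sample entries; hypothetical accounts, not from any real domain.
SAMPLE_ENTRIES = [
    {"name": "alice", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person", "userAccountControl": 0x0200},            # 512: enabled
    {"name": "bob", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person", "userAccountControl": 0x0200 | 0x0002},   # 514: disabled
    {"name": "svc-backup", "objectClass": ["top", "person", "organizationalPerson", "user"],
     "objectCategory": "person",
     "userAccountControl": 0x10000 | 0x0200 | 0x0002},                     # 66050: disabled, pw never expires
    {"name": "fileserver01", "objectClass": ["top", "person", "organizationalPerson", "user", "computer"],
     "objectCategory": "computer", "userAccountControl": 0x1000 | 0x0002},  # 4098: disabled computer
]


def ldap_bit_and(attribute_value: int, mask: int) -> bool:
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): true iff every bit in mask is set."""
    return attribute_value & mask == mask


def decode_uac(value: int) -> list:
    """Return the names of the known flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def matches_script_filter(entry: dict) -> bool:
    """(&(objectclass=user)(objectcategory=person)(useraccountcontrol:<bit-and>:=2))"""
    return (
        "user" in entry["objectClass"]
        and entry["objectCategory"].lower() == "person"
        and ldap_bit_and(entry["userAccountControl"], ACCOUNTDISABLE)
    )


def find_disabled_users(entries: list) -> list:
    """Names the script would echo: disabled person/user objects only."""
    return [e["name"] for e in entries if matches_script_filter(e)]


def find_uac_equal_to_two(entries: list) -> list:
    """What a plain equality filter (useraccountcontrol=2) would return: nothing realistic."""
    return [e["name"] for e in entries if e["userAccountControl"] == 2]


if __name__ == "__main__":
    for e in SAMPLE_ENTRIES:
        print(f'{e["name"]:13} uac={e["userAccountControl"]:6} {decode_uac(e["userAccountControl"])}')
    print("disabled users:", find_disabled_users(SAMPLE_ENTRIES))
    print("uac == 2      :", find_uac_equal_to_two(SAMPLE_ENTRIES))
```

Running it lists bob and svc-backup as disabled users while fileserver01, although disabled, is excluded by the objectcategory=person clause, and the equality variant returns nothing because no real account has userAccountControl exactly equal to 2.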
Peace.