Solved

Query Active Directory for Date an account is Disabled

Posted on 2007-07-26
Last Modified: 2011-08-18
Hello Experts,

I am trying to find out a way to query AD using the ADU&C interface in a way that will show me the disabled accounts that were disabled before a specific date.
Basically I need to know what the field or userAccountControl code is, if there is one at all.

I currently have a saved query to gather all my disabled users which looks like this:
   (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

I also played around with a query that would give me all my disabled users created before a specific date which looks like this:
   (&(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenCreated<=20050801000000.0Z)))
This query does not quite meet my needs but gets me closer to the end goal.

Any help would be great.
Dingo
Question by:kendingo
Accepted Solution

by:
Chris Dent earned 2000 total points
ID: 19578442

Hi Dingo,

When an account was disabled isn't stored within AD (only whether it is or not).

This isn't going to be too helpful, you would have to start auditing administrative actions and sorting through Security logs for right usage to discover when something happened. Not at all helpful for discovering previous actions.

Chris
Author Comment

by:kendingo
ID: 19581467
Thanks Chris,

I was thinking that was the situation but needed some outside confirmation to support my thought process.

Sometimes our account team puts the disabled date in the description field but that is few and far between most of the time.

Thanks again for the insight.
Expert Comment

by:Chris Dent
ID: 19581476

No problem, sorry it wasn't more useful.

Chris
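
An added example, not from the thread or either poster: with no attribute recording a disable date, this PowerShell approximates one from the replication metadata of userAccountControl and, where account-management auditing was enabled, from event 4725 in a domain controller's Security log. It assumes the ActiveDirectory module (Windows Server 2012 or later), rights to read the DC's Security log, and a constructed cutoff date.

```powershell
# Added example: approximates "disabled before <date>"; not code from the thread.
Import-Module ActiveDirectory

$cutoff = Get-Date '2005-08-01'        # constructed cutoff (the date used in the question)
$dc     = (Get-ADDomain).PDCEmulator   # assumption: query the PDC emulator; any DC can be used

# The question's saved query: bitwise AND match on the ACCOUNTDISABLE flag (0x2)
$filter = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'

# 1) Replication metadata: when userAccountControl was last written on each disabled account
$report = Get-ADUser -LDAPFilter $filter -Server $dc | ForEach-Object {
    $meta = Get-ADReplicationAttributeMetadata -Object $_.DistinguishedName `
                -Server $dc -Properties userAccountControl
    [pscustomobject]@{
        SamAccountName = $_.SamAccountName
        UacLastChanged = $meta.LastOriginatingChangeTime
        UacVersion     = $meta.Version
        OriginatingDC  = $meta.LastOriginatingChangeDirectoryServerIdentity
    }
}
# An account that is disabled now and whose flags were last written before the
# cutoff must have been disabled before the cutoff.
$report | Where-Object { $_.UacLastChanged -lt $cutoff } | Sort-Object UacLastChanged

# 2) Security log: event 4725 ("A user account was disabled", Server 2008 and later).
#    Only present if account-management auditing was on and the log has not rolled over;
#    the event is written on the DC that processed the change, so repeat per DC.
$events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName = 'Security'; Id = 4725; EndTime = $cutoff
}
foreach ($e in $events) {
    # Read the named EventData fields instead of relying on positional Properties[]
    $data = @{}
    ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        DisabledAt = $e.TimeCreated
        Account    = $data['TargetUserName']
        DisabledBy = $data['SubjectUserName']
    }
}
```

The metadata timestamp is the last write to any userAccountControl flag, so it is an upper bound on the disable time; accounts whose flags changed again after being disabled fall outside the cutoff filter even if they were disabled earlier.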