Solved

Find all disabled users who are greater than 3 months

Posted on 2007-10-07
Last Modified: 2010-05-18
Hi,
Find all disabled users who are greater than 3 months. Is there a way to find only the names of users, with their OU path, who have been disabled for 3 months?

Regards
Sharath
Question by:bsharath
 
LVL 65

Expert Comment

by:RobSampson
ID: 20032155
Wow, two very similar questions within 10 minutes.....

This will give you a bit of a start, but it's a 60 day value instead.  Modify the strOUPath (specifying the path in reverse order), and then run it.  You should be able to make strOUPath empty to work over the whole domain.

'=====================
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript  """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If

Const ADS_UF_ACCOUNTDISABLE = 2

strOUPath = "ou=users,ou=Civic Centre,ou=Sites,"

Set objRootDSE = GetObject("LDAP://RootDSE")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
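objCommand.CommandText = _
    "<GC://" & strOUPath & objRootDSE.Get("defaultNamingContext") & ">;(objectCategory=User)" & _
        ";userAccountControl,distinguishedName;subtree"
' Enable paging; without it the query returns no more than 1000 records.
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute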
 
intCounterDisabled = 0
intCounterEnabled = 0
intAlreadyExpired = 0
intExpiredWithin60Days = 0
intDisabledWithin60Days = 0
intNeverExpire = 0

Do Until objRecordset.EOF
    intUAC=objRecordset.Fields("userAccountControl")
    Set objUser = GetObject("LDAP://" & objRecordset.Fields("distinguishedName"))
    accountExpires = objUser.AccountExpirationDate
      If accountExpires = "1/1/1970" Or accountExpires = "1/01/1601 10:00:00 AM" Or Err.Number = -2147467259 Then
            intNeverExpire = intNeverExpire + 1
      ElseIf CDate(accountExpires) < Now Then
            If DateDiff("d",CDate(accountExpires),Now) < 60 Then
                  intExpiredWithin60Days = intExpiredWithin60Days + 1
            Else
                intAlreadyExpired = intAlreadyExpired + 1
            End IF
      End If
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        WScript.echo objRecordset.Fields("distinguishedName") & " is disabled"
            On Error Resume Next
            whenChanged = objUser.whenChanged
            If Err.Number = 0 Then
                  On Error GoTo 0
              If DateDiff("d",CDate(whenChanged),Now) < 60 Then
                  intDisabledWithin60Days = intDisabledWithin60Days + 1
              Else
                    intCounterDisabled = intCounterDisabled + 1
              End If
          Else
                Err.Clear
                On Error GoTo 0
                intCounterDisabled = intCounterDisabled + 1
          End If
      Else
      WScript.echo objRecordset.Fields("distinguishedName") & " is enabled"
       intCounterEnabled = intCounterEnabled + 1              
    End If
    objRecordset.MoveNext
Loop

 
WScript.Echo VbCrLf & "A total of " & intCounterDisabled + intDisabledWithin60Days & " accounts are disabled."
WScript.Echo VbCrLf & "A total of " & intDisabledWithin60Days & " accounts have been disabled within the last 60 days."
WScript.Echo VbCrLf & "A total of " & intCounterDisabled & " accounts were disabled over 60 days ago."
WScript.Echo VbCrLf & "A total of " & intCounterEnabled & " accounts are enabled."
WScript.Echo VbCrLf & "A total of " & intAlreadyExpired & " accounts have already expired."
WScript.Echo VbCrLf & "A total of " & intExpiredWithin60Days & " accounts have expired within the last 60 days."
WScript.Echo VbCrLf & "A total of " & intNeverExpire & " accounts are not set to expire."
'=====================

Regards,

Rob.
0
 
LVL 11

Author Comment

by:bsharath
ID: 20032186
Rob, I get this...

A total of 109 accounts are disabled.

A total of 109 accounts have been disabled within the last 60 days.

A total of 0 accounts were disabled over 60 days ago.

A total of 891 accounts are enabled.

A total of 78 accounts have already expired.

A total of 0 accounts have expired within the last 60 days.

A total of 922 accounts are not set to expire.

+++++++++++++++++++++++++

I get this..

A total of 109 accounts have been disabled within the last 60 days.

How can I find the 109 usernames? It shows them as within, but there are many that I have disabled 4 or 5 months ago also...
0
 
LVL 65

Accepted Solution

by:
RobSampson earned 2000 total points
ID: 20038285
Sharath, try this, it outputs to CSV:

'=====================
If LCase(Right(Wscript.FullName, 11)) = "wscript.exe" Then
    strPath = Wscript.ScriptFullName
    strCommand = "%comspec% /k cscript  """ & strPath & """"
    Set objShell = CreateObject("Wscript.Shell")
    objShell.Run(strCommand), 1, True
    Wscript.Quit
End If

Const ADS_UF_ACCOUNTDISABLE = 2
strOutputFile = "User_Disabled_Status.csv"

strOUPath = "ou=users,ou=Civic Centre,ou=Sites,"

Set objRootDSE = GetObject("LDAP://RootDSE")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
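objCommand.CommandText = _
    "<GC://" & strOUPath & objRootDSE.Get("defaultNamingContext") & ">;(objectCategory=User)" & _
        ";userAccountControl,distinguishedName;subtree"
' Enable paging; without it the query returns no more than 1000 records.
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute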
 
intCounterDisabled = 0
intCounterEnabled = 0
intAlreadyExpired = 0
intExpiredWithin60Days = 0
intDisabledWithin60Days = 0
intNeverExpire = 0

strDetails = """User Name"",""Expired <= 60 Days Ago"",""Expired > 60 Days Ago"",""Will Never Expire"",""Enabled"",""Disabled"",""Disabled <= 60 Days Ago"",""Disabled > 60 Days Ago"""
Do Until objRecordset.EOF
    intUAC=objRecordset.Fields("userAccountControl")
    Set objUser = GetObject("LDAP://" & objRecordset.Fields("distinguishedName"))
    strDetails = strDetails & VbCrLf & """" & objUser.DisplayName & ""","
    accountExpires = objUser.AccountExpirationDate
      If accountExpires = "1/1/1970" Or accountExpires = "1/01/1601 10:00:00 AM" Or Err.Number = -2147467259 Then
            intNeverExpire = intNeverExpire + 1
            strDetails = strDetails & """"","""",""YES"","
      ElseIf CDate(accountExpires) < Now Then
            If DateDiff("d",CDate(accountExpires),Now) < 60 Then
                        intExpiredWithin60Days = intExpiredWithin60Days + 1
                        strDetails = strDetails & """YES"","""","""","
            Else
                        intAlreadyExpired = intAlreadyExpired + 1
                        strDetails = strDetails & """"",""YES"","""","
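            End If
      Else
            ' Expiry date is still in the future: write three empty columns so the row stays aligned with the header.
            strDetails = strDetails & """"","""","""","
      End If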
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        WScript.echo objRecordset.Fields("distinguishedName") & " is disabled"
        strDetails = strDetails & """"",""YES"","
            On Error Resume Next
            whenChanged = objUser.whenChanged
            If Err.Number = 0 Then
                  On Error GoTo 0
              If DateDiff("d",CDate(whenChanged),Now) < 60 Then
                  intDisabledWithin60Days = intDisabledWithin60Days + 1
                  strDetails = strDetails & """YES"","""""
              Else
                    intCounterDisabled = intCounterDisabled + 1
                    strDetails = strDetails & """"",""YES"""
              End If
          Else
                Err.Clear
                On Error GoTo 0
                intCounterDisabled = intCounterDisabled + 1
                strDetails = strDetails & """"",""YES"""
          End If
      Else
      WScript.echo objRecordset.Fields("distinguishedName") & " is enabled"
       intCounterEnabled = intCounterEnabled + 1
       strDetails = strDetails & """YES"","""","""","""""
    End If
    objRecordset.MoveNext
Loop

 
WScript.Echo VbCrLf & "A total of " & intCounterDisabled + intDisabledWithin60Days & " accounts are disabled."
WScript.Echo VbCrLf & "A total of " & intDisabledWithin60Days & " accounts have been disabled within the last 60 days."
WScript.Echo VbCrLf & "A total of " & intCounterDisabled & " accounts were disabled over 60 days ago."
WScript.Echo VbCrLf & "A total of " & intCounterEnabled & " accounts are enabled."
WScript.Echo VbCrLf & "A total of " & intAlreadyExpired & " accounts have already expired."
WScript.Echo VbCrLf & "A total of " & intExpiredWithin60Days & " accounts have expired within the last 60 days."
WScript.Echo VbCrLf & "A total of " & intNeverExpire & " accounts are not set to expire."

Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objOutputFile = objFSO.CreateTextFile(strOutputFile, True)
objOutputFile.Write strDetails
objOutputFile.Close
Set objOutputFile = Nothing
Set objFSO = Nothing
'=====================

Regards,

Rob.
0

 
LVL 11

Author Comment

by:bsharath
ID: 20038309
Rob, I get the details in a CSV, and it is very helpful to me for many reasons, but it's showing me 0 disabled < 60 days.
How does it take the disabled dates? Is it the modified date that you calculate to get the results?
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 20038321
Unfortunately there is no "when Disabled" attribute or date.  The only way I could calculate this was by the "whenChanged" attribute of the whole account, like a "dirty" flag.  This is not accurate however, if any change is made to the account a few days after disabling it.....

Does that answer your question?  I am not aware of any other property on the user account that we can check?  Can you find such an attribute?

Regards,

Rob.
0
 
LVL 11

Author Comment

by:bsharath
ID: 20038327
Thanks a lot Rob...
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 20038333
No problem.  You could try the "lastLogon" attribute instead, if you believe that would be more accurate.....

Regards,

Rob.
0
 
LVL 11

Author Comment

by:bsharath
ID: 20038337
Rob, do you remember last week we were talking about a script to fetch data from messages (Outlook)? You told me that it is tough but you will give it a go.
Can I raise a Q today...
0
 
LVL 11

Author Comment

by:bsharath
ID: 20038339
You tell me, Rob, which is best...
0
 
LVL 65

Expert Comment

by:RobSampson
ID: 20038380
Regarding
whenChanged vs lastLogon

this would depend on how things work in your environment, and / or what you'd be happy using....

As I mentioned, the whenChanged will be inaccurate if the account was modified or moved long after it was disabled, but the lastLogon will be inaccurate if the account was not used for a while before it was disabled......

Maybe it's best to leave it as is, but change the headers from:
strDetails = """User Name"",""Expired <= 60 Days Ago"",""Expired > 60 Days Ago"",""Will Never Expire"",""Enabled"",""Disabled"",""Disabled <= 60 Days Ago"",""Disabled > 60 Days Ago"""

to
strDetails = """User Name"",""Expired <= 60 Days Ago"",""Expired > 60 Days Ago"",""Will Never Expire"",""Enabled"",""Disabled"",""Last Changed <= 60 Days Ago"",""Last Changed > 60 Days Ago"""

Also, you could raise that new question, post a link to it in the "create users mailbox from excel file" question, so Chandru will see it too.....

Regards,

Rob.
0
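An added example, not part of the thread or of Rob's scripts: the per-attribute replication metadata that Active Directory exposes in the constructed attribute msDS-ReplAttributeMetaData records when userAccountControl itself last changed, which avoids the whenChanged "dirty flag" problem discussed above. The Python below assumes the entries were already fetched with that attribute, uses constructed sample data (the DC=example,DC=com suffix and account names are made up), and treats the last userAccountControl change as the disable time, which only holds if no other account flag was changed afterwards.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

ADS_UF_ACCOUNTDISABLE = 0x2  # same flag the scripts above test

def uac_last_changed(metadata_values):
    """Return the last originating change time of userAccountControl, or None."""
    for xml_value in metadata_values:
        node = ET.fromstring(xml_value)
        if node.findtext("pszAttributeName") == "userAccountControl":
            stamp = node.findtext("ftimeLastOriginatingChange")
            return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return None

def parent_ou(dn):
    """Drop the leaf RDN to get the OU path, honouring backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 2  # skip the escaped character
        elif dn[i] == ",":
            return dn[i + 1:]
        else:
            i += 1
    return ""

def disabled_longer_than(entries, now, days=90):
    """List (name, OU path, date) for disabled accounts whose UAC changed before the cutoff."""
    cutoff = now - timedelta(days=days)
    hits = []
    for e in entries:
        if not int(e["userAccountControl"]) & ADS_UF_ACCOUNTDISABLE:
            continue  # account is enabled
        changed = uac_last_changed(e["msDS-ReplAttributeMetaData"])
        if changed is not None and changed <= cutoff:
            hits.append((e["sAMAccountName"], parent_ou(e["distinguishedName"]), changed.date().isoformat()))
    return hits

def _meta(attr, stamp):  # builds a constructed metadata value (real values carry more fields)
    return ("<DS_REPL_ATTR_META_DATA><pszAttributeName>%s</pszAttributeName>"
            "<ftimeLastOriginatingChange>%s</ftimeLastOriginatingChange></DS_REPL_ATTR_META_DATA>" % (attr, stamp))

BASE = "OU=Users,OU=Civic Centre,OU=Sites,DC=example,DC=com"  # constructed domain suffix
SAMPLE = [  # constructed entries: asmith was edited recently but disabled months ago
    {"sAMAccountName": "asmith", "distinguishedName": "CN=Smith\\, Anna," + BASE, "userAccountControl": "514",
     "msDS-ReplAttributeMetaData": [_meta("description", "2007-10-01T08:00:00Z"), _meta("userAccountControl", "2007-05-02T09:30:00Z")]},
    {"sAMAccountName": "bjones", "distinguishedName": "CN=Bob Jones," + BASE, "userAccountControl": "514",
     "msDS-ReplAttributeMetaData": [_meta("userAccountControl", "2007-09-20T12:00:00Z")]},
    {"sAMAccountName": "clee", "distinguishedName": "CN=Cho Lee," + BASE, "userAccountControl": "512",
     "msDS-ReplAttributeMetaData": [_meta("userAccountControl", "2006-01-01T00:00:00Z")]},
]
NOW = datetime(2007, 10, 7, tzinfo=timezone.utc)
print(disabled_longer_than(SAMPLE, NOW))
```
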
 
LVL 11

Author Comment

by:bsharath
ID: 20038397
OK Rob, thanks...
0
