Using LDAP syntax to find disabled user account

Hi Experts. I am using the saved queries option in ADUC (AD Users and Computers) and wasn't sure what the LDAP syntax is for finding the disabled user accounts in my OU. I have been looking around the web for an hour or so and see some examples but I can't seem to make one work. Thanks for the help.
samiam41Asked:

PberSolutions ArchitectCommented:
Try this:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
0

PberSolutions ArchitectCommented:
There is also a built in query within Saved Queries.  Just select Define Query and on the User TAB just check Disabled accounts.  Or you can use the custom query above.
0
samiam41Author Commented:
smart@ss for making it look so easy.  : )

Awesome job!  Thanks for the help.  

0
samiam41Author Commented:
I was trying to combine two searches at once and I guess that wasn't such a good idea.  I will resort to doing one at a time.  I like your LDAP entry.
0
PberSolutions ArchitectCommented:
Heh Heh,

Glad to help.
0
samiam41Author Commented:
Take care!

-Aaron
0
PberSolutions ArchitectCommented:
What two queries are you trying to join?
0
samiam41Author Commented:
Good question!

Query 1) The pre-Windows 2000 logon name <this is for the user accounts we had before merging> and 2) trying to find out which accounts were disabled.  I figured I would try to get the list of user accounts and the ones that were disabled would be included.  I'm sure I dorked something up in the process.
0
samiam41Author Commented:
If you know how, I will create a new question and have you answer.
0
PberSolutions ArchitectCommented:
The Pre-Windows 2000 logon name attribute is "sAMAccountName".
All accounts will have one, even non migrated accounts.

Thus to find disabled accounts with a prefix of "ADC_" the query would be:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*)
0
PberSolutions ArchitectCommented:
Don't worry about a new question.
0
PberSolutions ArchitectCommented:
woops, that was missing a trailing bracket:

Try this:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*))
0
samiam41Author Commented:
You're awesome!  Wish I would have posted that sooner and saved the frustration.  You sure about the points for a new question?  As I get more involved with the AD management (everyone that was doing it is gone, so I have a little learning curve), I am sure I will be asking more questions.  

I will try out the query you posted.
0
PberSolutions ArchitectCommented:
Once again.  Glad to help.  

I never mind posting follow ups to a question.  
Don't worry about a new question, I don't need the points.
(:
0
samiam41Author Commented:
I tried out the query and it produced "no results".  It didn't even list the people with the pre-Windows 2000 login.  I was hoping it would list all the users in the OU and include the accounts that were disabled but nothing showed up.
0
PberSolutions ArchitectCommented:
This will list all disabled users whose Pre Windows 2000 logon name starts with ADC_

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*))

This will list all enabled users whose Pre Windows 2000 logon name starts with ADC_

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(sAMAccountName=ADC_*))

What do you want to list?  Just all users within an OU?


0
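The filters from this thread, as an added example that is not part of the original posts: it builds the disabled and enabled variants with the prefix escaped per RFC 4515, checks bracket balance (the mistake corrected earlier in the thread), and evaluates the bitwise-AND matching rule locally. Function names and the sample accounts are constructed for illustration; only the "ADC_" prefix comes from the thread.

```python
# Added example; helper names and sample values are constructed for illustration.
ACCOUNTDISABLE = 0x2                      # userAccountControl flag tested by ":=2"
BIT_AND_RULE = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND

def escape_filter_value(value: str) -> str:
    """Escape RFC 4515 special characters so a prefix cannot alter the filter."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append("\\%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)

def build_filter(prefix: str, disabled: bool) -> str:
    """Build the thread's filter for disabled (or enabled) users by logon-name prefix."""
    bit_test = f"(userAccountControl:{BIT_AND_RULE}:={ACCOUNTDISABLE})"
    if not disabled:
        bit_test = f"(!{bit_test})"   # NOT must wrap a complete parenthesised filter
    return ("(&(objectCategory=person)(objectClass=user)"
            f"{bit_test}(sAMAccountName={escape_filter_value(prefix)}*))")

def balanced(ldap_filter: str) -> bool:
    """Cheap sanity check for the missing-bracket mistake seen in the thread."""
    depth = 0
    for ch in ldap_filter:
        depth += (ch == "(") - (ch == ")")
        if depth < 0:
            return False
    return depth == 0 and ldap_filter.startswith("(")

def bit_and_match(uac: int, mask: int = ACCOUNTDISABLE) -> bool:
    """What the matching rule evaluates: true when every bit of mask is set."""
    return uac & mask == mask

# Constructed sample entries: (sAMAccountName, userAccountControl)
SAMPLE = [("ADC_jdoe", 514), ("ADC_asmith", 512), ("ADC_svc", 66050), ("bwayne", 514)]

def select(entries, prefix, disabled):
    """Local equivalent of running the filter (sAMAccountName is case-insensitive)."""
    return [n for n, uac in entries
            if n.upper().startswith(prefix.upper()) and bit_and_match(uac) == disabled]

if __name__ == "__main__":
    for state in (True, False):
        f = build_filter("ADC_", state)
        print(balanced(f), f, select(SAMPLE, "ADC_", state))
```
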