Using LDAP syntax to find disabled user account

Hi Experts.  I am using the saved queries option in ADUC (AD Users and Computers) and wasn't sure what the ldap syntax is for finding the disabled user accounts in my OU.  I have been looking around the web for an hour or so and see some examples but I can't seem to make one work.  Thanks for the help.
LVL 9
samiam41Asked:
Who is Participating?

[Webinar] Streamline your web hosting managementRegister Today

x
 
PberConnect With a Mentor Solutions ArchitectCommented:
Try this:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
0
 
PberSolutions ArchitectCommented:
There is also a built in query within Saved Queries.  Just select Define Query and on the User TAB just check Disabled accounts.  Or you can use the custom query above.
0
 
samiam41Author Commented:
smart@ss for making it look so easy.  : )

Awesome job!  Thanks for the help.  

0
Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

 
samiam41Author Commented:
I was trying to combine two searches at once and I guess that wasn't such a good idea.  I will resort to doing one at a time.  I like your LDAP entry.
0
 
PberSolutions ArchitectCommented:
Heh Heh,

Glad to help.
0
 
samiam41Author Commented:
Take care!

-Aaron
0
 
PberSolutions ArchitectCommented:
What two queries are you trying to join?
0
 
samiam41Author Commented:
Good question!

Query 1) The pre-Windows 2000 logon name <this is for the user accounts we had before merging> and 2) trying to find out which accounts were disabled.  I figured I would try to get the list of user accounts and the ones that were disabled would be included.  I'm sure I dorked something up in the process.
0
 
samiam41Author Commented:
If you know how, I will create a new question and have you answer.
0
 
PberSolutions ArchitectCommented:
The Pre-Windows 2000 logon name attribute is "sAMAccountName".
All accounts will have one, even non migrated accounts.

Thus to find disabled accounts with a prefix of "ADC_" the query would be:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*)
0
 
PberSolutions ArchitectCommented:
Don't worry about a new questions.  
0
 
PberSolutions ArchitectCommented:
woops, that was missing a trailing bracket:

Try this:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*))
0
 
samiam41Author Commented:
You're awesome!  Wish I would have posted that sooner and saved the frustration.  You sure about the points for a new question?  As I get more involved with the AD management (everyone that was doing it is gone, so I have a little learning curve), I am sure I will be asking more questions.  

I will try out the query you posted.
0
 
PberSolutions ArchitectCommented:
Once again.  Glad to help.  

I never mind posting follow ups to a question.  
Don't worry about a new question, I don't need the points.
(:
0
 
samiam41Author Commented:
I tried out the query and it produced "no results".  It didn't even list the people with the pre-Windows 2000 login.  I was hoping it would list all the users in the OU and include the accounts that were disabled but nothing showed up.
0
 
PberSolutions ArchitectCommented:
This will list all disabled users that the Pre Windows 2000 logon name starts with ADC_

&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*))

This will list all enabled users that the Pre Windows 2000 logon name starts with ADC_

&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2)(sAMAccountName=ADC_*))

What do you want to list?  Just all users within an OU?


0
All Courses

From novice to tech pro — start learning today.