Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win

x
?
Solved

PowerShell Checking for disabled accounts.

Posted on 2011-02-26
3
Medium Priority
?
961 Views
Last Modified: 2012-05-11
Hi all,

if there is anybody here that can help me I would be greatly appreciative, i have wrote a very basic script to look for disabled accounts etc, and account lock outs.

adding the 512 (normal account) to the 16 for lockout. Example below:

$search.Filter = “(&(objectClass=user)(userAccountControl=528))

but this is not working :( if I do 512 instead of the 528 i get a list of accounts, can anyone see what I am doing wrong?

Regards

Daniel
0
Comment
Question by:EastThames
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
3 Comments
 
LVL 16

Assisted Solution

by:Dale Harris
Dale Harris earned 664 total points
ID: 34988852
If you use the Quest CMDlets, you can do a command a little easier:

get-qaduser -disabled

I think 514 is the number you're looking for though.

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7ff0fb2f-0cd1-44a9-b172-7abd196ee617

HTH,

Dale Harris
0
 
LVL 49

Accepted Solution

by:
Akhater earned 668 total points
ID: 34989396
Here you go for a more "native" approach

$searcher = new-object DirectoryServices.DirectorySearcher([ADSI]“”)
$searcher.filter = “(&(objectClass=user)(userAccountControl=514))
$users = $searcher.findall()
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 668 total points
ID: 34989505
I agree with Dale, the Quest tools would be the best to use here. But if you want to use what you have an LDAP query for 514 is not the right way to do this. You need to get the UserAccoutnControl attribute and a Value of 2 (Account Disabled) and a value of 512 (Normal User) may get most of your disbaled account, it will not get an accurate could. You will want to modify your search filter like this

“(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

You want to see if Bit 2 has been enabled.


http://support.microsoft.com/kb/305144

0

Featured Post

Get your Conversational Ransomware Defense e‑book

This e-book gives you an insight into the ransomware threat and reviews the fundamentals of top-notch ransomware preparedness and recovery. To help you protect yourself and your organization. The initial infection may be inevitable, so the best protection is to be fully prepared.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

The Nano Server Image Builder helps you create a custom Nano Server image and bootable USB media with the aid of a graphical interface. Based on the inputs you provide, it generates images for deployment and creates reusable PowerShell scripts that …
A walk-through example of how to obtain and apply new DID phone numbers to your cloud PBX enabled users that are configured in Office 365. Whether you have 1, 10 or 100+ users in your tenant, it's quite easy to get them phone-enabled and making/rece…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question