Solved

PowerShell Checking for disabled accounts.

Posted on 2011-02-26
Last Modified: 2012-05-11
Hi all,

If there is anybody here that can help me I would be greatly appreciative. I have written a very basic script to look for disabled accounts etc., and account lockouts.

Adding the 512 (normal account) to the 16 for lockout. Example below:

$search.Filter = "(&(objectClass=user)(userAccountControl=528))"

But this is not working :( If I do 512 instead of the 528 I get a list of accounts. Can anyone see what I am doing wrong?

Regards

Daniel
Question by:EastThames
3 Comments
 
LVL 16

Assisted Solution

by:Dale Harris
Dale Harris earned 166 total points
ID: 34988852
If you use the Quest CMDlets, you can do a command a little easier:

get-qaduser -disabled

I think 514 is the number you're looking for though.

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7ff0fb2f-0cd1-44a9-b172-7abd196ee617

HTH,

Dale Harris
0
 
LVL 49

Accepted Solution

by:Akhater
Akhater earned 167 total points
ID: 34989396
Here you go for a more "native" approach

# [ADSI]"" binds to the root of the current domain
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
$searcher.Filter = "(&(objectClass=user)(userAccountControl=514))"
$users = $searcher.FindAll()
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 167 total points
ID: 34989505
I agree with Dale, the Quest tools would be the best to use here. But if you want to use what you have, an LDAP query for 514 is not the right way to do this. You need to get the UserAccountControl attribute; a value of 2 (Account Disabled) and a value of 512 (Normal User) may get most of your disabled accounts, but it will not get an accurate count. You will want to modify your search filter like this:

"(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

You want to see if Bit 2 has been enabled.


http://support.microsoft.com/kb/305144

0
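
The difference between the exact-match filters (=514, =528) and the bitwise filter discussed in the answers above, as an added example that is not part of any poster's reply: it runs both tests over constructed userAccountControl values and then wraps the bitwise query in a function. The sample accounts, the function names, the `objectCategory=person` clause and the `PageSize` setting are assumptions of this example.

```powershell
# Added example. Flag values are the ones listed in KB305144 (linked in the thread).
$UacFlags = @{
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010   # AD DS reports lockout via lockoutTime, not this bit
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function Get-UacFlagName([int]$Value) {
    # Names of every known flag whose bit is set in $Value.
    $UacFlags.GetEnumerator() | Where-Object { $Value -band $_.Value } |
        Sort-Object Value | ForEach-Object { $_.Key }
}

function Test-AccountDisabled([int]$Value) {
    # The same test the LDAP bitwise-AND rule 1.2.840.113556.1.4.803 applies with ":=2".
    ($Value -band $UacFlags.ACCOUNTDISABLE) -ne 0
}

# Constructed sample accounts; names and values are made up for illustration.
$samples = @(
    @{ Name = 'alice';   Uac = 512 },    # enabled
    @{ Name = 'bob';     Uac = 514 },    # disabled
    @{ Name = 'carol';   Uac = 546 },    # disabled, password not required
    @{ Name = 'svc-old'; Uac = 66050 }   # disabled, password never expires
)

function Compare-DisabledTest($Accounts) {
    foreach ($a in $Accounts) {
        New-Object PSObject -Property @{
            Name            = $a.Name
            Uac             = $a.Uac
            ExactMatch514   = ($a.Uac -eq 514)
            BitTestDisabled = (Test-AccountDisabled $a.Uac)
            Flags           = (Get-UacFlagName $a.Uac) -join ','
        }
    }
}

Compare-DisabledTest $samples |
    Select-Object Name, Uac, ExactMatch514, BitTestDisabled, Flags | Format-Table -AutoSize

function Find-DisabledUser {
    # Needs a domain-joined host. objectCategory=person is an addition here: computer
    # objects also carry objectClass=user. PageSize enables paging past 1000 results.
    $searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"
    $searcher.PageSize = 1000
    $searcher.FindAll()
}
```

Of the four constructed accounts, only the one with the value 514 passes the exact-match test, while the bit test flags all three disabled ones.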
