PowerShell Checking for disabled accounts.

Posted on 2011-02-26
Medium Priority
Last Modified: 2012-05-11
Hi all,

if there is anybody here that can help me I would be greatly appreciative, i have wrote a very basic script to look for disabled accounts etc, and account lock outs.

adding the 512 (normal account) to the 16 for lockout. Example below:

$search.Filter = “(&(objectClass=user)(userAccountControl=528))

but this is not working :( if I do 512 instead of the 528 i get a list of accounts, can anyone see what I am doing wrong?


Question by:EastThames
LVL 16

Assisted Solution

by:Dale Harris
Dale Harris earned 664 total points
ID: 34988852
If you use the Quest CMDlets, you can do a command a little easier:

get-qaduser -disabled

I think 514 is the number you're looking for though.



Dale Harris
LVL 49

Accepted Solution

Akhater earned 668 total points
ID: 34989396
Here you go for a more "native" approach

$searcher = new-object DirectoryServices.DirectorySearcher([ADSI]“”)
$searcher.filter = “(&(objectClass=user)(userAccountControl=514))
$users = $searcher.findall()
LVL 27

Assisted Solution

KenMcF earned 668 total points
ID: 34989505
I agree with Dale, the Quest tools would be the best to use here. But if you want to use what you have an LDAP query for 514 is not the right way to do this. You need to get the UserAccoutnControl attribute and a Value of 2 (Account Disabled) and a value of 512 (Normal User) may get most of your disbaled account, it will not get an accurate could. You will want to modify your search filter like this


You want to see if Bit 2 has been enabled.



Featured Post

SMB Security Just Got a Layer Stronger

WatchGuard acquires Percipient Networks to extend protection to the DNS layer, further increasing the value of Total Security Suite.  Learn more about what this means for you and how you can improve your security with WatchGuard today!

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

A recent project that involved parsing Tableau Desktop and Server log files to extract reusable user queries for use in other systems. I chose to use PowerShell to gather the data, and SharePoint to present it...
Auditing domain password hashes is a commonly overlooked but critical requirement to ensuring secure passwords practices are followed. Methods exist to extract hashes directly for a live domain however this article describes a process to extract u…
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an anti-spam), the admin…
Loops Section Overview

597 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question