PowerShell Checking for disabled accounts.

Hi all,

if there is anybody here that can help me I would be greatly appreciative, i have wrote a very basic script to look for disabled accounts etc, and account lock outs.

adding the 512 (normal account) to the 16 for lockout. Example below:

$search.Filter = “(&(objectClass=user)(userAccountControl=528))

but this is not working :( if I do 512 instead of the 528 i get a list of accounts, can anyone see what I am doing wrong?

Regards

Daniel
LVL 1
EastThamesAsked:
Who is Participating?
 
AkhaterConnect With a Mentor Commented:
Here you go for a more "native" approach

$searcher = new-object DirectoryServices.DirectorySearcher([ADSI]“”)
$searcher.filter = “(&(objectClass=user)(userAccountControl=514))
$users = $searcher.findall()
0
 
Dale HarrisConnect With a Mentor Professional Services EngineerCommented:
If you use the Quest CMDlets, you can do a command a little easier:

get-qaduser -disabled

I think 514 is the number you're looking for though.

http://social.technet.microsoft.com/Forums/en/winserverDS/thread/7ff0fb2f-0cd1-44a9-b172-7abd196ee617

HTH,

Dale Harris
0
 
KenMcFConnect With a Mentor Commented:
I agree with Dale, the Quest tools would be the best to use here. But if you want to use what you have an LDAP query for 514 is not the right way to do this. You need to get the UserAccoutnControl attribute and a Value of 2 (Account Disabled) and a value of 512 (Normal User) may get most of your disbaled account, it will not get an accurate could. You will want to modify your search filter like this

“(&(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"

You want to see if Bit 2 has been enabled.


http://support.microsoft.com/kb/305144

0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.