AD - Query to find disabled users

I need a query to use in AD to find only disabled users. I am using the query below, but it pulls a lot of other stuff that I know is not disabled, like conference rooms and other user accounts, for some reason.

 (&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2))
Twhite0909 Asked:
 
Will Szymkowski, Senior Solution Architect, Commented:
You are getting other search results probably due to Exchange accounts that are created. Example, if you create a Room Resource mailbox in Exchange, it will create the associating account in AD but it will be disabled. These are the types of things you are probably picking up when you run the script above. I have modified it below...

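# Disabled users with no Exchange resource attribute set. -not binds tighter than -like, so the attribute is tested directly.
Get-ADUser -Filter 'objectclass -eq "user"' -Properties * | Where-Object {$_.Enabled -eq $False -and -not $_.msExchResourceSearchProperties} | ft Name, sAMAccountName, Enabled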



Anything that has an Exchange Resource property will not be part of this query.


Will.
0
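Added example, not part of the original posts: it decodes `userAccountControl` for a few constructed accounts to show what the `:1.2.840.113556.1.4.803:=2` bitwise-AND rule matches, and why a room mailbox's AD account lands in the result until the Exchange resource attribute is excluded. The helper names `Get-UacFlagName` and `Test-DisabledPerson` and all sample accounts are assumptions made for illustration.

```powershell
# Added example. All records below are constructed sample data; no domain is queried.
$ACCOUNTDISABLE = 0x0002   # the bit matched by (userAccountControl:1.2.840.113556.1.4.803:=2)

# A few well-known userAccountControl flags, enough to decode the samples.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function Get-UacFlagName {
    # Hypothetical helper: returns the names of the flags set in a UAC value.
    param([int]$Uac)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if ($Uac -band $flag.Value) { $flag.Key }
    }
}

function Test-DisabledPerson {
    # Hypothetical helper: same test as the LDAP bitwise-AND rule, plus the
    # "no Exchange resource attribute" exclusion described in the answer above.
    param($Account)
    $disabled   = ($Account.userAccountControl -band $ACCOUNTDISABLE) -ne 0
    $isResource = [bool]$Account.msExchResourceSearchProperties
    $disabled -and -not $isResource
}

# Constructed accounts: two enabled, two disabled people, one room mailbox.
$sample = @(
    [pscustomobject]@{ Name = 'jsmith';     userAccountControl = 512;   msExchResourceSearchProperties = $null }
    [pscustomobject]@{ Name = 'rjones';     userAccountControl = 514;   msExchResourceSearchProperties = $null }
    [pscustomobject]@{ Name = 'svc-backup'; userAccountControl = 66048; msExchResourceSearchProperties = $null }
    [pscustomobject]@{ Name = 'old-temp';   userAccountControl = 66050; msExchResourceSearchProperties = $null }
    [pscustomobject]@{ Name = 'ConfRoom-A'; userAccountControl = 514;   msExchResourceSearchProperties = 'Room' }
)

$sample | Select-Object Name, userAccountControl,
    @{ n = 'Flags';          e = { (Get-UacFlagName $_.userAccountControl) -join '|' } },
    @{ n = 'MatchesBit2';    e = { [bool]($_.userAccountControl -band $ACCOUNTDISABLE) } },
    @{ n = 'DisabledPerson'; e = { Test-DisabledPerson $_ } } |
    Format-Table -AutoSize

# Against a live domain the same selection can be done server-side:
# Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)(!(msExchResourceSearchProperties=*)))'
```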
 
Will Szymkowski, Senior Solution Architect, Commented:
You can use PowerShell to accomplish this. Use the below command...

Import-Module activedirectory

Then run the below command...

get-aduser -Filter * | Where-Object {$_.enabled -eq $false} | select Name, sAMAccountName, Enabled

Will.
0
 
Mike Kline Commented:
Odd, your query worked for me, can you try refining it a bit

(&(objectCategory=person)(objectclass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

PowerShell above is also great. AdFind is a free lightweight tool that has a great shortcut

http://www.joeware.net/freetools/tools/adfind/

adfind -sc users_disabled

Thanks

Mike
0

 
Twhite0909 (Author) Commented:
The query worked for me; I was just saying that it pulled back a lot of accounts that are NOT disabled as well as accounts that are. I'm looking to take out the accounts that are active from the list.
0
 
Twhite0909 (Author) Commented:
The Powershell command does the same.

I need to get only DISABLED accounts. I am getting back all of my conference rooms, accountspayable, exec accounts, etc. All of these are ACTIVE, and these commands and queries are pulling them in with this disabled user account list.
0
 
Mike Kline Commented:
When I ran it, it only returned disabled accounts. You are seeing enabled accounts too? Do those accounts have anything else set on the account options?
0
 
Mike Kline Commented:
Can you download adfind and run

adfind -sc users_disabled name

Thanks


Mike
0
Question has a verified solution.
