Lets start with the script and move on to the explanation:
On Error Resume Next
Set objConnection = CreateObject(“ADODB.Connection”)
Set objCommand = CreateObject(“ADODB.Command”)
objConnection.Provider = “ADsDSOObject”
objConnection.Open “Active Directory Provider”
Set objCommand.ActiveConnection = objConnection
objCommand.Properties(“Page Size”) = 1000
objCommand.CommandText = _
“<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)” & _
Set objRecordSet = objCommand.Execute
Do Until objRecordSet.EOF
The problem we have here is that account status (enabled or disabled) is part of the userAccountControl attribute. This happens to be an example of a bitmask attribute: a single attribute that actually houses numerous property values. In fact, all of the following property values are stored in this single attribute:
•The user account is disabled.
•The account is currently locked out.
•No password is required.
•The user cannot change the password.
•This is a default account type that represents a typical user.
•When set, the password will not expire on this account.
•When set, this flag will force the user to log on using a smart card.
•The user password has expired.
Bitmask attributes can be a bit confusing, but, for the most part, they aren’t too hard to work with. The one exception occurs when you need to search Active Directory, which is exactly what we need to do here. Typically when you search Active Directory you use a SQL query similar to this:
Select Name from ‘LDAP://dc=fabrikam,dc=com’ Where Department = ‘Finance’
That works fine for most Active Directory attributes; it doesn’t work so fine – in fact, it doesn’t work at all – for bitmask attributes. Therefore we have to rely on Plan B, and use the LDAP query syntax instead:
<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)” & _
Yes, we know; we don’t like it any better than you do. But, really, after you know what the individual parts represent this isn’t as bad as it first looks:
•<LDAP://dc=fabrikam,dc=com>. This is just simply the starting point for our search: the root of the fabrikam.com domain. Other than the angle brackets that surround the ADsPath this should be pretty familiar to you.
•(&(objectCategory=User). This is part of our “Where” clause (note that we don’t actually use the word Where anywhere in the query). The objectCategory=User portion should be fairly straightforward; we’re interested only in user objects. The & is equivalent to the AND operator in a SQL clause: it just means we’re combining objectCategory=User with something else.
•(userAccountControl:1.2.840.113522.214.171.1243:=2)). And this just happens to be that something else. It might look like gibberish, but this actually tells our script to search for objects (in this case, users) where bit 2 in the userAccountControl attribute has been enabled. We won’t spend any time discussing bitmask attributes here; for a brief discussion see the Reading User Account Password Attributes section of the Microsoft Windows 2000 Scripting Guide. For now all we have to know is that if bit 2 is enabled then the user account is disabled.
So what about the 1.2.840.11135126.96.36.1993? That happens to be the LDAP bit matching rule and is equivalent to the Boolean AND operator (we know, we know). In other words, this crazy-looking concoction is basically equal to this:
If objUser.userAccountControl AND 2 Then
If you’re familiar with bitmasks this might make some sense to you. If not, well, don’t worry too much about it. Go ahead and use the script as-is and save the understanding for later.
•Name. This is the just attribute we want returned.
•Subtree. This is our search scope; it simply means we want to search the entire Active Directory tree.