Information of Users in an Intranet

Tags: Active Directory, Intranet
How can I check the disabled users in the Active Directory of my intranet?

Answer Wiki


Let's start with the script and move on to the explanation:

On Error Resume Next   ' Note: this also hides errors such as an unreachable domain controller

' Open an ADO connection through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand.ActiveConnection = objConnection

' Page the results so the search can return more than the server's default 1000-object limit
objCommand.Properties("Page Size") = 1000

' LDAP dialect: <base>;(filter);attributes;scope
objCommand.CommandText = _
    "<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)" & _
    "(userAccountControl:1.2.840.113556.1.4.803:=2));Name;Subtree"
Set objRecordSet = objCommand.Execute

' MoveFirst fails on an empty recordset, so only call it when rows came back
If Not objRecordSet.EOF Then objRecordSet.MoveFirst
Do Until objRecordSet.EOF
    Wscript.Echo objRecordSet.Fields("Name").Value
    objRecordSet.MoveNext
Loop

The problem we have here is that account status (enabled or disabled) is part of the userAccountControl attribute. This happens to be an example of a bitmask attribute: a single attribute that actually houses numerous property values. In fact, all of the following property values are stored in this single attribute:
•The user account is disabled.
•The account is currently locked out.
•No password is required.
•The user cannot change the password.
•This is a default account type that represents a typical user.
•When set, the password will not expire on this account.
•When set, this flag will force the user to log on using a smart card.
•The user password has expired.

Bitmask attributes can be a bit confusing, but, for the most part, they aren’t too hard to work with. The one exception occurs when you need to search Active Directory, which is exactly what we need to do here. Typically when you search Active Directory you use a SQL query similar to this:

Select Name from 'LDAP://dc=fabrikam,dc=com' Where Department = 'Finance'

That works fine for most Active Directory attributes; it doesn’t work so fine – in fact, it doesn’t work at all – for bitmask attributes. Therefore we have to rely on Plan B, and use the LDAP query syntax instead:

<LDAP://dc=fabrikam,dc=com>;(&(objectCategory=User)(userAccountControl:1.2.840.113556.1.4.803:=2));Name;Subtree

Yes, we know; we don’t like it any better than you do. But, really, after you know what the individual parts represent this isn’t as bad as it first looks:
•<LDAP://dc=fabrikam,dc=com>. This is simply the starting point for our search: the root of the fabrikam.com domain. Other than the angle brackets that surround the ADsPath, this should be pretty familiar to you.
•(&(objectCategory=User). This is part of our “Where” clause (note that we don’t actually use the word Where anywhere in the query). The objectCategory=User portion should be fairly straightforward; we’re interested only in user objects. The & is equivalent to the AND operator in a SQL clause: it just means we’re combining objectCategory=User with something else.
•(userAccountControl:1.2.840.113556.1.4.803:=2)). And this just happens to be that something else. It might look like gibberish, but this actually tells our script to search for objects (in this case, users) where bit 2 in the userAccountControl attribute has been enabled. We won’t spend any time discussing bitmask attributes here; for a brief discussion see the Reading User Account Password Attributes section of the Microsoft Windows 2000 Scripting Guide. For now all we have to know is that if bit 2 is enabled then the user account is disabled.

So what about the 1.2.840.113556.1.4.803? That happens to be the LDAP bit matching rule and is equivalent to the Boolean AND operator (we know, we know). In other words, this crazy-looking concoction is basically equal to this:

If objUser.userAccountControl AND 2 Then

If you’re familiar with bitmasks this might make some sense to you. If not, well, don’t worry too much about it. Go ahead and use the script as-is and save the understanding for later.

•Name. This is just the attribute we want returned.
•Subtree. This is our search scope; it simply means we want to search the entire Active Directory tree.
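The bitmask logic the answer walks through, as an added Python example that is not part of the original answer or of any Microsoft script. It decodes the userAccountControl flags listed above (flag values from the published userAccountControl bit definitions), assembles the same LDAP filter from its parts, and emulates both bitwise matching rules Active Directory offers, 1.2.840.113556.1.4.803 (bit-AND) and 1.2.840.113556.1.4.804 (bit-OR), over a handful of constructed sample accounts. The account names and values are made up; they stand in for what a real search would return.

```python
"""Decode Active Directory userAccountControl bitmask values and emulate
the LDAP bitwise matching rules used in the disabled-user query above.
Added example: the sample accounts below are constructed, not real data."""

# Flag values from the userAccountControl bit definitions (ADS_USER_FLAG_ENUM).
# The comments map each bit to the property list given in the answer.
UAC_FLAGS = {
    "ACCOUNTDISABLE":       0x000002,  # the user account is disabled
    "LOCKOUT":              0x000010,  # account locked out (see usage note)
    "PASSWD_NOTREQD":       0x000020,  # no password is required
    "PASSWD_CANT_CHANGE":   0x000040,  # the user cannot change the password
    "NORMAL_ACCOUNT":       0x000200,  # default account type for a typical user
    "DONT_EXPIRE_PASSWORD": 0x010000,  # password never expires
    "SMARTCARD_REQUIRED":   0x040000,  # smart card required for logon
    "PASSWORD_EXPIRED":     0x800000,  # password has expired (see usage note)
}

# OIDs of the two extensible-match rules Active Directory provides for bitmasks.
BIT_AND = "1.2.840.113556.1.4.803"   # true when every bit of the mask is set
BIT_OR = "1.2.840.113556.1.4.804"    # true when any bit of the mask is set


def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return {name for name, bit in UAC_FLAGS.items() if value & bit}


def bit_assertion(attribute, mask, rule=BIT_AND):
    """Build one extensible-match assertion, e.g.
    (userAccountControl:1.2.840.113556.1.4.803:=2)."""
    return f"({attribute}:{rule}:={mask})"


def disabled_users_filter():
    """The answer's filter for disabled user objects, assembled from its parts."""
    return ("(&(objectCategory=User)"
            + bit_assertion("userAccountControl", UAC_FLAGS["ACCOUNTDISABLE"])
            + ")")


def bit_rule_matches(value, mask, rule):
    """Evaluate a bitwise matching rule the way the directory server does."""
    if rule == BIT_AND:
        return (value & mask) == mask
    if rule == BIT_OR:
        return (value & mask) != 0
    raise ValueError(f"unknown matching rule {rule}")


# Constructed sample accounts (name, userAccountControl) standing in for a
# directory search result. 512 = NORMAL_ACCOUNT; 514 = 512 + ACCOUNTDISABLE;
# 66048 = 512 + DONT_EXPIRE_PASSWORD; 66050 = 512 + 2 + DONT_EXPIRE_PASSWORD.
SAMPLE_ACCOUNTS = [
    {"name": "alice", "userAccountControl": 512},
    {"name": "bob", "userAccountControl": 514},
    {"name": "svc-backup", "userAccountControl": 66048},
    {"name": "carol", "userAccountControl": 66050},
]


def find_accounts(accounts, mask, rule=BIT_AND):
    """Names of accounts whose userAccountControl satisfies the rule for mask."""
    return [a["name"] for a in accounts
            if bit_rule_matches(a["userAccountControl"], mask, rule)]


if __name__ == "__main__":
    print(disabled_users_filter())
    for account in SAMPLE_ACCOUNTS:
        flags = sorted(decode_uac(account["userAccountControl"]))
        print(f'{account["name"]:<11} {account["userAccountControl"]:>7}  {", ".join(flags)}')
    disabled = UAC_FLAGS["ACCOUNTDISABLE"]
    never_expires = UAC_FLAGS["DONT_EXPIRE_PASSWORD"]
    print("disabled:", find_accounts(SAMPLE_ACCOUNTS, disabled))
    print("disabled AND never-expires:", find_accounts(SAMPLE_ACCOUNTS, disabled | never_expires))
    print("disabled OR never-expires:", find_accounts(SAMPLE_ACCOUNTS, disabled | never_expires, BIT_OR))
```

Two practical points follow from the bit rules. First, wrapping the assertion in a NOT, `(!(userAccountControl:1.2.840.113556.1.4.803:=2))`, gives the complementary query for enabled accounts, and combining several bits in one mask with the bit-AND rule (for example disabled accounts whose password never expires) is how a review of stale service accounts is usually narrowed. Second, the LOCKOUT and PASSWORD_EXPIRED bits are not maintained in the stored userAccountControl attribute; Active Directory exposes them through the constructed attribute msDS-User-Account-Control-Computed, so a filter on userAccountControl alone will not find locked-out or password-expired accounts.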
