List Disabled Accounts In Active Directory

August 8, 2006

Searching through Active Directory for disabled accounts can be tedious.
This is why I created a script to shorten this process.
It will search through an OU and write all disabled accounts to a file.

———-COPY EVERYTHING BELOW THIS LINE———-

'Created July 21 2006 By Chey Harden

Const ADS_UF_ACCOUNTDISABLE = 2
Const OPEN_FILE_FOR_WRITING = 2
strFile = "disabled.txt"
strDirectory = "\\SERVER\files\Scripts\"
strWritePath = strDirectory & strFile

'#########
'Create the output file if it does not exist yet
Set objFSO1 = CreateObject("Scripting.FileSystemObject")

If Not objFSO1.FileExists(strWritePath) Then
    Set objFile = objFSO1.CreateTextFile(strWritePath)
    'Wscript.Echo "Just created " & strWritePath
    objFile.Close 'release the handle so the file can be reopened below
End If
'#########
'Open the output file for writing (existing contents are overwritten)
Set fso = CreateObject("Scripting.FileSystemObject")
Set textFile = fso.OpenTextFile(strWritePath, OPEN_FILE_FOR_WRITING)

Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = "<GC://dc=MY_DOMAIN,dc=com>;(objectCategory=User)" & _
    ";userAccountControl,distinguishedName;subtree"
'Put AD info here, should be dc=DOMAIN, dc="com" or "org", or "local"
'Page the results; without paging AD returns at most 1000 rows by default
objCommand.Properties("Page Size") = 1000
Set objRecordSet = objCommand.Execute

intCounter = 0
While Not objRecordset.EOF
    intUAC = objRecordset.Fields("userAccountControl")
    'Bitwise test: the account is disabled when bit 2 is set
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        'WScript.Echo objRecordset.Fields("distinguishedName") & " is disabled"
        textFile.WriteLine(objRecordset.Fields("distinguishedName"))
        intCounter = intCounter + 1
    End If
    objRecordset.MoveNext
Wend

WScript.Echo VbCrLf & "A total of " & intCounter & " accounts are disabled."

textFile.Close
objConnection.Close

WScript.Echo "Done…"
WScript.Quit

———-COPY EVERYTHING ABOVE THIS LINE———-

PLEASE MAKE SURE NO WORD WRAPPING IS HAPPENING IN YOUR NOTEPAD!!!

*Make sure you replace all instances of \\SERVER\files\Scripts\ with the UNC server path that you want to log to.
*Make sure that you have write access to the file path.

*Make sure you also replace <GC://dc=MY_DOMAIN,dc=com> with your domain information.
Example: Domain.local would mean <GC://dc=Domain,dc=local>

This information is provided “AS IS” with no warranties expressed or implied.
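
The following is an added example, not part of the original script or written by its author. It applies the same ADS_UF_ACCOUNTDISABLE bit test to rows already exported from the directory, and goes one step further by decoding the other userAccountControl bits and building an LDAP filter that lets the server do the AND test. The function names and the sample rows are assumptions made for illustration; the sample data is constructed.

```python
from enum import IntFlag

class UAC(IntFlag):
    """Subset of the userAccountControl bits (ADS_UF_* values)."""
    ACCOUNTDISABLE = 0x2          # same value as ADS_UF_ACCOUNTDISABLE in the script
    LOCKOUT = 0x10
    PASSWD_NOTREQD = 0x20
    NORMAL_ACCOUNT = 0x200
    DONT_EXPIRE_PASSWORD = 0x10000

# LDAP_MATCHING_RULE_BIT_AND: the directory server performs the bitwise AND itself.
BIT_AND_OID = "1.2.840.113556.1.4.803"

def disabled_filter():
    """LDAP filter matching only disabled objects, using the script's objectCategory."""
    return ("(&(objectCategory=User)"
            f"(userAccountControl:{BIT_AND_OID}:={int(UAC.ACCOUNTDISABLE)}))")

def flag_names(value):
    """Names of the known bits that are set in a userAccountControl value."""
    return [flag.name for flag in UAC if value & flag]

def disabled_accounts(records):
    """Return (dn, flag names) for every row whose ACCOUNTDISABLE bit is set."""
    found = []
    for dn, raw in records:
        if raw in (None, ""):     # e.g. contact objects have no userAccountControl
            continue
        value = int(raw)          # LDAP exports give the attribute as a decimal string
        if value & UAC.ACCOUNTDISABLE:
            found.append((dn, flag_names(value)))
    return found

# Constructed sample rows (distinguishedName, userAccountControl); not real data.
SAMPLE = [
    ("CN=Alice Example,OU=Staff,DC=example,DC=local", "512"),
    ("CN=Bob Example,OU=Staff,DC=example,DC=local", "514"),
    ("CN=svc-backup,OU=Service,DC=example,DC=local", 66050),
    ("CN=Vendor Contact,OU=Contacts,DC=example,DC=local", None),
    ("CN=Carol Example,OU=Staff,DC=example,DC=local", "66048"),
]

if __name__ == "__main__":
    print(disabled_filter())
    for dn, flags in disabled_accounts(SAMPLE):
        print(dn, ",".join(flags))
```

Disabled accounts that still carry DONT_EXPIRE_PASSWORD or PASSWD_NOTREQD are worth reviewing before anyone re-enables them.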
