Knowledge Base

Preserving for the future: Shell scripts, AoC, and more

ldapsearch find disabled users in Active Directory

If you want to find the disabled users in your AD environment, you can use a search filter on the userAccountControl attribute. A domain controller hands back at most MaxPageSize entries per search (1000 by default) and then answers with result code 4 (sizeLimitExceeded), so to retrieve the whole result set the simple paged results control has to be turned on with -E pr=... . The page size you request is capped at MaxPageSize by the DC, so asking for an arbitrarily high value behaves the same as 1000; what matters is that the control is present. The /noprompt suffix stops ldapsearch from pausing for a keypress between pages (piping an empty echo into it is a workaround for the same prompt). Two caveats: the -x simple bind sends the password in the clear unless the connection is ldaps:// or StartTLS (-ZZ), so keep the ldaps URL; and this filter finds accounts that are disabled, not accounts that are merely inactive, which needs lastLogonTimestamp (see reference 1).

ldapsearch -E 'pr=1000/noprompt' -z max -b 'dc=prod1,dc=example,dc=com' -s 'sub' -x -D 'CN=B Stack15,OU=Users,DC=prod1,DC=example,DC=com' -W -H 'ldaps://dc4.prod1.example.com:636' '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' dn

userAccountControl is an integer bit field: each bit is a flag such as ACCOUNTDISABLE (0x0002), NORMAL_ACCOUNT (0x0200) or DONT_EXPIRE_PASSWORD (0x10000); the full list is in reference 3. The :1.2.840.113556.1.4.803:= syntax is not a plain operator but an LDAP extensible match using the LDAP_MATCHING_RULE_BIT_AND rule, so userAccountControl:1.2.840.113556.1.4.803:=2 matches every entry whose value has bit 0x2 set, whatever other bits are set. A plain equality test such as userAccountControl=514 would only match accounts whose value is exactly NORMAL_ACCOUNT + ACCOUNTDISABLE and would miss, for example, a disabled account that also has DONT_EXPIRE_PASSWORD (66050). The OR counterpart, matching entries with any of the mask bits set, is 1.2.840.113556.1.4.804 (LDAP_MATCHING_RULE_BIT_OR).
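Worked example, added here and not part of the original page: a small POSIX shell helper that builds the bit-AND or bit-OR filter for any set of userAccountControl flags and decodes the values ldapsearch returns when you ask for the userAccountControl attribute instead of only dn. The flag names and values are the ones from Microsoft KB 305144 (reference 3 below); the LDIF at the bottom is a constructed sample in the shape ldapsearch prints, not real directory output. It goes a step beyond the page by showing that other audit-relevant bits (PASSWD_NOTREQD, DONT_REQ_PREAUTH) are queried with exactly the same mechanism.

```sh
#!/bin/sh
# Added example, not from the original page: build userAccountControl bit filters
# and decode the userAccountControl values ldapsearch returns.
# Flag names/values are from Microsoft KB 305144 (reference 3 on this page).

# name:value pairs in ascending bit order; word-split on newlines below
UAC_FLAGS='SCRIPT:0x0001
ACCOUNTDISABLE:0x0002
HOMEDIR_REQUIRED:0x0008
LOCKOUT:0x0010
PASSWD_NOTREQD:0x0020
PASSWD_CANT_CHANGE:0x0040
ENCRYPTED_TEXT_PWD_ALLOWED:0x0080
TEMP_DUPLICATE_ACCOUNT:0x0100
NORMAL_ACCOUNT:0x0200
INTERDOMAIN_TRUST_ACCOUNT:0x0800
WORKSTATION_TRUST_ACCOUNT:0x1000
SERVER_TRUST_ACCOUNT:0x2000
DONT_EXPIRE_PASSWORD:0x10000
MNS_LOGON_ACCOUNT:0x20000
SMARTCARD_REQUIRED:0x40000
TRUSTED_FOR_DELEGATION:0x80000
NOT_DELEGATED:0x100000
USE_DES_KEY_ONLY:0x200000
DONT_REQ_PREAUTH:0x400000
PASSWORD_EXPIRED:0x800000
TRUSTED_TO_AUTH_FOR_DELEGATION:0x1000000
PARTIAL_SECRETS_ACCOUNT:0x4000000'

# Matching-rule OIDs for an extensible match on a bit field
BIT_AND='1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND: all mask bits set
BIT_OR='1.2.840.113556.1.4.804'    # LDAP_MATCHING_RULE_BIT_OR: any mask bit set

# uac_value NAME -> decimal value of one flag; exit 1 if the name is unknown
uac_value() {
    hex=$(printf '%s\n' "$UAC_FLAGS" | awk -F: -v n="$1" '$1 == n { print $2 }')
    [ -n "$hex" ] || return 1
    printf '%d\n' "$(( hex ))"
}

# uac_mask NAME... -> decimal OR of the named flags
uac_mask() {
    mask=0
    for name in "$@"; do
        v=$(uac_value "$name") || { echo "unknown flag: $name" >&2; return 1; }
        mask=$(( mask | v ))
    done
    printf '%d\n' "$mask"
}

# uac_filter [-o] NAME... -> search filter for user accounts with those bits.
# Default is bit-AND (every named bit must be set); -o switches to bit-OR.
uac_filter() {
    rule=$BIT_AND
    if [ "$1" = "-o" ]; then rule=$BIT_OR; shift; fi
    mask=$(uac_mask "$@") || return 1
    printf '(&(objectCategory=person)(objectClass=user)(userAccountControl:%s:=%s))\n' \
        "$rule" "$mask"
}

# uac_decode VALUE -> names of the bits set in VALUE (decimal or 0x hex)
uac_decode() {
    value=$(( $1 ))
    out=''
    for pair in $UAC_FLAGS; do
        name=${pair%%:*}
        bit=$(( ${pair#*:} ))
        [ $(( value & bit )) -ne 0 ] && out="$out${out:+ }$name"
    done
    printf '%s\n' "$out"
}

# uac_report < LDIF -> one "dn<TAB>flags" line per entry, for ldapsearch output that
# requested userAccountControl. Plain "dn: " lines only (no base64 "dn:: ", no folding).
uac_report() {
    dn=''; uac=''
    while IFS= read -r line || [ -n "$line" ]; do
        case $line in
            'dn: '*) dn=${line#"dn: "} ;;
            'userAccountControl: '*) uac=${line#"userAccountControl: "} ;;
            '') [ -n "$dn" ] && printf '%s\t%s\n' "$dn" "$(uac_decode "${uac:-0}")"
                dn=''; uac='' ;;
        esac
    done
    [ -n "$dn" ] && printf '%s\t%s\n' "$dn" "$(uac_decode "${uac:-0}")"
    return 0
}

# Constructed sample in the shape ldapsearch prints; not real directory data.
SAMPLE_LDIF='dn: CN=Alice Example,OU=Users,DC=prod1,DC=example,DC=com
userAccountControl: 514

dn: CN=Bob Example,OU=Users,DC=prod1,DC=example,DC=com
userAccountControl: 66050

dn: CN=svc-backup,OU=Service,DC=prod1,DC=example,DC=com
userAccountControl: 4260352
'

# Stand-alone demo: the disabled-user filter, an OR filter for two weak-auth
# flags, and the decoded sample.
uac_filter ACCOUNTDISABLE
uac_filter -o PASSWD_NOTREQD DONT_REQ_PREAUTH
printf '%s' "$SAMPLE_LDIF" | uac_report
```

Against a real domain, replace the dn attribute in the ldapsearch command with userAccountControl and pipe the output through uac_report (adding -LLL to ldapsearch keeps the comment lines out of the way); the decoded column makes it easy to separate disabled accounts from ones that are enabled but, say, exempt from Kerberos pre-authentication.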

References

Weblinks

  1. https://www.petri.com/find-disabled-and-inactive-active-directory-users-accounts-with-powershell-revisited
  2. Found from web search string "userAccountControl:1.2.840.113556.1.4.803" https://blogs.technet.microsoft.com/mempson/2011/08/24/useraccountcontrol-flags/
  3. https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro
