Identifying Enabled and Disabled Accounts in Active Directory

Update

Man, how time flies. This post was pulled from the archives and reposted here when I resurrected my blog.

The LDAP queries in the original post are still useful for working out LDAP structure for all sorts of reasons (e.g. configuring 3rd party software), but the simple matter is that PowerShell makes this a shit ton easier if all you want to do is grab a list of users who are enabled, disabled, or locked out. Lockout in particular is far easier this way: whether an account is locked out is worked out from lockoutTime and the domain lockout policy, not from a userAccountControl bit you could put in an LDAP filter.

Get-ADUser -Filter 'enabled -eq $true'
Get-ADUser -Filter 'enabled -eq $false'
Search-ADAccount -LockedOut

Original Post

I’m often asked how to generate a list of enabled and disabled accounts without going through Active Directory and counting each user by hand. There are a multitude of ways to do this, and depending on your version of Windows some of them will or will not be available to you. If you’ve read my other posts, you know that I don’t just write about the latest iteration of the operating system and what is available on it, but try to take a real-world approach: people will be searching for how to perform functions on legacy software. That is a fact.

One of my favorite things in Active Directory Users and Computers is Saved Queries. A saved query is just that: it lets you build a custom search query against Active Directory, save it, and easily re-run it later. And fortunately, saved queries work in any version of Windows that has the Active Directory Users and Computers snap-in; they are not tied to the availability of particular PowerShell cmdlets the way newer functionality is.

The following queries will give you a list of disabled users and a list of enabled users. After the queries, I will show you step by step how to add a custom query in Active Directory Users and Computers.

LDAP Query to Find Disabled Users

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

Here 1.2.840.113556.1.4.803 is the LDAP_MATCHING_RULE_BIT_AND extensible-match rule and 2 is the ACCOUNTDISABLE bit of userAccountControl. The bitwise rule matters because userAccountControl is a bitmask: a disabled normal user is stored as 514 (512 NORMAL_ACCOUNT + 2 ACCOUNTDISABLE), so a plain (userAccountControl=2) equality test would match nothing. The (objectCategory=person)(objectClass=user) pair restricts the result to user accounts, leaving out contacts (also category person) and computer accounts (also class user). Alternatively, Microsoft provides a nice checkbox for this; see the Creating a Custom LDAP Saved Query for Disabled Users section below.

LDAP Query to Find Enabled Users

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

Now, it might sound silly, but the use case is there for finding enabled users as well as disabled users. For example, I have a set of test forests with thousands of test users, most of which are administratively disabled. We have various administrators in my test forests from time to time, and I wanted to make sure that I had a grasp on what other administrators were enabling/disabling for their various testing purposes, both for tracking and for security’s sake.
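To make the bit test concrete, here is an added example (my own illustration, not code from the original post or from any Microsoft tool). It evaluates the two filters above in Python against a handful of constructed user, computer and contact records carrying the same userAccountControl values AD would store, decodes those values into flag names, and shows what a plain equality filter would have returned. The flag values are the standard ones; the account names and records are made up.

```python
"""Added example (not from the original post): evaluate the post's enabled /
disabled filters locally, against constructed records, to show what the
1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) clause tests and why a
plain (userAccountControl=2) would return nothing.  objectCategory is shown
as a short name here; in a real directory it is the DN of the schema class.
No directory is contacted."""
from typing import Dict, List

# userAccountControl flag bits (standard values; only the ones relevant here)
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,             # the "2" in the post's filters
    "LOCKOUT": 0x0010,                    # AD does not maintain this bit; lockoutTime is authoritative
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,             # 512: set on every ordinary user account
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,  # 4096: domain-joined computer accounts
    "DONT_EXPIRE_PASSWORD": 0x10000,      # 65536: used by a later query in the post
}
ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]


def bit_and_match(value: int, mask: int) -> bool:
    """Semantics of (attr:1.2.840.113556.1.4.803:=mask): true iff every bit
    of mask is set in value.  A missing attribute is passed in as 0 (no match)."""
    return value & mask == mask


def decode_uac(value: int) -> List[str]:
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

# Constructed sample objects; the names and values are made up for the example.
OBJECTS: List[Dict] = [
    {"sAMAccountName": "alice", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 512},          # enabled
    {"sAMAccountName": "bob", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 514},          # 512 + 2: disabled
    {"sAMAccountName": "svc_backup", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 66048},        # 512 + 65536
    {"sAMAccountName": "oldtemp", "objectCategory": "person",
     "objectClass": USER_CLASSES, "userAccountControl": 66050},        # 512 + 65536 + 2
    {"sAMAccountName": "WS01$", "objectCategory": "computer",          # computers are class user too
     "objectClass": USER_CLASSES + ["computer"], "userAccountControl": 4096},
    {"sAMAccountName": "ext-contact", "objectCategory": "person",      # contact: no userAccountControl
     "objectClass": ["top", "person", "organizationalPerson", "contact"]},
]


def is_user_account(obj: Dict) -> bool:
    """(&(objectCategory=person)(objectClass=user)): excludes computers (category
    computer) and contacts (not class user)."""
    return obj["objectCategory"] == "person" and "user" in obj["objectClass"]


def disabled_users(objs: List[Dict]) -> List[str]:
    """(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))"""
    return [o["sAMAccountName"] for o in objs
            if is_user_account(o) and bit_and_match(o.get("userAccountControl", 0), ACCOUNTDISABLE)]


def enabled_users(objs: List[Dict]) -> List[str]:
    """The same filter with the bit test wrapped in (!(...))."""
    return [o["sAMAccountName"] for o in objs
            if is_user_account(o) and not bit_and_match(o.get("userAccountControl", 0), ACCOUNTDISABLE)]


def naive_equality_disabled(objs: List[Dict]) -> List[str]:
    """What (userAccountControl=2) would do: compare the whole bitmask for equality."""
    return [o["sAMAccountName"] for o in objs
            if is_user_account(o) and o.get("userAccountControl") == ACCOUNTDISABLE]


if __name__ == "__main__":
    print("disabled:", disabled_users(OBJECTS))            # ['bob', 'oldtemp']
    print("enabled: ", enabled_users(OBJECTS))             # ['alice', 'svc_backup']
    print("equality:", naive_equality_disabled(OBJECTS))   # []
    for o in OBJECTS:
        if "userAccountControl" in o:
            print(f"{o['sAMAccountName']:12} {o['userAccountControl']:6} {decode_uac(o['userAccountControl'])}")
```

Run it as a script to see the three lists and a decoded flag table. The same bit_and_match test, with a different mask, is what the later password-never-expires query relies on.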

Creating a Custom LDAP Saved Query for Disabled Users

NOTE: Saved queries are per-machine (they live in your local MMC console settings), not stored in Active Directory. If you make a saved query on your Active Directory management machine and then remote into a domain controller, you will not see it under Saved Queries on the domain controller. Just FYI in case you are not seeing a saved query.
  • Open Active Directory Users and Computers
  • Right-Click “Saved Queries” > New > Query
  • Type a name, e.g. “Disabled Users”
  • Click “Define Query”

[screenshot: customldap1]

  • Choose the “Common Queries” section if it isn’t already chosen
  • Tick the “Disabled accounts” checkbox and click OK.

[screenshot: customldap2]

  • Click OK on the Edit Query Window
  • The query now appears underneath “Saved Queries” in ADUC. Click it to see the users that are currently disabled.

[screenshot: customldap3]

NOTE: Saved queries are finicky: the results do not refresh on their own. Right-click in the results pane or on the saved query itself and hit Refresh before reading the list, and make it a habit so you always get up-to-date information.

Creating a Custom LDAP Saved Query for Enabled Users

Now the cool part of saved queries: adding your own custom LDAP query. I’ve had to go this route for many data requests: finding a subset of users with X, Y and Z attributes but excluding members of a given group, and so on; the possibilities are endless. The steps are similar to the disabled-users query, but unfortunately Microsoft hasn’t added a checkbox for “Enabled accounts”. Fortunately for us, they do give us the option of entering a custom search query.

  • Open Active Directory Users and Computers
  • Right-Click “Saved Queries” > New > Query
  • Type a name, e.g. “Enabled Users”
  • Click “Define Query”

[screenshot: customldap4]

  • Choose “Custom Search” in the Find drop-down
  • Choose the “Advanced” Tab

[screenshot: customldap5]

  • Enter the following text:

(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))

  • Click OK on the Find Custom Search Window
  • Click OK again on the Edit Query Window
  • The query now appears underneath “Saved Queries” in ADUC. Click it to see the users that are currently enabled.

[screenshot: customldap6]

NOTE: As above, refresh the query (right-click the results pane or the saved query itself and hit Refresh) before trusting the list.

Extending this Functionality

Now that you know the basic way to create custom LDAP queries within the Active Directory Users and Computers snap-in, I’ve included some helpful LDAP queries I could think of or scour from the Internet. One syntax rule to keep in mind: a filter must be a single parenthesised expression, so two conditions written side by side have to be wrapped in an (&...) and. Verify each query against your own forest before relying on it, and feel free to submit your own via the comments or directly to me via email.

Users who have never logged into the domain:

(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))

Caveat: lastLogon is not replicated between domain controllers, so this only reflects logons recorded on the DC you are querying. Run it against each DC, or use the replicated lastLogonTimestamp attribute (which lags real logons by up to the 9 to 14 day replication interval) if a rough picture is enough.

Users created on or after a date

(&(objectCategory=person)(objectClass=user)(whenCreated>=20050407000000.0Z))

The value is a GeneralizedTime (YYYYMMDDHHMMSS.0Z, in UTC), and >= is inclusive.

Users that must change password at next logon

(&(objectCategory=person)(objectClass=user)(pwdLastSet=0))

Users whose password never expires

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

65536 is the DONT_EXPIRE_PASSWORD bit, tested with the same bit-AND rule as the disabled-accounts query. This one is worth running regularly: accounts with non-expiring passwords (typically service accounts) are a common audit finding, and the same syntax works for any other userAccountControl flag.

Users whose first name starts with the letter A

(&(objectCategory=person)(objectClass=user)(givenName=A*))

First name is the givenName attribute; cn (the common name) is normally the full display name, so (cn=A*) would match on that instead.

List all groups whose name starts with DL or GL

(&(objectCategory=group)(|(cn=DL*)(cn=GL*)))

Find Mac OS X Computers on the Domain

(&(objectCategory=computer)(operatingSystem=*OS\20X*))

The \20 is the LDAP filter escape for a space (RFC 4515 hex escaping), so the pattern matches any operatingSystem string containing “OS X”. Note: between versions, Apple likes to tweak how OS X is presented in the OS string: recent versions have shown up as “Apple OS X” or just “OS X”. So I wouldn’t put it past them to change it to something like “Apple OSX”, in which case the above query wouldn’t match because it’s looking for “OS X”. Always do a sanity and verification check; you want to make sure you are actually retrieving the results you should be getting.
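The queries in this section, evaluated locally in Python as an added example (my illustration, not code from the post or from any Microsoft tool). It shows the three things these filters depend on that the saved-query dialog hides: an attribute that is absent versus one set to 0 (lastLogon), GeneralizedTime comparison (whenCreated), and RFC 4515 escaping inside a wildcard pattern (\20 for the space in “OS X”). The records, names and timestamps are constructed for the example.

```python
"""Added example (not from the original post): local evaluation of the
"Extending this Functionality" filters against constructed records, covering
the three filter features they rely on: absent-vs-zero attributes (lastLogon),
GeneralizedTime comparison (whenCreated) and RFC 4515 value escaping with '*'
wildcards (operatingSystem=*OS\\20X*).  No directory is contacted; every
record below is made up."""
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List

DONT_EXPIRE_PASSWORD = 0x10000  # 65536


def parse_generalized_time(value: str) -> datetime:
    """AD GeneralizedTime as written in filters, e.g. '20050407000000.0Z'."""
    if not value.endswith("Z"):
        raise ValueError("expected a UTC GeneralizedTime ending in 'Z'")
    return datetime.strptime(value.split(".")[0], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """lastLogon / pwdLastSet are Windows FILETIMEs: 100 ns ticks since 1601-01-01 UTC."""
    return datetime(1601, 1, 1, tzinfo=timezone.utc) + timedelta(microseconds=filetime // 10)


def ldap_unescape(value: str) -> str:
    """Expand RFC 4515 hex escapes: '\\20' is a space, '\\2a' a literal '*'."""
    return re.sub(r"\\([0-9a-fA-F]{2})", lambda m: chr(int(m.group(1), 16)), value)


def substring_regex(pattern: str) -> re.Pattern:
    """Compile an LDAP substring assertion into a case-insensitive regex.  The
    split on '*' happens before unescaping, so an escaped '\\2a' stays literal."""
    parts = [re.escape(ldap_unescape(p)) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(parts) + "$", re.IGNORECASE | re.DOTALL)


# Constructed user records (FILETIME values are arbitrary non-zero stand-ins).
USERS: List[Dict] = [
    {"sAMAccountName": "alice", "whenCreated": "20040115120000.0Z",
     "lastLogon": 133_000_000_000_000_000, "pwdLastSet": 132_900_000_000_000_000, "userAccountControl": 512},
    {"sAMAccountName": "newhire", "whenCreated": "20050501083000.0Z",
     "lastLogon": 0, "pwdLastSet": 0, "userAccountControl": 512},        # never logged on, must change pwd
    {"sAMAccountName": "svc_backup", "whenCreated": "20050407000000.0Z",  # lastLogon attribute absent
     "pwdLastSet": 132_900_000_000_000_000, "userAccountControl": 66048},
]
# Constructed computer records.
COMPUTERS: List[Dict] = [
    {"cn": "MACBOOK-01", "operatingSystem": "Mac OS X"},
    {"cn": "MACBOOK-02", "operatingSystem": "Apple OS X 10.9"},
    {"cn": "WS01", "operatingSystem": "Windows 10 Enterprise"},
    {"cn": "MACBOOK-03", "operatingSystem": "Apple OSX"},   # the rename the post warns about
]


def never_logged_on(users: List[Dict]) -> List[str]:
    """(|(lastLogon=0)(!(lastLogon=*))): absent and zero both count."""
    return [u["sAMAccountName"] for u in users if u.get("lastLogon", 0) == 0]


def created_on_or_after(users: List[Dict], when: str) -> List[str]:
    """(whenCreated>=when): inclusive comparison on parsed GeneralizedTime."""
    cutoff = parse_generalized_time(when)
    return [u["sAMAccountName"] for u in users if parse_generalized_time(u["whenCreated"]) >= cutoff]


def must_change_password(users: List[Dict]) -> List[str]:
    """(pwdLastSet=0)"""
    return [u["sAMAccountName"] for u in users if u.get("pwdLastSet") == 0]


def password_never_expires(users: List[Dict]) -> List[str]:
    """(userAccountControl:1.2.840.113556.1.4.803:=65536)"""
    return [u["sAMAccountName"] for u in users
            if (u.get("userAccountControl", 0) & DONT_EXPIRE_PASSWORD) == DONT_EXPIRE_PASSWORD]


def match_os(computers: List[Dict], pattern: str) -> List[str]:
    """(operatingSystem=<pattern>) with LDAP wildcard and escape semantics."""
    rx = substring_regex(pattern)
    return [c["cn"] for c in computers if rx.match(c.get("operatingSystem", ""))]


if __name__ == "__main__":
    print(never_logged_on(USERS))                            # ['newhire', 'svc_backup']
    print(created_on_or_after(USERS, "20050407000000.0Z"))  # ['newhire', 'svc_backup']
    print(must_change_password(USERS))                       # ['newhire']
    print(password_never_expires(USERS))                     # ['svc_backup']
    print(match_os(COMPUTERS, r"*OS\20X*"))                  # ['MACBOOK-01', 'MACBOOK-02']
    print(match_os(COMPUTERS, r"*OS\20X"))                   # ['MACBOOK-01']  (no trailing wildcard)
```

Run it as a script to print each list. The second match_os call shows what a pattern without the trailing * misses when the operatingSystem string carries a suffix, which is the sanity check the note above is asking for.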

Many, many more are available from Google, with a nice repository here: http://www.lazywinadmin.com/2010/09/active-directory-saved-queries-aduc-mmc.html

 
