How to check if a specific list of user accounts are disabled in AD, using powershell v2.0 or CMD

  • Question

  • Hi guys, I have a list of user accounts in txt format.

    I need to check every user by the sAMAccountName and determine if their account is disabled or not.

    The catch is that I cannot use a powershell version higher than 2.0, also the Active Directory module is not installed on the DC in question. 

    Can anyone help me to accomplish this from CMD or VBSCRIPT / Powershell v2.0?

    Much appreciated.

    Monday, September 5, 2016 1:40 PM

Answers

  • If you don't have the Active Directory module, then Get-ADUser is not available. But you can use the dsquery * command line utility, as follows:

    dsquery * -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)"

    This will return the DN of all disabled users. You can use the -Attr parameter to retrieve other attributes.

    I would add that as long as you have at least one Windows Server 2008 R2 DC (or above), you should be able to use the AD module cmdlets. The client would need RSAT.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)


    • Edited by Richard Mueller (MVP, Moderator) Monday, September 5, 2016 2:31 PM: adding closing quote in code, and the * character
    • Marked as answer by ThaNa70s Monday, September 5, 2016 3:01 PM
    Monday, September 5, 2016 2:14 PM
    Moderator
  • Sorry, I need my morning coffee. I missed the closing quote character you spotted, but I also missed the "*" character. The command is "dsquery *". I corrected my code snippet above.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by ThaNa70s Monday, September 5, 2016 3:01 PM
    Monday, September 5, 2016 2:32 PM
    Moderator
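
The check the question asks for (each sAMAccountName from a text file, tested against the same disabled bit, 2, that the dsquery filter above matches), as an added example that is not part of the original thread or any poster's code. It uses only the .NET DirectorySearcher class, so it runs on PowerShell 2.0 without the Active Directory module; the file path C:\temp\users.txt and the helper name ConvertTo-LdapFilterValue are assumptions.

```powershell
# Added example; runs on PowerShell 2.0 without the ActiveDirectory module.
# Assumption: hypothetical input file, one sAMAccountName per line.
$listPath = 'C:\temp\users.txt'

# Hypothetical helper: escape LDAP filter metacharacters (RFC 4515) so a
# name containing * ( ) or \ cannot change the meaning of the filter.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' `
           -replace '\(', '\28' -replace '\)', '\29' -replace '\x00', '\00'
}

# With no SearchRoot set, DirectorySearcher searches the current domain.
$searcher = New-Object System.DirectoryServices.DirectorySearcher
[void]$searcher.PropertiesToLoad.Add('userAccountControl')

Get-Content $listPath | Where-Object { $_.Trim() } | ForEach-Object {
    $name = $_.Trim()
    $safe = ConvertTo-LdapFilterValue $name
    $searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$safe))"
    $hit = $searcher.FindOne()

    if ($hit -eq $null) {
        # No such account in the domain: report it, do not treat it as disabled.
        $status = 'NotFound'
    } else {
        # Bit 2 (ACCOUNTDISABLE) is the bit the thread's filter tests with
        # the bitwise-AND matching rule 1.2.840.113556.1.4.803.
        $uac = [int]$hit.Properties['useraccountcontrol'][0]
        if ($uac -band 2) { $status = 'Disabled' } else { $status = 'Enabled' }
    }
    New-Object PSObject -Property @{ sAMAccountName = $name; Status = $status }
} | Select-Object sAMAccountName, Status
```

Names reported as NotFound are worth reviewing separately, since a typo in the list looks the same as an account that no longer exists.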

All replies

  • Hi Thanatos,

    Well, you can use Get-ADUser for that. Here's an example:

    Get-ADUser -Filter { samaccountname -eq "FWN" -and enabled -eq $false }

    This will only return an object when the user is disabled. So if it doesn't return an object, that would be bad ...

    Cheers,
    Fred


    There's no place like 127.0.0.1

    Monday, September 5, 2016 2:02 PM
  • Hi Richard,

    Thanks for your answer, I have tried that command and got the following error:

    dsquery failed:The parameter is incorrect.:Incorrect object type specified. type dsquery /? for help.

    Tried both 

    dsquery -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2) and 
    dsquery -Filter "(userAccountControl:1.2.840.113556.1.4.803:=2)" (" at the end)

    What I'm trying to achieve is this:

    1) I have a txt list with sAMAccountNames

    2) I need to query each account name and verify whether it is disabled

    3) If the account is disabled, delete it from AD

    I have only asked about the first part, I'll just delete them manually if there isn't another way, but first I need to check all the accounts in my list to see if they are disabled or not.

    • Edited by ThaNa70s Monday, September 5, 2016 2:30 PM
    Monday, September 5, 2016 2:29 PM
  • Yup, this worked. Thanks again Richard :)

    I'll filter the text file by hand and compare it with my initial list.

    Any idea how to delete the AD accounts that are in my list?

    I have a VBS script that I used before to disable accounts from a list, maybe this can be modified to delete them, let me know if you want to see it? Or should I post a separate question?

    EDIT: I'll just raise another question, thanks again Richard :)

    • Edited by ThaNa70s Monday, September 5, 2016 3:01 PM
    Monday, September 5, 2016 2:47 PM