Hack 27 Get a List of Disabled Accounts


Here's a fast way to find
any disabled user accounts in your Active Directory forest.
Disabled accounts are accounts that still
exist in Active Directory but cannot be used to log on to the
network. For example, when an employee moves on to a different
company, a common practice is to disable the
individual's user account instead of deleting it.
That way, the account can be reassigned to the
individual's replacement, renamed, and used to
access all the resources the previous employee had permission to
access. Sometimes, though, you might forget which accounts have been
disabled on your network, and it would be nice to have a way to find
all disabled accounts.
You can use this VBScript to do just that: locate all of the
disabled accounts in Active Directory. This is useful for inventory
purposes but also for security: for example, to verify that the
Guest account and other vulnerable accounts are in fact still
disabled on your network.
The Code
Simply type the script into Notepad (with Word Wrap turned off) and
save it with a .vbs extension as
DisabledAccounts.vbs:
' Bit in userAccountControl that marks an account as disabled
Const ADS_UF_ACCOUNTDISABLE = 2

' Query the Global Catalog through the ADSI OLE DB provider
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Open "Provider=ADsDSOObject;"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
' Page the results so forests with more than 1,000 users are not truncated
objCommand.Properties("Page Size") = 1000
objCommand.CommandText = _
    "<GC://dc=rootdomain,dc=com>;(objectCategory=User)" & _
    ";userAccountControl,distinguishedName;subtree"
Set objRecordSet = objCommand.Execute

intCounter = 0
While Not objRecordSet.EOF
    intUAC = objRecordSet.Fields("userAccountControl").Value
    ' Bitwise And: a non-zero result means the disabled flag is set
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        WScript.Echo objRecordSet.Fields("distinguishedName").Value & " is disabled"
        intCounter = intCounter + 1
    End If
    objRecordSet.MoveNext
Wend
WScript.Echo vbCrLf & "A total of " & intCounter & " accounts are disabled."
objConnection.Close
Make sure you have the latest scripting engines on the workstation
you run this script from. You can download the latest scripting
engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169).
Also, when working with the Active Directory Services Interface
(ADSI), you must have the same applicable rights you need to use the
built-in administrative tools.
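The script above works by fetching every user from the Global Catalog and testing one bit of userAccountControl on the client. The following Python is an added example, not part of the original hack, that shows the same bit test on a constructed set of (distinguishedName, userAccountControl) rows, decodes the other well-known flags in that attribute, builds the equivalent server-side LDAP filter (using the bitwise-AND matching rule so the domain controller returns only disabled users), and performs the security check the text mentions: confirming that accounts such as Guest that should stay disabled really are. The sample rows and DNs are constructed, not real directory data; the flag values and the matching-rule OID are Microsoft's documented ones.

```python
"""Decode userAccountControl (UAC) flags and find disabled accounts.

Added example; not part of the original hack. It runs on a constructed
list of rows shaped like the ones the VBScript reads, so it works offline.
"""

# Well-known userAccountControl flag values (ADS_USER_FLAG_ENUM).
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "NORMAL_ACCOUNT": 0x0200,
    "DONT_EXPIRE_PASSWD": 0x10000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
}
ADS_UF_ACCOUNTDISABLE = UAC_FLAGS["ACCOUNTDISABLE"]

# LDAP bitwise-AND extensible matching rule (LDAP_MATCHING_RULE_BIT_AND).
LDAP_MATCHING_RULE_BIT_AND = "1.2.840.113556.1.4.803"


def is_disabled(uac):
    """Same test as the script's 'If intUAC And ADS_UF_ACCOUNTDISABLE'."""
    return bool(int(uac) & ADS_UF_ACCOUNTDISABLE)


def decode_uac(uac):
    """Return the names of all known flags set in a UAC value."""
    uac = int(uac)
    return [name for name, bit in UAC_FLAGS.items() if uac & bit]


def disabled_users_filter():
    """Server-side LDAP filter equivalent to the script's client-side loop:
    the DC returns only user objects whose disabled bit is set."""
    return ("(&(objectCategory=person)(objectClass=user)"
            f"(userAccountControl:{LDAP_MATCHING_RULE_BIT_AND}:="
            f"{ADS_UF_ACCOUNTDISABLE}))")


def find_disabled(records):
    """Return the DNs of disabled accounts from (dn, uac) rows."""
    return [dn for dn, uac in records if is_disabled(uac)]


def check_expected_disabled(records, expected_dns):
    """Verify that accounts which should stay disabled (e.g. Guest) are.

    Returns (enabled, missing): DNs that are NOT disabled, and DNs that
    were not present in the result set at all (also worth investigating).
    """
    by_dn = {dn: uac for dn, uac in records}
    enabled = [dn for dn in expected_dns
               if dn in by_dn and not is_disabled(by_dn[dn])]
    missing = [dn for dn in expected_dns if dn not in by_dn]
    return enabled, missing


# Constructed sample rows (hypothetical DNs, not real directory data).
SAMPLE = [
    ("CN=Guest,CN=Users,DC=rootdomain,DC=com", 66082),        # disabled Guest
    ("CN=jdoe,OU=Staff,DC=rootdomain,DC=com", 512),           # normal, enabled
    ("CN=asmith,OU=Staff,DC=rootdomain,DC=com", 514),         # normal, disabled
    ("CN=svc-backup,OU=Service,DC=rootdomain,DC=com", 66048), # enabled, pw never expires
    ("CN=bjones,OU=Staff,DC=rootdomain,DC=com", 530),         # disabled and locked out
]

if __name__ == "__main__":
    for dn in find_disabled(SAMPLE):
        print(f"{dn} is disabled ({', '.join(decode_uac(dict(SAMPLE)[dn]))})")
    print(f"\nA total of {len(find_disabled(SAMPLE))} accounts are disabled.")
    print("Server-side filter:", disabled_users_filter())
    enabled, missing = check_expected_disabled(
        SAMPLE, ["CN=Guest,CN=Users,DC=rootdomain,DC=com"])
    print("Expected-disabled accounts that are enabled:", enabled or "none")
```

The filter string returned by disabled_users_filter() can be used as the LDAP filter in any directory client in place of the page's (objectCategory=User), so that paging and filtering happen on the domain controller rather than in the loop.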
Running the Hack
To use the script, simply change this line to specify your own forest
root domain:
"<GC://dc=rootdomain,dc=com>;(objectCategory=User)" & _
For example, if your forest root domain is
mtit.com, then the line should read:
"<GC://dc=mtit,dc=com>;(objectCategory=User)" & _
Then, run the script by creating a shortcut to it and double-clicking
on the shortcut. The output of the script is a series of dialog boxes,
an example of which is shown in Figure 3-2.
Figure 3-2. Displaying disabled domain user accounts

Rod Trent