how do I display the msDS-UserAccountDisabled attribute

BRUCE001 Posted: 03-03-2010 1:15 AM

I have written the following Powershell script and it appears to work with ADAM.

$dn = "OU=Organizational_Unit_01,O=Microsoft,C=US"
$domain = "LDAP://localhost:389/$dn"

$root = New-Object DirectoryServices.DirectoryEntry $domain

$search = New-Object DirectoryServices.DirectorySearcher
$search.SearchRoot = $root
$Search.SearchScope = "subtree"

$objectList = $search.findall() | where {$_.properties.objectcategory -match "CN=Person"}

Write-Host " "
Write-Host "There are $($objectList.count) users in the $($root.name) domain ,,,"
Write-Host " "

foreach ($object in $objectList)
{
   $properties = $object.properties 
 
   Write-Host "Name              : $($properties.name)"
   Write-Host "User ID           : $($properties.uid)"
   Write-Host "Company           : $($properties.company)"
   Write-Host "Class             : $($properties.objectclass)"
   Write-Host "Distinguished Name: $($properties.distinguishedname)"
   Write-Host "Path              : $($properties.adspath)"
   Write-Host "Category          : $($properties.objectcategory)"
   Write-Host " "
}

How do I extend the above script to ...

(1) display the msDS-UserAccountDisabled attribute - for example, the following code does not work ...

      Write-Host "Account Disabled         : $($properties.msDS-UserAccountDisabled)" 

(2) display all object attributes [without having to identify each one]

Thanks for your recommendation ...

Bruce

As far as I know domain user accounts don't have the msDS-UserAccountDisabled property.

If your goal is to find disabled users you can use this snippet of code:

$dn = "OU=Organizational_Unit_01,O=Microsoft,C=US"

# it's much faster to use LDAP filter than to look for all users and then pipe to Where-Object
$filter = "(&(objectCategory=Person)(objectClass=User)(userAccountControl:1.2.840.113556.1.4.803:=2))"
$root = New-Object System.DirectoryServices.DirectoryEntry("LDAP://RootDSE")

$searcher = New-Object System.DirectoryServices.DirectorySearcher $filter
$searcher.SearchRoot = "LDAP://$dn"
$searcher.SearchScope = "SubTree"
$searcher.SizeLimit = 0
$searcher.PageSize = 1000

$disabledusers = $searcher.FindAll() | Foreach-Object { $_.GetDirectoryEntry() }

Then you can use

$disabledusers.count      # to get their number

or 

$disabledusers[<index_number>] | format-list *    # to output properties of individual disabled users 

 

You might find this function interesting as well - http://powershell.com/cs/media/p/3128.aspx

 

-aleksandar

http://powershellers.blogspot.com
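
An added example, not code from either poster: it reads a hyphenated attribute such as msDS-UserAccountDisabled through the property collection's indexer and lists every returned attribute without naming each one, which is what an account-status audit of the directory needs. The function names are hypothetical, the sample entry is constructed, and it assumes the search actually returns the attribute for the user objects.

```powershell
# Added example. Helper names are hypothetical; the sample values are constructed.

function Get-LdapValue {
    # Read one attribute through the indexer. The dotted form
    # $properties.msDS-UserAccountDisabled fails because "-" parses as subtraction.
    param($Properties, [string]$Name)
    $values = $Properties[$Name.ToLowerInvariant()]   # SearchResult keys are lower case
    if ($null -eq $values) { return $null }           # attribute not set or not returned
    return (@($values) -join '; ')                    # flatten multi-valued attributes
}

function Get-LdapAttributeTable {
    # Emit one object per attribute present on the entry.
    param($Properties)
    foreach ($entry in $Properties.GetEnumerator()) {
        New-Object PSObject -Property @{
            Attribute = $entry.Key
            Value     = Get-LdapValue $Properties $entry.Key
        }
    }
}

function Test-AccountDisabled {
    # $true only when the attribute is present and TRUE; a missing attribute gives $false.
    param($Properties)
    (Get-LdapValue $Properties 'msDS-UserAccountDisabled') -eq 'True'
}

# Constructed stand-in for $object.Properties from a SearchResult.
$sample = @{
    'name'                     = 'Test User 01'
    'distinguishedname'        = 'CN=Test User 01,OU=Organizational_Unit_01,O=Microsoft,C=US'
    'objectclass'              = @('top', 'person', 'user')
    'msds-useraccountdisabled' = $true
}

Get-LdapAttributeTable $sample | Sort-Object Attribute |
    Format-Table Attribute, Value -AutoSize
Write-Host "Account Disabled  : $(Test-AccountDisabled $sample)"

# Against the live instance, pass $object.Properties in place of $sample
# inside the foreach loop of the first script.
```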

 

Copyright 2011 PowerShell.com. All rights reserved.