Hack 27 Get a List of Disabled Accounts



Here's a fast way to find all of the disabled user accounts in your Active Directory forest.

Disabled accounts are accounts that still exist in Active Directory but cannot be used to log on to the network. For example, when an employee moves on to a different company, a common practice is to disable the individual's user account instead of deleting it. That way, the account can be reassigned to the individual's replacement, renamed, and used to access all the resources the previous employee had permission to access. Sometimes, though, you might forget which accounts have been disabled on your network, and it would be nice to have a way to find all disabled accounts.

You can use this VBScript to do just that: locate all of the disabled accounts in Active Directory. This is useful for inventory purposes but also for security: for example, to verify that the Guest account and other vulnerable accounts are in fact still disabled on your network.

The Code

Simply type the script into Notepad (with Word Wrap turned off) and save it with a .vbs extension as DisabledAccounts.vbs:

 ' Bit 2 of userAccountControl (ADS_UF_ACCOUNTDISABLE) marks a disabled account
 Const ADS_UF_ACCOUNTDISABLE = 2

 ' Open an ADO connection through the ADSI OLE DB provider
 Set objConnection = CreateObject("ADODB.Connection")
 objConnection.Open "Provider=ADsDSOObject;"

 ' Query the global catalog for every user object in the forest,
 ' returning only the two attributes the script needs
 Set objCommand = CreateObject("ADODB.Command")
 objCommand.ActiveConnection = objConnection
 objCommand.CommandText = _
     "<GC://dc=rootdomain,dc=com>;(objectCategory=User)" & _
     ";userAccountControl,distinguishedName;subtree"
 Set objRecordSet = objCommand.Execute

 intCounter = 0
 While Not objRecordSet.EOF
     intUAC = objRecordSet.Fields("userAccountControl").Value
     ' Bitwise And: a nonzero result means the disable flag is set
     If intUAC And ADS_UF_ACCOUNTDISABLE Then
         WScript.Echo objRecordSet.Fields("distinguishedName").Value & " is disabled"
         intCounter = intCounter + 1
     End If
     objRecordSet.MoveNext
 Wend

 WScript.Echo vbCrLf & "A total of " & intCounter & " accounts are disabled."
 objConnection.Close

Make sure you have the latest scripting engines on the workstation you run this script from. You can download the latest scripting engines from the Microsoft Scripting home page (http://msdn.microsoft.com/library/default.asp?url=/nhp/Default.asp?contentid=28001169). Also, when working with Active Directory Service Interfaces (ADSI), you must have the same rights you would need to use the built-in administrative tools.

Running the Hack

To use the script, simply change this line to specify your own forest root domain:

 "<GC://dc=rootdomain,dc=com>;(objectCategory=User)" & _

For example, if your forest root domain is mtit.com, then the line should read:

 "<GC://dc=mtit,dc=com>;(objectCategory=User)" & _ 

Then, run the script by creating a shortcut to it and double-clicking on the shortcut. The output of the script is a series of dialog boxes, an example of which is shown in Figure 3-2.

Figure 3-2. Displaying disabled domain user accounts
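The same inventory written in PowerShell, as an added example that is not the book's script. It uses the System.DirectoryServices classes that ship with .NET (so no RSAT module is required), and it goes one step beyond the VBScript: the disabled-bit test is done by the global catalog itself through the LDAP bit-AND matching rule, so only disabled accounts cross the wire, and the result is then checked against a list of accounts that must stay disabled, which is the security use the text describes. The search root dc=rootdomain,dc=com is a placeholder for your forest root, exactly as in the VBScript.

```powershell
# Added example (not the book's script): find disabled accounts across the forest
# with System.DirectoryServices and let the global catalog do the bit test.
# "dc=rootdomain,dc=com" is a placeholder; substitute your own forest root domain.

$ADS_UF_ACCOUNTDISABLE      = 2                          # same flag the VBScript tests
$LDAP_MATCHING_RULE_BIT_AND = '1.2.840.113556.1.4.803'   # server-side bitwise AND on an attribute

function Get-DisabledAccount {
    param([string]$SearchRoot = 'GC://dc=rootdomain,dc=com')

    $root     = New-Object System.DirectoryServices.DirectoryEntry($SearchRoot)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)

    # Only user objects whose userAccountControl has bit 2 set are returned,
    # instead of fetching every user and testing the bit client-side.
    $searcher.Filter = '(&(objectCategory=person)(objectClass=user)' +
                       "(userAccountControl:${LDAP_MATCHING_RULE_BIT_AND}:=$ADS_UF_ACCOUNTDISABLE))"
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize    = 1000   # turn on paging; otherwise results stop at the server's page limit
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('distinguishedName', 'sAMAccountName', 'userAccountControl'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                SamAccountName     = [string]$r.Properties['samaccountname'][0]
                DistinguishedName  = [string]$r.Properties['distinguishedname'][0]
                UserAccountControl = [int]$r.Properties['useraccountcontrol'][0]
            }
        }
    }
    finally {
        $results.Dispose()
    }
}

$disabled = @(Get-DisabledAccount)
$disabled | Sort-Object DistinguishedName | ForEach-Object { "$($_.DistinguishedName) is disabled" }
"`nA total of $($disabled.Count) accounts are disabled."

# Security check from the text: confirm that accounts which must stay disabled
# still are. Extend the list with any other account you keep disabled by policy.
$mustBeDisabled = @('Guest')
foreach ($name in $mustBeDisabled) {
    if (-not ($disabled | Where-Object { $_.SamAccountName -eq $name })) {
        Write-Warning "$name is not in the disabled list: it has been enabled or was not found. Investigate."
    }
}
```

Because the query goes to a global catalog, accounts from every domain in the forest are returned, so the same sAMAccountName can appear more than once (for example one Guest per domain); match on DistinguishedName instead if you need per-domain checks. Run the script under an account that can read userAccountControl, the same rights the built-in tools need, as noted above.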

Rod Trent



Windows Server Hacks, by Mitch Tulloch. ISBN 0596006470, 2004, 163 pages.
