Findind unactivated accounts

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

I'm sure this has been asked before but what indicates an ad user
account is not enabled, specifically when using something like adfind.

adfinds faq states

<snip>
How do I search for disabled user accounts across the entire forest?

adfind -gc -b -bit -f
"&(objectcategory=person)(samaccountname=*)(useraccountcontrol:AND:=2)"
-dn

</snip>

However I don't understand how this works

TIA Paul

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

Hmmm I know a little about adfind....

Basically, the -bit combined with the :AND:= creates a bitwise comparison for
the search. You look at specific bits in the useraccountcontrol value, not the
entire value. This is because this information in userAccountControl is a DWORD
value where the bits individually mean different things. See

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adsi/adsi/ads_user_flag_enum.asp

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
www.joeware.net


Paul Johnston wrote:
> I'm sure this has been asked before but what indicates an ad user
> account is not enabled, specifically when using something like adfind.
>
> adfinds faq states
>
> <snip>
> How do I search for disabled user accounts across the entire forest?
>
> adfind -gc -b -bit -f
> "&(objectcategory=person)(samaccountname=*)(useraccountcontrol:AND:=2)"
> -dn
>
> </snip>
>
> However I don't understand how this works
>
> TIA Paul
>
>
>

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Fri, 28 Jan 2005 12:38:59 +0000, Paul Johnston
<paul.johnston_nospam@umist.ac.uk> wrote:

>I'm sure this has been asked before but what indicates an ad user
>account is not enabled, specifically when using something like adfind.
>
>adfinds faq states
>
><snip>
>How do I search for disabled user accounts across the entire forest?
>
>adfind -gc -b -bit -f
>"&(objectcategory=person)(samaccountname=*)(useraccountcontrol:AND:=2)"
>-dn
>
> </snip>
>
>However I don't understand how this works
>
>TIA Paul
>
>

Oops !
Specifically I meant to ask what is it with these 66048 66050 66082
and 66080 useraccountcontrols
:-(
paul

 

[Guest]

Archived from groups: microsoft.public.win2000.active_directory (More info?)

On Fri, 28 Jan 2005 13:02:02 +0000, Paul Johnston <paul.johnston_nospam@umist.ac.uk> wrote:

>On Fri, 28 Jan 2005 12:38:59 +0000, Paul Johnston
><paul.johnston_nospam@umist.ac.uk> wrote:
>
>>I'm sure this has been asked before but what indicates an ad user
>>account is not enabled, specifically when using something like adfind.
>>
>>adfinds faq states
>>
>><snip>
>>How do I search for disabled user accounts across the entire forest?
>>
>>adfind -gc -b -bit -f
>>"&(objectcategory=person)(samaccountname=*)(useraccountcontrol:AND:=2)"
>>-dn
>>
>> </snip>
>>
>>However I don't understand how this works
>>
>>TIA Paul
>>
>>
>
>Oops !
>Specifically I meant to ask what is it with these 66048 66050 66082
>and 66080 useraccountcontrols
>:-(
>paul

See tip 8071 in the 'Tips & Tricks' at http://www.jsiinc.com


Jerold Schulman
Windows Server MVP
JSI, Inc.
http://www.jsiinc.com