I need to find out disabled users from ldap
10,495
You can use this filter:
(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
To find all users with the User-Account-Control value of 0x00000002
Author by
user2631587
Updated on June 05, 2022Comments
-
user2631587 almost 2 years
I am trying to find out whether a user is disabled in ldap using ldapsearch utility but I have been unsuccessful so far. This is what i have got so far
ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password' # extended LDIF # # LDAPv3 # base <basedn> with scope subtree # filter: sAMAccountName=disabled user # requesting: ALL # # search result search: 2 result: 0 Success # numResponses: 1
I have even tried with -LLL nsaccountlock it give me nothing. Its the same with a random string for user as well. I need to find out that the user that I am specifying whether its an active or disabled user or not a user at all. Am I doing something wrong? is there another utility I can use to determine if the user is disabled
-
user2631587 over 6 yearsI tried ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password' (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) but it gave me an error -bash: syntax error near unexpected token `('
-
jwilleke over 6 yearsThat is something to do with bash escaping. Try using quotes (or double quotes) something like ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password' '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
-
user2631587 over 6 yearsok single quotes did work, Thank You, but all I get is this information # extended LDIF # # LDAPv3 # base <ou=Employees,ou=Accounts,ou=Fidelis,DC=ads,DC=fideliscare,DC=org> with scope subtree # filter: sAMAccountName=disabled user # requesting: (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) # # search result search: 2 result: 0 Success
-
mgutt about 2 yearsI tried the userAccountControl value and it returns some disabled accounts, but one specific is not returned. I tried to find any differences through the Windows AD Tools, but was not able to find any. Strange.
-
jwilleke about 2 yearsIt is a disabled account or a "locked out" account? Do you have permissions to read the account?