Finding disabled user accounts

To start off, if you’ve never used LDAP filters, it would be very useful to familiarize yourself with them (they are very handy in any directory implementation of significant size). Some resources on LDAP filters can be found here:

and for a comprehensive coverage of the subject:


And now to the actual LDAP filter we’ll be using:

(&(objectCategory=Person)(UserAccountControl:1.2.840.113556.1.4.803:=2))


Breaking it up

&

The & (AND) operator, so both statements must be true.

(objectCategory=Person)

Will return only user accounts.

(UserAccountControl:1.2.840.113556.1.4.803:=2)

Will return only accounts that have the UserAccountControl attribute flagged as disabled.

The weird number we see here (1.2.840.113556.1.4.803) represents the LDAP_MATCHING_RULE_BIT_AND rule.

Info regarding bitwise filter:

2 is the decimal value for ACCOUNTDISABLE
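
The bitwise match described above, emulated offline in PowerShell as an added example (not code from the original post). The function names and sample accounts are hypothetical; the flag values are the documented UserAccountControl bits.

```powershell
# Added example: offline emulation of the LDAP_MATCHING_RULE_BIT_AND test.
# Documented userAccountControl flag bits (subset).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    LOCKOUT              = 0x0010
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
}

function Get-UacFlagName {
    # Hypothetical helper: names of the known flags set in $Value.
    param([int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Test-BitAndRule {
    # Hypothetical helper: 1.2.840.113556.1.4.803 matches only when
    # every bit of $Mask is set in the stored value.
    param([int]$Value, [int]$Mask)
    ($Value -band $Mask) -eq $Mask
}

# Constructed sample accounts (names and values made up for illustration).
$Samples = @(
    [pscustomobject]@{ Name = 'alice'; UAC = 512 }    # normal account, enabled
    [pscustomobject]@{ Name = 'bob';   UAC = 514 }    # normal account, disabled
    [pscustomobject]@{ Name = 'carol'; UAC = 546 }    # disabled, password not required
    [pscustomobject]@{ Name = 'dave';  UAC = 66048 }  # enabled, password never expires
    [pscustomobject]@{ Name = 'erin';  UAC = 66050 }  # disabled, password never expires
)

# Compare a plain equality test against the bitwise AND rule with mask 2.
$Samples | ForEach-Object {
    [pscustomobject]@{
        Name          = $_.Name
        UAC           = $_.UAC
        Flags         = (Get-UacFlagName $_.UAC) -join ', '
        EqualityMatch = $_.UAC -eq 2
        BitAndMatch   = Test-BitAndRule $_.UAC 2
    }
} | Format-Table -AutoSize
```

Only the values with the ACCOUNTDISABLE bit set (514, 546 and 66050) report BitAndMatch as True, while EqualityMatch is False for every row, which is why a plain (UserAccountControl=2) filter would return nothing for these accounts.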

Note: Pay special attention to this attribute (UserAccountControl) and its flags:


And now to put the filter to work:

Option 1 using the dsquery command

dsquery * -filter "(&(objectCategory=Person)(UserAccountControl:1.2.840.113556.1.4.803:=2))" -limit 3

Note: Use the -limit switch to control the number of objects returned. Use 0 for unlimited.

Option 2 PowerShell

Import-Module ActiveDirectory
# -LDAPFilter takes a string, so pass the filter in single quotes
Get-ADObject -LDAPFilter '(&(objectCategory=Person)(UserAccountControl:1.2.840.113556.1.4.803:=2))'

Option 3 PowerShell using a .NET object (useful in old domains where you cannot use the PowerShell AD module)

$ADSearch = New-Object DirectoryServices.DirectorySearcher
$ADSearch.Filter = '(&(objectCategory=Person)(UserAccountControl:1.2.840.113556.1.4.803:=2))'
$ADSearch.SearchRoot = 'LDAP://DC=Contoso,DC=com'
# Run the search and list the distinguished name of each match
$ADSearch.FindAll() | ForEach-Object { $_.Properties['distinguishedname'] }

Option 4 use ldp.exe

A tutorial on the usage of ldp.exe will be provided in another post.

