#user management

We'll start off with Inactive accounts first, and then work on the disabled accounts after that. Active Directory in Server 2003 has a nice user/computer attribute called lastLogonTimeStamp that can help us keep track of inactive accounts. If you have ever tried to use that attribute, however, you might have come up with something like this…

Part I demonstrated how to find aged or inactive accounts, and in Part II we will look at another lingering account type: disabled accounts. Like inactive accounts, Directory Searchers also come in handy for disabled accounts. We can also, however, read an Active Directory account's status directly from a hidden attribute on the ADSI object. Let's start with the Directory Searcher method. This entry also draws from Bahram’s Blog. The code: $adobjroot = [adsi]'' $objdisabsearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot) $objdisabsearcher.filter = "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" $resultdisabaccn = $objdisabsearcher.findall() | sort path…