Query OU for disabled computers

Discussion:

(too old to reply)

rushtosri

2009-03-19 12:03:51 UTC

Hi Guys,

I'm working on a script to enumerate OUs for disabled computer
objects. Any idea how the query should look like? The following script
can lookup for disabled user accounts. Any thoughts on how to modify
this script to lookup for disabled computer accounts??

Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _
";userAccountControl,distinguishedName;subtree"
Set objRecordSet = objCommand.Execute

intCounter = 0
Do Until objRecordset.EOF
intUAC=objRecordset.Fields("userAccountControl")
If intUAC AND ADS_UF_ACCOUNTDISABLE Then
WScript.echo objRecordset.Fields("distinguishedName") & " is
disabled"
intCounter = intCounter + 1
End If
objRecordset.MoveNext
Loop

Thanks in advance.

Masterplan

2009-03-19 14:30:08 UTC

Permalink

Hi,
It's easier to use dsquery like this:
dsquery computer "OU=your_ou,DC=your_domain,DC=xxx" -disabled
--
Have a nice day!
MCSE, MCITP-EA
winmasterplan.blogspot.com

Post by rushtosri
Hi Guys,
I'm working on a script to enumerate OUs for disabled computer
objects. Any idea how the query should look like? The following script
can lookup for disabled user accounts. Any thoughts on how to modify
this script to lookup for disabled computer accounts??
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection
objCommand.CommandText = _
"<GC://dc=fabrikam,dc=com>;(objectCategory=User)" & _
";userAccountControl,distinguishedName;subtree"
Set objRecordSet = objCommand.Execute
intCounter = 0
Do Until objRecordset.EOF
intUAC=objRecordset.Fields("userAccountControl")
If intUAC AND ADS_UF_ACCOUNTDISABLE Then
WScript.echo objRecordset.Fields("distinguishedName") & " is
disabled"
intCounter = intCounter + 1
End If
objRecordset.MoveNext
Loop
Thanks in advance.

Lanwench [MVP - Exchange]

2009-03-20 00:00:37 UTC

Permalink

Why reinvent the wheel? Check out OldCmp at www.joeware.net.

<snip>

John Fullbright

2009-03-20 01:20:37 UTC

Permalink

Because it's fun (if that's what you call it). Sort of like Karaoke with a
live band in front of 1500 people I suppose ....
;-)

Brendan Enrick says he'll post the video; I'm still waiting...

John

"Lanwench [MVP - Exchange]"

Post by Lanwench [MVP - Exchange]

Why reinvent the wheel? Check out OldCmp at www.joeware.net.
<snip>

Lanwench [MVP - Exchange]

2009-03-20 01:39:27 UTC

Permalink

Post by John Fullbright
Because it's fun (if that's what you call it). Sort of like Karaoke
with a live band in front of 1500 people I suppose ....
;-)
Brendan Enrick says he'll post the video; I'm still waiting...
John

Youtube, baby. :)

Post by John Fullbright
"Lanwench [MVP - Exchange]"

Post by Lanwench [MVP - Exchange]

Why reinvent the wheel? Check out OldCmp at www.joeware.net.
<snip>

Richard Mueller [MVP]

2009-03-20 02:49:15 UTC

Permalink

Besides oldcomp and dsquery, you can revise your VBScript solution. The
filter for computer objects is (objectCategory=computer). Rather than
returning all computer objects and testing the ADS_UF_ACCOUNTDISABLE bit of
userAccountControl, you can query for just the computer objects where that
bit is set. See below:
===========
Option Explicit

Dim adoCommand, adoConnection, strBase, strFilter, strAttributes

Dim objRootDSE, strDNSDomain, strQuery, adoRecordset, strDN

Dim intCounter

' Setup ADO objects.

Set adoCommand = CreateObject("ADODB.Command")
Set adoConnection = CreateObject("ADODB.Connection")
adoConnection.Provider = "ADsDSOObject"
adoConnection.Open "Active Directory Provider"
adoCommand.ActiveConnection = adoConnection

' Search entire Active Directory domain.

Set objRootDSE = GetObject("LDAP://RootDSE")

strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBase = "<LDAP://" & strDNSDomain & ">"

' Filter on disabled computer objects.
strFilter = "(&(objectCategory=computer)" _

& "(userAccountControl:1.2.840.113556.1.4.803:=2))"

' Comma delimited list of attribute values to retrieve.
strAttributes = "distinguishedName"

' Construct the LDAP syntax query.
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
adoCommand.CommandText = strQuery
adoCommand.Properties("Page Size") = 100
adoCommand.Properties("Timeout") = 30
adoCommand.Properties("Cache Results") = False

' Run the query.
Set adoRecordset = adoCommand.Execute

' Enumerate the resulting recordset.

intCount = 0
Do Until adoRecordset.EOF

' Retrieve values and display.
strDN = adoRecordset.Fields("distinguishedName").Value

Wscript.Echo strDN & " is disabled"

intCount = intCount + 1

' Move to the next record in the recordset.
adoRecordset.MoveNext
Loop

' Clean up.

adoRecordset.Close

adoConnection.Close

Wscript.Echo CStr(intCounter) & " computers are disabled.

--
Richard Mueller
MVP Directory Services
Hilltop Lab - http://www.rlmueller.net
--