SQL query for locked Active Directory accounts

I need to query AD to determine if the user account is disabled.

Using a query similar to one used in answers here:

SELECT *
FROM OPENQUERY(ADSI, 'SELECT sAMAccountName
FROM ''LDAP://DC=MyDC,DC=com,DC=uk''
WHERE objectCategory = ''Person''
AND objectClass = ''user''')

I believe that to determine if the account is disabled, I need to somehow use the userAccountControl field. I tried a few things, but they don't seem to work:

WHERE userAccountControl & 2 <> 0
+3
3 answers

Apparently this worked ... it will be ID-10-T :p

+4

Inside OPENQUERY():

AND ''userAccountControl:1.2.840.113556.1.4.803:''<>2

SELECT *
FROM OPENQUERY(ADSI, 'SELECT sAMAccountName
FROM ''LDAP://DC=MyDC,DC=com,DC=uk''
WHERE objectCategory = ''Person''
AND objectClass = ''user''
AND ''userAccountControl:1.2.840.113556.1.4.803:''<>2')
+6

SELECT sAMAccountName
FROM OPENQUERY(ADSI, 'SELECT sAMAccountName, userAccountControl 
FROM ''LDAP://DC=MyDC,DC=com,DC=uk'' 
WHERE objectCategory = ''Person'' 
AND objectClass = ''user''') 
WHERE userAccountControl & 2 <> 0; -- disabled
+5
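
The bit test from the answers above, as an added example that is not part of the original thread. It runs against a constructed table variable instead of the ADSI linked server, so the account names and values are made up; the flag values are the documented userAccountControl bits.

```sql
-- Added example. Constructed rows stand in for the columns that
-- OPENQUERY(ADSI, ...) returns; account names and values are made up.
DECLARE @ad TABLE (sAMAccountName nvarchar(64), userAccountControl int);

INSERT INTO @ad (sAMAccountName, userAccountControl) VALUES
    (N'alice',   512),    -- NORMAL_ACCOUNT
    (N'bob',     514),    -- NORMAL_ACCOUNT | ACCOUNTDISABLE
    (N'svc_sql', 66048),  -- NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD
    (N'carol',   66050),  -- NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | ACCOUNTDISABLE
    (N'kiosk',   544),    -- NORMAL_ACCOUNT | PASSWD_NOTREQD
    (N'old_tmp', 546);    -- NORMAL_ACCOUNT | PASSWD_NOTREQD | ACCOUNTDISABLE

-- userAccountControl is a bit field, so test individual bits with &.
-- An equality test such as "= 514" matches bob only and skips the other
-- disabled rows (66050 and 546), which carry additional flags.
SELECT sAMAccountName,
       userAccountControl,
       CASE WHEN (userAccountControl & 2)     <> 0 THEN 1 ELSE 0 END AS is_disabled,            -- 0x0002  ACCOUNTDISABLE
       CASE WHEN (userAccountControl & 32)    <> 0 THEN 1 ELSE 0 END AS password_not_required,  -- 0x0020  PASSWD_NOTREQD
       CASE WHEN (userAccountControl & 65536) <> 0 THEN 1 ELSE 0 END AS password_never_expires  -- 0x10000 DONT_EXPIRE_PASSWORD
FROM @ad
ORDER BY sAMAccountName;

-- Filter form, as in the outer WHERE of the last answer: the bitwise test
-- is evaluated by SQL Server on the rows the linked server returned.
SELECT sAMAccountName
FROM @ad
WHERE (userAccountControl & 2) <> 0;
```

To run it against the directory, replace `@ad` with the `OPENQUERY(ADSI, ...)` derived table from the last answer, which already returns both columns.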

Source: https://habr.com/ru/post/1715925/
