
Determining Whether an Account Is Enabled or Disabled

Microsoft® Windows® 2000 Scripting Guide

If a user is having trouble logging on to the network, it might be because his or her user account has been disabled. Because of this, checking the status of the disabled flag (ADS_UF_ACCOUNTDISABLE) in the userAccountControl attribute is an important preliminary troubleshooting step. If the account is disabled, you can be reasonably sure that the user's trouble logging on is associated with the disabled status of the user account. It is also a useful security precaution to periodically check that user accounts that should be disabled are in fact disabled.

Scripting Steps

Listing 7.11 contains a script that reads the userAccountControl attribute to determine whether a user account is enabled or disabled. To carry out this task, the script performs the following steps:

  1. Set the ADS_UF_ACCOUNTDISABLE constant equal to the disabled flag in the userAccountControl attribute.

  2. Bind to the user account object by using the GetObject function and the LDAP provider.

  3. Create a variable and initialize it to the integer value of the userAccountControl attribute.

  4. Use the bitwise AND operator to determine whether the flag is set.

  5. Display a message indicating whether the account is enabled or disabled.

Listing 7.11 Checking the Value of the ADS_UF_ACCOUNTDISABLE Flag

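' Bit value of the disabled flag in userAccountControl
Const ADS_UF_ACCOUNTDISABLE = 2

' Bind to the user account object through the LDAP provider
Set objUser = GetObject _
 ("LDAP://cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com")
intUAC = objUser.Get("userAccountControl")

' A nonzero result of the bitwise AND means the disabled flag is set
If intUAC AND ADS_UF_ACCOUNTDISABLE Then
 Wscript.Echo "The account is disabled"
Else
 Wscript.Echo "The account is enabled"
End If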
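
The periodic security check mentioned in the introduction, extending Listing 7.11 from one account to a list of accounts that are expected to be disabled. This is an added example, not part of the original guide; the second distinguished name and the helper names IsDisabled and CheckAccount are hypothetical, and the script assumes it is run with cscript on a computer that can reach the domain.

```vbscript
Option Explicit

Const ADS_UF_ACCOUNTDISABLE = 2

' Constructed sample list: accounts that are expected to be disabled.
' The second entry is a hypothetical name used only for illustration.
Dim arrExpectedDisabled, strDN, strResult, intExceptions
arrExpectedDisabled = Array( _
    "cn=MyerKen,ou=Management,dc=NA,dc=fabrikam,dc=com", _
    "cn=ExampleLeaver,ou=Management,dc=NA,dc=fabrikam,dc=com")

' Returns True only when the disabled bit is set, whatever other flags
' (for example, password never expires) are present in the same value.
Function IsDisabled(intUAC)
    IsDisabled = ((intUAC And ADS_UF_ACCOUNTDISABLE) = ADS_UF_ACCOUNTDISABLE)
End Function

' Binds to one account and reports its state. A failed bind or read is
' reported separately so that a missing object is not mistaken for a pass.
Function CheckAccount(strAccountDN)
    Dim objUser, intUAC
    On Error Resume Next
    Set objUser = GetObject("LDAP://" & strAccountDN)
    If Err.Number = 0 Then intUAC = objUser.Get("userAccountControl")
    If Err.Number <> 0 Then
        CheckAccount = "ERROR 0x" & Hex(Err.Number) & ": could not read account"
        Err.Clear
        Exit Function
    End If
    On Error GoTo 0
    If IsDisabled(intUAC) Then
        CheckAccount = "OK: disabled"
    Else
        CheckAccount = "EXCEPTION: still enabled"
    End If
End Function

intExceptions = 0
For Each strDN In arrExpectedDisabled
    strResult = CheckAccount(strDN)
    ' Anything other than a confirmed disabled account needs follow-up
    If Left(strResult, 3) <> "OK:" Then intExceptions = intExceptions + 1
    WScript.Echo strResult & "  " & strDN
Next

WScript.Echo intExceptions & " account(s) need review"
' A nonzero exit code lets a scheduled job detect that review is needed
If intExceptions > 0 Then WScript.Quit 1
```
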

© 2014 Microsoft