Local Tech Repair: Find Disabled Users in an Active Directory Group.

Saturday, January 24, 2015

Find Disabled Users in an Active Directory Group.

Here is another small PowerShell script that uses LDAP to look up a group and then pull the disabled user accounts that are members of it (directly or through nested groups).

So without further ado, here is the code.

<# Created by LocalTechRepair
Website: http://localtechrepair.blogsplot.com
Date: version: .01
Uses the .NET DirectoryServices searcher ([adsisearcher]) directly, so the
ActiveDirectory module is not required; if you want it loaded anyway, run
import-module ActiveDirectory -WarningAction silentlyContinue

 takes a group name and finds all the disabled users in the group. #>

#gather input and assign variable.
param (
    [Parameter(Mandatory=$true)]
    [string]$Mailbox   # common name (cn) of the group to inspect
)

#escape the characters that have meaning in an LDAP filter (RFC 4515), so a
#group name such as "Sales (EMEA)" or "*" cannot break or widen the query.
function Escape-LdapFilterValue([string]$value) {
    $value = $value -replace '\\', '\5c'   # backslash first, so the escapes below are not re-escaped
    $value = $value -replace '\*', '\2a'
    $value = $value -replace '\(', '\28'
    $value = $value -replace '\)', '\29'
    return ($value -replace "`0", '\00')
}

#start timer
$timer = [System.Diagnostics.Stopwatch]::StartNew()

$outFile = ".\users.csv"
$server = "domaincontroleraddress"                 # domain controller to query
$root = [ADSI]"LDAP://$server/DC=local,DC=com"     # change to your domain's naming context

#pulls the group distinguishedname
$search = [adsisearcher]$root
$Search.Filter = "(&(objectCategory=group)(cn=$(Escape-LdapFilterValue $Mailbox)))"
$groups = $Search.FindAll()

if ($groups.Count -eq 0) {
    Write-Error "no group with cn '$Mailbox' found under $($root.Path)"
    exit 1
}

foreach ($g in $groups) {
    $distinguishedname = [string]$g.Properties.Item('distinguishedName')
    write-output $distinguishedname
    write-output $distinguishedname | out-file $outFile -append
    Write-Output "first_name,last_name,email_address,samaccountname" | out-file $outFile -Append

    #pulls the disabled users: normal user objects (sAMAccountType=805306368) that have the
    #ACCOUNTDISABLE bit (2) set in userAccountControl (bit-AND matching rule ...803) and that
    #are members of the group directly or through nested groups (in-chain matching rule ...1941).
    $search = [adsisearcher]$root
    $Search.Filter = "(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf:1.2.840.113556.1.4.1941:=$(Escape-LdapFilterValue $distinguishedname)))"
    $Search.PageSize = 1000   # page the results, or large groups are cut off at the server's size limit
    $users = $Search.FindAll()

    #outputs to a common formatted csv file.
    foreach ($u in $users) {
        [string]$u.Properties.Item('givenName'), [string]$u.Properties.Item('sn'),
        [string]$u.Properties.Item('mail'), [string]$u.Properties.Item('samaccountname') -join "," |
            out-file $outFile -append
    }
    $users.Dispose()
}
$groups.Dispose()

#cleanup code
$timer.Stop()
Write-Output ("Done in {0:N1} seconds" -f $timer.Elapsed.TotalSeconds)

The main parts of this script that do the work are the two LDAP queries.

The first one is (&(objectCategory=group)(cn=$Mailbox))
This finds the objects that are groups and whose common name (cn) is the group you are searching for. Because the name is dropped straight into the filter, any LDAP filter metacharacters in it (*, (, ), \) must be escaped first, otherwise a name such as * matches every group in the domain and the rest of the script runs against the wrong group.

The second query is
(&(sAMAccountType=805306368)(userAccountControl:1.2.840.113556.1.4.803:=2)(memberOf:1.2.840.113556.1.4.1941:=$distinguishedname))

This finds objects of type person, though I use sAMAccountType=805306368 (SAM_NORMAL_USER_ACCOUNT) since it is faster. It then tests userAccountControl for the disabled status and checks that the user is a member of the group. The two long OIDs are matching rules, not attribute names: 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, which is true when every bit of the value on the right (2 = ACCOUNTDISABLE) is set in the attribute, and 1.2.840.113556.1.4.1941 is LDAP_MATCHING_RULE_IN_CHAIN, which follows nested group membership, so users who are in the group only through a sub-group are returned as well.
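To make the two matching rules concrete, here is an added example (not code from the original post) that evaluates the same conditions locally, on a constructed in-memory directory, so you can see which users the second filter would return and why. The group, users, DNs and helper functions are made up for illustration; a real domain controller does this work server-side.

```powershell
# Added example, not part of the original script: reproduces locally what the
# bit-AND and in-chain matching rules in the second filter ask the DC to evaluate.
# The objects below are constructed; names and DNs are made up.

$ACCOUNTDISABLE          = 0x0002       # userAccountControl bit tested by the filter
$SAM_NORMAL_USER_ACCOUNT = 805306368    # sAMAccountType of ordinary user objects

# Constructed directory: group Sales, nested group Sales EMEA, and four users.
$directory = @(
    [pscustomobject]@{ cn='Sales';      dn='CN=Sales,OU=Groups,DC=local,DC=com';      type='group'; sAMAccountType=268435456; uac=0;       memberOf=@() }
    [pscustomobject]@{ cn='Sales EMEA'; dn='CN=Sales EMEA,OU=Groups,DC=local,DC=com'; type='group'; sAMAccountType=268435456; uac=0;       memberOf=@('CN=Sales,OU=Groups,DC=local,DC=com') }
    [pscustomobject]@{ cn='alice'; dn='CN=alice,OU=Users,DC=local,DC=com'; type='user'; sAMAccountType=805306368; uac=0x10200; memberOf=@('CN=Sales,OU=Groups,DC=local,DC=com') }       # enabled, direct member
    [pscustomobject]@{ cn='bob';   dn='CN=bob,OU=Users,DC=local,DC=com';   type='user'; sAMAccountType=805306368; uac=0x0202;  memberOf=@('CN=Sales,OU=Groups,DC=local,DC=com') }       # disabled, direct member
    [pscustomobject]@{ cn='carol'; dn='CN=carol,OU=Users,DC=local,DC=com'; type='user'; sAMAccountType=805306368; uac=0x0202;  memberOf=@('CN=Sales EMEA,OU=Groups,DC=local,DC=com') }  # disabled, member only via nested group
    [pscustomobject]@{ cn='dave';  dn='CN=dave,OU=Users,DC=local,DC=com';  type='user'; sAMAccountType=805306368; uac=0x0202;  memberOf=@() }                                           # disabled, not a member
)

# (userAccountControl:1.2.840.113556.1.4.803:=2) is LDAP_MATCHING_RULE_BIT_AND:
# true when every bit in the value on the right is set in the attribute.
function Test-BitAnd([int]$attribute, [int]$mask) {
    return (($attribute -band $mask) -eq $mask)
}

# (memberOf:1.2.840.113556.1.4.1941:=<dn>) is LDAP_MATCHING_RULE_IN_CHAIN:
# true when the object is a member of the group directly or through any chain
# of nested groups. $seen guards against nested-group cycles, which real AD allows.
function Test-MemberInChain($obj, [string]$groupDn, $all, [hashtable]$seen = @{}) {
    foreach ($parentDn in $obj.memberOf) {
        if ($parentDn -eq $groupDn) { return $true }
        if ($seen.ContainsKey($parentDn)) { continue }
        $seen[$parentDn] = $true
        $parent = $all | Where-Object { $_.dn -eq $parentDn }
        if ($parent -and (Test-MemberInChain $parent $groupDn $all $seen)) { return $true }
    }
    return $false
}

# Local equivalent of the second filter: normal user objects with ACCOUNTDISABLE set
# that are members of the named group by the in-chain rule.
function Get-DisabledMembers([string]$groupCn, $all) {
    $groupDn = ($all | Where-Object { $_.type -eq 'group' -and $_.cn -eq $groupCn }).dn
    return $all | Where-Object {
        $_.type -eq 'user' -and
        $_.sAMAccountType -eq $SAM_NORMAL_USER_ACCOUNT -and
        (Test-BitAnd $_.uac $ACCOUNTDISABLE) -and
        (Test-MemberInChain $_ $groupDn $all)
    }
}

# carol is included only because of the in-chain rule; alice is enabled and dave is not a member.
(Get-DisabledMembers 'Sales' $directory).cn

# The same data with a plain equality test on memberOf, as (memberOf=<dn>) would do:
# carol drops out, because her memberOf lists only the nested group.
($directory | Where-Object {
    (Test-BitAnd $_.uac $ACCOUNTDISABLE) -and ($_.memberOf -contains 'CN=Sales,OU=Groups,DC=local,DC=com')
}).cn
```

The bit-AND rule is what makes the userAccountControl test correct: the attribute is a bit field (ACCOUNTDISABLE shares it with flags like DONT_EXPIRE_PASSWORD), so (userAccountControl=2) would only match accounts with no other flag set, while the matching-rule form matches any account with bit 2 set. Swap the mask to find accounts with other flags, such as 0x10000 for passwords that never expire.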

Hope that helps you clean the disabled members out of your AD groups.

I will later add a way to search for users who have not logged on to a computer in a year. It could be folded into this script, though it is probably more useful as a script of its own.

Share if you find this useful.

Local Tech Repair Admin