Exporting Disabled AD Accounts

Version 1

    Note:  This is a topic brought over from DameWare Forums which has been closed.  If you wish to engage in this discussion, just comment on this document.


    Original Post

    by blackpool6 on Fri Apr 08, 2011 8:36 am

    I want to start using NT Utilities and the exporter here at work. I have a need to export the user account information on a quarterly basis. This is for SOX auditing purposes.
    Overall I have no problems with the software, except one:

    How do you export the accounts and show which accounts are disabled? I know this is some sort of shared attribute field but I am wondering if the exporter has a way to handle it?

    Thank you.

     


    Re: AD Disabled Accounts

    by blackpool6 on Thu Apr 14, 2011 2:09 pm

    No hints at all? I notice that if I explore the domain that it indicates which users are locked out and which ones are disabled.
    Is there a way I can export that view?

     

    Re: AD Disabled Accounts

    by blackpool6 on Mon Apr 25, 2011 6:52 am

    Tap Tap Tap
    Is this thing on????

    No one else needs or would use this? Is it posted somewhere else? I tried to search but found nothing.

    I see Bryan constantly updating posts but nothing here.

     


    Re: AD Disabled Accounts

    by DawgBone on Tue Apr 26, 2011 4:22 pm

    My experience with Exporter is pretty...well.....non-existent...buuuuutttttt

    I just did one on my AD DC, and I used the standard properties... It tells me some good stuff like...


    <User>
    <UserName>dividingbyzero</UserName>
    <FullName>dividingbyzero</FullName>
    <Comment/>
    <UserComment/>
    <HomeDir/>
    <HomeDirDrive/>
    <ScriptPath/>
    <Profile/>
    <LogonTo>\\*</LogonTo>
    <LastLogon>9/12/2008 3:23:14 PM</LastLogon>
    <LastLogoff>-1</LastLogoff>
    <BadPwCount>0</BadPwCount>
    <NumLogons>434</NumLogons>
    <PwExpires>-1</PwExpires>
    <PwExpired>No</PwExpired>
    <NoExpirePwd>Yes</NoExpirePwd>
    <Disabled>Yes</Disabled>
    <LockedOut>No</LockedOut>
    <NoPwRequired>No</NoPwRequired>
    <UserCantChgPw>Yes</UserCantChgPw>
    <RAS>No</RAS>
    <RASCallback/>
    <SetByCaller/>
    <CallbackNo/>
    <PwAgeInDays>1463</PwAgeInDays>
    <PwLastChg>4/24/2007 2:25:34 PM</PwLastChg>
    </User>
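
The record format shown in the post above, turned into a disabled-account audit list. This is an added example, not part of the original thread and not DameWare's own code. Assumptions: the `<User>` records sit under some wrapper element (a hypothetical `<Users>` here), dates use the month/day/year order seen in the post, flags are `Yes`/`No`, and the second account is constructed sample data.

```python
import csv
import io
import xml.etree.ElementTree as ET
from datetime import datetime

# Constructed sample using element names from the post. The <Users> wrapper and
# the second account are assumptions; the code only looks for <User> elements.
SAMPLE = """<Users>
<User><UserName>dividingbyzero</UserName><LastLogon>9/12/2008 3:23:14 PM</LastLogon>
<NoExpirePwd>Yes</NoExpirePwd><Disabled>Yes</Disabled><LockedOut>No</LockedOut>
<PwAgeInDays>1463</PwAgeInDays></User>
<User><UserName>svc-example</UserName><LastLogon>-1</LastLogon>
<NoExpirePwd>Yes</NoExpirePwd><Disabled>No</Disabled><LockedOut>No</LockedOut>
<PwAgeInDays>30</PwAgeInDays></User>
</Users>"""

FLAGS = ("Disabled", "LockedOut", "NoExpirePwd")

def parse_logon(text):
    """Return a datetime, or None when the field is empty, -1 or unparseable."""
    try:
        return datetime.strptime((text or "").strip(), "%m/%d/%Y %I:%M:%S %p")
    except ValueError:
        return None

def load_users(xml_text):
    """Turn every <User> element into a dict with typed fields."""
    rows = []
    for user in ET.fromstring(xml_text).iter("User"):
        row = {"UserName": (user.findtext("UserName") or "").strip()}
        for flag in FLAGS:
            row[flag] = (user.findtext(flag) or "").strip().lower() == "yes"
        row["LastLogon"] = parse_logon(user.findtext("LastLogon"))
        age = (user.findtext("PwAgeInDays") or "").strip()
        row["PwAgeInDays"] = int(age) if age.isdigit() else None
        rows.append(row)
    return rows

def audit_csv(rows):
    """CSV text with disabled accounts listed first, then by user name."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["UserName", *FLAGS, "LastLogon", "PwAgeInDays"])
    for r in sorted(rows, key=lambda r: (not r["Disabled"], r["UserName"].lower())):
        logon = r["LastLogon"].date().isoformat() if r["LastLogon"] else "never/unknown"
        writer.writerow([r["UserName"], *("Yes" if r[f] else "No" for f in FLAGS),
                         logon, r["PwAgeInDays"] if r["PwAgeInDays"] is not None else ""])
    return out.getvalue()

if __name__ == "__main__":
    print(audit_csv(load_users(SAMPLE)), end="")
```

Feed `load_users` the text of a real export file in place of `SAMPLE`; keeping each quarter's CSV lets the audit compare which accounts changed state between runs.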

     

    Re: AD Disabled Accounts

    by blackpool6 on Tue Apr 26, 2011 8:48 pm

    Thank you!!!
    I used the standard properties instead of the AD export and I see all that I will ever need. Last logon, locked out, disabled, etc.

    Perfect!!

    Thanks Dawg Bone

     

    Re: AD Disabled Accounts

    by auley on Mon Jan 30, 2012 2:28 am

    I haven't seen or noticed such behavior, it might be some scripts set in the background to do this based on the criteria. It can be the behavior of script cell phone spy software to disable and enable the account

     

    Re: AD Disabled Accounts

    by Lisa098 on Fri Feb 03, 2012 2:02 am

    You can use any valid LDAP filter. Other option is to select an unused attribute and stamp them with “DoNotSync” value and exclude them based on this attribute value.

    Usually AdminDisplayName and AdminDescription attributes are not in use.