This discussion has been locked. The information referenced herein may be inaccurate due to age, software updates, or external references.
You can no longer post new replies to this discussion. If you have a similar question you can start a new discussion in this forum.

Exporting Disabled AD Accounts

Note:  This is a topic brought over from DameWare Forums which has been closed.  If you wish to engage in this discussion, just comment on this document.


Original Post

by blackpool6 on Fri Apr 08, 2011 8:36 am

I want to start using NT Utlities and the exporter here at work. I have a need to export the user account information on a quarterly basis. This is for SOX auditing purposes.
Overall I have no problems with the software, except one:

How do you export the
accounts and show which accounts are disabled? I know this is some sort of shared attribute field but I am wondering if the exporter has a way to handle it?

Thank you.


Re:
AD Disabled Accounts

by blackpool6 on Thu Apr 14, 2011 2:09 pm

No hints at all? I notice that if I explore the domain that it indicates which users are locked out and which ones are disabled.
Is there a way I can export that view?

Re: AD Disabled Accounts

by blackpool6 on Mon Apr 25, 2011 6:52 am

Tap Tap Tap
Is this thing on????

No one else needs or would use this? Is it posted somewhere else? I tried to search but found nothing.

I see Bryan constantly updating posts but nothing here.


Re:
AD Disabled Accounts

by DawgBone on Tue Apr 26, 2011 4:22 pm

My experience with Exporter is pretty...well.....non-existent...buuuuutttttt

I just did one on my
AD DC, and I used the standard properties... It tells me some good stuff 

like...


<User>
<UserName>dividingbyzero</UserName>
<FullName>dividingbyzero</FullName>
<Comment/>
<UserComment/>
<HomeDir/>
<HomeDirDrive/>
<ScriptPath/>
<Profile/>
<LogonTo>\\*</LogonTo>
<LastLogon>9/12/2008 3:23:14 PM</LastLogon>
<LastLogoff>-1</LastLogoff>
<BadPwCount>0</BadPwCount>
<NumLogons>434</NumLogons>
<PwExpires>-1</PwExpires>
<PwExpired>No</PwExpired>
<NoExpirePwd>Yes</NoExpirePwd>
<Disabled>Yes</Disabled>
<LockedOut>No</LockedOut>
<NoPwRequired>No</NoPwRequired>
<UserCantChgPw>Yes</UserCantChgPw>
<RAS>No</RAS>
<RASCallback/>
<SetByCaller/>
<CallbackNo/>
<PwAgeInDays>1463</PwAgeInDays>
<PwLastChg>4/24/2007 2:25:34 PM</PwLastChg>
</User>

Re: AD Disabled Accounts

by blackpool6 on Tue Apr 26, 2011 8:48 pm

Thank you!!!
I used the standard properties instead of the
AD export and I see all that I will ever need. Last logon, locked out, disabled, etc.

Perfect!!

Thanks Dawg Bone

Re: AD Disabled Accounts

by auley on Mon Jan 30, 2012 2:28 am

I haven't seen or noticed such behavior, it might be some scripts set in the background to do this based on the criteria.It can be the behavior of script cell phone spy software to disable and enable the account

Re: AD Disabled Accounts

by Lisa098 on Fri Feb 03, 2012 2:02 am

You can use any valid LDAP filter. Other option is to select an unused attribute and stamp them with “DoNotSync” value and exclude them based on this attribute value.

Usually AdminDisplayName and AdminDescription attributes are not in use.