
I have a Debian Samba file server bound to Active Directory as a member server.

We create a staff folder for each employee matching their username on this server.

When employees quit, their Active Directory user account gets deactivated and moved to a deactivated users OU.

I would like to programmatically remove staff folders for employees who have left, but can't find a tool that will distinguish between active and deactivated employees. I have tried: "wbinfo --verbose -i" and "id" commands.

Does anyone know a Linux command that I can use to determine whether an employee is active or deactivated, or alternatively state the OU a user account is located in?

user122992

3 Answers


Suggestion 1

Using LDAP, you can check the userAccountControl property to verify the AD account status.

This flag is binary data expressed as decimals, so you need to ensure the correct decimal value is calculated and checked.

For example:

UF_NORMAL_ACCOUNT =  512
UF_ACCOUNT_DISABLE =   2 +
                     ---
                     514

Therefore, a disabled user account will have userAccountControl = 514.

All user accounts are "normal" accounts (512) - non-normal accounts are things like accounts for domain trusts (2048) etc.

There are a number of other flags in relation to this property, but some are not valid despite appearances otherwise. 512 = active and 514 = disabled is reliable for a standard user account, however.

A useful list of these flags is compiled at SelfADSI.org: http://www.selfadsi.org/ads-attributes/user-userAccountControl.htm

Suggestion 2

Alternatively, in your situation, a simpler LDAP method may be to see if the account path is in the "inactive" OU. If you set your search root to the Inactive OU and then grab the list of accounts present in there, you'd be able to compare those to the list of existing user home drives you'd have.

LeeM
  • A mini-rant: on general principles, I dislike leaving AD accounts lying around past clean-up time for no good reason - sure, keep them disabled for 30 days to ensure no "boomerang" employees have to be recreated at short notice. But there's no good reason to keep them otherwise, and plenty of reasons not to. – LeeM Mar 22 '17 at 13:40
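As an added example (not LeeM's code), a Python script that works from the LDIF that `ldapsearch -LLL -b 'DC=example,DC=internal' '(objectClass=user)' sAMAccountName userAccountControl` prints (base DN, host and authentication method are assumptions) and reports which staff folders belong to disabled accounts. It generalises Suggestion 1 by testing the ACCOUNTDISABLE bit rather than comparing to exactly 514, covers Suggestion 2 with a DN check against an assumed OU name, and reports rather than deletes; the LDIF inside the block is constructed sample data.

```python
import re

UF_ACCOUNT_DISABLE = 0x0002  # userAccountControl bit 2 (Microsoft's definition)
# Constructed sample of the LDIF that ldapsearch -LLL prints; not captured from a real domain.
SAMPLE_LDIF = """\
dn: CN=Alice Example,OU=Staff,DC=example,DC=internal
sAMAccountName: alice
userAccountControl: 512

dn: CN=Bob Example,OU=Deactivated Users,DC=example,DC=internal
sAMAccountName: bob
userAccountControl: 514

dn: CN=Carol Example,OU=Deactivated Users,DC=example,DC=internal
sAMAccountName: carol
userAccountControl: 66050
"""

def parse_ldif(text):
    """Return {samaccountname (lower-cased): (dn, userAccountControl)} from LDIF text."""
    accounts = {}
    for block in re.split(r"\n\s*\n", text.strip()):
        attrs = {}
        for line in block.splitlines():
            key, sep, value = line.partition(":")
            if sep and not line.startswith(" "):  # ignore LDIF continuation lines
                attrs[key] = value.strip()
        if "sAMAccountName" in attrs:
            accounts[attrs["sAMAccountName"].lower()] = (
                attrs.get("dn", ""), int(attrs.get("userAccountControl", "0")))
    return accounts

def is_disabled(uac):
    """Suggestion 1, generalised: test the bit, so 66050 (512 + 2 + 65536) still counts."""
    return bool(uac & UF_ACCOUNT_DISABLE)

def in_ou(dn, ou_name):
    """Suggestion 2: does the entry's DN sit under the named OU? (OU name is an assumption)"""
    return f",ou={ou_name.lower()}," in dn.lower()

def folders_to_remove(staff_folders, accounts):
    """Split folders into (owned by a disabled account, no matching account at all)."""
    disabled, unknown = [], []
    for name in staff_folders:
        entry = accounts.get(name.lower())
        if entry is None:
            unknown.append(name)  # orphan or naming mismatch: needs a human look
        elif is_disabled(entry[1]):
            disabled.append(name)
    return sorted(disabled), sorted(unknown)
```

Feed the real `ldapsearch` output to `parse_ldif` and the listing of the staff directory to `folders_to_remove`; folders in the second list have no account at all and should be checked by hand rather than removed.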

You can parse the 'Account Flags' output of pdbedit to retrieve this information.

This example shows the mechanism for doing it:

root@dc:~# { pdbedit -v -u Disabled.UserName | \
             grep '^Account Flags.*D' >/dev/null; } && echo disabled
disabled
Alex Stragies

You should stick to the openldap ldapsearch utility, which will give you the information you want. The switches that you launch it with and the additional parameters depend on your AD configuration, like the domain name, OU coordinates inside the LDAP root, and so on.

drookie