
I am trying to find out whether a user is disabled in LDAP using the ldapsearch utility, but I have been unsuccessful so far. This is what I have got so far:

ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password'
# extended LDIF
#
# LDAPv3
# base <basedn> with scope subtree
# filter: sAMAccountName=disabled user
# requesting: ALL
#

# search result
search: 2
result: 0 Success

# numResponses: 1

I have even tried with -LLL nsaccountlock; it gives me nothing. It's the same with a random string for the user as well. I need to find out whether the user I am specifying is an active user, a disabled user, or not a user at all. Am I doing something wrong? Is there another utility I can use to determine if the user is disabled?

user207421
user2631587

1 Answer


You can use this filter:

(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))

To find all users with the User-Account-Control value of 0x00000002

jwilleke
  • I tried ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password' (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) but it gave me an error -bash: syntax error near unexpected token `(' – user2631587 Oct 06 '17 at 20:24
  • That is something to do with bash escaping. Try using quotes (or double quotes) something like ldapsearch -h hostname -D 'Service Account' -b 'basedn' sAMAccountName='disabled user' -w 'password' '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))' – jwilleke Oct 07 '17 at 10:49
  • ok single quotes did work, Thank You, but all I get is this information # extended LDIF # # LDAPv3 # base with scope subtree # filter: sAMAccountName=disabled user # requesting: (&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2)) # # search result search: 2 result: 0 Success – user2631587 Oct 09 '17 at 20:57
  • I tried the userAccountControl value and it returns some disabled accounts, but one specific is not returned. I tried to find any differences through the Windows AD Tools, but was not able to find any. Strange. – mgutt Feb 09 '22 at 00:41
  • Is it a disabled account or a "locked out" account? Do you have permissions to read the account? – jwilleke Feb 09 '22 at 09:51
  • If anyone is confused like me, that horrible long number 1.2.840.113556.1.4.803 is the LDAP Rule OID for "Bitwise AND" - see https://learn.microsoft.com/en-us/windows/win32/adsi/search-filter-syntax – codeulike Feb 16 '23 at 11:52
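The following is an added example, not code from the question or the answer. It covers both the question (telling an active user, a disabled user and a non-existent user apart) and the answer's filter: it builds that exact filter with the bitwise-AND matching rule, optionally narrowed to one sAMAccountName with RFC 4515 escaping so the name cannot alter the filter, shows how to hand the filter to ldapsearch as a single argument (which avoids the bash syntax error from the comments), and decodes the userAccountControl bits from ldapsearch's LDIF output. The host, bind DN and base DN are placeholders, and the LDIF is constructed sample output, not a capture from a real directory.

```python
"""Classify AD accounts as active / disabled / not found from ldapsearch LDIF output."""
from typing import Dict, List, Optional

# Bit values from the Microsoft userAccountControl documentation.
ADS_UF_ACCOUNTDISABLE = 0x0002
ADS_UF_LOCKOUT = 0x0010
ADS_UF_NORMAL_ACCOUNT = 0x0200
ADS_UF_DONT_EXPIRE_PASSWD = 0x10000
FLAG_NAMES = {
    ADS_UF_ACCOUNTDISABLE: "ACCOUNTDISABLE",
    ADS_UF_LOCKOUT: "LOCKOUT",
    ADS_UF_NORMAL_ACCOUNT: "NORMAL_ACCOUNT",
    ADS_UF_DONT_EXPIRE_PASSWD: "DONT_EXPIRE_PASSWD",
}

# LDAP_MATCHING_RULE_BIT_AND, the OID used in the answer's filter.
BIT_AND = "1.2.840.113556.1.4.803"


def escape_filter_value(value: str) -> str:
    """RFC 4515 escaping: a caller-supplied name must not inject filter syntax."""
    return "".join("\\%02x" % ord(c) if c in "\\*()\x00" else c for c in value)


def disabled_user_filter(sam_account_name: Optional[str] = None) -> str:
    """The answer's filter, optionally restricted to one sAMAccountName."""
    clauses = ("(objectCategory=person)(objectClass=user)"
               f"(userAccountControl:{BIT_AND}:={ADS_UF_ACCOUNTDISABLE})")
    if sam_account_name is not None:
        clauses += f"(sAMAccountName={escape_filter_value(sam_account_name)})"
    return f"(&{clauses})"


def ldapsearch_argv(host: str, bind_dn: str, base_dn: str, name: str) -> List[str]:
    """argv for subprocess.run(); the filter is one argument, so no shell quoting issues.
    -W prompts for the bind password instead of putting it on the command line."""
    return ["ldapsearch", "-LLL", "-h", host, "-D", bind_dn, "-W", "-b", base_dn,
            disabled_user_filter(name), "sAMAccountName", "userAccountControl"]


def parse_ldif_entries(ldif: str) -> List[Dict[str, List[str]]]:
    """Minimal LDIF reader: skips '#' comments, handles folded lines, keeps only
    records that carry a dn (drops the trailing 'search:/result:' block).
    Base64 ('::') values are not decoded."""
    entries, current, last_attr = [], {}, None
    for line in ldif.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if line == "":
            if "dn" in current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr:        # folded continuation line
            current[last_attr][-1] += line[1:]
            continue
        attr, _, value = line.partition(":")
        last_attr = attr.strip()
        current.setdefault(last_attr, []).append(value.strip())
    return entries


def decode_uac(value: int) -> List[str]:
    """Names of the known userAccountControl bits set in value."""
    return [name for bit, name in FLAG_NAMES.items() if value & bit]


def account_status(entry: Dict[str, List[str]]) -> str:
    uac = int(entry["userAccountControl"][0])
    if uac & ADS_UF_ACCOUNTDISABLE:
        return "disabled"
    if uac & ADS_UF_LOCKOUT:   # rarely set by AD; lockoutTime is the reliable signal
        return "locked out"
    return "active"


def status_of(sam_account_name: str, ldif: str) -> str:
    """Answer the question's three cases: active, disabled, or not a user at all."""
    for entry in parse_ldif_entries(ldif):
        if entry.get("sAMAccountName", [""])[0].lower() == sam_account_name.lower():
            return account_status(entry)
    return "not found"


# Constructed sample output, shaped like ldapsearch's extended LDIF (placeholder domain).
SAMPLE_LDIF = """\
# extended LDIF
#
# LDAPv3
# base <DC=example,DC=test> with scope subtree
# filter: (&(objectCategory=person)(objectClass=user))
# requesting: sAMAccountName userAccountControl
#

# alice, Users, example.test
dn: CN=alice,CN=Users,DC=example,DC=test
sAMAccountName: alice
userAccountControl: 512

# bob, Users, example.test
dn: CN=bob,CN=Users,DC=example,DC=test
sAMAccountName: bob
userAccountControl: 514

# carol, Users, example.test
dn: CN=carol,CN=Users,DC=example,DC=test
sAMAccountName: carol
userAccountControl: 66050

# search result
search: 2
result: 0 Success

# numResponses: 4
# numEntries: 3
"""

if __name__ == "__main__":
    print(disabled_user_filter())
    print(" ".join(ldapsearch_argv("dc.example.test", "CN=svc,CN=Users,DC=example,DC=test",
                                   "DC=example,DC=test", "bob")))
    for name in ("alice", "bob", "carol", "nobody"):
        print(name, status_of(name, SAMPLE_LDIF))
```

Note that the filter in the answer returns only accounts that have the bit set, so an empty result means either "not disabled" or "no such user"; requesting userAccountControl for the user without the bitwise clause and decoding it, as status_of does, is what separates those two cases. Reading the attribute requires read permission on the account, which is the second point raised in the comments.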