JSI Tip 6425. How can I tell if an account is expired, disabled, locked, etc...?

Joe Richards brings us SecData, which, among other things, will semi-translate an Active Directory object's userAccountControl attribute.

When you type SecData /?, you receive:

Secdata V02.03.00cpp Joe Richards ([email protected]) August 2002

 SecData server filter [OPTIONS]

   server       Server to run against.
                Specified in NetBIOS or FQDN Format.
   filter       Filter to compare against sAMAccountName.
                * specifies 1 or more wildcard characters.

   /computers   Enumerate computers instead of users
   /b base      Base to start search from
   /f filter    RFC 1960 search filter

  Ex1: SecData w2kasdc1 admin*
         Gets SecData for all users who are admin*
  Ex2: SecData w2kasdc1 *
         Gets SecData for all users.
  Ex2: SecData joehome.com * /b ou=testusers,dc=joehome,dc=com
         Gets SecData for all users in testusers OU.

 This software is Freeware. Use it as you wish at your own risk.
 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at [email protected]

When you type SecData PDCemulator Guest, you receive a display similar to:

Secdata V02.03.00cpp Joe Richards ([email protected]) August 2002

Processed at jsi001.JSIINC.COM
Default Naming Context: DC=JSIINC,DC=COM
Search base  : DC=JSIINC,DC=COM
Search filter: (&(objectCategory=person)(objectClass=user)(sAMAccountName=Guest))
0000-00:00:00;00/00/0000-00:00:00;03/21/2002-20:51;353;03/21/2002-20:51;353;PWD_NOT_REQ NO_PWD_EXPIRE DISABLED ;
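
The last field of that line is SecData's rendering of the numeric userAccountControl bitmask. The following Python is an added example, not part of the original tip or of SecData: it decodes a raw value using Microsoft's documented UF_* flag names (not SecData's abbreviations) and goes beyond the tip by reading accountExpires, because account expiry is not a userAccountControl bit. The function names and sample values are assumptions of this example.

```python
from datetime import datetime, timedelta, timezone

# UF_* bits as Microsoft documents them for userAccountControl.
# LOCKOUT and PASSWORD_EXPIRED are defined, but domain controllers since
# Windows Server 2003 report them in msDS-User-Account-Control-Computed instead.
UAC_FLAGS = {
    0x0001: "SCRIPT",                      0x0002: "ACCOUNTDISABLE",
    0x0008: "HOMEDIR_REQUIRED",            0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",              0x0040: "PASSWD_CANT_CHANGE",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",  0x0100: "TEMP_DUPLICATE_ACCOUNT",
    0x0200: "NORMAL_ACCOUNT",              0x0800: "INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",   0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",       0x20000: "MNS_LOGON_ACCOUNT",
    0x40000: "SMARTCARD_REQUIRED",         0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",             0x200000: "USE_DES_KEY_ONLY",
    0x400000: "DONT_REQ_PREAUTH",          0x800000: "PASSWORD_EXPIRED",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
    0x4000000: "PARTIAL_SECRETS_ACCOUNT",
}
NEVER = (0, 0x7FFFFFFFFFFFFFFF)  # accountExpires values meaning "never expires"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_uac(value):
    """Return (flag names in bit order, leftover unknown bits) for a UAC value."""
    n = int(str(value), 0)  # accepts 66082 as well as "0x10222"
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if n & bit]
    return names, n & ~sum(UAC_FLAGS)

def account_expired(account_expires, now):
    """accountExpires counts 100-ns ticks since 1601-01-01 UTC."""
    ticks = int(account_expires)
    if ticks in NEVER:
        return False
    return EPOCH_1601 + timedelta(microseconds=ticks // 10) <= now

def account_state(uac, account_expires, now):
    """Combine both attributes into one summary for a single account."""
    names, _ = decode_uac(uac)
    return {"disabled": "ACCOUNTDISABLE" in names,
            "expired": account_expired(account_expires, now),
            "flags": names}

if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    now = datetime.now(timezone.utc)
    for uac, expires in ((66082, 0), (512, 126611424000000000)):
        print(uac, account_state(uac, expires, now))
```
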

I have scripted GETuAC.bat to return the semi-translated userAccountControl attribute. The syntax for using GETuAC.bat is:

GETuAC pdc user uACvar


pdc is the computer name of the PDC emulator.

user is the User Name you wish to interrogate.

uACvar is the name of an environment variable, supplied by the caller, that will be set to the semi-translated userAccountControl attribute. If no attributes are set, nul is returned.

GETuAC.bat contains:

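@echo off
rem GETuAC pdc user uACvar - sets uACvar to SecData's translated userAccountControl flags.
if {%3}=={} goto syntax
setlocal
set pdc=%1
set user=%2
rem Strip any quotes from the server name.
set pdc=%pdc:"=%
if not exist "\\%pdc%\c$" goto syntax
call :parse>nul 2>&1
rem Pass the result out of the local scope into the caller's variable.
endlocal&set %3=%uAC%
goto :EOF
:syntax
@echo Syntax: GETuAC pdc user uACvar
goto :EOF
:parse
rem Take field 16 of SecData's semicolon-delimited output; ## marks the end so a trailing space can be trimmed.
for /f "Tokens=16 Delims=;" %%a in ('secdata "%pdc%" %user%') do set uAC=%%a##
set uAC=%uac: ##=%
set uAC=%uac:##=%
rem If only the column heading was captured, report nul.
if "%uAC%" EQU "userAccountControl" set uAC=nul
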
NOTE: See How do I unlock a user account in a script?
