I'm trying to find more information about checking to see if a user account has been disabled. I have a PHP script that will connect to Active Directory using php_ldap. I can pull all the attributes I need, but how do I find out if the account has been disabled? I can't find an attribute for this.

Thank you in advance
D.P.

    The 'userAccountControl' attribute is a bitmask field, and one of the bitmasks is whether or not the account is disabled.

    Here is the MSDN page that discusses this attribute. As you can see in the table on that page, the 'account is disabled' bitmask is 0x2.

      thank you very much.

      Looks like if useraccountcontrol = 66050 then the account is disabled. I verified all my accounts with that number and they are disabled. This is on a Win 2003 server.

        $name = IMPORTUSER;
        $pass = IMPORTPASSWORD;
        
         $adServer = ADSERVER;
         $ldapconn = ldap_connect($adServer) or die("Could not connect to LDAP server.");
         // Options must be set on the handle returned by ldap_connect()
         ldap_set_option($ldapconn, LDAP_OPT_PROTOCOL_VERSION, 3) or die ("Could not set ldap protocol");
         ldap_set_option($ldapconn, LDAP_OPT_REFERRALS, 0) or die ("Could not set option referrals");
        
         $account = $name;
         $password = $pass;
         $ldaprdn = $account.USERDOMAIN;
         $ldappass = $password;
        
         if ($ldapconn) {
          $ldapbind = ldap_bind($ldapconn, $ldaprdn, $ldappass)  or die("Couldn't bind to AD!");
         }
        
         $dn = ADDN;
         $filter="(|(sn=*))";
         $justthese = array("displayname", "mail", "company", "department", "physicaldeliveryofficename", "mobile", "ipphone", "telephonenumber", "facsimiletelephonenumber", "streetaddress", "l", "st", "postalcode", "c", "title", "samaccountname", "useraccountcontrol");
         $sr=ldap_search($ldapconn, $dn, $filter, $justthese);
         $info = ldap_get_entries($ldapconn, $sr);
        
         for ($i=0; $i < $info["count"]; $i++) {
          if ($info[$i]["useraccountcontrol"][0] == "66050") {
          echo "Name: ".$info[$i]["displayname"][0]."<br>\n";
           echo "Email: ".$info[$i]["mail"][0]."<br>\n";
           echo "Company: ".$info[$i]["company"][0]."<br>\n";
           echo "Department: ".$info[$i]["department"][0]."<br>\n";
           echo "Location: ".$info[$i]["physicaldeliveryofficename"][0]."<br>\n";
           echo "Mobile: ".$info[$i]["mobile"][0]."<br>\n";
           echo "Extension: ".$info[$i]["ipphone"][0]."<br>\n";
           echo "Office: ".$info[$i]["telephonenumber"][0]."<br>\n";
           echo "Fax: ".$info[$i]["facsimiletelephonenumber"][0]."<br>\n";
           echo "Street: ".str_replace(",","",$info[$i]["streetaddress"][0])."<br>\n";
           echo "City: ".$info[$i]["l"][0]."<br>\n";
           echo "State: ".$info[$i]["st"][0]."<br>\n";
           echo "Postal Code: ".$info[$i]["postalcode"][0]."<br>\n";
           echo "Country: ".$info[$i]["c"][0]."<br>\n";
           echo "Title: ".$info[$i]["title"][0]."<br>\n";
           echo "Username: ".$info[$i]["samaccountname"][0]."<br>\n";
           echo "Account Status: ".$info[$i]["useraccountcontrol"][0]."<br>\n";
           echo "<hr>";
          }
         }
        
         ldap_free_result($sr);
         ldap_unbind($ldapconn);
        
          DaemonProjects;10946512 wrote:

          Looks like if useraccountcontrol = 66050 then the account is disabled.

          More generally...

          $acctDisabled = (bool)($userAccountControl & 0x2);

          EDIT: In other words, this:

          if ($info[$i]["useraccountcontrol"][0] == "66050") {

          might not always be accurate. Instead, you should use the bitwise logic I showed above.

            bradgrafelman;10946515 wrote:

            More generally...

            $acctDisabled = (bool)($userAccountControl & 0x2);

            EDIT: In other words, this:

            if ($info[$i]["useraccountcontrol"][0] == "66050") {

            might not always be accurate. Instead, you should use the bitwise logic I showed above.

            ok thank you for your help
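
Added example, not part of any post in this thread: a short PHP sketch showing why comparing against 66050 misses disabled accounts and how the 0x2 bit test catches them. The helper names, the sample values and the search filter constant are constructed for illustration; the flag values come from Microsoft's documented userAccountControl table.

```php
<?php
// Added example, not code from the thread. Sample values are constructed.
// Subset of the documented userAccountControl flags.
const UAC_FLAGS = [
    0x0002  => 'ACCOUNTDISABLE',
    0x0020  => 'PASSWD_NOTREQD',
    0x0200  => 'NORMAL_ACCOUNT',
    0x10000 => 'DONT_EXPIRE_PASSWORD',
];

// ldap_get_entries() returns strings; cast so the & is always an integer
// operation (two string operands would be ANDed byte by byte in PHP).
function uacIsDisabled($uac): bool
{
    return ((int)$uac & 0x0002) !== 0;
}

// Names of the known flags set in a userAccountControl value.
function uacFlagNames($uac): array
{
    $names = [];
    foreach (UAC_FLAGS as $bit => $name) {
        if (((int)$uac & $bit) !== 0) {
            $names[] = $name;
        }
    }
    return $names;
}

// Server-side alternative: let AD do the bit test with the bitwise-AND
// matching rule (OID 1.2.840.113556.1.4.803) instead of filtering in PHP.
const DISABLED_USERS_FILTER =
    '(&(objectCategory=person)(objectClass=user)'
    . '(userAccountControl:1.2.840.113556.1.4.803:=2))';

// Constructed values in the string form ldap_get_entries() returns.
$samples = ['66050', '514', '546', '512', '66048'];
foreach ($samples as $uac) {
    printf(
        "%-6s disabled=%-3s equals66050=%-3s %s\n",
        $uac,
        uacIsDisabled($uac) ? 'yes' : 'no',
        $uac == '66050' ? 'yes' : 'no',
        implode('|', uacFlagNames($uac))
    );
}
```

66050 is 0x10202, a disabled normal account whose password never expires; 514 and 546 are also disabled but fail the equality test, which is how disabled accounts slip through a report or access check built on that comparison.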
