Get user status (disabled or active) in Active Directory with ldap3 Python

kiryha · Jun 22, 2018 · Viewed 8.2k times

I am getting a list of all users in Active Directory and I need to check their status — if the user is active or disabled. I expect that userAccountControl should return user status, but I get only 512 for all users but one (who returns 66048) and this is not correlated with user status (as far as I know).

```python
from ldap3 import Server, Connection

serverName = 'LDAP://server'
domainName = 'name'
userName = 'superuser'
password = 'password'
base = 'longString'

server = Server(serverName)
# Bind as DOMAIN\user; read_only=True keeps this connection from modifying the directory
conn = Connection(server, read_only=True, user='{0}\\{1}'.format(domainName, userName), password=password, auto_bind=True)

# Request the attributes needed for the listing
conn.search(base, '(objectclass=person)', attributes=['displayName', 'mail', 'userAccountControl','sAMAccountName'])

for i in conn.entries:
    # print() with a single argument works on both Python 2 and Python 3
    print('USER = {0} : {1} : {2}'.format(i.sAMAccountName.values[0], i.displayName.values[0], i.userAccountControl.values[0]))
```

```
USER = ABC : John Smith : 512
USER = DEF : Sarah Connor : 514
USER = GHI : Thomas Anderson : 66048
```

Is it a correct way to get user status? Is there any other way to check AD user status with some application with UI?

Answer

kiryha · Jun 22, 2018

According to userAccountControl flags:

512 - Normal account (512),

514 - Disabled account (2 + 512),

66048 - Normal account + don't expire password (65536 + 512).
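The flag arithmetic in the answer above, as an added example that is not part of the original post: it decodes a userAccountControl value bit by bit, reports whether the account is disabled, and lists password-related flags worth reviewing on enabled accounts. The flag table is a subset of the documented bits; the function names, the choice of review flags and the sample values (taken from the question's output) are assumptions made for this example.

```python
# Added example: decode userAccountControl (UAC) bit flags offline.
# Subset of the documented Active Directory UAC bits.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x2000: "SERVER_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x40000: "SMARTCARD_REQUIRED",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
ACCOUNTDISABLE = 0x0002
KNOWN_MASK = sum(UAC_FLAGS)  # keys are distinct bits, so the sum equals their OR

# Assumption for this example: flags an auditor reviews on enabled accounts.
AUDIT_FLAGS = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH"}

# LDAP_MATCHING_RULE_BIT_AND lets the server test one bit, so disabled
# accounts can be selected in the search filter instead of client-side.
BIT_AND = "1.2.840.113556.1.4.803"
DISABLED_FILTER = "(&(objectCategory=person)(objectClass=user)(userAccountControl:{0}:={1}))".format(BIT_AND, ACCOUNTDISABLE)
ENABLED_FILTER = "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:{0}:={1})))".format(BIT_AND, ACCOUNTDISABLE)


def decode_uac(value):
    """Return (flag names in bit order, bits not in UAC_FLAGS)."""
    value = int(value)  # the attribute may arrive as a string
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    return names, value & ~KNOWN_MASK


def account_status(value):
    """Summarise one account: disabled?, decoded flags, flags to review."""
    names, unknown = decode_uac(value)
    disabled = bool(int(value) & ACCOUNTDISABLE)
    review = [] if disabled else sorted(AUDIT_FLAGS.intersection(names))
    return {"disabled": disabled, "flags": names, "unknown_bits": unknown, "review": review}


if __name__ == "__main__":
    # Constructed sample: the three values shown in the question's output.
    for sam, uac in [("ABC", 512), ("DEF", 514), ("GHI", 66048)]:
        s = account_status(uac)
        state = "disabled" if s["disabled"] else "active"
        print("{0}: {1} {2} review={3}".format(sam, state, s["flags"], s["review"]))
```

With ldap3, either filter string can be passed as the second argument of `conn.search` in place of `'(objectclass=person)'`.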