After importing users from Active Directory into a data warehouse for a client, there was a need to filter the list based only on Enabled users. The functionality in Active Directory to indicate Enabled or Disabled is to right click on the user and select Disable Account.
This information does not get stored as a simple ‘Enabled’ or ‘Disabled’ flag, but is stored as part of a bitmask with a combination of various attributes, including whether the account is disabled. You could wade through this Microsoft Support article How to use the UserAccountControl flags to manipulate user account properties, but at a high level what you need to know is that the flags are cumulative. For example, to disable a user’s account the UserAccountControl attribute is set to 0x0202 (0x0002 + 0x0200). In decimal, which is how it will be imported into a SQL table, this is 514 (2 + 512). For a Workstation Trust Account it’s 4098 (4096 + 2). This means that Disabled accounts can have a multitude of values, depending on the type of account and what other attributes have been set.
Simply importing the UserAccountControl would not allow an easy way to identify Enabled vs Disabled accounts. One would have to build a lookup table of all possible combinations of attributes to determine which values in the UserAccountControl field indicate Disabled accounts. For example 514 and 4098 are both Disabled accounts.
I wanted a way of importing ALL the users and mapping the value for Enabled/Disabled. The simplest way to do this is to import first the Enabled users and then the Disabled users. I will build on the C# script task from previous posts, the latest version of which you can find here: Importing Empty Fields from Active Directory.
Simply add this to the filter in the script:
ENABLED USERS:
// The bitwise AND matching rule (1.2.840.113556.1.4.803) tests a single bit; if bit 2 (ACCOUNTDISABLE) is NOT set, the account is enabled
ds.Filter = "(&(objectClass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=2))";
DISABLED USERS:
// If bit 2 (ACCOUNTDISABLE) IS set, the account is disabled
ds.Filter = "(&(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))";
You can duplicate the C# code and have one script for Enabled users and one for Disabled users. Add an IsEnabled field to the table and alter the INSERT statement in the code to populate the field.
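As an added example (not the post's own script task), the following stand-alone C# shows the same idea applied after import: because the flags are cumulative, IsEnabled can be derived from the raw UserAccountControl value by testing the ACCOUNTDISABLE bit (0x0002), so no lookup table of every combination is needed, and the post's two LDAP filters can be built from the same constant. The enum values are the documented flag values from the Microsoft article referenced above; the sample integers are constructed for the demonstration.

```csharp
using System;

// Added example, not the original post's SSIS script task.
// Decodes the UserAccountControl bitmask so IsEnabled can be computed from the
// value as imported, instead of maintaining a lookup table of every combination.
public static class UserAccountControlDecoder
{
    // Subset of the documented UserAccountControl flags (hex values as listed in
    // the Microsoft article the post links to).
    [Flags]
    public enum Uac
    {
        ACCOUNTDISABLE            = 0x0002,
        NORMAL_ACCOUNT            = 0x0200,
        WORKSTATION_TRUST_ACCOUNT = 0x1000,
        DONT_EXPIRE_PASSWORD      = 0x10000,
    }

    // LDAP matching rule OID used in the post's filters (LDAP_MATCHING_RULE_BIT_AND).
    public const string BitAndRule = "1.2.840.113556.1.4.803";

    // An account is enabled unless the ACCOUNTDISABLE bit is set, whatever
    // other flags are combined with it (514, 4098 and 66050 are all disabled).
    public static bool IsEnabled(int userAccountControl)
    {
        return (userAccountControl & (int)Uac.ACCOUNTDISABLE) == 0;
    }

    // Builds the same two filters the post uses, taking the bit value from the
    // enum instead of a hard-coded "2".
    public static string BuildFilter(bool enabledOnly)
    {
        string bitTest = "(useraccountcontrol:" + BitAndRule + ":=" + (int)Uac.ACCOUNTDISABLE + ")";
        return enabledOnly
            ? "(&(objectClass=user)(!" + bitTest + "))"
            : "(&(objectClass=user)" + bitTest + ")";
    }

    public static void Main()
    {
        // Constructed sample values, in the decimal form they take after import into SQL.
        int[] samples = { 512, 514, 4098, 66048, 66050 };
        foreach (int uac in samples)
        {
            Console.WriteLine($"{uac,6} ({(Uac)uac}) -> IsEnabled = {IsEnabled(uac)}");
        }
        Console.WriteLine(BuildFilter(true));
        Console.WriteLine(BuildFilter(false));
    }
}
```

The same bit test works inside the INSERT statement or a later UPDATE in T-SQL (UserAccountControl & 2 = 0 means enabled), which is an alternative to running two separate imports if the raw UserAccountControl column is already being loaded.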
Helpful References:
http://rajnishbhatia19.blogspot.ca/2008/11/active-directory-useraccountcontrol.html
How to use the UserAccountControl flags to manipulate user account properties