How can I tell when a user is disabled in Active Directory?


  1. Open the Active Directory Users and Computers snap-in.
  2. In the left pane, connect to the domain you want to query.
  3. Right-click on the domain and select Find.
  4. Beside Find, select Common Queries.
  5. Check the box beside “disabled accounts.”
  6. Click the Find Now button.

What are user attributes in Active Directory?

A user object in AD has attributes that contain information such as canonical name. first name, middle name, last name, login credentials telephone number, manager who he or she reports to, address, who their subordinates are, and more.

What is userAccountControl in AD?

The Active Directory attribute userAccountControl contains a range of flags which define some important basic properties of a user object. These flags can also be used to request or change the status of an account.

What does user disabled mean?

A disabled account means you’ve been taken offline, often for security reasons. It can mean everything from illegal activity on your part to a hacking attempt from someone else.

What is dsCorePropagationData attribute?

The dsCorePropagationData is a “system” attribute which is used by the Active Directory service and cannot and should not be modified by anything other than the directory itself. If you try to modify it via a script (and presumably an application) it will fail.

What UserAccountControl 544?

UserAccountControl value 544 means that the account is enabled but must to change password on next logon.

What is the difference between locked and disabled accounts?

Disabled indicates an account has been administratively or automatically disabled for some reason. Usually some action is required to release it. Locked indicates an account has been automatically suspended due to invalid login attempts.