Script to pull a list of user mailboxes with the Active Directory account disabled

active-directory exchange-2007 windows-server-2003

I have a process by which we disable an Active Directory user account when they are terminated. The Exchange 2007 mailbox is left and the forwarding is set to the user's manager. I need to run a script periodically that will pull a list of currently active mailboxes with the corresponding AD account disabled. I have no experience with any type of scripting but believe it can be done based on other things I've read. I did some searching but came up empty-handed with this specific requirement. Thank you.

Server 2003R2, Exchange 2007, AD

To be clear I am not asking for anyone to write this for me, just some links possibly to push me in the right direction.

Best Answer

You can use standard LDAP calls through a language like PHP or use AD-specific calls from a Microsoft product (C# with the DirectoryServices library, for example). I don't have Exchange, so I don't know what the raw attributes for mailboxes are, but to see whether an account is disabled, you would check the "userAccountControl" attribute for each user, and then interpret the numeric flags to see whether the account is disabled (the list of flags can be seen here: http://support.microsoft.com/kb/305144).

The basic process for the script would be:

  1. Bind to the Active Directory using either LDAP (PHP, perl, etc.) or DirectoryService (Visual Basic, C#).

  2. Do a search for all user objects (objects with a SamAccountType of 30000000 in hex) that are disabled (objects with a hex userAccountControl value containing '2' in their integer form)

  3. Loop through the resulting objects and make a call to determine which ones have mailboxes that are active (again, I don't use Exchange so I don't have a good answer here).

  4. Print out or write to file some appropriate attributes every time you get a hit in #3 (sAMAccountName, dn, and cn would be good places to start) along with perhaps a date stamp for the entire report.
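Steps 2 to 4 as an added example in Python (not part of the original answer): it builds the LDAP filter using Active Directory's bitwise-AND matching rule and applies the same test to already-fetched entries, so accounts whose userAccountControl carries other flags besides the disabled bit are still caught. It assumes a mailbox-enabled user is one with the `homeMDB` attribute set; the bind and search of step 1 are left to whichever LDAP library is used, and the sample entries and the `entry` helper are constructed for illustration.

```python
from datetime import date

UF_ACCOUNTDISABLE = 0x0002      # ACCOUNTDISABLE bit from the KB 305144 flag list
SAM_USER_OBJECT = 0x30000000    # sAMAccountType of a normal user (805306368)
BIT_AND_RULE = "1.2.840.113556.1.4.803"  # AD's bitwise-AND LDAP matching rule

def build_filter():
    """Server-side form of step 2, plus a mailbox test (assumed: homeMDB is set)."""
    return "(&(sAMAccountType=%d)(userAccountControl:%s:=%d)(homeMDB=*))" % (
        SAM_USER_OBJECT, BIT_AND_RULE, UF_ACCOUNTDISABLE)

def is_disabled(uac):
    """Test the flag bit; LDAP libraries usually return the value as a string."""
    return bool(int(uac) & UF_ACCOUNTDISABLE)

def disabled_with_mailbox(entries):
    """Client-side form of steps 2 and 3 over already-fetched entries."""
    hits = [e for e in entries
            if int(e.get("sAMAccountType", 0)) == SAM_USER_OBJECT
            and is_disabled(e.get("userAccountControl", 0))
            and e.get("homeMDB")]
    return sorted(hits, key=lambda e: e["sAMAccountName"].lower())

def report(entries, today=None):
    """Step 4: a date-stamped header, then sAMAccountName, cn and dn per hit."""
    stamp = (today or date.today()).isoformat()
    lines = ["Disabled accounts with a mailbox, %s" % stamp]
    for e in disabled_with_mailbox(entries):
        lines.append("%s\t%s\t%s" % (e["sAMAccountName"], e["cn"], e["dn"]))
    return lines

def entry(name, cn, sam_type, uac, mdb=None):
    """Hypothetical helper that builds one constructed sample entry."""
    e = {"sAMAccountName": name, "cn": cn,
         "dn": "CN=%s,OU=Staff,DC=example,DC=com" % cn,
         "sAMAccountType": str(sam_type), "userAccountControl": str(uac)}
    if mdb:
        e["homeMDB"] = mdb
    return e

MDB = "CN=Mailbox Database,CN=Example"  # placeholder homeMDB value
SAMPLE = [  # constructed entries, not real directory data
    entry("jdoe", "John Doe", 805306368, 514, MDB),      # disabled, mailbox
    entry("asmith", "Ann Smith", 805306368, 512, MDB),   # enabled, mailbox
    entry("bwong", "Bo Wong", 805306368, 66050, MDB),    # disabled + no-expiry
    entry("temp1", "Temp One", 805306368, 514),          # disabled, no mailbox
    entry("WS01$", "WS01", 805306369, 4098, MDB),        # computer account
]

if __name__ == "__main__":
    print(build_filter())
    print("\n".join(report(SAMPLE)))
```

Comparing userAccountControl for equality with 514 would miss `bwong` (66050), which is why the bit test is used in both the filter and the client-side check.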