On 8/16/2012 6:26 AM, JasonYZX wrote:
> Hi, has anyone got any idea about how to query all the disabled users
> from AD?

This is more of an engine and drivers forum question. Designer is the
tool used to write the policy, not really the place for questions about
the policies...

Anyway, there is a pseudo attribute that the shim maps to the
userAccountControl bit that controls login disabled. (You do not
specify account expiry disabled, vs login disabled so I assume the later).

You would just query AD for that pseudo attribute. It is in the filter,
and I always spell it wrong so I select vs type.

dirXML-uacLoginDisabled or somesuch. Look it up.