I want to set up an alert if an account is disabled in Active Directory, a related account exists, and it is left enabled. The relationship between the accounts is defined; for example, related accounts have the same sAMAccountName but with a number appended to the end to make them unique.
I have an account in Active Directory that was disabled: sAMAccountName=Sara. I want to verify the account is still disabled, and if so, automatically check Active Directory to see if Sara1 or Sara(whatever) exists, and if it is still enabled.
I need to verify because this search will not be running in real time, so it is possible an account was disabled and re-enabled, and I do not want this to generate results.
I have SA-ldapsearch installed, and I can get various parts of this to work, but not all in the same search.
• I can perform the basic search to return results of all accounts that were disabled.
• I can use ldapfilter to check attributes and verify the account is still disabled.
• I have used ldapsearch separately to return attributes of existing accounts, and can use the wildcard to find all the accounts I want.
How do I put this all together? How do I take the results of the first half of my search, and feed them into an ldapsearch command adding a wildcard? When I try this I run into the problem that ldapsearch must be the first command of a search.
I have thought about splitting this into two searches and using a lookup file to store the results, but that seems like an awfully complex way to do this. And I am not even sure it would work.
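One way to chain the two halves without a lookup file, added here as an example and not taken from the post above or from the SA-ldapsearch documentation: run ldapsearch once at the front of the pipeline to pull the accounts that are disabled right now (which already covers the "still disabled" check), strip the trailing digits to get the base name, and then use ldapfilter, which is allowed mid-pipeline, to look up enabled siblings with a wildcard. It assumes an SA-ldapsearch domain named `default`, that ldapfilter substitutes `$base$` into its filter string, and it tests the disabled state with the AD bitwise matching rule on userAccountControl bit 2 (ACCOUNTDISABLE).

```spl
| ldapsearch domain=default search="(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))" attrs="sAMAccountName"
| rename sAMAccountName AS disabled_account
| eval base=replace(disabled_account, "\d+$", "")
| ldapfilter domain=default search="(&(objectCategory=person)(objectClass=user)(sAMAccountName=$base$*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" attrs="sAMAccountName,userAccountControl"
| where lower(sAMAccountName)!=lower(disabled_account) AND match(sAMAccountName, "(?i)^".base."\d*$")
| table disabled_account, base, sAMAccountName, userAccountControl
```

Each row out of the second ldapfilter is one enabled account that shares the base name (the LDAP wildcard also matches names like Sarah, so the match() keeps only base plus digits). If the event-log search has to stay as the first half, the same disabled-bit filter can be applied through an ldapfilter instead of the leading ldapsearch.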