We sometimes disable macOS accounts by setting their UserShell to /usr/bin/false. It would be helpful to be able to create an analysis that returns which user accounts are disabled or not, by checking their shell.
Some attributes already exist:
Q: attributes of user "its"
A: dsAttrTypeStandard:NFSHomeDirectory: /Users/its
A: dsAttrTypeStandard:PrimaryGroupID: 20
A: dsAttrTypeStandard:RealName: its
A: dsAttrTypeStandard:RecordName: its
A: dsAttrTypeStandard:UniqueID: 503
T: 12580
I: user attribute
but not the UserShell:
Q: attribute "dsAttrTypeStandard:UserShell" of user "its"
E: Singular expression refers to nonexistent object.
T: 7928
I: user attribute
Example of a disabled account:
admin@iMac ~ % dscl -plist . -read /users/its UserShell
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
<key>dsAttrTypeStandard:UserShell</key>
<array>
<string>/usr/bin/false</string>
</array>
</dict>
</plist>
Thank you for your consideration 
https://bigfix-ideas.hcltechsw.com/ideas/BFLCM-I-247