How can I get a list of all enabled accounts on my AD domain?

Posted on 2007-10-03
Last Modified: 2008-05-31
I am looking for a way to get a list of all the enabled accounts on my AD domain. My preferred method is to use a script that I can then pipe into a text file. All I need is the full name, username, and description.

I can get a list of all the disabled accounts, and a list of all accounts. From there I could just plop it all into Excel and have it show me the differences, but I am really looking for a much simpler way.

Question by:Cogentco

Accepted Solution

by:
Farhan Kazi earned 100 total points
ID: 20011553
Click Start -> Run -> Cmd.exe

DSQuery * -Filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Attr samAccountName -Limit 0

OR

DSQuery * -Filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Limit 0

To store results in file:

DSQuery * -Filter "(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -Attr samAccountName -Limit 0 >EnabledAccount.txt

Hope this helps!

Assisted Solution

by:BSonPosh
BSonPosh earned 100 total points
ID: 20011699
If you wouldn't mind using PowerShell, this will do exactly what you want. Output is at the end.

#########################
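$dom = [ADSI]"LDAP://<DN of Domain>"
$filter = "(&(objectcategory=user))"
$ds = new-object System.DirectoryServices.DirectorySearcher($dom,$filter)
# Enable paging; without it the search stops at the server's default limit of 1000 results
$ds.PageSize = 1000
$users = $ds.Findall()
# Build one row per user and export the whole set to CSV
@(foreach($user in $users){
    $user = $user.GetDirectoryEntry()
    $myobj = "" | Select-Object FullName, sAMAccountName,Description,Disabled
    # Attribute values come back as collections; %{$_} unwraps them to plain values
    $myobj.FullName = $user.cn | %{$_}
    $myobj.sAMAccountName = $user.samaccountname | %{$_}
    $myobj.Description = $user.description | %{$_}
    # accountdisabled is the ADSI view of the ACCOUNTDISABLE bit in userAccountControl
    $myobj.Disabled = $user.psbase.invokeget('accountdisabled')
    $myobj
}) | export-Csv c:\temp\userstate.csv -notype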
########################################
FullName,sAMAccountName,Description,Disabled
TUser1,TUser1,"I am %USERNAME%",True
TUser2,TUser2,"I am %USERNAME%",True
TUser3,TUser3,"I am %USERNAME%",False
"Test User 4",tuser4,"I am %USERNAME%",False
tUser5,tuser5,"I am %USERNAME%",False
Tuser6,Tuser6,"I am %USERNAME%",False
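
The accepted answer's filter can also be run from PowerShell so that the directory returns only enabled accounts, with the three fields the question asks for. This is an added example, not code from any poster in the thread; the function name Get-EnabledAdUser, its SearchBase parameter and the DC=example,DC=com value are hypothetical, and it assumes PowerShell 3.0 or later on a domain-joined machine.

```powershell
# Added example (not from the thread). Get-EnabledAdUser and -SearchBase are
# hypothetical names; DC=example,DC=com below is a placeholder domain DN.
function Get-EnabledAdUser {
    param(
        [Parameter(Mandatory = $true)]
        [string] $SearchBase
    )

    # sAMAccountType=805306368 selects normal user accounts (no computer accounts).
    # 1.2.840.113556.1.4.803 is the bitwise-AND matching rule; value 2 is the
    # ACCOUNTDISABLE bit of userAccountControl, and the ! keeps accounts where it is clear.
    # Locked-out or expired accounts still match: those states are not stored in that bit.
    $filter = '(&(sAMAccountType=805306368)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

    $root     = [ADSI]"LDAP://$SearchBase"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.PageSize = 1000   # page through results instead of stopping at 1000
    $searcher.PropertiesToLoad.AddRange([string[]]@('cn', 'samaccountname', 'description'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            # A missing attribute (for example, no description) yields an empty string.
            [pscustomobject]@{
                FullName       = [string]($r.Properties['cn'] | Select-Object -First 1)
                sAMAccountName = [string]($r.Properties['samaccountname'] | Select-Object -First 1)
                Description    = [string]($r.Properties['description'] | Select-Object -First 1)
            }
        }
    }
    finally {
        $results.Dispose()      # SearchResultCollection holds unmanaged resources
    }
}

# Usage (run on a domain-joined machine):
# Get-EnabledAdUser -SearchBase 'DC=example,DC=com' |
#     Export-Csv .\EnabledAccounts.csv -NoTypeInformation
```

Because the enabled/disabled test happens in the LDAP filter, no client-side comparison of two lists is needed.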

Author Comment

by:Cogentco
ID: 20144774
Thanks guys, sorry for the delays.

Expert Comment

by:VegasRage
ID: 25454943
I had to do this for our HR department, but they needed a clean list of names that didn't have any LDAP in it. Unfortunately the DS commands don't give you an easy means to show just the enabled accounts, but of course it's easy to look at the disabled. Also, they wanted it sent weekly in an email.

Below is my solution to both problems; you can use it by simply changing the values in the variables at the top. You need an SMTP-enabled IIS server for the mail piece to work, since this code creates the email file and then moves it to the drop directory of the mail server. Simply create a directory such as C:\AD_Users and save the below code in a .cmd file; you can then schedule a task to have it run on whatever interval you like. The duplicate removal and email portion is a bit of a road warrior hack (the script even cleans up the excess surrounding quotes inherent to DSQUERY), but it works like a charm.

Cheers,

The variables explained:

_emailto - The SMTP address of the person or distribution list email address the report should be sent to
_emailfr - A descriptive unique SMTP address the mail is coming from (not in use on the mail server)
_Subject - The email subject
_dropdir - The mail drop directory; it can be a local or UNC path
_srcroot - The LDAP root of your domain at minimum, but you can refine it to an OU
_Contact - In the body of the email a contact email for people getting this report.

@echo off
REM Set variables
REM -----------------
set _emailto=All-Department-Heads@yourdomain.com
set _emailfr=User-Reports@fyourdomain.com
set _Subject=User Account Report for %date%
set _dropdir=\\servername\c$\Inetpub\mailroot\Pickup
set _srcroot=DC=YourDomain,DC=com
set _Contact=Reply-To@YourDomain.com
 
if exist *.txt del /q /f *.txt
REM Query ad for users
REM ------------------
dsquery user -o rdn -limit 10000 -disabled > _Disabled.tm1 || > _Disabled.tm1 echo There are no disabled accounts
dsquery user -o rdn -limit 10000 "%_srcroot%" > _Users.tm1 || > _Users.tm1 echo There are no users ROLMAO!
 
REM clean up quotes
REM ---------------
FOR /F "delims=" %%A in (_Disabled.tm1) do echo %%~A >> _Disabled.tm2
FOR /F "delims=" %%A in (_Users.tm1) do echo %%~A >> _Users.tm2
 
REM Sort results and clean up temp files
REM ------------------------------------
sort "%cd%\_Disabled.tm2" /O "%cd%\_Disabled.txt"
sort "%cd%\_Users.tm2" /O "%cd%\_Users.txt"
if exist *.tm? del /q /f *.tm?
 
REM Remove the duplicates
REM ---------------------
IF not exist "%cd%\Dups" mkdir "%cd%\Dups"
FOR /F "tokens=*" %%a in (_Users.txt) do echo %%a > "%cd%\dups\%%a"
FOR /F "tokens=*" %%a in (_Disabled.txt) do del /q "%cd%\dups\%%a"
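REM _Exclude.lst is optional: one account name per line to leave out of the enabled list
if exist _Exclude.lst FOR /F "tokens=*" %%a in (_Exclude.lst) do del /q "%cd%\dups\%%a"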
cd Dups
dir /b > "..\_Enabled.txt"
cd ..
rmdir /s /q "%cd%\dups"
 
echo build email
> adlist.eml echo X-Receiver: %_emailto%
>> adlist.eml echo X-Sender: %_emailfr%
>> adlist.eml echo From: ^<%_emailfr%^>
>> adlist.eml echo To: ^<%_emailto%^>
>> adlist.eml echo Subject: %_Subject%
>> adlist.eml echo MIME-Version: 1.0
>> adlist.eml echo Content-Type: text/plain;
>> adlist.eml echo charset="iso-8859-1"
>> adlist.eml echo Content-Transfer-Encoding: 7bit
>> adlist.eml echo X-Mailer: Microsoft CDO for Windows 2003
>> adlist.eml echo Content-Class: urn:content-classes:message
>> adlist.eml echo X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
>> adlist.eml echo.
>> adlist.eml echo -- INSTRUCTIONS --
>> adlist.eml echo 1) Please review the list of users for accuracy. If you see an account no longer needed, should be disabled, or removed.
>> adlist.eml echo 2) Verify with Human Resources the actions you want to take
>> adlist.eml echo 3) Contact %_Contact% to have the proper action taken on the account.
>> adlist.eml echo.
>> adlist.eml echo ......................................
>> adlist.eml echo Disabled user accounts
>> adlist.eml echo ...............................................................................
>> adlist.eml echo.
type _Disabled.txt >> adlist.eml
 
>> adlist.eml echo.
>> adlist.eml echo ......................................
>> adlist.eml echo Enabled User Accounts
>> adlist.eml echo ..............................................................................
>> adlist.eml echo.
type _Enabled.txt >> adlist.eml
 
move /Y adlist.eml "%_dropdir%"
