Cogentco (United States of America) asked:

How can I get a list of all enabled accounts on my AD domain?

I am looking for a way to get a list of all the enabled accounts on my AD domain. My preferred method is to use a script that I can then pipe into a text file. All I need is the full name, username, and description.

I can get a list of all the disabled accounts, and a list of all accounts. From there I could just plop it all into Excel and have it show me the differences, but I am really looking for a much simpler way.

ASKER CERTIFIED SOLUTION: Farhan Kazi (Australia)

Cogentco (asker):

Thanks guys, sorry for the delays.
VegasRage:

I had to do this for our HR department but they needed a clean list of names that didn't have any LDAP in it. Unfortunately the DS commands don't give you an easy means to show just the enabled accounts, but of course it's easy to look at the disabled. Also they wanted it sent weekly in an email.

Below is my solution to both problems; you can use it by simply changing the values in the variables at the top. You need an SMTP-enabled IIS server for the mail piece to work, since this code creates the email file and then moves it to the drop directory of the mail server. Simply create a directory such as C:\AD_Users and save the code below in a .cmd file; you can then schedule a task to have it run on whatever interval you like. The duplicate removal and email portion is a bit of a road-warrior hack (the script even cleans up the excess surrounding quotes inherent to DSQUERY), but it works like a charm.

Cheers,

The variables explained:

_emailto - The SMTP address of the person or distribution list the report should be sent to
_emailfr - A descriptive, unique SMTP address the mail is coming from (not in use on the mail server)
_Subject - The email subject
_dropdir - The mail drop directory; it can be a local or UNC path
_srcroot - The LDAP root of your domain at minimum, but you can refine it to an OU
_Contact - A contact email address, placed in the body of the email, for people receiving this report
@echo off
REM Set variables
REM -----------------
set _emailto=All-Department-Heads@yourdomain.com
set _emailfr=User-Reports@yourdomain.com
set _Subject=User Account Report for %date%
set _dropdir=\\servername\c$\Inetpub\mailroot\Pickup
set _srcroot=DC=YourDomain,DC=com
set _Contact=Reply-To@YourDomain.com

REM Work from the script's own folder so the relative paths and %cd% below
REM behave the same when Task Scheduler launches the script
cd /d "%~dp0"

if exist *.txt del /q /f *.txt
REM Query AD for users (-limit 10000 caps the result set; -limit 0 removes the cap)
REM ------------------
dsquery user -o rdn -limit 10000 -disabled > _Disabled.tm1 || > _Disabled.tm1 echo There are no disabled accounts
dsquery user -o rdn -limit 10000 "%_srcroot%" > _Users.tm1 || > _Users.tm1 echo There are no users ROLMAO!

REM Clean up quotes: %%~A strips the quotes dsquery puts around each RDN;
REM the redirection comes before echo so no trailing space is written
REM ---------------
FOR /F "delims=" %%A in (_Disabled.tm1) do >> _Disabled.tm2 echo %%~A
FOR /F "delims=" %%A in (_Users.tm1) do >> _Users.tm2 echo %%~A

REM Sort results and clean up temp files
REM ------------------------------------
sort "%cd%\_Disabled.tm2" /O "%cd%\_Disabled.txt"
sort "%cd%\_Users.tm2" /O "%cd%\_Users.txt"
if exist *.tm? del /q /f *.tm?

REM Remove the duplicates: create one file per user name, delete the disabled
REM ones (plus any names in an optional _Exclude.lst), and list what is left
REM ---------------------
IF not exist "%cd%\Dups" mkdir "%cd%\Dups"
FOR /F "tokens=*" %%a in (_Users.txt) do echo %%a > "%cd%\dups\%%a"
FOR /F "tokens=*" %%a in (_Disabled.txt) do del /q "%cd%\dups\%%a" 2>nul
if exist _Exclude.lst FOR /F "tokens=*" %%a in (_Exclude.lst) do del /q "%cd%\dups\%%a" 2>nul
cd Dups
dir /b > "..\_Enabled.txt"
cd ..
rmdir /s /q "%cd%\dups"

echo Building email
> adlist.eml echo X-Receiver: %_emailto%
>> adlist.eml echo X-Sender: %_emailfr%
>> adlist.eml echo From: ^<%_emailfr%^>
>> adlist.eml echo To: ^<%_emailto%^>
>> adlist.eml echo Subject: %_Subject%
>> adlist.eml echo MIME-Version: 1.0
REM The charset parameter must stay on the Content-Type line (or be indented
REM as a folded continuation); a bare line would end the header block
>> adlist.eml echo Content-Type: text/plain; charset="iso-8859-1"
>> adlist.eml echo Content-Transfer-Encoding: 7bit
>> adlist.eml echo X-Mailer: Microsoft CDO for Windows 2003
>> adlist.eml echo Content-Class: urn:content-classes:message
>> adlist.eml echo X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1506
>> adlist.eml echo.
>> adlist.eml echo -- INSTRUCTIONS --
>> adlist.eml echo 1) Please review the list of users for accuracy and note any account that is no longer needed and should be disabled or removed.
>> adlist.eml echo 2) Verify with Human Resources the actions you want to take.
>> adlist.eml echo 3) Contact %_Contact% to have the proper action taken on the account.
>> adlist.eml echo.
>> adlist.eml echo ......................................
>> adlist.eml echo Disabled user accounts
>> adlist.eml echo ...............................................................................
>> adlist.eml echo.
type _Disabled.txt >> adlist.eml

>> adlist.eml echo.
>> adlist.eml echo ......................................
>> adlist.eml echo Enabled User Accounts
>> adlist.eml echo ..............................................................................
>> adlist.eml echo.
type _Enabled.txt >> adlist.eml

move /Y adlist.eml "%_dropdir%"

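An added example, not from the thread: the report the asker wanted (full name, username, description of every enabled account) in PowerShell, which needs no set-difference step because the ActiveDirectory module exposes the ACCOUNTDISABLE bit of userAccountControl as the Enabled property. The output path and the placeholder search base are assumptions; the equivalent raw LDAP filter is included because it also works with dsquery *.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT or a domain controller).
Import-Module ActiveDirectory

$OutFile    = 'C:\AD_Users\_Enabled.txt'   # assumed output path
$SearchBase = 'DC=YourDomain,DC=com'       # placeholder, as in the batch script

# Option 1: let the module evaluate userAccountControl for you.
$enabled = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                      -Properties Description

# Option 2: the same query as a raw LDAP filter. ACCOUNTDISABLE is bit 0x2 of
# userAccountControl and 1.2.840.113556.1.4.803 is the LDAP bitwise-AND
# matching rule, so the negated clause selects accounts whose disabled bit is
# clear. The same filter string can be passed to: dsquery * -filter "..."
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$enabledViaLdap = Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
                             -Properties Description

# Sanity check: both filters must describe the same population.
if (@($enabled).Count -ne @($enabledViaLdap).Count) {
    Write-Warning ("Filter mismatch: Enabled={0} LDAP={1}" -f
                   @($enabled).Count, @($enabledViaLdap).Count)
}

# Plain-text report, one line per account, sorted by name.
$enabled |
    Sort-Object Name |
    Select-Object Name, SamAccountName, Description |
    Format-Table -AutoSize |
    Out-File -FilePath $OutFile -Encoding UTF8 -Width 200

# CSV variant for Excel:
# $enabled | Select-Object Name, SamAccountName, Description |
#     Export-Csv 'C:\AD_Users\_Enabled.csv' -NoTypeInformation
```

Unlike dsquery, Get-ADUser returns all matches by default, so no -limit value has to be guessed for a large domain.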