sstretchh
How to run a script or program that counts how many accounts don't have something checked in Active Directory
Is there a way I can run something that lets me see if I don't have an option checked in the Account tab of Active Directory, and lets me know who or how many accounts don't have something checked?
Example: I want to see how many accounts don't have "Smart card is required for interactive logon" checked.
Also, I don't have access to the server, just access to make changes to AD.
What I'd go with is adfind by MVP Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
So some AD attributes are bit flags, which means they are expressed as integers. Useraccountcontrol is one of them and needed here. Joe also has a really good blog entry about it here:
http://blog.joeware.net/2008/09/05/1453/
Smart Updates of bitwise attributes
So to get your query using adfind
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.802:=262144)" samaccountname -nodn
That will return the samaccountname with all users that don't have "Smart card is required for interactive logon" checked
...want to know which ones have it checked just remove the ! before useraccountcontrol
Thanks
Mike
ASKER
I have rights to get in AD but I am doing this from XP and not from the server itself. I see that this runs in the command prompt and I am able to run it, but it's returning 0 results. Any ideas?
As for the first comment up there with the link to the VB script, it actually needs a lot of tweaking, but I am working with the code to see what I can do with it.
You can take out the part that checks for the checkbox just to make sure you are getting results for users
adfind -default -f "&(objectcategory=person)(objectclass=user)" samaccountname -nodn
That will give you all your users. Just as a test. Running from XP is fine.
Thanks
Mike
ASKER
OK, that gave me the results of all the different types of users.
ASKER
Even if I could use the search option that is built into AD that would be great, I just can't find the right options to search.
oh boy...I just noticed a typo. SORRY about that
adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" samaccountname -nodn
I had .802 in the original
Thanks
Mike
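The corrected query above, as an added PowerShell example that is not part of the original thread: it runs the same LDAP filter through .NET's DirectorySearcher from a domain-joined workstation (read access is enough) and reports the count and percentage of accounts missing the flag. It assumes the logged-on user's domain as the search root; the function and variable names are illustrative.

```powershell
# Added example, not code from the thread. Read-only LDAP queries against the current domain.
$SmartcardRequired = 262144                    # userAccountControl bit from the thread (0x40000)
$BitAnd            = '1.2.840.113556.1.4.803'  # bitwise-AND matching rule OID (the corrected one)
$Users             = '(objectCategory=person)(objectClass=user)'

function Find-SamAccountName {
    # Hypothetical helper: returns the sAMAccountName of every object matching $Filter.
    param([Parameter(Mandatory = $true)][string]$Filter)

    $searcher          = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = $Filter
    $searcher.PageSize = 1000   # turn on paging; without it the result set is cut at the server limit
    [void]$searcher.PropertiesToLoad.Add('samaccountname')

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) { [string]$r.Properties['samaccountname'][0] }
    }
    finally {
        $results.Dispose()      # SearchResultCollection holds unmanaged resources
    }
}

# All user accounts, then the subset where the smart-card bit is NOT set.
# The NOT clause is written in the standard (!(...)) form.
$all     = @(Find-SamAccountName -Filter "(&$Users)")
$missing = @(Find-SamAccountName -Filter "(&$Users(!(userAccountControl:${BitAnd}:=$SmartcardRequired)))")

# Guard against an empty domain result before dividing.
$pct = if ($all.Count) { [math]::Round(100 * $missing.Count / $all.Count, 1) } else { 0 }

'{0} of {1} user accounts ({2}%) do not require a smart card' -f $missing.Count, $all.Count, $pct
$missing | Sort-Object
```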
ASKER
You were very helpful, thanks, this is exactly what I was trying to do. We get audited if we don't have over a certain percentage of people we don't set back to CAC card. Now our section can look ourselves to see who we are missing.
CAC card...must be DoD :) Hoooaaahh!!!
Glad I was able to help
Thanks
Mike
ASKER
;-P ssssssssssssssshhhhhhhhhhhhh
I am not the admin you are looking for
Have a look at the following:
http://www.eggheadcafe.com/conversation.aspx?messageid=32069750&threadid=32069744
The code is written in VBScript