sstretchh asked:

How to run a script or program that counts how many accounts don't have something checked in Active Directory

Is there a way I can run something that I can see if I don't have an option checked in the Account tab of Active Directory and lets me know who or how many accounts don't have something checked?

Example: I want to see how many accounts don't have "Smart card is required for interactive logon" checked.

Also I don't have access to the server just access to make changes to AD.
iarla

Hi there

Have a look at the following:

http://www.eggheadcafe.com/conversation.aspx?messageid=32069750&threadid=32069744

The code is written in VBScript
Mike Kline
What I'd go with is adfind by MVP Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
So some AD attributes are bit flags, which means they are expressed as integers.  Useraccountcontrol is one of them and is needed here.   Joe also has a really good blog entry about it here:
 http://blog.joeware.net/2008/09/05/1453/
Smart Updates of bitwise attributes
So to get your query using adfind
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.802:=262144)" samaccountname -nodn
That will return the samaccountname with all users that don't have "Smart card is required for interactive logon" checked
...want to know which ones have it checked just remove the ! before useraccountcontrol
Thanks
Mike
 
sstretchh (ASKER)

I have rights to get in AD but I am doing this from XP and not from the server itself. I see that this runs in the command prompt and I am able to run it, but it's returning 0 results. Any ideas?

As for the first comment up there with the link to the VB script, it actually needs a lot of tweaking, but I am working with the code to see what I can do with it
You can take out the part that checks for the checkbox just to make sure you are getting results for users

adfind -default -f  "&(objectcategory=person)(objectclass=user)" samaccountname -nodn
That will give you all your users.  Just as a test.  Running from XP is fine.
Thanks
 
Mike
ok that gave me the results of all the different types of users
Even if I could use the search option that is built into AD that would be great, I just can't find the right options to search.
oh boy...I just noticed a typo.  SORRY about that
 
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" samaccountname -nodn
I had .802 in the original
Thanks
Mike
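
Added example (not part of the thread, and not adfind's or Active Directory's own code): a small Python model of how the filter's bitwise matching rule is evaluated against userAccountControl, run on constructed sample accounts. It goes slightly beyond the thread by also modelling the bit-OR rule (.804); under RFC 4511 an OID that is not recognised as a matching rule yields Undefined and negating Undefined is still Undefined, which is consistent with the 0 results reported for the .802 typo.

```python
# Added example: client-side model of the LDAP bitwise matching rules.
SMARTCARD_REQUIRED = 0x40000          # 262144, the value used in the thread
BIT_AND = "1.2.840.113556.1.4.803"    # TRUE when all bits of the value are set
BIT_OR = "1.2.840.113556.1.4.804"     # TRUE when any bit of the value is set


def match(uac, rule_oid, value):
    """Return True/False, or None (Undefined) for an unrecognised rule OID."""
    if rule_oid == BIT_AND:
        return uac & value == value
    if rule_oid == BIT_OR:
        return uac & value != 0
    return None


def negate(result):
    """LDAP 'not' (the ! in the filter): Undefined stays Undefined."""
    return None if result is None else not result


def users_without_flag(accounts, rule_oid, value=SMARTCARD_REQUIRED):
    """Names for which (!useraccountcontrol:<rule_oid>:=<value>) is TRUE."""
    return [name for name, uac in accounts
            if negate(match(uac, rule_oid, value)) is True]


def report(accounts, rule_oid=BIT_AND):
    """Return (accounts missing the flag, percent of accounts that have it)."""
    missing = users_without_flag(accounts, rule_oid)
    pct_set = 100.0 * (len(accounts) - len(missing)) / len(accounts)
    return missing, round(pct_set, 1)


# Constructed sample data: (samaccountname, userAccountControl)
ACCOUNTS = [
    ("asmith", 512),               # normal account
    ("bjones", 512 + 262144),      # normal account, smart card required
    ("cdoe", 512 + 65536),         # normal account, password never expires
    ("dlee", 512 + 2 + 262144),    # disabled account, smart card required
]

if __name__ == "__main__":
    print("correct .803 filter:", report(ACCOUNTS))
    print("typo .802 filter:   ",
          users_without_flag(ACCOUNTS, "1.2.840.113556.1.4.802"))
```
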
You were very helpful, thanks, this is exactly what I was trying to do. We get audited if we don't have over a certain percentage of people we don't set back to CAC card. Now our section can look ourselves to see who we are missing.
CAC card...must be DoD :)  Hoooaaahh!!!
Glad I was able to help
Thanks
Mike
;-P ssssssssssssssshhhhhhhhhhhhh

I am not the admin you are looking for