Solved

How to run a script or program that counts how many accounts don't have something checked in Active Directory

Posted on 2009-07-06
11
1,380 Views
Last Modified: 2012-05-07
Is there a way I can run something that I can see if I don't have an option checked in the Account tab of active diretory and lets me know who or how many accounts don't have something checked ?

Example I want to see how many accounts don't have check "Smart card is required for interactive logon"

Also I don't have access to the server just access to make changes to AD.
0
Comment
Question by:sstretchh
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 5
11 Comments
 
LVL 2

Expert Comment

by:iarla
ID: 24790136
Hi there

Have a look at the following:

http://www.eggheadcafe.com/conversation.aspx?messageid=32069750&threadid=32069744

The code is written in VBScript
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24790977
what I'd go with is adfind by MVP Joe Richards
http://www.joeware.net/freetools/tools/adfind/index.htm
So some AD attributes are bit flags which means and expressed as integers.  Useraccountcontrol is one of them and needed here.   Joe also has a really good blog entry about it here:
 http://blog.joeware.net/2008/09/05/1453/
Smart Updates of bitwise attributes
So to get your query using adfind
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.802:=262144)" samaccountname -nodn
That will return the samaccountname with all users that don't have "Smart card is required for interactive logon" checked
...want to know which ones have it checked just remove the ! before useraccountcontrol
Thanks
Mike
 
0
 

Author Comment

by:sstretchh
ID: 24795487
I have writes to get in AD but I am doing this from XP and not from the server itself. I see that this runs in the command prompt and able to run it but it's returning 0 results. Any ideas ??

As for the first comment up there with the link to the VB script it actually needs a lot of tweaking but working with the code to see what I can do with it
0
Ransomware-A Revenue Bonanza for Service Providers

Ransomware – malware that gets on your customers’ computers, encrypts their data, and extorts a hefty ransom for the decryption keys – is a surging new threat.  The purpose of this eBook is to educate the reader about ransomware attacks.

 
LVL 57

Expert Comment

by:Mike Kline
ID: 24795516
You can take out the part that checks for the checkbox just to make sure you are getting results for users

adfind -default -f  "&(objectcategory=person)(objectclass=user)" samaccountname -nodn
That will give you all your users.  Just as a test.  Running from XP is fine.
Thanks
 
Mike
0
 

Author Comment

by:sstretchh
ID: 24795547
ok that gave me the results of all the different types of users
0
 

Author Comment

by:sstretchh
ID: 24795660
Even If i could use the search option that is built into AD that would be great just can't find the right options to search.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24795722
oh boy...I just noticed a typo.  SORRY about that
 
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" samaccountname -nodn
I had .802 in the original
Thanks
Mike
0
 
LVL 57

Accepted Solution

by:
Mike Kline earned 500 total points
ID: 24795775
If you wanted to use the search in AD you can use an LDAP query (custom search)
See screenshot
Thanks
Mike
 

AD-search-non-smartcard.jpg
0
 

Author Closing Comment

by:sstretchh
ID: 31600410
You were very helpful thanks, this is exactly what I was trying to do. We get audited if we don't have over a certain percantage of people we don't set back to CAC card. Now are section can look are self to see who we are missing.
0
 
LVL 57

Expert Comment

by:Mike Kline
ID: 24796023
CAC card...must be DoD :)  Hoooaaahh!!!
Glad I was able to help
Thanks
Mike
0
 

Author Comment

by:sstretchh
ID: 24796052
;-P ssssssssssssssshhhhhhhhhhhhh

I am not the admin you are looking for
0

Featured Post

Turn Insights into Action

Communication across every corner of your business is essential to increase the velocity of your application delivery and support pipeline. Automate, standardize, and contextualize your communication processes with xMatters.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
This article demonstrates probably the easiest way to configure domain-wide tier isolation within Active Directory. If you do not know tier isolation read https://technet.microsoft.com/en-us/windows-server-docs/security/securing-privileged-access/s…
This tutorial will walk an individual through the steps necessary to join and promote the first Windows Server 2012 domain controller into an Active Directory environment running on Windows Server 2008. Determine the location of the FSMO roles by lo…
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles to another domain controller. Log onto the new domain controller with a user account t…

687 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question