How to run a script or program that counts how many accounts don't have something checked in Active Directory

Last Modified: 2012-05-07
Is there a way I can run something that lets me see if I don't have an option checked in the Account tab of Active Directory, and lets me know who or how many accounts don't have something checked?

Example: I want to see how many accounts don't have "Smart card is required for interactive logon" checked.

Also, I don't have access to the server, just access to make changes to AD.

Commented:
Hi there

Have a look at the following:

http://www.eggheadcafe.com/conversation.aspx?messageid=32069750&threadid=32069744

The code is written in VBScript.
CERTIFIED EXPERT
Top Expert 2013

Commented:
What I'd go with is adfind by MVP Joe Richards:
http://www.joeware.net/freetools/tools/adfind/index.htm
Some AD attributes are bit flags, which means they are expressed as integers. userAccountControl is one of them, and it is the one needed here. Joe also has a really good blog entry about it here:
http://blog.joeware.net/2008/09/05/1453/
Smart Updates of bitwise attributes
So to get your query using adfind:
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.802:=262144)" samaccountname -nodn
That will return the samaccountname of all users that don't have "Smart card is required for interactive logon" checked.
If you want to know which ones have it checked, just remove the ! before useraccountcontrol.
Thanks
Mike
 

Author

Commented:
I have rights to get in AD, but I am doing this from XP and not from the server itself. I see that this runs in the command prompt and I'm able to run it, but it's returning 0 results. Any ideas?

As for the first comment up there with the link to the VB script, it actually needs a lot of tweaking, but I'm working with the code to see what I can do with it.
CERTIFIED EXPERT
Top Expert 2013

Commented:
You can take out the part that checks for the checkbox, just to make sure you are getting results for users:

adfind -default -f  "&(objectcategory=person)(objectclass=user)" samaccountname -nodn
That will give you all your users, just as a test. Running from XP is fine.
Thanks
 
Mike

Author

Commented:
OK, that gave me the results of all the different types of users.

Author

Commented:
Even if I could use the search option that is built into AD, that would be great; I just can't find the right options to search.
CERTIFIED EXPERT
Top Expert 2013

Commented:
Oh boy... I just noticed a typo. SORRY about that.
 
adfind -default -bit -f  "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:1.2.840.113556.1.4.803:=262144)" samaccountname -nodn
I had .802 in the original.
Thanks
Mike
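The same check, as an added example that is not part of the thread and not Joe Richards' adfind: a PowerShell script that does what the adfind command above does (test the SMARTCARD_REQUIRED bit, 262144, in userAccountControl) and also reports the percentage of accounts that have it, which is what the audit in this question cares about. It assumes a domain-joined Windows machine with PowerShell 2.0 or later; the [adsisearcher] accelerator uses System.DirectoryServices, so no RSAT and no access to the server are needed, and an ordinary domain user can read these two attributes. The function and account names, and the sample userAccountControl values, are constructed for the example.

```powershell
# Added example (not code from the thread): report which user accounts lack
# the "Smart card is required for interactive logon" flag and what percentage
# have it, the same userAccountControl bit the adfind filter tests.
# Assumes a domain-joined Windows machine with PowerShell 2.0 or later.

# userAccountControl is a bit field. A few of its flags, with the values
# Microsoft documents for the attribute (ADS_USER_FLAG_ENUM):
$UacFlags = @{
    ACCOUNTDISABLE       = 0x2
    PASSWD_NOTREQD       = 0x20
    NORMAL_ACCOUNT       = 0x200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000    # = 262144 decimal, the value in the thread
}

function Test-SmartcardRequired {
    param([Parameter(Mandatory=$true)][int]$UserAccountControl)
    # Bitwise AND against the flag; this is what the LDAP matching rule
    # 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND) does on the DC.
    return (($UserAccountControl -band $UacFlags.SMARTCARD_REQUIRED) -ne 0)
}

function Get-UacFlagNames {
    param([int]$UserAccountControl)
    # Expand the integer into the names of the flags that are set.
    foreach ($name in ($UacFlags.Keys | Sort-Object)) {
        if (($UserAccountControl -band $UacFlags[$name]) -ne 0) { $name }
    }
}

function Get-DomainUsersFromAd {
    # Live query of the current domain. The default filter is the thread's
    # adfind filter written as a full LDAP filter (outer parentheses included).
    param([string]$LdapFilter = '(&(objectCategory=person)(objectClass=user))')
    $searcher = [adsisearcher]$LdapFilter
    $searcher.PageSize = 1000          # without paging the DC stops at 1000 results
    [void]$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'userAccountControl'))
    foreach ($r in $searcher.FindAll()) {
        New-Object PSObject -Property @{
            SamAccountName     = [string]$r.Properties['samaccountname'][0]
            UserAccountControl = [int]$r.Properties['useraccountcontrol'][0]
        }
    }
}

function Get-SmartcardReport {
    # Takes objects with SamAccountName and UserAccountControl properties,
    # from Get-DomainUsersFromAd or from the constructed sample below.
    param([Parameter(Mandatory=$true)][object[]]$Users)
    $missing   = @($Users | Where-Object { -not (Test-SmartcardRequired $_.UserAccountControl) })
    $compliant = $Users.Count - $missing.Count
    $pct = if ($Users.Count -gt 0) { [math]::Round(100 * $compliant / $Users.Count, 1) } else { 0 }
    New-Object PSObject -Property @{
        Total             = $Users.Count
        SmartcardRequired = $compliant
        Missing           = $missing.Count
        PercentCompliant  = $pct
        MissingAccounts   = @($missing | ForEach-Object { $_.SamAccountName })
    }
}

# Constructed sample accounts (hypothetical, not from any real domain) so the
# report logic can be run offline.
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'jdoe';   UserAccountControl = 0x40200 }  # NORMAL_ACCOUNT + SMARTCARD_REQUIRED
    New-Object PSObject -Property @{ SamAccountName = 'asmith'; UserAccountControl = 0x200 }    # NORMAL_ACCOUNT only: missing
    New-Object PSObject -Property @{ SamAccountName = 'svc-bk'; UserAccountControl = 0x10202 }  # disabled, password never expires: missing
    New-Object PSObject -Property @{ SamAccountName = 'rlee';   UserAccountControl = 0x50200 }  # SMARTCARD_REQUIRED + DONT_EXPIRE_PASSWORD
)

# Decode each sample value into its flag names, then produce the report.
$sample | ForEach-Object { '{0,-8} {1}' -f $_.SamAccountName, ((Get-UacFlagNames $_.UserAccountControl) -join ', ') }
Get-SmartcardReport -Users $sample | Format-List   # Total 4, Missing 2 (asmith, svc-bk), 50% compliant

# Against the real domain, either let the script do the bit test:
#   Get-SmartcardReport -Users (Get-DomainUsersFromAd) | Format-List
# or let the DC do it, exactly as the adfind command does, and count the hits:
#   @(Get-DomainUsersFromAd '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=262144)))').Count
```

Two caveats for anyone using this for the audit. First, the matching-rule OID matters: 1.2.840.113556.1.4.803 is bitwise AND and 1.2.840.113556.1.4.804 is bitwise OR; a filter with an OID the DC does not recognise matches nothing, which is consistent with the zero results reported above for the .802 version. Second, both the adfind filter and the default filter here include disabled accounts; if the audit only counts active users, add (!(userAccountControl:1.2.840.113556.1.4.803:=2)) to the filter (bit 2 is ACCOUNTDISABLE). The same LDAP filter string can also be pasted into the built-in ADUC search (Find, Custom Search, Advanced tab) if a GUI is preferred over the script.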

Author

Commented:
You were very helpful, thanks; this is exactly what I was trying to do. We get audited if we don't have over a certain percentage of people we don't set back to CAC card. Now our section can look at ourselves to see who we are missing.
CERTIFIED EXPERT
Top Expert 2013

Commented:
CAC card...must be DoD :)  Hoooaaahh!!!
Glad I was able to help
Thanks
Mike

Author

Commented:
;-P ssssssssssssssshhhhhhhhhhhhh

I am not the admin you are looking for