• Status: Solved

How do I list only active (non-disabled) AD user accounts in Powershell?

I have a Powershell script to dump all AD user accounts to a text file, but I'd like to take this script a step further and only list the accounts that are not disabled. How would I go about this? What I have so far is below:

### Set up search in AD for just user accounts
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")

### List each of the objects for name, mail, ldap path, distinguished name and member of
$searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() } | select Name, Mail, Path, DistinguishedName, memberOf > adusers.txt

Asked by FAL-Illinois
 
MNH1966 commented:
If you're using the AD Module for Powershell, you could use:

Get-ADUser -Filter {Enabled -Eq $False}

Pipe it to for instance Format-Table and add the properties you want to see.
For a list of all properties, try:
Get-ADUser -Filter {Name -Eq "John"} -Properties *

Of course you have to fill in the name of an existing user ;)
In any case, the property you're looking for is Enabled and the value is either True or False.
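Added example, not part of MNH1966's reply: the listing the question asks for, done with the ActiveDirectory module and restricted to enabled accounts. The output file name is an assumption; the module's Enabled property is derived from the userAccountControl bit discussed later in the thread.

```powershell
# Added example (not from the original thread): list only enabled user
# accounts with the ActiveDirectory module and write them to a CSV file.
# Requires the ActiveDirectory module (RSAT) and connectivity to a DC.
Import-Module ActiveDirectory

# -Filter uses the module's own query syntax. The string form is used on
# purpose: a script block is converted to a string anyway, and the string
# form avoids surprises with variable expansion.
$enabledUsers = Get-ADUser -Filter 'Enabled -eq $true' -Properties mail, memberOf

$enabledUsers |
    Select-Object Name, SamAccountName, Mail, DistinguishedName,
        # memberOf is multi-valued; flatten it so one account stays on one CSV row
        @{ Name = 'MemberOf'; Expression = { ($_.memberOf | Sort-Object) -join ';' } } |
    Export-Csv -Path .\adusers-enabled.csv -NoTypeInformation   # path is an assumption

"Exported {0} enabled user accounts" -f @($enabledUsers).Count
```

Swapping `$true` for `$false` in the filter gives the complementary list (the disabled accounts), which is what the one-liner in the reply above returns.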
 
GusGallows commented:
Using the DirectorySearcher, you can use the UserAccountControl attribute to strip out the disabled accounts. Basically, if you understand binary, if the second bit is on, then it is disabled. The following is a small list of values used by the UserAccountControl as laid out in the following article:
http://support.microsoft.com/kb/305144
2 - Account Disabled 0000000000000010
512 - Enabled Normal Account 000100000000
514 - Disabled Normal Account 000100000010
66048 - Enabled Normal Account with non expiring password 0001000100000000
66050 - Disabled Normal Account with non expiring password 0001000100000010
66080 - Enabled Normal Account with Non Expiring password and Password not required 0001000100010000
66082 - Disabled Normal Account with Non Expiring password and Password not required 0001000100010010
524288 - Trusted for Delegation Enabled Normal Account with non expiring password 1001000100000000

So if you convert the userAccountControl to binary, you can see if it is disabled or not if its last two bits are 10.

But to simplify, using the most common settings (512, 66048, 66080, and 524288), you can do the following in your script to make it only output the enabled accounts.
### Set up search in AD for just user accounts
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")

### List each of the objects for name, mail, ldap path, distinguished name and member of
$searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() } | where {((($_.userAccountControl -eq '512') -or ($_.userAccountControl -eq '66048')) -or (($_.userAccountControl -eq '66080') -or ($_.userAccountControl -eq '590336')))}| select Name, Mail, Path, DistinguishedName, memberOf, userAccountControl > adusers2.txt



If you add the UserAccountControl to your select statement without making any other changes you can see which settings you have. I would wager most are 512, 514, 66048, or 66050.

Check out the article for other combinations of UACs.
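Added example, not part of GusGallows' reply: instead of enumerating every userAccountControl value that happens to be "enabled", the domain controller can test the single ACCOUNTDISABLE bit (value 2) itself through the LDAP bitwise-AND matching rule, so accounts with any combination of the other flags are still returned. The attribute list and output path are assumptions; the matching-rule OID is the standard LDAP_MATCHING_RULE_BIT_AND.

```powershell
# Added example (not from the original thread): let the DC do the filtering.
# The extensible-match rule 1.2.840.113556.1.4.803 (LDAP_MATCHING_RULE_BIT_AND)
# is true when all bits of the given value are set in the attribute, so the
# negated clause below keeps only objects whose ACCOUNTDISABLE bit is clear.
$ACCOUNTDISABLE = 2
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:1.2.840.113556.1.4.803:=$ACCOUNTDISABLE)))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
$searcher.PageSize = 1000   # turn on paged results; a DC serves at most MaxPageSize (default 1000) per page
# Only fetch the attributes we output; otherwise every attribute of every user is returned.
'name', 'mail', 'distinguishedName', 'memberOf', 'userAccountControl' |
    ForEach-Object { [void]$searcher.PropertiesToLoad.Add($_) }

$results = $searcher.FindAll()
try {
    $results | ForEach-Object {
        $p = $_.Properties   # ResultPropertyCollection; keys are lower-case
        [pscustomobject]@{
            Name               = [string]$p['name']
            Mail               = [string]$p['mail']          # empty string when the attribute is absent
            Path               = $_.Path                      # LDAP path of the object
            DistinguishedName  = [string]$p['distinguishedname']
            MemberOf           = ($p['memberof'] | Sort-Object) -join ';'
            UserAccountControl = [int][string]$p['useraccountcontrol']
        }
    } | Export-Csv -Path .\adusers-enabled.csv -NoTypeInformation   # path is an assumption
}
finally {
    $results.Dispose()   # SearchResultCollection keeps the LDAP connection until disposed
}
```

Reading attributes from `SearchResult.Properties` avoids the extra round trip per object that `GetDirectoryEntry()` costs, and `(objectCategory=person)(objectClass=user)` is the usual way to exclude computer and contact objects from a user search.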
 
GusGallows commented:
On a side note, the following function can take any userAccountControl number and check it to see if it is disabled or enabled:
 
Function CheckDisabled ($UAC)
{
	$binVal = [convert]::ToString($UAC,2)
	$bit2 = $binval.Substring($binVal.Length -2, 1)
	if ($bit2 -eq '0')
	{
		Return "Disabled"
	}
	Else
	{
		Return "Enabled"
	}
}


If you pass the value of the user's UserAccountControl to the function, it will return whether it is enabled or disabled. It basically converts the number to binary, and then checks to see if the value in the second bit is a 1 (disabled) or a 0 (enabled). You may be able to work that function into your script like so:
 
Function CheckDisabled ($UAC)
{
	$binVal = [convert]::ToString($UAC,2)
	$bit2 = $binval.Substring($binVal.Length -2, 1)
	if ($bit2 -eq '0')
	{
		Return "Disabled"
	}
	Else
	{
		Return "Enabled"
	}
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")
$searcher.PageSize = 100000
### Call the function in parentheses, otherwise "-eq" and "Enabled" are passed to it as extra arguments instead of comparing its result
$searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() } | where {(CheckDisabled ([string]$_.userAccountControl)) -eq "Enabled"} | select Name, Mail, Path, DistinguishedName, memberOf, userAccountControl > adusers.txt


I am not 100% sure this will work this way, but it should give you some room to figure it out. I will keep working on it on my end to see if I can get the function to work properly from within the where statement.
 
GusGallows commented:
Here I go again. The if statement above should say the following:
if ($bit2 -eq '1')

1 equals disabled, 0 equals enabled.

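Added example, not part of GusGallows' replies: the same bit-2 test written as a bitwise AND, which makes the 0/1 mix-up above impossible to get wrong by position and also covers the values where the binary-string slice fails (for userAccountControl 0 or 1 the binary string is a single character, so `Substring($binVal.Length - 2, 1)` throws). The check cases are constructed from the values quoted in the thread; the function name is an assumption.

```powershell
# Added example (not from the original thread): test the ACCOUNTDISABLE bit
# with -band instead of slicing the binary string representation.
$ACCOUNTDISABLE = 2   # UF_ACCOUNTDISABLE: bit value 2 of userAccountControl

function Test-UacDisabled {
    param([Parameter(Mandatory)] $UAC)
    # DirectoryEntry returns a PropertyValueCollection; [string] then [int]
    # turns a one-element collection, a numeric string or an int into a number.
    $value = [int][string]$UAC
    return [bool]($value -band $ACCOUNTDISABLE)
}

# Constructed self-check: each pair is (userAccountControl value, expected "disabled" result).
$cases = @(
    @(512,    $false), @(514,    $true),
    @(66048,  $false), @(66050,  $true),
    @(66080,  $false), @(66082,  $true),
    @(524288, $false), @(590336, $false),
    @(0,      $false), @(1,      $false),   # one-character binary strings; Substring(-1, 1) would throw
    @(2,      $true)
)
foreach ($case in $cases) {
    $uac, $expected = $case
    $actual = Test-UacDisabled $uac
    if ($actual -ne $expected) { throw "UAC $uac: expected disabled=$expected, got $actual" }
}
"All $($cases.Count) userAccountControl cases passed"
```

In the pipeline from the earlier reply the filter then becomes `where { -not (Test-UacDisabled $_.userAccountControl) }`, with no string comparison against "Enabled" or "Disabled".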
 
FAL-Illinois (Author) commented:
GusGallows, thank you for the excellent answer, the UserAccountControl is exactly what I was looking for.
 
GusGallows commented:
You're welcome. Just one more thing. I figured out how to do it without having to manually put in each UAC. Check this out.
 
Function CheckDisabled ($UAC)
{
	### Cast to [int] so the (Int32, toBase) overload is picked even when a string is passed in
	$binVal = [convert]::ToString([int]$UAC,2)
	### Second-to-last character of the binary string is the ACCOUNTDISABLE bit (value 2)
	$bit2 = $binval.Substring($binVal.Length -2, 1)
	Return $bit2
}

$out = "C:\ADUsers.txt"
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")
$searcher.PageSize = 100000
$ADUsers = $searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() }

foreach ($ADUser in $ADUsers)
{
	$aduac = [String]$aduser.userAccountControl
	$res = CheckDisabled $aduac
	if ($res -eq "0")
	{
		$name = "Name: " + $ADUser.Name
		$Mail = "Mail: " + $ADUser.Mail
		$Path = "Path: " + $ADUser.Path
		$DN = "DistinguishedName: " + $ADUser.DistinguishedName
		$memberof = "MemberOf: " + $ADUser.MemberOf
		out-file $out -inputobject $name -Append
		out-file $out -inputobject $Mail -Append
		out-file $out -inputobject $Path -Append
		out-file $out -inputobject $DN -Append
		out-file $out -inputobject $MemberOf -Append
		out-file $out -inputobject "--------------------------------------------------------" -Append
	}

}



I like this format better. :)