How do I list only active (non-disabled) AD user accounts in PowerShell?

I have a PowerShell script to dump all AD user accounts to a text file, but I'd like to take this script a step further and only list the accounts that are not disabled. How would I go about this? What I have so far is below:

### Set up search in AD for just user accounts
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")

### List each of the objects for name, mail, ldap path, distinguished name and member of
$searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() } | select Name, Mail, Path, DistinguishedName, memberOf > adusers.txt


FAL-Illinois asked:

MNH1966 commented:
If you're using the AD Module for PowerShell, you could use:

Get-ADUser -Filter {Enabled -Eq $False}

Pipe it to for instance Format-Table and add the properties you want to see.
For a list of all properties, try:
Get-ADUser -Filter {Name -Eq "John"} -Properties *

Of course you have to fill in the name of an existing user ;)
In any case, the property you're looking for is Enabled and the value is either True or False.

GusGallows commented:
Using the DirectorySearcher, you can use the UserAccountControl attribute to strip out the disabled accounts. Basically, if you understand binary, if the second bit is on, then it is disabled. The following is a small list of values used by the UserAccountControl as laid out in the following article:
http://support.microsoft.com/kb/305144
2 - Account Disabled 0000000000000010
512 - Enabled Normal Account 000100000000
514 - Disabled Normal Account 000100000010
66048 - Enabled Normal Account with non expiring password 0001000100000000
66050 - Disabled Normal Account with non expiring password 0001000100000010
66080 - Enabled Normal Account with Non Expiring password and Password not required 0001000100010000
66082 - Disabled Normal Account with Non Expiring password and Password not required 0001000100010010
524288 - Trusted for Delegation Enabled Normal Account with non expiring password 1001000100000000

So if you convert the userAccountControl to binary, you can see whether it is disabled or not: it is disabled if its last two bits are 10.

But to simplify, using the most common settings (512, 66048, 66080, and 524288), you can do the following in your script to make it only output the enabled accounts.
### Set up search in AD for just user accounts
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")

### List each of the objects for name, mail, ldap path, distinguished name and member of
$searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() } | where {((($_.userAccountControl -eq '512') -or ($_.userAccountControl -eq '66048')) -or (($_.userAccountControl -eq '66080') -or ($_.userAccountControl -eq '590336')))}| select Name, Mail, Path, DistinguishedName, memberOf, userAccountControl > adusers2.txt



If you add the UserAccountControl to your select statement without making any other changes you can see which settings you have. I would wager most are 512, 514, 66048, or 66050.

Check out the article for other combinations of UACs.

GusGallows commented:
On a side note, the following function can take any userAccountControl number and check it to see if it is disabled or enabled:
 
Function CheckDisabled ($UAC)
{
	$binVal = [convert]::ToString($UAC,2)
	$bit2 = $binval.Substring($binVal.Length -2, 1)
	if ($bit2 -eq '0')
	{
		Return "Disabled"
	}
	Else
	{
		Return "Enabled"
	}
}


If you pass the value of the user's UserAccountControl to the function, it will return whether it is enabled or disabled. It basically converts the number to binary, and then checks to see if the value in the second bit is a 1 (disabled) or a 0 (enabled). You may be able to work that function into your script like so:
 
Function CheckDisabled ($UAC)
{
	$binVal = [convert]::ToString($UAC,2)
	$bit2 = $binval.Substring($binVal.Length -2, 1)
	if ($bit2 -eq '0')
	{
		Return "Disabled"
	}
	Else
	{
		Return "Enabled"
	}
}

$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")
$searcher.PageSize = 100000
# The function call is parenthesised so that its result, not the bare arguments, is compared with "Enabled"
$searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() } | where {(CheckDisabled $_.userAccountControl) -eq "Enabled"} | select Name, Mail, Path, DistinguishedName, memberOf, userAccountControl > adusers.txt


I am not 100% sure this will work this way, but it should give you some room to figure it out. I will keep working on it on my end to see if I can get the function to work properly from within the where statement.

GusGallows commented:
Here I go again. The if statement above should say the following:
if ($bit2 -eq '1')

1 equals disabled, 0 equals enabled.

FAL-Illinois (author) commented:
GusGallows, thank you for the excellent answer, the UserAccountCode is exactly what I was looking for.

GusGallows commented:
You're welcome. Just one more thing. I figured out how to do it without having to manually put in each UAC. Check this out.
 
Function CheckDisabled ($UAC)
{
	$binVal = [convert]::ToString($UAC,2)
	$bit2 = $binval.Substring($binVal.Length -2, 1)
	Return $bit2
}

$out = "C:\ADUsers.txt"
$searcher = New-Object System.DirectoryServices.DirectorySearcher("(objectCategory=User)")
$searcher.PageSize = 100000
$ADUsers = $searcher.FindAll() | ForEach-Object{ $_.GetDirectoryEntry() }

foreach ($ADUser in $ADUsers)
{
	$aduac = [String]$aduser.userAccountControl
	$res = CheckDisabled $aduac
	if ($res -eq "0")
	{
		$name = "Name: " + $ADUser.Name
		$Mail = "Mail: " + $ADUser.Mail
		$Path = "Path: " + $ADUser.Path
		$DN = "DistinguishedName: " + $ADUser.DistinguishedName
		$memberof = "MemberOf: " + $ADUser.MemberOf
		out-file $out -inputobject $name -Append
		out-file $out -inputobject $Mail -Append
		out-file $out -inputobject $Path -Append
		out-file $out -inputobject $DN -Append
		out-file $out -inputobject $MemberOf -Append
		out-file $out -inputobject "--------------------------------------------------------" -Append
	}

}



I like this format better. :)
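The thread decodes userAccountControl by converting it to a binary string and slicing out one character, and filters client-side after pulling every user. As an added example that is not code from the thread, the script below tests the documented UAC bits with -band instead, asks the domain controller to exclude disabled accounts up front via the LDAP bitwise-AND matching rule, and reports two settings an auditor would want next to each enabled account. It assumes it runs on a domain-joined host (DirectorySearcher defaults to the current domain); the function names and the output file name are my own.

```powershell
# Added example, not from the thread: bit-mask decoding of userAccountControl and
# server-side exclusion of disabled accounts. Flag values are the documented
# UserAccountControl bits (KB 305144).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x00002
    PASSWD_NOTREQD         = 0x00020
    NORMAL_ACCOUNT         = 0x00200
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
}

# Names of the flags set in a UAC value; 66082 -> ACCOUNTDISABLE, PASSWD_NOTREQD,
# NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD
function ConvertFrom-Uac ([int]$Uac) {
    foreach ($f in $UacFlags.GetEnumerator()) {
        if (($Uac -band $f.Value) -ne 0) { $f.Key }
    }
}

# True when bit 2 (ACCOUNTDISABLE) is set; no binary-string slicing needed
function Test-UacDisabled ([int]$Uac) {
    ($Uac -band $UacFlags.ACCOUNTDISABLE) -ne 0
}

# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND, so the negated clause keeps
# only objects whose ACCOUNTDISABLE bit is clear. objectClass=user is added because
# objectCategory=person on its own also matches contact objects.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
$searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
$searcher.PageSize = 1000   # paged search; a DC hands back at most MaxPageSize (default 1000) per page
[void]$searcher.PropertiesToLoad.AddRange(
    @('name', 'mail', 'distinguishedName', 'memberOf', 'userAccountControl'))

$searcher.FindAll() | ForEach-Object {
    $p   = $_.Properties                      # ResultPropertyCollection; keys are lower-case
    $uac = [int]@($p['useraccountcontrol'])[0]
    [pscustomobject]@{
        Name                 = [string]@($p['name'])[0]
        Mail                 = [string]@($p['mail'])[0]
        Path                 = $_.Path
        DistinguishedName    = [string]@($p['distinguishedname'])[0]
        MemberOf             = @($p['memberof']) -join ';'
        UserAccountControl   = $uac
        Flags                = (ConvertFrom-Uac $uac) -join ','
        # audit columns: settings that weaken an otherwise enabled account
        PasswordNotRequired  = ($uac -band $UacFlags.PASSWD_NOTREQD) -ne 0
        PasswordNeverExpires = ($uac -band $UacFlags.DONT_EXPIRE_PASSWORD) -ne 0
    }
} | Export-Csv -Path adusers.csv -NoTypeInformation
```

Because the disabled-account test happens in the LDAP filter, the script never has to enumerate the 512/66048/66080 combinations by hand, and Test-UacDisabled gives the same answer as the thread's CheckDisabled for any UAC value, including ones below 2.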