Pau Lo

AD reports

A few more questions for you AD gurus if I may:

1) Is there any setting against an AD account to determine whether it can interactively log in or it can’t? If so, how can you run a report of which accounts can log in, and which can’t?

2) Do expired accounts, i.e. those only set up for say 1 month for a temp member of staff, have any symbol by them in AD users and computers, or if not…. how can you identify which accounts are expired (but not disabled). Or if you put a date in account expires, when that date comes around, does it automatically go into “disabled”? I need an accurate list of which accounts are “active”, and which are disabled/expired. And some insight into the difference between expired and disabled.

3) Are there any tools to run a report, for all accounts with non-expiring passwords ONLY, to list the following fields (login name, date of last login, account created date, date password last set)?
ASKER CERTIFIED SOLUTION
Krzysztof Pytko
This solution is only available to members.
Pau Lo

ASKER

Thanks again, do you have syntax for 3 at all? Are you referring to dsquery?
Please try this software, it will help: ADManager Plus, ADAudit Plus. With these you can manage your complete AD.

Download link is below.

AD Manager.

(http://www.manageengine.com/products/ad-manager/index.html)

AD Audit plus.
http://www.manageengine.com/products/active-directory-audit/index.html
Pau Lo

ASKER

They're not free though, so if a free tool can do the same I'll go with the freebie
Yes, we can try to address that over dsquery and if it would not work then you will decide if you wish to use ADInfo or PowerShell.

Just give me a second to prepare a syntax for you

Krzysztof
So, to see user account expiration use
dsquery user -name * -limit 0 | dsget user -samid -fn -ln -acctexpires >>c:\expires.txt

for disabled accounts
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))" -limit 0 -attr sAMAccountName givenName sn >>c:\disabled.txt

for enabled accounts
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -limit 0 -attr sAMAccountName givenName sn >>c:\enabled.txt

Krzysztof
Pau Lo

ASKER

Is there any way for 1 single report to output all accounts with non-expiring passwords, and just list login name, date of last login, account created date, date password last set per account?
With DSQUERY, no :/ It's a limited tool and does not support output in a human-readable date/time format :)

However, if you wish, we may try to create a single report, but you need to use other tools to convert the date and time

Krzysztof
Pau Lo

ASKER

Is there no way to do it in AD users and comps?
You can use saved queries but output would not be ideal because many attributes won't be displayed.

For that you should use PowerShell, which allows for that in much easier steps

Krzysztof
Pau Lo

ASKER

Do you have an example powershell?
I would prepare an example in Quest PowerShell module for AD.
Just a second please

Krzysztof
Try that using free Quest PowerShell
http://www.quest.com/powershell/activeroles-server.aspx

Get-QADUser * -SizeLimit 0 | Select SamAccountName,FirstName,LastName,whenCreated,PasswordNeverExpires,LastLogonTimestamp,PasswordLastSet | Export-CSV c:\report.csv

Krzysztof
Does it work as you expected?

Krzysztof
Pau Lo

ASKER

Don't have admin rights to install that tool unfortunately :(
It does not have to be installed on a DC. You may simply run it from your domain member workstation :)

However, if it is still not possible, we can try with DSQUERY

Krzysztof
Pau Lo

ASKER

Yeah only have a workstation to work with so if DSquery can do it can we try that first.
OK, let's try with DSQUERY

Run this code, please
dsquery * -filter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 -attr sAMAccountName givenName sn whenCreated lastLogonTimestamp pwdLastSet >>c:\neverexpires.txt

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))" -limit 0 -attr sAMAccountName givenName sn whenCreated lastLogonTimestamp pwdLastSet >>c:\pwdexpires.txt

All those strange values from the output (numbers) you can convert to human-readable format using the w32tm command

i.e.
w32tm /ntte NUMBER_INT_64

For more details about that, please check an article on my blog for lastLogon vs lastLogonTimestamp attributes at
http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Krzysztof
Pau Lo

ASKER

Cheers do I need to put the no limit thing on as there are quite a few expected results
Hey,

I have added -limit 0 to each syntax to get all objects queried. By default only 100 are displayed.

If you expect to get less than 100 results, you can simply skip -limit 0 switch in each command

Krzysztof
Pau Lo

ASKER

Would there be any way to format all the dates in one go?
We can try to use the output file and import it to Excel, then copy the whole column where only numbers are stored and then use a loop to convert them.

If you wish, you may send the output files to my e-mail: kpytko at go2 dot pl
and I will convert it for you and then describe a syntax here (it would be a much easier way :) )

Krzysztof
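
The bulk date conversion asked about above, as an added example that is not part of the original thread: a PowerShell function that rewrites every raw FILETIME number in the dsquery output files to a UTC date, using only .NET classes available in stock Windows PowerShell, so nothing has to be installed. The function name Convert-FileTimeText, the sample rows and the output file name are assumptions made for illustration.

```powershell
# Added example (not from the thread). lastLogonTimestamp and pwdLastSet are
# 64-bit counts of 100-nanosecond intervals since 1601-01-01 UTC, the same
# value that "w32tm /ntte" decodes one number at a time.

function Convert-FileTimeText {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [AllowEmptyString()]          # report files contain blank lines
        [string]$Line
    )
    process {
        # FILETIME values for dates from 1918 onward are exactly 18 digits.
        # Anything else is left untouched: names, the whenCreated column,
        # empty cells (attribute not set) and a bare 0 in pwdLastSet, which
        # means the user must change the password at next logon.
        [regex]::Replace($Line, '(?<!\d)\d{18}(?!\d)', {
            param($match)
            $utc = [DateTime]::FromFileTimeUtc([long]$match.Value)
            $utc.ToString('yyyy-MM-dd HH:mm:ss') + 'Z'
        })
    }
}

# Constructed sample in the shape of c:\neverexpires.txt (not real accounts).
$sample = @(
    '  sAMAccountName  givenName  sn    whenCreated          lastLogonTimestamp  pwdLastSet'
    '  svc_backup      Backup     Svc   01/15/2010 09:12:44  129880800000000000  129080736000000000'
    '  jtemp           Jo         Temp  03/02/2012 14:01:10                      0'
    ''
)
$sample | Convert-FileTimeText

# Against the real report produced by the dsquery command in the thread
# (output file name is hypothetical):
# Get-Content c:\neverexpires.txt | Convert-FileTimeText |
#     Set-Content c:\neverexpires-dates.txt
```

Because the conversion runs locally on the workstation, the account names in the report never have to leave the network.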
Pau Lo

ASKER

Hmmm, probs shouldn't send external, account names are a potential security issue - that's not insinuating anything, just that I should be careful. I will thank you for your help and give points at this stage.
So, just send me a fake file with some lastLogonTimeStamp values and I will show you the general rule for that :)

Krzysztof