• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 555

AD reports

A few more questions for you AD gurus if I may:

1) Is there any setting against an AD account to determine whether it can interactively log in or it can't? If so, how can you run a report of which accounts can log in and which can't?

2) Do expired accounts, i.e. those only set up for say 1 month for a temp member of staff, have any symbol by them in AD Users and Computers, or if not, how can you identify which accounts are expired (but not disabled)? Or if you put a date in "account expires", when that date comes around, does it automatically go into "disabled"? I need an accurate list of which accounts are "active" and which are disabled/expired, and some insight into the difference between expired and disabled.

3) Are there any tools to run a report, for all accounts with non-expiring passwords ONLY, to list the following fields (login name, date of last login, account created date, date password last set)?
Asked:
pma111
1 Solution
 
Krzysztof Pytko (Active Directory Engineer) commented:
Hey PMA,

AD1) Unfortunately not, there is no AD attribute stored in the account properties. This is only defined by Group Policy, and you should review all GPOs to document that accounts

AD2) No, expired accounts do not have a separate icon to display them. They are enabled and unlocked accounts without any visible feature (that's a shame).

To check that you need to use some tools querying AD for it. Microsoft DS Tools, PowerShell or ADInfo would be enough.

AD3) Some of them are given above. You may also try the free Spiceworks, but I don't know if it is helpful in bigger environments (its limit is up to 250 users).

Regards,
Krzysztof
pma111 (Author) commented:
Thanks again, do you have syntax for 3 at all? Are you referring to dsquery?
Sushil Sonawane commented:
Please try this software, it will help: ADManager Plus and ADAudit Plus. Through these you can manage your complete AD.

Download links are below.

AD Manager Plus:
http://www.manageengine.com/products/ad-manager/index.html

AD Audit Plus:
http://www.manageengine.com/products/active-directory-audit/index.html
pma111 (Author) commented:
They're not free though, so if a free tool can do the same I'll go with the freebie.
Krzysztof Pytko (Active Directory Engineer) commented:
Yes, we can try to address that with dsquery, and if it does not work then you can decide whether you wish to use ADInfo or PowerShell.

Just give me a second to prepare the syntax for you.

Krzysztof
Krzysztof Pytko (Active Directory Engineer) commented:
So, to see user account expiration use

dsquery user -name * -limit 0 | dsget user -samid -fn -ln -acctexpires >>c:\expires.txt

for disabled accounts

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2))" -attr sAMAccountName givenName sn >>c:\disabled.txt

for enabled accounts

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" -attr sAMAccountName givenName sn >>c:\enabled.txt

Krzysztof
pma111 (Author) commented:
Is there any way, in one single report, to output all accounts with non-expiring passwords and list just login name, date of last login, account created date and date password last set per account?
Krzysztof Pytko (Active Directory Engineer) commented:
With DSQUERY, no :/ It's a limited tool and does not support output of date/time values in a human-readable format :)

However, if you wish, we may try to create a single report, but you need to use other tools to convert the date and time.

Krzysztof
pma111 (Author) commented:
Is there no way to do it in AD Users and Computers?
Krzysztof Pytko (Active Directory Engineer) commented:
You can use saved queries, but the output would not be ideal because many attributes won't be displayed.

For that you should use PowerShell, which allows for it in much easier steps.

Krzysztof
pma111 (Author) commented:
Do you have an example PowerShell?
Krzysztof Pytko (Active Directory Engineer) commented:
I will prepare an example in the Quest PowerShell module for AD.
Just a second please.

Krzysztof
Krzysztof Pytko (Active Directory Engineer) commented:
Try that using the free Quest PowerShell
http://www.quest.com/powershell/activeroles-server.aspx

Get-QADUser * -SizeLimit 0 | Select SamAccountName,FirstName,LastName,whenCreated,PasswordNeverExpires,LastLogonTimestamp,PasswordLastSet | Export-CSV c:\report.csv

Krzysztof
Krzysztof Pytko (Active Directory Engineer) commented:
Does it work as you expected?

Krzysztof
pma111 (Author) commented:
Don't have admin rights to install that tool unfortunately :(
Krzysztof Pytko (Active Directory Engineer) commented:
It does not have to be installed on a DC. You may simply run it from your domain member workstation :)

However, if it is still not possible, we can try with DSQUERY

Krzysztof
pma111 (Author) commented:
Yeah, I only have a workstation to work with, so if DSquery can do it, can we try that first?
Krzysztof Pytko (Active Directory Engineer) commented:
OK, let's try with DSQUERY.

Run this code, please:

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -limit 0 -attr sAMAccountName givenName sn whenCreated lastLogonTimestamp pwdLastSet >>c:\neverexpires.txt

dsquery * -filter "(&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))" -limit 0 -attr sAMAccountName givenName sn whenCreated lastLogonTimestamp pwdLastSet >>c:\pwdexpires.txt

All those strange values in the output (numbers) you can convert to a human-readable format using the w32tm command, i.e.

w32tm /ntte NUMBER_INT_64

For more details about that, please check the article on my blog about the lastLogon vs lastLogonTimestamp attributes at
http://kpytko.wordpress.com/2012/07/30/lastlogon-vs-lastlogontimestamp/

Krzysztof
pma111 (Author) commented:
Cheers, do I need to put the no-limit thing on, as there are quite a few expected results?
Krzysztof Pytko (Active Directory Engineer) commented:
Hey,

I have added -limit 0 to each syntax so that all objects are queried. By default only 100 are displayed.

If you expect fewer than 100 results, you can simply skip the -limit 0 switch in each command.

Krzysztof
pma111 (Author) commented:
Would there be any way to format all the dates in one go?
Krzysztof Pytko (Active Directory Engineer) commented:
We can try to use the output file and import it into Excel, then copy the whole column where only numbers are stored and use a loop to convert them.

If you wish, you may send the output files to my e-mail: kpytko at go2 dot pl
and I will convert it for you and then describe the syntax here (it would be a much easier way :) )

Krzysztof
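An added example, not from the thread or from any of the tools named in it: given a text file of the kind the dsquery commands above produce, it converts the raw int64 FILETIME numbers for accountExpires, lastLogonTimestamp and pwdLastSet in one pass (the "all the dates in one go" question) and separates expired accounts from disabled ones (the question 2 distinction), since the two states are stored independently. It assumes dsquery was run with -attr sAMAccountName userAccountControl accountExpires lastLogonTimestamp pwdLastSet and that values contain no spaces; the sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone
# Constructed dsquery output; assumes the command was run with
# -attr sAMAccountName userAccountControl accountExpires lastLogonTimestamp pwdLastSet
SAMPLE = """\
sAMAccountName userAccountControl accountExpires lastLogonTimestamp pwdLastSet
jsmith 512 9223372036854775807 129882528000000000 129698496000000000
temp01 512 129882528000000000 129698496000000000 129698496000000000
oldacct 514 0 0 0
svc_backup 66048 0 129698496000000000 116444736000000000
"""

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER = {0, 9223372036854775807}  # AD writes "never" as 0 or INT64 max
ACCOUNTDISABLE = 0x2              # userAccountControl bit matched by the :=2 filter above
DONT_EXPIRE_PASSWORD = 0x10000    # bit matched by the :=65536 filter above

def filetime_to_datetime(value):
    """FILETIME (100 ns ticks since 1601-01-01 UTC) -> aware datetime, None for 'never'."""
    value = int(value)
    if value in NEVER:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=value // 10)

def classify(uac, account_expires, now):
    """'disabled' is a UAC flag, 'expired' is accountExpires in the past; they are independent."""
    status = []
    if uac & ACCOUNTDISABLE:
        status.append("disabled")
    expires = filetime_to_datetime(account_expires)
    if expires is not None and expires <= now:
        status.append("expired")
    if uac & DONT_EXPIRE_PASSWORD:
        status.append("pwd-never-expires")
    return status or ["active"]

def parse_dsquery(text, now=None):
    """Turn dsquery -attr output into rows with readable dates and a status list."""
    now = now or datetime.now(timezone.utc)
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[0] == "sAMAccountName":
            continue  # header line or not a data row
        sam, uac, expires, last_logon, pwd_set = parts
        rows.append({"sam": sam, "status": classify(int(uac), expires, now),
                     "accountExpires": filetime_to_datetime(expires),
                     "lastLogonTimestamp": filetime_to_datetime(last_logon),
                     "pwdLastSet": filetime_to_datetime(pwd_set)})
    return rows
```

Feed it the contents of c:\neverexpires.txt (re-run with the extra attributes) via parse_dsquery(open(path).read()) and write the rows out with the csv module; a lastLogonTimestamp of None means the account has never logged on since the attribute was introduced, not a parsing error.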
pma111 (Author) commented:
Hmmm, probably shouldn't send external account names, they are a potential security issue. That's not insinuating anything, just that I should be careful. I will thank you for your help and give points at this stage.
Krzysztof Pytko (Active Directory Engineer) commented:
So, just send me a fake file with some lastLogonTimeStamp values and I will show you the general rule for that :)

Krzysztof