Finding out the attribute name for a User Account

Hi guys,

I hope you are all well and can assist.

I have attached the following picture so you guys now what attribute I am trying to track down.

What I intend to do with this is to create a script that queries this attribute name for its value across all user accounts in our active directory, so we know how many accounts are using DES for encryption.

The intention is to write a query of something like the below:

dsquery * -filter "(&(objectcategory=user)(name=*))" -attr name <whatever the name of this DES attribute is>


Any help greatly appreciated.
des.bmp
LVL 1
Simon336697Asked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
There is no attribute it is part of useraccountcontrol.  Brian talks about it below

http://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/

I'll write more in the morning about how to find those accounts if no one else responds (need to fire my lab up)

Thanks

Mike
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Simon336697Author Commented:
Thanks so much Mike.
i need to find out how many accounts in Active Directory have this option ticked, as opposed to not ticked.
Thanks again Mike.
0
Mike KlineCommented:
So the useraccountcontrol attribute has values and you add them up for the options you want

http://support.microsoft.com/kb/305144

There is a great spreadsheet that can help with getting that number

http://identityunderground.wordpress.com/2007/11/30/miis-and-ad-useraccountcontrol/

I like to use adfind for things like this (small lightweight tool)

http://www.joeware.net/freetools/tools/adfind/

So the first thing to do is to figure out what the useraccount value is.   To see yourself you  can look at one of your users that have it checked and run

adfind -sc u:NameOfUser useraccountcontrol

that should come back with 2097664.  If you calculate that in the spreadhseet it will also show.  That number is  Normal Account (512) + Use_DES_Key_Only (2097152)

To check for all the users that have it checked

adfind -default -bit -f "&(objectcategory=person)(objectclass=user)(useraccountcontrol:AND:=2097152)" samaccountname

Please let me know how that works.

Thanks

Mike
0
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

Simon336697Author Commented:
that is brilliant info mike. Ill let you know how I go :>)
Thanks so much
0
Simon336697Author Commented:
Mike,

It worked really well!

Thank you that was very helpful.
0
Mike KlineCommented:
Glad to help out.

Thanks

Mike
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Active Directory

From novice to tech pro — start learning today.