[Last Call] Learn about multicloud storage options and how to improve your company's cloud strategy. Register Now


Get list of users who are enabled in a specific AD group using Powershell

Posted on 2016-09-12
Medium Priority
1 Endorsement
Last Modified: 2016-09-12
I have been trying to get this Powershell script to work but I am having unexplained results.

As listed in the title I am trying to user Powershell to query an AD OU for users who are enabled.

Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter {Enabled -eq "true"}

When I run this it consistently lists all users in the group. However I know for sure there are some enabled and some disabled users in the group.

If I switch the parameter to "false" it lists no users.

All users are in the same AD group, so if it helps I can specify that as well.

Any advice on what i need to do to list ONLY enabled users?

Thank in advance!
Question by:cmoerbe
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 6
  • 5
LVL 56

Expert Comment

ID: 41794196
Works here. Please double check.
Also try
Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter {Enabled -eq "false"}

Open in new window

to see if the disabled ones are listed as expected.

Author Comment

ID: 41794211
It tried Enabled -eq false and get zero records.

That's strange that it works as expected for you.

I am going to try it in a different AD environment and see if maybe that changes the results.

I dont really know how the cmd-let is gathering the enabled attribute, as i dont see a disabled/enabled property when using the -Filter *

Will report back soon.
LVL 56

Expert Comment

ID: 41794217
Create a test account there and disable it and retry.
Fill in the form and get your FREE NFR key NOW!

Veeam® is happy to provide a FREE NFR server license to certified engineers, trainers, and bloggers.  It allows for the non‑production use of Veeam Agent for Microsoft Windows. This license is valid for five workstations and two servers.


Author Comment

ID: 41794227
I created 6 test accounts. I then manually logged on / off of a domain computer with each account to fully establish activity with the account.

I then disabled 3 of 6 accounts in AD.

I then tried to log onto a domain computer with one of the disabled accounts to verify the setting took.

Will report back once I try in a different AD environment.
LVL 16

Expert Comment

ID: 41794231
Try this syntax not using the brackets

Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter "Enabled -eq 'false'"

Author Comment

ID: 41794246
I tried without the brackets and get similar responses.

'false' produces no accounts

'true' produces 6 accounts
LVL 56

Accepted Solution

McKnife earned 2000 total points
ID: 41794251
Tell me, what is the result of
net user oneusernamethatshouldbedisabled /domain |findstr active

Open in new window


Author Comment

ID: 41794302
That helped me find the problem.

Im getting error code 5 - access denied (running PS as domain admin)

I closed PS and ran as administrator.....

Now all of the Powershell commands are working and producing the expected results.

Thanks for helping me figure that part out!!!

Author Closing Comment

ID: 41794303
It was a permission issue with Powershell.

Thanks a TON for helping me to figure that out in a round about way.
LVL 56

Expert Comment

ID: 41794421
Say, did you modify the OU security settings? normally, any user may read these attributes.

Author Comment

ID: 41794467
I actually created a new OU / Group / User scenario during this process.

After your question I went and checked the OU permissions with ADSI edit.

It shows domain admins have full rights to the new OU I created.

When I was running Powershell as domain admin it was not generating any permission errors. Just returning either all users or no users.

Then after trying net user command in it immediately threw a permission error. That immediately made me think about Powershell not liking my domain admin approach. Run as administrator though had no problems.

LVL 56

Expert Comment

ID: 41794568
Please quote the complete permission list, there should be read permissions for the group authenticated users and various other entries, not just domain administrators.

Featured Post

Concerto Cloud for Software Providers & ISVs

Can Concerto Cloud Services help you focus on evolving your application offerings, while delivering the best cloud experience to your customers? From DevOps to revenue models and customer support, the answer is yes!

Learn how Concerto can help you.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft Office 365 is a subscriptions based service which includes services like Exchange Online and Skype for business Online. These services integrate with Microsoft's online version of Active Directory called Azure Active Directory.
Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
Sometimes it takes a new vantage point, apart from our everyday security practices, to truly see our Active Directory (AD) vulnerabilities. We get used to implementing the same techniques and checking the same areas for a breach. This pattern can re…

650 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question