Solved

Get list of users who are enabled in a specific AD group using Powershell

Posted on 2016-09-12
Last Modified: 2016-09-12
I have been trying to get this Powershell script to work but I am having unexplained results.

As listed in the title, I am trying to use Powershell to query an AD OU for users who are enabled.

Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter {Enabled -eq "true"}

When I run this it consistently lists all users in the group. However I know for sure there are some enabled and some disabled users in the group.

If I switch the parameter to "false" it lists no users.

All users are in the same AD group, so if it helps I can specify that as well.

Any advice on what I need to do to list ONLY enabled users?

Thanks in advance!
Question by:cmoerbe
12 Comments
 
LVL 53

Expert Comment

by:McKnife
Works here. Please double check.
Also try
Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter {Enabled -eq "false"}

to see if the disabled ones are listed as expected.
0
 

Author Comment

by:cmoerbe
I tried Enabled -eq false and get zero records.

That's strange that it works as expected for you.

I am going to try it in a different AD environment and see if maybe that changes the results.

I don't really know how the cmdlet is gathering the enabled attribute, as I don't see a disabled/enabled property when using the -Filter *

Will report back soon.
0
 
LVL 53

Expert Comment

by:McKnife
Create a test account there and disable it and retry.
0
 

Author Comment

by:cmoerbe
I created 6 test accounts. I then manually logged on / off of a domain computer with each account to fully establish activity with the account.

I then disabled 3 of 6 accounts in AD.

I then tried to log onto a domain computer with one of the disabled accounts to verify the setting took.

Will report back once I try in a different AD environment.
0
 
LVL 16

Expert Comment

by:FOX
Try this syntax not using the brackets

Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter "Enabled -eq 'false'"
0
 

Author Comment

by:cmoerbe
I tried without the brackets and get similar responses.

'false' produces no accounts

'true' produces 6 accounts
0
 
LVL 53

Accepted Solution

by:
McKnife earned 500 total points
Tell me, what is the result of
net user oneusernamethatshouldbedisabled /domain |findstr active

?
0
 

Author Comment

by:cmoerbe
That helped me find the problem.

I'm getting error code 5 - access denied (running PS as domain admin)

I closed PS and ran as administrator.....

Now all of the Powershell commands are working and producing the expected results.

Thanks for helping me figure that part out!!!
0
 

Author Closing Comment

by:cmoerbe
It was a permission issue with Powershell.

Thanks a TON for helping me to figure that out in a roundabout way.
0
 
LVL 53

Expert Comment

by:McKnife
Say, did you modify the OU security settings? Normally, any user may read these attributes.
0
 

Author Comment

by:cmoerbe
I actually created a new OU / Group / User scenario during this process.

After your question I went and checked the OU permissions with ADSI edit.

It shows domain admins have full rights to the new OU I created.

When I was running Powershell as domain admin it was not generating any permission errors. Just returning either all users or no users.

Then after trying the net user command in it, it immediately threw a permission error. That immediately made me think about Powershell not liking my domain admin approach. Run as administrator though had no problems.

Odd?
0
 
LVL 53

Expert Comment

by:McKnife
Please quote the complete permission list; there should be read permissions for the group authenticated users and various other entries, not just domain administrators.
0
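
An added example, not part of the thread: a PowerShell check built from the thread's outcome, where the Enabled filter gave wrong results until PowerShell was run as administrator. It warns when the session is not elevated, classifies each account from the raw userAccountControl value (the ACCOUNTDISABLE flag, 0x2) and compares that with the server-side Enabled filter. The function name Test-Elevated and the 'Unreadable' label are this example's own; the OU is the one from the question.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

$SearchBase     = 'OU=Example,DC=company,DC=net'   # OU from the question
$ACCOUNTDISABLE = 0x2                               # userAccountControl flag: account disabled

function Test-Elevated {
    # True when the current token has the local Administrators group enabled
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

if (-not (Test-Elevated)) {
    Write-Warning 'Session is not elevated; in the thread this produced wrong Enabled results.'
}

# Fetch every user with the raw attribute and classify client-side,
# so an attribute that cannot be read shows up instead of being hidden by the filter.
$users = Get-ADUser -SearchBase $SearchBase -Filter * -Properties userAccountControl

$report = foreach ($u in $users) {
    $uac = $u.userAccountControl
    if ($null -eq $uac) {
        $state = 'Unreadable'          # label chosen for this example
    } elseif ($uac -band $ACCOUNTDISABLE) {
        $state = 'Disabled'
    } else {
        $state = 'Enabled'
    }
    [pscustomobject]@{
        SamAccountName     = $u.SamAccountName
        UserAccountControl = $uac
        State              = $state
    }
}

# Cross-check against the server-side filter used in the question
$filtered = @(Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true')
$local    = @($report | Where-Object { $_.State -eq 'Enabled' })

if ($filtered.Count -ne $local.Count) {
    Write-Warning ("Filter returned {0} enabled users, userAccountControl says {1}." -f
        $filtered.Count, $local.Count)
}

$report | Sort-Object State, SamAccountName | Format-Table -AutoSize
```

A mismatch warning or any 'Unreadable' row means the session could not read the attribute the filter depends on, which is the point to check elevation and the OU's read permissions before trusting the list.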
