Get list of users who are enabled in a specific AD group using Powershell

I have been trying to get this Powershell script to work but I am having unexplained results.

As listed in the title I am trying to use Powershell to query an AD OU for users who are enabled.

Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter {Enabled -eq "true"}

When I run this it consistently lists all users in the group. However I know for sure there are some enabled and some disabled users in the group.

If I switch the parameter to "false" it lists no users.

All users are in the same AD group, so if it helps I can specify that as well.

Any advice on what I need to do to list ONLY enabled users?

Thanks in advance!
1
cmoerbe
Asked:
cmoerbe
1 Solution
 
McKnife Commented:
Works here. Please double check.
Also try
Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter {Enabled -eq "false"}

to see if the disabled ones are listed as expected.
0
 
cmoerbe Author Commented:
I tried Enabled -eq false and got zero records.

That's strange that it works as expected for you.

I am going to try it in a different AD environment and see if maybe that changes the results.

I don't really know how the cmdlet is gathering the enabled attribute, as I don't see a disabled/enabled property when using the -Filter *

Will report back soon.
0
 
McKnife Commented:
Create a test account there and disable it and retry.
0
 
cmoerbe Author Commented:
I created 6 test accounts. I then manually logged on / off of a domain computer with each account to fully establish activity with the account.

I then disabled 3 of 6 accounts in AD.

I then tried to log onto a domain computer with one of the disabled accounts to verify the setting took.

Will report back once I try in a different AD environment.
0
 
FOX Active Directory/Exchange Engineer Commented:
Try this syntax not using the brackets

Get-ADUser -SearchBase "OU=Example,DC=company,DC=net" -Filter "Enabled -eq 'false'"
0
 
cmoerbe Author Commented:
I tried without the brackets and get similar responses.

'false' produces no accounts

'true' produces 6 accounts
0
 
McKnife Commented:
Tell me, what is the result of
net user oneusernamethatshouldbedisabled /domain |findstr active

?
0
 
cmoerbe Author Commented:
That helped me find the problem.

I'm getting error code 5 - access denied (running PS as domain admin)

I closed PS and ran as administrator.....

Now all of the Powershell commands are working and producing the expected results.

Thanks for helping me figure that part out!!!
0
 
cmoerbe Author Commented:
It was a permission issue with Powershell.

Thanks a TON for helping me to figure that out in a roundabout way.
0
 
McKnife Commented:
Say, did you modify the OU security settings? Normally, any user may read these attributes.
0
 
cmoerbe Author Commented:
I actually created a new OU / Group / User scenario during this process.

After your question I went and checked the OU permissions with ADSI edit.

It shows domain admins have full rights to the new OU I created.

When I was running Powershell as domain admin it was not generating any permission errors. Just returning either all users or no users.

Then after trying the net user command in it, it immediately threw a permission error. That immediately made me think about Powershell not liking my domain admin approach. Run as administrator though had no problems.

Odd?
0
 
McKnife Commented:
Please quote the complete permission list, there should be read permissions for the group authenticated users and various other entries, not just domain administrators.
0
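Added example (not part of the thread and not any participant's code): a PowerShell check for the symptom reported above, where the Enabled filter returned all users or none without raising an error until the session was run as administrator. It assumes the ActiveDirectory module is installed and that an account whose userAccountControl attribute cannot be read comes back with an empty Enabled property; the function names are hypothetical, and the OU path is the one from the question.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical helper: is this PowerShell session running with an elevated token?
function Test-SessionElevated {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

# Hypothetical helper: fetch every user in the OU with no server-side Enabled filter,
# then classify each one client-side so unreadable accounts are visible, not miscounted.
function Get-OUUserEnabledState {
    param(
        [Parameter(Mandatory)] [string] $SearchBase
    )
    Get-ADUser -SearchBase $SearchBase -Filter * -Properties userAccountControl |
        ForEach-Object {
            # Assumption: Enabled is $null when userAccountControl could not be read.
            $state = if ($null -eq $_.Enabled) { 'Unreadable' }
                     elseif ($_.Enabled)       { 'Enabled' }
                     else                      { 'Disabled' }
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                State          = $state
            }
        }
}

if (-not (Test-SessionElevated)) {
    Write-Warning 'Session is not elevated; results may reflect reduced read access.'
}

# OU path taken from the question; replace with your own.
$results = Get-OUUserEnabledState -SearchBase 'OU=Example,DC=company,DC=net'

# Summary: any count under "Unreadable" means the Enabled filter cannot be trusted here.
$results | Group-Object State | Select-Object Name, Count

$unreadable = @($results | Where-Object State -eq 'Unreadable')
if ($unreadable.Count -gt 0) {
    Write-Warning "$($unreadable.Count) account(s) returned no Enabled value; check session elevation and OU read permissions."
}

# The list the question asked for: only accounts confirmed as enabled.
$results | Where-Object State -eq 'Enabled'
```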
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Problems using Powershell and Active Directory?

Managing Active Directory does not always have to be complicated.  If you are spending more time trying instead of doing, then it's time to look at something else. For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why

  • 6
  • 5
Tackle projects and never again get stuck behind a technical roadblock.
Join Now