RSS

List all Active users in a domain

02 Jul

These Sarbane-Oxley auditors always come around asking for many information every year. At here they always asked list of all active (and disabled) user accounts in all domains in our company.

You can get this list for a given Active Directory domain in two ways, one GUI way and my favorite Script way.

Before we go into how to get the results, I have to explain what "userAccountControl" property means. Every object in Active Directory has "userAccountControl" property which has a numerical value. The following are the list of "userAccountControl" values and what that means. This table of information is list at How to use the UserAccountControl flags to manipulate user account properties

 

Property flag

Value in hexadecimal

Value in decimal

SCRIPT

0×0001

1

ACCOUNTDISABLE

0×0002

2

HOMEDIR_REQUIRED

0×0008

8

LOCKOUT

0×0010

16

PASSWD_NOTREQD

0×0020

32

PASSWD_CANT_CHANGE
Note You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the "Property flag descriptions" section.

0×0040

64

ENCRYPTED_TEXT_PWD_ALLOWED

0×0080

128

TEMP_DUPLICATE_ACCOUNT

0×0100

256

NORMAL_ACCOUNT

0×0200

512

INTERDOMAIN_TRUST_ACCOUNT

0×0800

2048

WORKSTATION_TRUST_ACCOUNT

0×1000

4096

SERVER_TRUST_ACCOUNT

0×2000

8192

DONT_EXPIRE_PASSWORD

0×10000

65536

MNS_LOGON_ACCOUNT

0×20000

131072

SMARTCARD_REQUIRED

0×40000

262144

TRUSTED_FOR_DELEGATION

0×80000

524288

NOT_DELEGATED

0×100000

1048576

USE_DES_KEY_ONLY

0×200000

2097152

DONT_REQ_PREAUTH

0×400000

4194304

PASSWORD_EXPIRED

0×800000

8388608

TRUSTED_TO_AUTH_FOR_DELEGATION

0×1000000

16777216

 

If you look at the table, you can list the account with many categories.  Now let me show you how list the active users in GUI Way.

List the Active users using "Active Directory Users and Computers" console

1. Open Active Directory Users and Computers console, obviously

2. In left hand side of the Tree, Right click on "Saved Queries" and select "New Query"

Capture1

3. Type the Name of the Query and nice description as above. Click on Define Query button.

4. Select Custom Search in Find drop-down box. Click on Advanced tab. Paste the following Query in "Enter LDAP Query" box.

(&(&(objectCategory=user)(userAccountControl=512)))

Note the UserAccountControl value I put here is 512 which is "Active Account". 514 means disabled account. Refer the above table.

Capture2

5. Click OKs to close the dialog boxes.

6. You will see the results in right hand side when you select this query. To export to a file, right click on the query name (e.g., Active Accounts) and select "Export to a file".

Note: You can select more columns (in View menu) like First Name, Last Name, City, etc., before you export to file.

 

List Active users using VBScript

Modify the following script to your needs. Look for the comment where you have to type your domain name in this script.

Note: You can modify the following script (or above GUI query) to get many different lists of information. E.g., Accounts with expired password value is 8388608. If you find this information useful, please leave me a comment.

‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
‘*-*  Script Name: ListActiveUserAccounts.vbs
‘*-*  Description: This script lists all active and disabled accounts in a
‘*-*  in a specified active directory domain. I also save the list in a CSV file.
‘*-*  Written by: Anand Venkatachalapathy
‘*-*  Date Written: July 1st 2008
‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

On Error Resume Next

Dim fso
Dim hFile
Dim strContainer, sStatus
Dim objConnection, objCommand, objRecordSet

‘Create a CSV text file for saving the results
Set fso = CreateObject("Scripting.FileSystemObject")
Set hFile = fso.CreateTextFile("Domain Name – Active Accounts.csv", True)
hFile.WriteLine "A/C Status" & chr(9) & " User Name" & chr(9) & "Account Name" & _
                chr(9) & "Description"

‘ Set the query settings
Const ADS_SCOPE_SUBTREE = 2
strContainer = "DC=company,DC=com"    ‘<<<<<<REPLACE YOUR DOMAIN NAME HERE

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = ("ADsDSOObject")
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Page Size") = 3000
objCommand.CommandText = _
  "SELECT CN,sAMAccountName,userAccountControl,description " _
   & "FROM ‘LDAP://" & strContainer & "’ " _
   & "WHERE objectCategory=’user’ "

‘Execute the Query
Set objRecordSet = objCommand.Execute

‘List the results into a CSV file
i = 1
Do Until objRecordSet.EOF
  arrDes = objRecordSet.Fields("description").Value
  If objRecordSet.Fields("userAccountControl").Value = "514" Then
    sStatus = "Disabled"
  Else
    sStatus = "       "
  End If
  WSCript.Echo sStatus,objRecordSet.Fields("CN").Value, _
          objRecordSet.Fields("sAMAccountname").Value, arrDes(0)
  hFile.WriteLine sStatus & chr(9) & objRecordSet.Fields("CN").Value & _
          Chr(9) & objRecordSet.Fields("sAMAccountname").Value & chr(9) & arrDes(0)
  objRecordSet.MoveNext
Loop

hFile.Close
‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

About these ads
 
25 Comments

Posted by on July 2, 2008 in Uncategorized

 

25 responses to “List all Active users in a domain

  1. Abimbola

    November 30, 1999 at 12:00 am

    How can i add more columns like first name and last name

     
    • anandthearchitect

      May 7, 2011 at 3:14 am

      If you are using Active Directory Users and Computers, you can add more columns (check View menu). If use the script, it already has first name and last name in the results (using listing CN – canonical name).

       
  2. Spoke

    November 19, 2008 at 2:47 pm

    Great script, thanks.  I knew about disabled accounts, but not the enabled or normal accounts.

     
  3. Velu

    March 16, 2011 at 6:05 pm

    HI , I want to get list of NEP active accounts in a domain.. what is the command i need to put in Enter LDAP Query box.

     
    • anandthearchitect

      March 16, 2011 at 6:10 pm

      What do you mean by NEP active accounts?

       
      • velu

        March 17, 2011 at 2:29 am

        non expiring password Accounts

         
  4. anandthearchitect

    March 17, 2011 at 8:51 pm

    OK..now I understand. Accounts set their password not to expire. You got to be clear when asking questions.

    Use this query:
    (&(&(objectCategory=user)(userAccountControl=66048)))

     
  5. Chibizo

    March 29, 2011 at 4:47 pm

    This really works man thank u so much..

     
  6. Cathy O

    August 31, 2011 at 6:19 pm

    Great information – thank you for sharing. Any way to add the user account security group into the query. Auditing queries for all active user accounts and security groups.

     
  7. Noman

    September 21, 2011 at 1:35 pm

    hi
    i want to know something about update the userAccountControl to set value
    DONT_EXPIRE_PASSWORD (65536).
    can you tell me how i can run this script on any OU.

    ex:i create user account (70k) from my code and i forgot to add the DONT_EXPIRE_PASSWORD so because of this field every month password expired.
    what i want execute some query on OU so that all the previously created accounts value set to be userAccountControl=65536 not for previous but if any new user will create in this OU that value automatically applied to his/her account.

    i need something related to AD not with VB script.
    really appreciate if you help me

     
  8. Mic

    January 13, 2012 at 11:08 pm

    I just can’t get it to work. No output to file, not screen output… nothing

     
  9. bhaskar

    February 7, 2012 at 3:44 pm

    Hi Anand,

    Your script is very good but i want the output in a excel sheet for Active users in the following format:-

    First name: givenName
    Last name: sn
    NT ID: sAMAccountName
    Region and Site: ?? (possibly distinguishedName, or maybe department, or the address fields: l, st, c)
    Email ID: mail
    PS ID: (PS id means its like identifaction number means for every employee will be having a id number).
    Full Address: streetAddress, l, st, c

    And one important thing is We are having contractors also but i should get only permanent emplyee details and for your information we are having different ous for employess and contractors)
    And also i want it for only active enabled users.Mainly i should get the output in excel format.And i should run the script from a remote machine.
    Your help in this is very apprecited as iam dialy doing it manually.

     
  10. Satinder Loriya

    March 23, 2012 at 5:45 am

    Hi,

    I tried to get disbled list, but it did not show me complete result. I followed the complete process described above. I am using windows 2003 Server SP2

     
  11. bahar

    June 27, 2012 at 7:37 am

    tanx so much but How can i see the users that already loging on to a domain our loging out?!

     
  12. dr. no

    July 13, 2012 at 6:50 am

    thank you!

     
  13. Zee Love

    August 2, 2012 at 7:36 am

    I tried this GUI and script. There are multiple users they wont show in Active or Disabled link. I am unable to find any common reason. Please help.

     
  14. Henrik

    December 18, 2012 at 2:44 pm

    Hi and thank you for good information! I actually want a list of active users.. I mean not just active like, right now at the moment, but more like, active with in the last week or maybe month. Do you understand what I mean? We have like 1400 users within the domain but all of them isn’t really working here anymore.. I want to know who’s really are in need of a domain user account and who’s not. Hope you understand my question =) Regards

     
    • anandthearchitect

      December 19, 2012 at 3:55 am

      This can be easily done in Power Shell. Copy and past the following code into notepad, and save as ActiveUsers.ps1. Run this file from the powershell like a batch file.

      Import-Module ActiveDirectory

      # get today’s date
      $today = Get-Date

      #Get today – 60 days (2 month old)
      $cutoffdate = $today.AddDays(-60)

      #Get the computer accounts filtered by lastlogondate. Select
      #only required properites of the computer account and
      #export it to a file
      Get-ADUser -Properties * -Filter {LastLogonDate -gt $cutoffdate} | `
      Select Name,samaccountname,LastLogonDate,distinguishedname | `
      Export-Csv ./ActiveUsers.csv

       
      • Henrik

        December 19, 2012 at 11:56 am

        Thank you very much man!! This really helped me =) You’re awesome! Merry Christmas

         
      • James Robert

        April 24, 2013 at 10:26 am

        i there any script for inactive users for not login since 180 days

         
  15. Rob

    April 17, 2013 at 2:11 pm

    I tried using the query in the GUI. The list is populated, but it doesn’t have all of the objects in all of the containers. I do have the sub folders checked.

     
  16. sreekarachanta

    July 24, 2013 at 6:21 am

    Hello anand,

    thanks for the saved query solution that you have given. I have checked the query in my test environment and it worked fine but when i checked in my production environment it wasnt giving the complete list. I mean i know some accounts which were active but i couldnt find them in the list. I havent tried the second solution as the query list missed few accounts which i added manually. thank you once again for sharing your knowledge. all the best and take care.

     
  17. Mackay

    October 3, 2013 at 6:55 am

    Try ASN Active Directory Manager tool.http://www.adsysnet.com/downloads.aspx

     
  18. Jack

    March 18, 2014 at 7:37 am

     

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

 
Follow

Get every new post delivered to your Inbox.

Join 101 other followers

%d bloggers like this: