List all Active users in a domain


These Sarbane-Oxley auditors always come around asking for many information every year. At here they always asked list of all active (and disabled) user accounts in all domains in our company.

You can get this list for a given Active Directory domain in two ways, one GUI way and my favorite Script way.

Before we go into how to get the results, I have to explain what “userAccountControl” property means. Every object in Active Directory has “userAccountControl” property which has a numerical value. The following are the list of “userAccountControl” values and what that means. This table of information is list at How to use the UserAccountControl flags to manipulate user account properties

Property flag

Value in hexadecimal

Value in decimal

SCRIPT

0x0001

1

ACCOUNTDISABLE

0x0002

2

HOMEDIR_REQUIRED

0x0008

8

LOCKOUT

0x0010

16

PASSWD_NOTREQD

0x0020

32

PASSWD_CANT_CHANGE
Note You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the “Property flag descriptions” section.

0x0040

64

ENCRYPTED_TEXT_PWD_ALLOWED

0x0080

128

TEMP_DUPLICATE_ACCOUNT

0x0100

256

NORMAL_ACCOUNT

0x0200

512

INTERDOMAIN_TRUST_ACCOUNT

0x0800

2048

WORKSTATION_TRUST_ACCOUNT

0x1000

4096

SERVER_TRUST_ACCOUNT

0x2000

8192

DONT_EXPIRE_PASSWORD

0x10000

65536

MNS_LOGON_ACCOUNT

0x20000

131072

SMARTCARD_REQUIRED

0x40000

262144

TRUSTED_FOR_DELEGATION

0x80000

524288

NOT_DELEGATED

0x100000

1048576

USE_DES_KEY_ONLY

0x200000

2097152

DONT_REQ_PREAUTH

0x400000

4194304

PASSWORD_EXPIRED

0x800000

8388608

TRUSTED_TO_AUTH_FOR_DELEGATION

0x1000000

16777216

 

If you look at the table, you can list the account with many categories.  Now let me show you how list the active users in GUI Way.

List the Active users using “Active Directory Users and Computers” console

1. Open Active Directory Users and Computers console, obviously

2. In left hand side of the Tree, Right click on “Saved Queries” and select “New Query”

Capture1

3. Type the Name of the Query and nice description as above. Click on Define Query button.

4. Select Custom Search in Find drop-down box. Click on Advanced tab. Paste the following Query in “Enter LDAP Query” box.

(&(&(objectCategory=user)(userAccountControl=512)))

Note the UserAccountControl value I put here is 512 which is “Active Account”. 514 means disabled account. Refer the above table.

Capture2

5. Click OKs to close the dialog boxes.

6. You will see the results in right hand side when you select this query. To export to a file, right click on the query name (e.g., Active Accounts) and select “Export to a file”.

Note: You can select more columns (in View menu) like First Name, Last Name, City, etc., before you export to file.

 

List Active users using VBScript

Modify the following script to your needs. Look for the comment where you have to type your domain name in this script.

Note: You can modify the following script (or above GUI query) to get many different lists of information. E.g., Accounts with expired password value is 8388608. If you find this information useful, please leave me a comment.

‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
‘*-*  Script Name: ListActiveUserAccounts.vbs
‘*-*  Description: This script lists all active and disabled accounts in a
‘*-*  in a specified active directory domain. I also save the list in a CSV file.
‘*-*  Written by: Anand Venkatachalapathy
‘*-*  Date Written: July 1st 2008
‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

On Error Resume Next

Dim fso
Dim hFile
Dim strContainer, sStatus
Dim objConnection, objCommand, objRecordSet

‘Create a CSV text file for saving the results
Set fso = CreateObject(“Scripting.FileSystemObject”)
Set hFile = fso.CreateTextFile(“Domain Name – Active Accounts.csv”, True)
hFile.WriteLine “A/C Status” & chr(9) & ” User Name” & chr(9) & “Account Name” & _
chr(9) & “Description”

‘ Set the query settings
Const ADS_SCOPE_SUBTREE = 2
strContainer = “DC=company,DC=com”    ‘<<<<<<REPLACE YOUR DOMAIN NAME HERE

Set objConnection = CreateObject(“ADODB.Connection”)
Set objCommand = CreateObject(“ADODB.Command”)
objConnection.Provider = (“ADsDSOObject”)
objConnection.Open “Active Directory Provider”
objCommand.ActiveConnection = objConnection
objCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE
objCommand.Properties(“Page Size”) = 3000
objCommand.CommandText = _
“SELECT CN,sAMAccountName,userAccountControl,description ” _
& “FROM ‘LDAP://” & strContainer & “‘ ” _
& “WHERE objectCategory=’user’ ”

‘Execute the Query
Set objRecordSet = objCommand.Execute

‘List the results into a CSV file
i = 1
Do Until objRecordSet.EOF
arrDes = objRecordSet.Fields(“description”).Value
If objRecordSet.Fields(“userAccountControl”).Value = “514” Then
sStatus = “Disabled”
Else
sStatus = ”       ”
End If
WSCript.Echo sStatus,objRecordSet.Fields(“CN”).Value, _
objRecordSet.Fields(“sAMAccountname”).Value, arrDes(0)
hFile.WriteLine sStatus & chr(9) & objRecordSet.Fields(“CN”).Value & _
Chr(9) & objRecordSet.Fields(“sAMAccountname”).Value & chr(9) & arrDes(0)
objRecordSet.MoveNext
Loop

hFile.Close
‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

29 comments on “List all Active users in a domain

  1. Abimbola says:

    How can i add more columns like first name and last name

    • If you are using Active Directory Users and Computers, you can add more columns (check View menu). If use the script, it already has first name and last name in the results (using listing CN – canonical name).

  2. Spoke says:

    Great script, thanks.  I knew about disabled accounts, but not the enabled or normal accounts.

  3. Velu says:

    HI , I want to get list of NEP active accounts in a domain.. what is the command i need to put in Enter LDAP Query box.

  4. OK..now I understand. Accounts set their password not to expire. You got to be clear when asking questions.

    Use this query:
    (&(&(objectCategory=user)(userAccountControl=66048)))

  5. Chibizo says:

    This really works man thank u so much..

  6. Cathy O says:

    Great information – thank you for sharing. Any way to add the user account security group into the query. Auditing queries for all active user accounts and security groups.

  7. Noman says:

    hi
    i want to know something about update the userAccountControl to set value
    DONT_EXPIRE_PASSWORD (65536).
    can you tell me how i can run this script on any OU.

    ex:i create user account (70k) from my code and i forgot to add the DONT_EXPIRE_PASSWORD so because of this field every month password expired.
    what i want execute some query on OU so that all the previously created accounts value set to be userAccountControl=65536 not for previous but if any new user will create in this OU that value automatically applied to his/her account.

    i need something related to AD not with VB script.
    really appreciate if you help me

  8. Mic says:

    I just can’t get it to work. No output to file, not screen output… nothing

  9. bhaskar says:

    Hi Anand,

    Your script is very good but i want the output in a excel sheet for Active users in the following format:-

    First name: givenName
    Last name: sn
    NT ID: sAMAccountName
    Region and Site: ?? (possibly distinguishedName, or maybe department, or the address fields: l, st, c)
    Email ID: mail
    PS ID: (PS id means its like identifaction number means for every employee will be having a id number).
    Full Address: streetAddress, l, st, c

    And one important thing is We are having contractors also but i should get only permanent emplyee details and for your information we are having different ous for employess and contractors)
    And also i want it for only active enabled users.Mainly i should get the output in excel format.And i should run the script from a remote machine.
    Your help in this is very apprecited as iam dialy doing it manually.

  10. Satinder Loriya says:

    Hi,

    I tried to get disbled list, but it did not show me complete result. I followed the complete process described above. I am using windows 2003 Server SP2

  11. bahar says:

    tanx so much but How can i see the users that already loging on to a domain our loging out?!

  12. dr. no says:

    thank you!

  13. Zee Love says:

    I tried this GUI and script. There are multiple users they wont show in Active or Disabled link. I am unable to find any common reason. Please help.

  14. Henrik says:

    Hi and thank you for good information! I actually want a list of active users.. I mean not just active like, right now at the moment, but more like, active with in the last week or maybe month. Do you understand what I mean? We have like 1400 users within the domain but all of them isn’t really working here anymore.. I want to know who’s really are in need of a domain user account and who’s not. Hope you understand my question =) Regards

    • This can be easily done in Power Shell. Copy and past the following code into notepad, and save as ActiveUsers.ps1. Run this file from the powershell like a batch file.

      Import-Module ActiveDirectory

      # get today’s date
      $today = Get-Date

      #Get today – 60 days (2 month old)
      $cutoffdate = $today.AddDays(-60)

      #Get the computer accounts filtered by lastlogondate. Select
      #only required properites of the computer account and
      #export it to a file
      Get-ADUser -Properties * -Filter {LastLogonDate -gt $cutoffdate} | `
      Select Name,samaccountname,LastLogonDate,distinguishedname | `
      Export-Csv ./ActiveUsers.csv

  15. Rob says:

    I tried using the query in the GUI. The list is populated, but it doesn’t have all of the objects in all of the containers. I do have the sub folders checked.

  16. sreekarachanta says:

    Hello anand,

    thanks for the saved query solution that you have given. I have checked the query in my test environment and it worked fine but when i checked in my production environment it wasnt giving the complete list. I mean i know some accounts which were active but i couldnt find them in the list. I havent tried the second solution as the query list missed few accounts which i added manually. thank you once again for sharing your knowledge. all the best and take care.

  17. Mackay says:

    Try ASN Active Directory Manager tool.http://www.adsysnet.com/downloads.aspx

  18. Lily says:

    It’s amazing ffor me to have a web site, which is valuable in favor of my knowledge.
    thanks admin

  19. Kamal says:

    I want a list of all active user and whose password are not set as never expire.

  20. Ken Weyer says:

    Is there a way to include both “Active Users” (512) and Passwords set to not expire (66048) in one query?

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s