Sarbanes-Oxley auditors come around every year asking for a lot of information. Here they always ask for a list of all active (and disabled) user accounts in every domain in our company.
You can get this list for a given Active Directory domain in two ways: the GUI way and my favorite, the script way.
Before we get to the results, I have to explain what the "userAccountControl" attribute means. Every user and computer account in Active Directory has a "userAccountControl" attribute whose numerical value is a bit mask: each flag below is one bit, and an account's value is the sum of the flags that are set. For example, 514 is NORMAL_ACCOUNT (512) plus ACCOUNTDISABLE (2), a disabled normal account, and 66048 is NORMAL_ACCOUNT (512) plus DONT_EXPIRE_PASSWORD (65536). The following table lists the flags and what they mean; it is taken from the Microsoft article How to use the UserAccountControl flags to manipulate user account properties.
Property flag                   | Value in hexadecimal | Value in decimal
SCRIPT                          | 0x0001               | 1
ACCOUNTDISABLE                  | 0x0002               | 2
HOMEDIR_REQUIRED                | 0x0008               | 8
LOCKOUT                         | 0x0010               | 16
PASSWD_NOTREQD                  | 0x0020               | 32
PASSWD_CANT_CHANGE              | 0x0040               | 64
ENCRYPTED_TEXT_PWD_ALLOWED      | 0x0080               | 128
TEMP_DUPLICATE_ACCOUNT          | 0x0100               | 256
NORMAL_ACCOUNT                  | 0x0200               | 512
INTERDOMAIN_TRUST_ACCOUNT       | 0x0800               | 2048
WORKSTATION_TRUST_ACCOUNT       | 0x1000               | 4096
SERVER_TRUST_ACCOUNT            | 0x2000               | 8192
DONT_EXPIRE_PASSWORD            | 0x10000              | 65536
MNS_LOGON_ACCOUNT               | 0x20000              | 131072
SMARTCARD_REQUIRED              | 0x40000              | 262144
TRUSTED_FOR_DELEGATION          | 0x80000              | 524288
NOT_DELEGATED                   | 0x100000             | 1048576
USE_DES_KEY_ONLY                | 0x200000             | 2097152
DONT_REQ_PREAUTH                | 0x400000             | 4194304
PASSWORD_EXPIRED                | 0x800000             | 8388608
TRUSTED_TO_AUTH_FOR_DELEGATION  | 0x1000000            | 16777216
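Because the attribute is a bit mask, the practical question is never "does userAccountControl equal 512?" but "is bit 2 set?". The following PowerShell is an added example (not code from the original post) that decodes a value into the flag names from the table above and builds LDAP filters that test individual bits with the LDAP_MATCHING_RULE_BIT_AND extensible match (OID 1.2.840.113556.1.4.803). The function names and the sample account values are my own, and the sample accounts are made up; nothing in it needs a domain.

```powershell
# Added example (not code from the original post): read userAccountControl as the
# bit mask it is. Flag names and values are the ones in the table above; the
# function names and the sample accounts are mine and the accounts are made up.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
}

# Names of every flag set in a value, e.g. 66048 -> NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][long]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

# Build an LDAP filter that tests single bits with the LDAP_MATCHING_RULE_BIT_AND
# extensible match (OID 1.2.840.113556.1.4.803) instead of comparing the whole integer.
# $Set = flags that must be on, $Clear = flags that must be off.
function New-UacLdapFilter {
    param([string[]]$Set = @(), [string[]]$Clear = @())
    $clauses = @()
    foreach ($name in $Set)   { $clauses += "(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name]))" }
    foreach ($name in $Clear) { $clauses += "(!(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$name])))" }
    "(&(objectCategory=person)(objectClass=user)$(-join $clauses))"
}

# Constructed sample values, not real accounts. Only 'bob' is disabled, yet an exact
# match on 512 finds only 'alice': every extra flag changes the integer, while bit 2
# (ACCOUNTDISABLE) alone says whether the account is disabled.
$samples = @(
    @{ Name = 'alice'; UAC = 512 }      # NORMAL_ACCOUNT
    @{ Name = 'bob';   UAC = 514 }      # NORMAL_ACCOUNT + ACCOUNTDISABLE
    @{ Name = 'carol'; UAC = 66048 }    # NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
    @{ Name = 'dave';  UAC = 590336 }   # 66048 + TRUSTED_FOR_DELEGATION (unconstrained delegation)
    @{ Name = 'erin';  UAC = 4194816 }  # NORMAL_ACCOUNT + DONT_REQ_PREAUTH (AS-REP roastable)
)
foreach ($s in $samples) {
    $enabled = ($s.UAC -band $UacFlags.ACCOUNTDISABLE) -eq 0
    '{0,-6} {1,8}  equals512={2,-5}  enabled={3,-5}  {4}' -f $s.Name, $s.UAC,
        ($s.UAC -eq 512), $enabled, ((ConvertFrom-UserAccountControl $s.UAC) -join ', ')
}

# Filters for the two lists the auditors ask for, plus the "password never expires" one.
New-UacLdapFilter -Clear ACCOUNTDISABLE
New-UacLdapFilter -Set ACCOUNTDISABLE
New-UacLdapFilter -Set DONT_EXPIRE_PASSWORD -Clear ACCOUNTDISABLE
```

The filter strings the last three lines print can be pasted straight into the "Enter LDAP Query" box of a saved query or passed to Get-ADUser -LDAPFilter. The decode function is also a quick way to see which of the security-relevant bits (TRUSTED_FOR_DELEGATION, DONT_REQ_PREAUTH, PASSWD_NOTREQD, USE_DES_KEY_ONLY) are set on an account the auditors flag.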
With these flags you can list accounts in many categories. Be aware that LOCKOUT, PASSWORD_EXPIRED and PASSWD_CANT_CHANGE are not stored in userAccountControl (the first two are reported through the constructed attribute msDS-User-Account-Control-Computed, and the last is an ACE on the object), so a query on those bits in userAccountControl returns nothing. Now let me show you how to list the active users the GUI way.
List the active users using the "Active Directory Users and Computers" console
1. Open the Active Directory Users and Computers console, obviously.
2. In the tree on the left-hand side, right-click "Saved Queries" and select "New Query".
3. Type a name and a short description for the query. Click the Define Query button.
4. Select Custom Search in the Find drop-down box. Click the Advanced tab. Paste the following query into the "Enter LDAP Query" box:
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
Note that this does not compare userAccountControl with 512 ("normal account"). The attribute is a bit mask, so an enabled account that has any extra flag set (for example DONT_EXPIRE_PASSWORD, which makes the value 66048) would not match an exact search for 512 and would be missing from the list. The :1.2.840.113556.1.4.803: matching rule tests the ACCOUNTDISABLE bit (2) on its own, regardless of the other bits. To list disabled accounts instead, remove the "!" so the filter reads (userAccountControl:1.2.840.113556.1.4.803:=2). Refer to the table above for the other bits.
5. Click OK to close the dialog boxes.
6. You will see the results on the right-hand side when you select this query. To export them to a file, right-click the query name (e.g., Active Accounts) and select "Export to a file".
Note: You can select more columns (in the View menu) like First Name, Last Name, City, etc., before you export to the file.
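The saved query only covers one domain, and the auditors want every domain. The following PowerShell is an added example (not code from the original post) that runs the same bitwise LDAP filter against each domain in the forest with the ActiveDirectory module and writes one CSV. It assumes RSAT (the ActiveDirectory module) and read access to every domain; the output file name is a placeholder.

```powershell
# Added example, not part of the original post: the saved query above, run with the
# ActiveDirectory module against every domain in the forest and written to one CSV.
# Assumes RSAT (ActiveDirectory module) and read access to each domain; the output
# path is a placeholder.
Import-Module ActiveDirectory

# Same filter as the saved query. The extensible match :1.2.840.113556.1.4.803:
# (LDAP_MATCHING_RULE_BIT_AND) tests bit 2 (ACCOUNTDISABLE) by itself, so an enabled
# account matches whatever other bits (DONT_EXPIRE_PASSWORD, TRUSTED_FOR_DELEGATION
# and so on) it has set. Remove the "!" to list disabled accounts instead.
$enabledFilter = '(&(objectCategory=person)(objectClass=user)' +
                 '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

$props = 'sAMAccountName', 'displayName', 'description', 'userAccountControl',
         'whenCreated', 'lastLogonTimestamp', 'pwdLastSet'

# One query per domain. -Server accepts a domain DNS name; the DC locator picks a DC.
# lastLogonTimestamp and pwdLastSet are FILETIME integers and are converted to dates.
$rows = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADUser -Server $domain -LDAPFilter $enabledFilter -Properties $props -ResultPageSize 1000 |
        Select-Object @{ n = 'Domain';               e = { $domain } },
                      @{ n = 'AccountName';          e = { $_.sAMAccountName } },
                      @{ n = 'DisplayName';          e = { $_.displayName } },
                      @{ n = 'Description';          e = { $_.description } },
                      @{ n = 'UserAccountControl';   e = { $_.userAccountControl } },
                      @{ n = 'PasswordNeverExpires'; e = { ($_.userAccountControl -band 0x10000) -ne 0 } },
                      @{ n = 'Created';              e = { $_.whenCreated } },
                      @{ n = 'LastLogon';            e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } },
                      @{ n = 'PasswordLastSet';      e = { if ($_.pwdLastSet) { [DateTime]::FromFileTimeUtc($_.pwdLastSet) } } }
}

$rows | Export-Csv -Path .\AllDomains-EnabledUsers.csv -NoTypeInformation -Encoding UTF8
'{0} enabled user accounts across {1} domain(s)' -f $rows.Count, (Get-ADForest).Domains.Count
```

The filter is evaluated on the domain controller, so only matching objects cross the wire, and -ResultPageSize keeps the query within the server's MaxPageSize limit. The PasswordNeverExpires column is the DONT_EXPIRE_PASSWORD bit (65536) tested the same way, which is usually the next thing the auditors ask about.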
List active users using VBScript
Modify the following script to your needs. Look for the comment where you have to type your domain name.
Note: You can modify the following script (or the GUI query above) to get many different lists. E.g., accounts whose password never expires have the DONT_EXPIRE_PASSWORD bit (65536) set, which you test the same way as the ACCOUNTDISABLE bit; PASSWORD_EXPIRED (8388608) is a computed flag and has to be read from msDS-User-Account-Control-Computed instead. If you find this information useful, please leave me a comment.
'*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
'*-* Script Name: ListActiveUserAccounts.vbs
'*-* Description: This script lists all enabled and disabled user accounts in a
'*-* specified Active Directory domain and also saves the list in a CSV file.
'*-* Written by: Anand Venkatachalapathy
'*-* Date Written: July 1st 2008
'*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
' No "On Error Resume Next": a failed bind or query should fail loudly
' instead of silently producing an empty file.
Option Explicit

Dim fso, hFile
Dim strContainer, sStatus, sDescription
Dim objConnection, objCommand, objRecordSet

Const ADS_SCOPE_SUBTREE = 2
Const ADS_UF_ACCOUNTDISABLE = 2   ' bit 0x0002 of userAccountControl

strContainer = "DC=company,DC=com" '<<<<<< REPLACE WITH YOUR DOMAIN NAME HERE

' Quote a value for CSV: wrap it in double quotes and double any embedded quotes.
Function Csv(sValue)
    If IsNull(sValue) Then sValue = ""
    Csv = """" & Replace(sValue, """", """""") & """"
End Function

' Create the CSV text file for saving the results
Set fso = CreateObject("Scripting.FileSystemObject")
Set hFile = fso.CreateTextFile("Domain Name - Active Accounts.csv", True)
hFile.WriteLine Csv("A/C Status") & "," & Csv("User Name") & "," & _
    Csv("Account Name") & "," & Csv("Description")

' Set up the ADO query. Paging is required: without it the result is capped
' at the server's MaxPageSize (1000 objects by default) and the rest are lost.
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Page Size") = 1000
' objectCategory=person AND objectClass=user selects user accounts only
' (contacts have no userAccountControl; computers are objectCategory=computer).
objCommand.CommandText = _
    "SELECT CN,sAMAccountName,userAccountControl,description " & _
    "FROM 'LDAP://" & strContainer & "' " & _
    "WHERE objectCategory='person' AND objectClass='user'"

' Execute the query
Set objRecordSet = objCommand.Execute

' Write the results. Enabled/disabled is bit 2 (ACCOUNTDISABLE) of
' userAccountControl; comparing the whole value with 514 would miss disabled
' accounts that also have other bits set (e.g. DONT_EXPIRE_PASSWORD = 66050).
Do Until objRecordSet.EOF
    If (objRecordSet.Fields("userAccountControl").Value And ADS_UF_ACCOUNTDISABLE) <> 0 Then
        sStatus = "Disabled"
    Else
        sStatus = "Enabled"
    End If

    ' description is multi-valued, so ADO returns an array (or Null when empty)
    sDescription = ""
    If IsArray(objRecordSet.Fields("description").Value) Then
        sDescription = objRecordSet.Fields("description").Value(0)
    End If

    WScript.Echo sStatus, objRecordSet.Fields("CN").Value, _
        objRecordSet.Fields("sAMAccountName").Value, sDescription
    hFile.WriteLine Csv(sStatus) & "," & Csv(objRecordSet.Fields("CN").Value) & "," & _
        Csv(objRecordSet.Fields("sAMAccountName").Value) & "," & Csv(sDescription)
    objRecordSet.MoveNext
Loop

hFile.Close
objRecordSet.Close
objConnection.Close
'*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
How can I add more columns like first name and last name?
If you are using Active Directory Users and Computers, you can add more columns (check the View menu). If you use the script, it already has first name and last name in the results (it lists CN – canonical name).
Great script, thanks. I knew about disabled accounts, but not the enabled or normal accounts.
Hi, I want to get a list of NEP active accounts in a domain. What is the command I need to put in the Enter LDAP Query box?
What do you mean by NEP active accounts?
Non-expiring password accounts.
OK, now I understand. Accounts with their password set not to expire. You've got to be clear when asking questions.
Use this query:
(&(&(objectCategory=user)(userAccountControl=66048)))
This really works, man. Thank you so much.
You're welcome. Glad it helped you.
The GUI worked well, but on a closer look there are a bunch of active users missing from the query result. I used UserAccountControl=512. Is there any workaround for this?
Great information – thank you for sharing. Is there any way to add the user account's security groups to the query? I'm auditing queries for all active user accounts and security groups.
Hi,
I want to know something about updating userAccountControl to set the value
DONT_EXPIRE_PASSWORD (65536).
Can you tell me how I can run this script on any OU?
E.g., I created user accounts (70k) from my code and I forgot to add DONT_EXPIRE_PASSWORD, so because of this field the password expires every month.
What I want is to execute some query on an OU so that all the previously created accounts get the value userAccountControl=65536, and not only the previous ones: if any new user is created in this OU, that value should automatically be applied to his/her account.
I need something related to AD, not VBScript.
I'd really appreciate it if you could help me.
I just can't get it to work. No output to file, no screen output... nothing.
Hi Anand,
Your script is very good, but I want the output in an Excel sheet for active users in the following format:
First name: givenName
Last name: sn
NT ID: sAMAccountName
Region and Site: ?? (possibly distinguishedName, or maybe department, or the address fields: l, st, c)
Email ID: mail
PS ID: (PS ID means an identification number; every employee will have an ID number.)
Full Address: streetAddress, l, st, c
And one important thing: we have contractors as well, but I should get only permanent employee details (for your information, we have different OUs for employees and contractors).
And also I want it only for active, enabled users. Mainly I should get the output in Excel format, and I should be able to run the script from a remote machine.
Your help with this is very much appreciated, as I am doing it manually daily.
Hi,
I tried to get the disabled list, but it did not show me the complete result. I followed the complete process described above. I am using Windows 2003 Server SP2.
Thanks so much, but how can I see the users that are already logged on to a domain or logged out?!
thank you!
I tried this GUI and the script. There are multiple users who won't show up in either the active or the disabled list. I am unable to find any common reason. Please help.
Hi, and thank you for the good information! I actually want a list of active users... I mean not just active right now, at this moment, but more like active within the last week or maybe month. Do you understand what I mean? We have around 1400 users within the domain, but not all of them are really working here anymore. I want to know who really needs a domain user account and who doesn't. Hope you understand my question =) Regards
This can easily be done in PowerShell. Copy and paste the following code into Notepad and save it as ActiveUsers.ps1. Run this file from PowerShell like a batch file.
Import-Module ActiveDirectory
# Get today's date
$today = Get-Date
# Today minus 60 days (two months old)
$cutoffdate = $today.AddDays(-60)
# Get the user accounts filtered by LastLogonDate. LastLogonDate is derived
# from the replicated lastLogonTimestamp attribute, which is only refreshed
# when it is more than about 9-14 days old, so the cutoff is accurate to
# roughly two weeks. Select only the required properties of the user
# account and export them to a file.
Get-ADUser -Properties LastLogonDate -Filter { LastLogonDate -gt $cutoffdate } | `
    Select-Object Name, SamAccountName, LastLogonDate, DistinguishedName | `
    Export-Csv ./ActiveUsers.csv -NoTypeInformation
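The same "active within the last N days" report can be expressed as an LDAP filter on lastLogonTimestamp, which is what a later question in this thread asks for. The following PowerShell is an added example (not from the post or the reply above); it assumes the ActiveDirectory module (RSAT), and the function name and its -Days parameter are my own.

```powershell
# Added example, not from the post or the reply above: the same "active within the
# last N days" idea as an LDAP filter on lastLogonTimestamp. Assumes the
# ActiveDirectory module (RSAT); the function name and -Days parameter are mine.
Import-Module ActiveDirectory

function Get-StaleUserLdapFilter {
    param([int]$Days = 180)
    # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01 UTC), so the
    # cutoff date must be turned into that integer before LDAP can compare it.
    $cutoff = (Get-Date).AddDays(-$Days).ToFileTimeUtc()
    # Enabled users (bit 2 of userAccountControl clear) whose last replicated logon
    # is before the cutoff, or who have no lastLogonTimestamp at all (never logged on).
    '(&(objectCategory=person)(objectClass=user)' +
    '(!(userAccountControl:1.2.840.113556.1.4.803:=2))' +
    "(|(lastLogonTimestamp<=$cutoff)(!(lastLogonTimestamp=*))))"
}

Get-ADUser -LDAPFilter (Get-StaleUserLdapFilter -Days 180) `
           -Properties lastLogonTimestamp, whenCreated, description |
    Select-Object SamAccountName, whenCreated, description,
        @{ n = 'LastLogon'; e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } } |
    Sort-Object LastLogon |
    Export-Csv .\StaleUsers.csv -NoTypeInformation
```

Two caveats before anyone disables accounts from this list: lastLogonTimestamp is only rewritten when it is older than msDS-LogonTimeSyncInterval (14 days by default, minus a random 0 to 5 days), so it can lag the real last logon by about two weeks; and "never logged on" also covers accounts created last week, which is why whenCreated is in the output.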
Thank you very much man!! This really helped me =) You’re awesome! Merry Christmas
Is there any script for inactive users who have not logged in for 180 days?
I need to do it using LDAP as a query.
Can you help, please?
I tried using the query in the GUI. The list is populated, but it doesn’t have all of the objects in all of the containers. I do have the sub folders checked.
Hello Anand,
Thanks for the saved query solution you have given. I checked the query in my test environment and it worked fine, but when I checked in my production environment it wasn't giving the complete list. I mean, I know some accounts which were active but I couldn't find them in the list. I haven't tried the second solution, as the query list missed a few accounts which I added manually. Thank you once again for sharing your knowledge. All the best and take care.
Try ASN Active Directory Manager tool.http://www.adsysnet.com/downloads.aspx
Nice article, we can also look at http://www.morgantechspace.com/2014/03/Export-Active-Directory-users-into-CSV-file-in-VBScript.html
It's amazing for me to have a web site which is valuable for my knowledge.
Thanks admin.
I want a list of all active user and whose password are not set as never expire.
Is there a way to include both “Active Users” (512) and Passwords set to not expire (66048) in one query?
May I just say what a relief it is to find someone who actually
knows what they are discussing on the internet. You actually realize how to
bring a problem to light and make it important. More people have to check this out and understand this side of
your story. I was surprised you aren't more popular given that you surely possess the gift.
I am surprised that no one has pointed out that the methods described here are not correctly using userAccountControl for the intended purpose. If you *just* search for "512" as a value, then you are not really going to be sure of getting *all* enabled regular user accounts. The flag requires a bitwise operation, unless you are ONLY wanting to search for the cumulative value for all of the desired flag settings. For example, a user account could have the bit set to allow delegation, and that will give you a different number, but it's still an enabled account: 66048 [NORMAL_USER(512); NO_EXPIRE(65536)].
Someone else asked if there is a way to search for both: yes, you should be doing the search for each bit, unless you really care about other bits. I could add a lot more here, but there is so much on bitwise operations on the Internet. You could just search for ADFIND (at joeware.net) and find good examples.
The actual LDAP search for simply looking for enabled user accounts (not filtering out anything else) would be:
(& (objectclass=user) (objectcategory=person) (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) )
And if you wanted to find any enabled user account that also has the password set to never expire, you could either add an additional check to the above LDAP query with the string “(UserAccountControl:1.2.840.113556.1.4.803:=65536)” (which makes more sense to look at) or you could add the two bits together, which gives you “65538” (which is 2 + 65536).
You, meaning everyone, should really look at this attribute as the bit flag that it is, and that it has multiple values that it can represent.
You are right Rob. Thanks for pointing it out.
I should have added this link as a good reference to explain the bit flag usage:
http://blog.joeware.net/2008/09/05/1453/
Awesome thanks for the clarification and providing the link
Great blog you have! I don't typically follow many blogs, but now I've made a note of the address – the text was that interesting.
Keep the flag flying in future too!
What is the code number for an already expired user account?
Super useful query for AD users and computers console. I got it all right just in seconds! Thanks 🙂 I hope it helps me score at my new work 😛
Hi. I want a list of users with their creation dates. How can I get it? And all LDAP queries with Get* are not working in my AD tool, while queries with && are working; why is that?
It's much easier to do in PowerShell these days. Open PowerShell and run these commands, and it will create a CSV file with all active users and their creation dates.
Import-Module ActiveDirectory
Get-ADUser -Filter { enabled -eq $true } -Properties WhenCreated | Select-Object Name,SamAccountName,WhenCreated | Export-Csv .\ActiveUsers.csv -NoTypeInformation
Appreciate your time Anand!!! Thanks for the EZ to read and understand details.
I have some disabled users in AD. I want to have the list of only the enabled ones. Please help.