List all Active users in a domain


These Sarbane-Oxley auditors always come around asking for many information every year. At here they always asked list of all active (and disabled) user accounts in all domains in our company.

You can get this list for a given Active Directory domain in two ways, one GUI way and my favorite Script way.

Before we go into how to get the results, I have to explain what “userAccountControl” property means. Every object in Active Directory has “userAccountControl” property which has a numerical value. The following are the list of “userAccountControl” values and what that means. This table of information is list at How to use the UserAccountControl flags to manipulate user account properties

Property flag

Value in hexadecimal

Value in decimal

SCRIPT

0x0001

1

ACCOUNTDISABLE

0x0002

2

HOMEDIR_REQUIRED

0x0008

8

LOCKOUT

0x0010

16

PASSWD_NOTREQD

0x0020

32

PASSWD_CANT_CHANGE
Note You cannot assign this permission by directly modifying the UserAccountControl attribute. For information about how to set the permission programmatically, see the “Property flag descriptions” section.

0x0040

64

ENCRYPTED_TEXT_PWD_ALLOWED

0x0080

128

TEMP_DUPLICATE_ACCOUNT

0x0100

256

NORMAL_ACCOUNT

0x0200

512

INTERDOMAIN_TRUST_ACCOUNT

0x0800

2048

WORKSTATION_TRUST_ACCOUNT

0x1000

4096

SERVER_TRUST_ACCOUNT

0x2000

8192

DONT_EXPIRE_PASSWORD

0x10000

65536

MNS_LOGON_ACCOUNT

0x20000

131072

SMARTCARD_REQUIRED

0x40000

262144

TRUSTED_FOR_DELEGATION

0x80000

524288

NOT_DELEGATED

0x100000

1048576

USE_DES_KEY_ONLY

0x200000

2097152

DONT_REQ_PREAUTH

0x400000

4194304

PASSWORD_EXPIRED

0x800000

8388608

TRUSTED_TO_AUTH_FOR_DELEGATION

0x1000000

16777216

 

If you look at the table, you can list the account with many categories.  Now let me show you how list the active users in GUI Way.

List the Active users using “Active Directory Users and Computers” console

1. Open Active Directory Users and Computers console, obviously

2. In left hand side of the Tree, Right click on “Saved Queries” and select “New Query”

Capture1

3. Type the Name of the Query and nice description as above. Click on Define Query button.

4. Select Custom Search in Find drop-down box. Click on Advanced tab. Paste the following Query in “Enter LDAP Query” box.

(&(&(objectCategory=user)(userAccountControl=512)))

Note the UserAccountControl value I put here is 512 which is “Active Account”. 514 means disabled account. Refer the above table.

Capture2

5. Click OKs to close the dialog boxes.

6. You will see the results in right hand side when you select this query. To export to a file, right click on the query name (e.g., Active Accounts) and select “Export to a file”.

Note: You can select more columns (in View menu) like First Name, Last Name, City, etc., before you export to file.

 

List Active users using VBScript

Modify the following script to your needs. Look for the comment where you have to type your domain name in this script.

Note: You can modify the following script (or above GUI query) to get many different lists of information. E.g., Accounts with expired password value is 8388608. If you find this information useful, please leave me a comment.

‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
‘*-*  Script Name: ListActiveUserAccounts.vbs
‘*-*  Description: This script lists all active and disabled accounts in a
‘*-*  in a specified active directory domain. I also save the list in a CSV file.
‘*-*  Written by: Anand Venkatachalapathy
‘*-*  Date Written: July 1st 2008
‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

On Error Resume Next

Dim fso
Dim hFile
Dim strContainer, sStatus
Dim objConnection, objCommand, objRecordSet

‘Create a CSV text file for saving the results
Set fso = CreateObject(“Scripting.FileSystemObject”)
Set hFile = fso.CreateTextFile(“Domain Name – Active Accounts.csv”, True)
hFile.WriteLine “A/C Status” & chr(9) & ” User Name” & chr(9) & “Account Name” & _
chr(9) & “Description”

‘ Set the query settings
Const ADS_SCOPE_SUBTREE = 2
strContainer = “DC=company,DC=com”    ‘<<<<<<REPLACE YOUR DOMAIN NAME HERE

Set objConnection = CreateObject(“ADODB.Connection”)
Set objCommand = CreateObject(“ADODB.Command”)
objConnection.Provider = (“ADsDSOObject”)
objConnection.Open “Active Directory Provider”
objCommand.ActiveConnection = objConnection
objCommand.Properties(“Searchscope”) = ADS_SCOPE_SUBTREE
objCommand.Properties(“Page Size”) = 3000
objCommand.CommandText = _
“SELECT CN,sAMAccountName,userAccountControl,description ” _
& “FROM ‘LDAP://” & strContainer & “‘ ” _
& “WHERE objectCategory=’user’ ”

‘Execute the Query
Set objRecordSet = objCommand.Execute

‘List the results into a CSV file
i = 1
Do Until objRecordSet.EOF
arrDes = objRecordSet.Fields(“description”).Value
If objRecordSet.Fields(“userAccountControl”).Value = “514” Then
sStatus = “Disabled”
Else
sStatus = ”       ”
End If
WSCript.Echo sStatus,objRecordSet.Fields(“CN”).Value, _
objRecordSet.Fields(“sAMAccountname”).Value, arrDes(0)
hFile.WriteLine sStatus & chr(9) & objRecordSet.Fields(“CN”).Value & _
Chr(9) & objRecordSet.Fields(“sAMAccountname”).Value & chr(9) & arrDes(0)
objRecordSet.MoveNext
Loop

hFile.Close
‘*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*

35 thoughts on “List all Active users in a domain

    1. If you are using Active Directory Users and Computers, you can add more columns (check View menu). If use the script, it already has first name and last name in the results (using listing CN – canonical name).

  1. Velu says:

    HI , I want to get list of NEP active accounts in a domain.. what is the command i need to put in Enter LDAP Query box.

      1. Daniel says:

        The GUI worked well, but on a close look there are a bunch of active users missing from the query result. I used UserAccountControl=512. Any workaround for this.?

  2. Cathy O says:

    Great information – thank you for sharing. Any way to add the user account security group into the query. Auditing queries for all active user accounts and security groups.

  3. Noman says:

    hi
    i want to know something about update the userAccountControl to set value
    DONT_EXPIRE_PASSWORD (65536).
    can you tell me how i can run this script on any OU.

    ex:i create user account (70k) from my code and i forgot to add the DONT_EXPIRE_PASSWORD so because of this field every month password expired.
    what i want execute some query on OU so that all the previously created accounts value set to be userAccountControl=65536 not for previous but if any new user will create in this OU that value automatically applied to his/her account.

    i need something related to AD not with VB script.
    really appreciate if you help me

  4. bhaskar says:

    Hi Anand,

    Your script is very good but i want the output in a excel sheet for Active users in the following format:-

    First name: givenName
    Last name: sn
    NT ID: sAMAccountName
    Region and Site: ?? (possibly distinguishedName, or maybe department, or the address fields: l, st, c)
    Email ID: mail
    PS ID: (PS id means its like identifaction number means for every employee will be having a id number).
    Full Address: streetAddress, l, st, c

    And one important thing is We are having contractors also but i should get only permanent emplyee details and for your information we are having different ous for employess and contractors)
    And also i want it for only active enabled users.Mainly i should get the output in excel format.And i should run the script from a remote machine.
    Your help in this is very apprecited as iam dialy doing it manually.

  5. Satinder Loriya says:

    Hi,

    I tried to get disbled list, but it did not show me complete result. I followed the complete process described above. I am using windows 2003 Server SP2

  6. Zee Love says:

    I tried this GUI and script. There are multiple users they wont show in Active or Disabled link. I am unable to find any common reason. Please help.

  7. Henrik says:

    Hi and thank you for good information! I actually want a list of active users.. I mean not just active like, right now at the moment, but more like, active with in the last week or maybe month. Do you understand what I mean? We have like 1400 users within the domain but all of them isn’t really working here anymore.. I want to know who’s really are in need of a domain user account and who’s not. Hope you understand my question =) Regards

    1. This can be easily done in Power Shell. Copy and past the following code into notepad, and save as ActiveUsers.ps1. Run this file from the powershell like a batch file.

      Import-Module ActiveDirectory

      # get today’s date
      $today = Get-Date

      #Get today – 60 days (2 month old)
      $cutoffdate = $today.AddDays(-60)

      #Get the computer accounts filtered by lastlogondate. Select
      #only required properites of the computer account and
      #export it to a file
      Get-ADUser -Properties * -Filter {LastLogonDate -gt $cutoffdate} | `
      Select Name,samaccountname,LastLogonDate,distinguishedname | `
      Export-Csv ./ActiveUsers.csv

  8. I tried using the query in the GUI. The list is populated, but it doesn’t have all of the objects in all of the containers. I do have the sub folders checked.

  9. sreekarachanta says:

    Hello anand,

    thanks for the saved query solution that you have given. I have checked the query in my test environment and it worked fine but when i checked in my production environment it wasnt giving the complete list. I mean i know some accounts which were active but i couldnt find them in the list. I havent tried the second solution as the query list missed few accounts which i added manually. thank you once again for sharing your knowledge. all the best and take care.

  10. May I just say what a relief to find someone who actually
    knows what they are discussing over the internet. You actually realize how to
    bring a problem to light and make it important. More people have to check this out and understand this side of
    your story. I was surprised you aren’t more popular given that you surely possess the gift.

  11. Rob "I" says:

    I am surprised that no one has pointed out that the methods described here are not correctly using userAccountControl for the intended purpose. If you *just* search for “512” as a value, then you are not really going to be sure of getting *all* enabled regular user accounts. The flag requires a bitwise operation, unless you are ONLY wanting to search for the cumulative value for all of the desired flag settings. For example, a user account could have the bit set to allow delegation, and that will give you a different number, but it’s still an enabled account: 66048 [NORMAL_USER(512)\;NO_EXPIRE(65536)].

    Someone else asked if there is a way to search for both: yes, you should be doing the search for each bit,unless you really care about other bits. I could add a lot more here, but there is so much on bitwise operations on the Internet. You could just search for ADFIND (at joeware.net) and find good examples.

    The actual LDAP search for simply looking for enabled user accounts (not filtering out anything else) would be:

    (& (objectclass=user) (objectcategory=person) (!(UserAccountControl:1.2.840.113556.1.4.803:=2)) )

    And if you wanted to find any enabled user account that also has the password set to never expire, you could either add an additional check to the above LDAP query with the string “(UserAccountControl:1.2.840.113556.1.4.803:=65536)” (which makes more sense to look at) or you could add the two bits together, which gives you “65538” (which is 2 + 65536).

    You, meaning everyone, should really look at this attribute as the bit flag that it is, and that it has multiple values that it can represent.

  12. Mahtava blogi sinulla! En typillisesti kauheasti blogeja seuraa, mutta nyt pistikn osoitteen muistiin – oli niinkin kiinnostavaa tekstiä.
    Pidähän lippu korkealla jatkossakin!

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s