PowerShell - Find all enabled AD users

A friend is working on a script to pull active LCS accounts from his AD. One last bit of information that was troubling him was telling enabled AD accounts apart from disabled ones.

Reading the Scripting Guys article, I found an LDAP filter that returns all disabled AD accounts. Perfect, but just the opposite of what he wanted. Reading deeper, they explain that userAccountControl is a bit field and that the filter matches accounts whose value-2 bit (ACCOUNTDISABLE) is set, so I inferred that testing for some other value, 0 or 1, must return the enabled ones. Tested 1, nope: bit 1 is a different flag (SCRIPT), and an enabled account is simply one with the 2 bit clear, not one with some other bit set. Then I found this article showing that negating the filter with a NOT (the LDAP "!" operator) returns what I was looking for.

This tiny script will query your current AD environment and return all ENABLED accounts in the environment. The filter uses the LDAP_MATCHING_RULE_BIT_AND matching rule (OID 1.2.840.113556.1.4.803) to test whether the ACCOUNTDISABLE bit (2) of userAccountControl is set, and the outer "!" negates that test:

get-qaduser -includeallproperties -ldapfilter "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

The "-includeallproperties" switch is not actually required here (see the comments below): Get-QADUser applies the LDAP filter either way, and the switch only makes the cmdlet retrieve every attribute of each object, which is considerably slower. Add -SizeLimit 0 so the result is not truncated at the cmdlet's default size limit.

Note, if you haven't already done so, you'll need to download and configure the Quest ActiveRoles Management Shell to run this query. This article helped me set up my environment and includes links to the various tools I use.
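The post only explains the single ACCOUNTDISABLE bit. The following added example (my own code, not from the original post or from Quest) goes a little further: it builds the bit-AND filter string for any named userAccountControl flag, decodes a raw userAccountControl value into flag names, and emulates offline, on constructed sample accounts, the same bit test the domain controller performs, so you can confirm that "enabled" plus "disabled" partitions the set before running it against a real directory. The flag table, the sample accounts and the function names New-UacFilter and ConvertFrom-Uac are all assumptions made for the example; nothing in it contacts AD.

```powershell
# Added example, not from the original post. Constructed data only; no directory is queried.

# Well-known userAccountControl flag bits (subset; values from the AD schema docs).
$UacFlags = [ordered]@{
    SCRIPT                 = 0x0001
    ACCOUNTDISABLE         = 0x0002
    LOCKOUT                = 0x0010
    PASSWD_NOTREQD         = 0x0020
    NORMAL_ACCOUNT         = 0x0200
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
    DONT_REQ_PREAUTH       = 0x400000
}

# LDAP_MATCHING_RULE_BIT_AND: the clause matches when (attribute -band value) is non-zero.
$BitAndRule = '1.2.840.113556.1.4.803'

# Build "(userAccountControl:1.2.840.113556.1.4.803:=<bit>)", optionally negated.
function New-UacFilter {
    param(
        [Parameter(Mandatory)][string]$Flag,
        [switch]$Not   # wrap in (!...) to select accounts that do NOT have the bit set
    )
    $bit = $UacFlags[$Flag]
    if ($null -eq $bit) { throw "Unknown userAccountControl flag '$Flag'" }
    $clause = "(userAccountControl:${BitAndRule}:=$bit)"
    if ($Not) { "(!$clause)" } else { $clause }
}

# Return the names of every known flag bit set in a raw userAccountControl value.
function ConvertFrom-Uac {
    param([Parameter(Mandatory)][int]$Value)
    $UacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key }
}

# Constructed sample accounts standing in for what Get-QADUser would return.
$Sample = @(
    [pscustomobject]@{ Name = 'alice'; userAccountControl = 0x200 }                        # enabled
    [pscustomobject]@{ Name = 'bob';   userAccountControl = (0x200 -bor 0x2) }             # disabled
    [pscustomobject]@{ Name = 'svc1';  userAccountControl = (0x200 -bor 0x10000) }         # enabled, pw never expires
    [pscustomobject]@{ Name = 'old';   userAccountControl = (0x200 -bor 0x2 -bor 0x10000) } # disabled, pw never expires
    [pscustomobject]@{ Name = 'lab';   userAccountControl = (0x200 -bor 0x20) }            # enabled, no password required
)

# Same test the DC applies for the two filters, done locally with -band.
$disableBit = $UacFlags.ACCOUNTDISABLE
$enabled  = @($Sample | Where-Object { ($_.userAccountControl -band $disableBit) -eq 0 })
$disabled = @($Sample | Where-Object { ($_.userAccountControl -band $disableBit) -ne 0 })

"Enabled filter : " + (New-UacFilter -Flag ACCOUNTDISABLE -Not)
"Disabled filter: " + (New-UacFilter -Flag ACCOUNTDISABLE)
"Enabled        : " + (($enabled  | ForEach-Object { $_.Name }) -join ', ')
"Disabled       : " + (($disabled | ForEach-Object { $_.Name }) -join ', ')
"Partition check: " + (($enabled.Count + $disabled.Count) -eq $Sample.Count)

# Enabled accounts that also carry a bit worth reviewing (no password required,
# password never expires); the same technique, just a different flag.
$enabled | ForEach-Object {
    [pscustomobject]@{
        Name  = $_.Name
        Flags = (ConvertFrom-Uac -Value $_.userAccountControl) -join '|'
    }
} | Where-Object { $_.Flags -match 'PASSWD_NOTREQD|DONT_EXPIRE_PASSWORD' }

# Against a live directory with the Quest cmdlets the post uses, the generated
# filter is passed verbatim; -IncludedProperties keeps the query cheap:
# Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties `
#     -IncludedProperties userAccountControl -LdapFilter (New-UacFilter -Flag ACCOUNTDISABLE -Not)
```

Running it prints the two filter strings (the negated one is exactly the filter from the post), lists alice, svc1 and lab as enabled, bob and old as disabled, reports the partition check as True, and then flags svc1 and lab as enabled accounts with a PASSWD_NOTREQD or DONT_EXPIRE_PASSWORD bit. Because the matching rule is a plain bitwise AND, `(userAccountControl:1.2.840.113556.1.4.803:=N)` with a combined value N matches accounts that have any of those bits set, not all of them; to require several bits, AND separate clauses together.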

Comments

Hi, what you could do

Hi,

what you could do alternatively is the following:

Get-QADUser -SizeLimit 0 -DontUseDefaultIncludedProperties -IncludedProperties userAccountControl -LdapFilter "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"

This will speed up the process, since it will not query all attributes. You can add the LDAP attributes which you need to -IncludedProperties, so you can create a nice list.

gr Roel.

Aleksandar is right,

Aleksandar is right, -includeallproperties is not needed (in this case). Alternatively you can execute:

# Get Enabled users only
Get-QADUser -Enabled -SizeLimit 0

- or -

# Get Disabled users only
Get-QADUser -Disabled -SizeLimit 0

Thanks, not sure why I

Thanks. Not sure why I needed it for my testing, but I'll revise my script. I typically avoid using the switch as it can double to triple the execution time of my scripts.

In my mixed environment, your script will always return FALSE. They have a separate authentication domain and mailbox domain. So typically mailboxes are not enabled, except for the service accounts and administrators. Authentication accounts are disabled when they are to be deleted, and in an environment of 100,000 domain accounts at least one is disabled all the time.

The "-includeallproperties"

The "-includeallproperties" switch is not required and you should use it only when you need all attributes of the respective directory object (such as a User object). The attribute values are stored in the memory cache on the local computer.

$enabledusers = Get-QADUser -LdapFilter "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" -SizeLimit 0

$disabledusers = Get-QADUser -LdapFilter "(userAccountControl:1.2.840.113556.1.4.803:=2)" -SizeLimit 0

$allusers = Get-QADUser -SizeLimit 0

$enabledusers.count + $disabledusers.count -eq $allusers.count should give you $true. :-)
