These Sarbanes-Oxley auditors come around every year asking for a lot of information. Here, they always ask for a list of all active (and disabled) user accounts in all the domains in our company.
You can get this list for a given Active Directory domain in two ways: the GUI way, and my favorite, the script way.
Before we go into how to get the results, I have to explain what the "userAccountControl" property means. Every object in Active Directory has a "userAccountControl" property with a numerical value. The following table lists the "userAccountControl" flag values and what each one means. The table comes from the Microsoft article How to use the UserAccountControl flags to manipulate user account properties.
| Property flag | Value in hexadecimal | Value in decimal |
|---|---|---|
| SCRIPT | 0x0001 | 1 |
| ACCOUNTDISABLE | 0x0002 | 2 |
| HOMEDIR_REQUIRED | 0x0008 | 8 |
| LOCKOUT | 0x0010 | 16 |
| PASSWD_NOTREQD | 0x0020 | 32 |
| PASSWD_CANT_CHANGE | 0x0040 | 64 |
| ENCRYPTED_TEXT_PWD_ALLOWED | 0x0080 | 128 |
| TEMP_DUPLICATE_ACCOUNT | 0x0100 | 256 |
| NORMAL_ACCOUNT | 0x0200 | 512 |
| INTERDOMAIN_TRUST_ACCOUNT | 0x0800 | 2048 |
| WORKSTATION_TRUST_ACCOUNT | 0x1000 | 4096 |
| SERVER_TRUST_ACCOUNT | 0x2000 | 8192 |
| DONT_EXPIRE_PASSWORD | 0x10000 | 65536 |
| MNS_LOGON_ACCOUNT | 0x20000 | 131072 |
| SMARTCARD_REQUIRED | 0x40000 | 262144 |
| TRUSTED_FOR_DELEGATION | 0x80000 | 524288 |
| NOT_DELEGATED | 0x100000 | 1048576 |
| USE_DES_KEY_ONLY | 0x200000 | 2097152 |
| DONT_REQ_PREAUTH | 0x400000 | 4194304 |
| PASSWORD_EXPIRED | 0x800000 | 8388608 |
| TRUSTED_TO_AUTH_FOR_DELEGATION | 0x1000000 | 16777216 |
Looking at the table, you can see that accounts can be listed by many different categories. Now let me show you how to list the active users the GUI way.
List the Active users using "Active Directory Users and Computers" console
1. Open the Active Directory Users and Computers console, obviously.
2. In the tree on the left-hand side, right-click "Saved Queries" and select "New Query".
3. Type a name and a nice description for the query, then click the Define Query button.
4. Select Custom Search in the Find drop-down box, click the Advanced tab, and paste the following query into the "Enter LDAP Query" box.
(&(&(objectCategory=user)(userAccountControl=512)))
Note that the userAccountControl value I put here is 512, which is NORMAL_ACCOUNT, an active account. 514 is 512 + 2 (NORMAL_ACCOUNT plus ACCOUNTDISABLE), which means a disabled account. Refer to the table above.
5. Click OK to close the dialog boxes.
6. You will see the results on the right-hand side when you select this query. To export them to a file, right-click the query name (e.g., Active Accounts) and select "Export to a file".
Note: You can add more columns (in the View menu), such as First Name, Last Name, and City, before you export to a file.
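Added example (Python, not from the original post): it decodes userAccountControl as the bit field it is, using the flag values from the table above, and shows why an exact match on 512 is a narrower test than checking the ACCOUNTDISABLE bit. The sample rows are constructed, and the bitwise-AND matching rule OID used in bit_filter is the standard LDAP extensible match, not something from this post.

```python
UAC_FLAGS = {  # flag values from the table above, in the same order
    "SCRIPT": 0x1, "ACCOUNTDISABLE": 0x2, "HOMEDIR_REQUIRED": 0x8,
    "LOCKOUT": 0x10, "PASSWD_NOTREQD": 0x20, "PASSWD_CANT_CHANGE": 0x40,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x80, "TEMP_DUPLICATE_ACCOUNT": 0x100,
    "NORMAL_ACCOUNT": 0x200, "INTERDOMAIN_TRUST_ACCOUNT": 0x800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000, "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000, "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000, "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000, "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000, "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

BIT_AND = "1.2.840.113556.1.4.803"  # LDAP_MATCHING_RULE_BIT_AND (standard AD extensible match)

def decode_uac(value):
    """Names of every flag set in a userAccountControl value, in table order."""
    return [name for name, bit in UAC_FLAGS.items() if value & bit]

def is_disabled(value):
    """An account is disabled when the ACCOUNTDISABLE bit is set, whatever else is set."""
    return bool(value & UAC_FLAGS["ACCOUNTDISABLE"])

def bit_filter(flag, is_set=True):
    """LDAP filter that tests one userAccountControl bit regardless of the other bits."""
    clause = f"(userAccountControl:{BIT_AND}:={UAC_FLAGS[flag]})"
    return f"(&(objectCategory=user){clause})" if is_set else f"(&(objectCategory=user)(!{clause}))"

# Constructed sample rows (sAMAccountName, userAccountControl) standing in for query results.
SAMPLE_ROWS = [("alice", 512), ("bob", 514), ("svc_backup", 66048), ("carol", 66050)]

def audit(rows):
    """Split rows into active and disabled by the ACCOUNTDISABLE bit, and list the active
    accounts that an exact 'userAccountControl=512' match (as in the GUI query) would miss."""
    active, disabled, missed = [], [], []
    for name, uac in rows:
        (disabled if is_disabled(uac) else active).append(name)
        if not is_disabled(uac) and uac != 512:
            missed.append((name, decode_uac(uac)))
    return {"active": active, "disabled": disabled, "missed_by_exact_512": missed}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_ROWS).items():
        print(key, value)
    print(bit_filter("ACCOUNTDISABLE", is_set=False))  # filter for every enabled user
```

The last line prints the filter that lists enabled accounts by their ACCOUNTDISABLE bit, which is what a Sarbanes-Oxley reviewer usually means by "active"; it can be pasted into the saved query in place of the exact-value match.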
List active users using VBScript
Modify the following script to your needs. Look for the comment in the script where you have to type your domain name.
Note: You can modify the following script (or the GUI query above) to get many different lists. For example, the value for accounts with an expired password is 8388608. If you find this information useful, please leave me a comment.
'*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
'*-* Script Name: ListActiveUserAccounts.vbs
'*-* Description: This script lists all active and disabled accounts in a
'*-*              specified Active Directory domain and saves the list in a CSV file.
'*-* Written by: Anand Venkatachalapathy
'*-* Date Written: July 1st 2008
'*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*
Option Explicit
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
Const ADS_UF_ACCOUNTDISABLE = 2   ' ACCOUNTDISABLE flag from the table above

Dim fso, hFile
Dim strContainer, sStatus, sDescription
Dim objConnection, objCommand, objRecordSet
Dim arrDes, uac

' Create a tab-delimited text file for saving the results
Set fso = CreateObject("Scripting.FileSystemObject")
Set hFile = fso.CreateTextFile("Domain Name - Active Accounts.csv", True)
hFile.WriteLine "A/C Status" & Chr(9) & "User Name" & Chr(9) & "Account Name" & _
    Chr(9) & "Description"

' Set the query settings
strContainer = "DC=company,DC=com"   '<<<<<< REPLACE YOUR DOMAIN NAME HERE
Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Page Size") = 3000   ' paged results, so large domains are not truncated
objCommand.CommandText = _
    "SELECT CN,sAMAccountName,userAccountControl,description " _
    & "FROM 'LDAP://" & strContainer & "' " _
    & "WHERE objectCategory='user' "

' Execute the query
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
    WScript.Echo "Query failed: " & Err.Description
    WScript.Quit 1
End If

' List the results into the file
Do Until objRecordSet.EOF
    ' description is multi-valued, so ADSI returns an array (or Null when it is not set)
    arrDes = objRecordSet.Fields("description").Value
    If IsArray(arrDes) Then
        sDescription = arrDes(0)
    ElseIf IsNull(arrDes) Then
        sDescription = ""
    Else
        sDescription = arrDes
    End If

    ' userAccountControl is a bit field: test the ACCOUNTDISABLE bit rather than
    ' comparing the whole value, so 514 (512+2) and 66050 (65536+512+2) both count as disabled
    uac = objRecordSet.Fields("userAccountControl").Value
    If (uac And ADS_UF_ACCOUNTDISABLE) = ADS_UF_ACCOUNTDISABLE Then
        sStatus = "Disabled"
    Else
        sStatus = "Active"
    End If

    WScript.Echo sStatus, objRecordSet.Fields("CN").Value, _
        objRecordSet.Fields("sAMAccountName").Value, sDescription
    hFile.WriteLine sStatus & Chr(9) & objRecordSet.Fields("CN").Value & _
        Chr(9) & objRecordSet.Fields("sAMAccountName").Value & Chr(9) & sDescription
    objRecordSet.MoveNext
Loop

objRecordSet.Close
objConnection.Close
hFile.Close
'*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*-*