List all Active users in an AD


In this article you can get a list of all active (and disabled) user accounts in all domains in the company, or for a given Active Directory domain, in two ways: the GUI way and my favorite, the script way.

Before we go into how to get the results, I have to explain what the “userAccountControl” property means. Every object in Active Directory has a “userAccountControl” property, which has a numerical value. The following is the list of “userAccountControl” values and what they mean. This table is listed at "How to use the UserAccountControl flags to manipulate user account properties".


If you look at the table, you can list the accounts in many categories. Now let me show you how to list the active users the GUI way.

List the Active users using “Active Directory Users and Computers” console

1. Open Active Directory Users and Computers console, obviously

2. In the left-hand side of the tree, right-click “Saved Queries” and select “New Query”.


3. Type the name of the query and a nice description as above. Click the Define Query button.

4. Select Custom Search in Find drop-down box. Click on Advanced tab. Paste the following Query in “Enter LDAP Query” box.

(&(&(objectCategory=user)(userAccountControl=512)))

Note that the userAccountControl value I put here is 512, which is “Active Account”; 514 means a disabled account. Refer to the table above.


5. Click OK to close the dialog boxes.

6. You will see the results in right hand side when you select this query. To export to a file, right click on the query name (e.g., Active Accounts) and select “Export to a file”.

Note: You can select more columns (in View menu) like First Name, Last Name, City, etc., before you export to file.

List Active users using PowerShell

Modify the following script to your needs. In this scenario we want to find inactive user accounts (not logged on to the domain for more than 60 days).

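Import-Module ActiveDirectory
# Cutoff: no logon recorded in the last 60 days
$LastLogonDate = (Get-Date).AddDays(-60)
# Enabled users whose LastLogonTimeStamp is older than the cutoff, oldest first
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} |
    Where-Object { $_.Enabled -eq $True } |
    Sort-Object LastLogonTimeStamp |
    Format-Table Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} -AutoSize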
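
The saved query in the GUI steps compares the whole userAccountControl value with 512, so an enabled account that carries any additional flag is left out of the result. The following PowerShell is an added example, not part of the original article: it decodes constructed sample values (the account names are made up) and compares the exact match on 512 with a test of the ACCOUNTDISABLE bit only.

```powershell
# Added example: account names and values are constructed sample data.
# Flag values come from Microsoft's userAccountControl flag table.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x0002
    PASSWD_NOTREQD       = 0x0020
    NORMAL_ACCOUNT       = 0x0200
    DONT_EXPIRE_PASSWORD = 0x10000
    SMARTCARD_REQUIRED   = 0x40000
    DONT_REQ_PREAUTH     = 0x400000
}

function Get-UacFlagName([int]$Value) {
    # Names of every flag in $UacFlags whose bit is set in $Value
    $UacFlags.GetEnumerator() |
        Where-Object { $Value -band $_.Value } |
        ForEach-Object { $_.Key }
}

function Test-UacEnabled([int]$Value) {
    # Enabled = ACCOUNTDISABLE bit (2) is clear, whatever other bits are set
    ($Value -band $UacFlags['ACCOUNTDISABLE']) -eq 0
}

$sample = @(
    [pscustomobject]@{ Name = 'alice';      UAC = 512 }      # enabled, no extra flags
    [pscustomobject]@{ Name = 'bob';        UAC = 514 }      # disabled
    [pscustomobject]@{ Name = 'svc-backup'; UAC = 66048 }    # enabled + DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ Name = 'old-svc';    UAC = 66050 }    # disabled + DONT_EXPIRE_PASSWORD
    [pscustomobject]@{ Name = 'kiosk';      UAC = 544 }      # enabled + PASSWD_NOTREQD
    [pscustomobject]@{ Name = 'legacy-app'; UAC = 4194816 }  # enabled + DONT_REQ_PREAUTH
)

# Enabled      : result of the bit test
# MatchedBy512 : what the exact-match saved query would return
$sample | Select-Object Name, UAC,
    @{ N = 'Enabled';      E = { Test-UacEnabled $_.UAC } },
    @{ N = 'MatchedBy512'; E = { $_.UAC -eq 512 } },
    @{ N = 'Flags';        E = { (Get-UacFlagName $_.UAC) -join ', ' } } |
    Format-Table -AutoSize

# Same bit test against a live domain (needs the ActiveDirectory module):
# Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
```

The rows where Enabled is True and MatchedBy512 is False are the accounts an access review built on the exact-match query would never see, and their extra flags (no password required, no Kerberos pre-authentication, non-expiring password) are the ones most worth reviewing.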


Manas Dash

Active Directory Architect

11 months

My query is: Active User does not mean that ID is enabled. Is it possible to query if that user is currently logged on and actively working on his console? Can we query that user if he locked his desktop and is far away?

Jason Gabler

Programmer/Analyst at UCSF

1 year

The LDAP filter is insufficient. There are a few userAccountControl values which denote an active account other than 512, and a filter that only checks for a value of 512 will fail to identify some accounts that are currently active. The most complete way to differentiate active and inactive is to take advantage of the bitwise capability of LDAP filtering, as userAccountControl is conveniently a bitfield. As you've shown in that screenshot of the MDN website, ACCOUNTDISABLE is 2, so:

(userAccountControl:1.2.840.113556.1.4.803:=2) denotes disabled
(!(userAccountControl:1.2.840.113556.1.4.803:=2)) denotes enabled (i.e. not disabled)

The OID in that filter (1.2.840.113556.1.4.803) is "LDAP_MATCHING_RULE_BIT_AND", telling the := operator to perform a bitwise AND operation with 2 and the value of userAccountControl.
