It’s not uncommon to find poorly kept Active Directory environments. The more administrators there are and the more time that has elapsed, the more common it is to find very poor Active Directory hygiene. One thing that a lot of administrators like to do is leave old accounts disabled and scattered throughout the entire directory, which makes auditing difficult.

Here we provide two scripts that are easy to understand and modify, which administrators can use to find all the details they need on their users.

PowerShell Script to Display All Active Users

Get-ADUser -Filter {Enabled -eq $true -and ObjectClass -eq "user"} -Properties Name, GivenName, Mail, Title, LastLogonDate, WhenCreated, LogonCount |
Format-Table Name, GivenName, Title, Mail, LastLogonDate, WhenCreated, LogonCount -AutoSize

PowerShell Script to Display All Disabled Users

Get-ADUser -Filter {Enabled -eq $false -and ObjectClass -eq "user"} -Properties Name, GivenName, Mail, Title, LastLogonDate, WhenCreated, LogonCount |
Format-Table Name, GivenName, Title, Mail, LastLogonDate, WhenCreated, LogonCount -AutoSize
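
A follow-on to the two listings above, as an added example that is not part of the original post: it classifies each account as Active, Stale, NeverLoggedOn or Disabled and reports the container it sits in, so scattered disabled accounts can be located. The function name, the 90-day threshold and the sample accounts (which stand in for live Get-ADUser output) are assumptions made for illustration.

```powershell
function Get-AccountHygieneReport {
    [CmdletBinding()]
    param(
        # Objects shaped like Get-ADUser output (requested with -Properties LastLogonDate)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        # Assumed threshold. LastLogonDate comes from lastLogonTimestamp, which
        # replicates with a lag of days, so keep this well above two weeks.
        [int]$StaleDays = 90,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        if (-not $User.Enabled)           { $status = 'Disabled' }
        elseif (-not $User.LastLogonDate) { $status = 'NeverLoggedOn' }
        elseif (($AsOf - $User.LastLogonDate).TotalDays -gt $StaleDays) { $status = 'Stale' }
        else                              { $status = 'Active' }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Status         = $status
            LastLogonDate  = $User.LastLogonDate
            # Parent container: strip the first RDN, honoring escaped commas (\,)
            Container      = $User.DistinguishedName -replace '^(?:\\.|[^,\\])+,', ''
        }
    }
}

# Constructed sample standing in for: Get-ADUser -Filter * -Properties LastLogonDate
$sample = @(
    [pscustomobject]@{ SamAccountName = 'asmith'; Enabled = $true; LastLogonDate = [datetime]'2024-05-28'
                       DistinguishedName = 'CN=Smith\, Ann,OU=Sales,DC=example,DC=test' }
    [pscustomobject]@{ SamAccountName = 'bjones'; Enabled = $true; LastLogonDate = [datetime]'2023-11-02'
                       DistinguishedName = 'CN=Bob Jones,OU=Sales,DC=example,DC=test' }
    [pscustomobject]@{ SamAccountName = 'svc-old'; Enabled = $true; LastLogonDate = $null
                       DistinguishedName = 'CN=svc-old,OU=Service,DC=example,DC=test' }
    [pscustomobject]@{ SamAccountName = 'cwhite'; Enabled = $false; LastLogonDate = [datetime]'2022-03-15'
                       DistinguishedName = 'CN=Carol White,OU=Finance,DC=example,DC=test' }
)

$report = $sample | Get-AccountHygieneReport -AsOf ([datetime]'2024-06-01')
$report | Sort-Object Status, Container | Format-Table -AutoSize
# Count disabled accounts per container to see where they are scattered
$report | Where-Object Status -eq 'Disabled' | Group-Object Container | Select-Object Count, Name
```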

How To Add Other Fields To the Output

It’s straightforward to remove columns from this script but a little more challenging to know what fields to add. In particular, you probably don’t know the attribute names that you’re looking for. Fortunately, they are easily displayed:

  1. Open ACTIVE DIRECTORY USERS AND COMPUTERS
  2. Click VIEW > ADVANCED OPTIONS
  3. Double click on ANY user
  4. Select the ATTRIBUTE EDITOR tab

The ATTRIBUTE column displays the name of all the attributes users have in Active Directory.

To make this easier to sort through, you might want to click the FILTER button and select SHOW ONLY ATTRIBUTES THAT HAVE VALUES.


