Here is a script I have created that searches for all users within an Active Directory domain and provides a report (.csv file) showing all account names and their status. The status is determined from the useraccountcontrol property contained within each account.
The useraccountcontrol property is stored as a number/integer. As part of this script I've translated the most common numbers/values to their meanings, e.g. Enabled, Disabled, Password Expired etc.
You only need to change the value of the $outfile variable if required. The script should work in its current form on any Windows/Active Directory domain.
$report = @()
$outfile = "C:\temp\UserAudit.csv"

# Search the current domain for user accounts
$searcher = New-Object DirectoryServices.DirectorySearcher
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
# Page the results; without a PageSize, FindAll() stops at the server limit (1000 objects by default)
$searcher.PageSize = 1000
$userlist = $searcher.FindAll()

foreach ($user in $userlist)
{
    $name = $($user.properties.displayname)
    $dn = $($user.properties.distinguishedname)
    $status = $($user.properties.useraccountcontrol)

    # Translate the most common useraccountcontrol values; any other value is reported as the raw number
    if ($status -eq "66050"){$status = "Disabled, password never expires"}
    elseif ($status -eq "66048"){$status = "Enabled, password never expires"}
    elseif ($status -eq "512"){$status = "Enabled Account"}
    elseif ($status -eq "514"){$status = "Disabled Account"}
    # 66080 = 65536 + 512 + 32; bit 32 is PASSWD_NOTREQD ("user cannot change password" would be bit 64)
    elseif ($status -eq "66080"){$status = "Enabled, password never expires, password not required"}

    $report += New-Object psobject -Property @{Name=$name;DN=$dn;Status=$status}
}

# Write the report as a CSV file without the type header line
$report | select Name, Status, DN | export-csv -path $outfile -notype
The script could be further customized to include other values/properties from the account as required. In its current form it includes the user's display name, distinguished name and status.
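The script matches a handful of exact useraccountcontrol numbers, so any other combination of bits ends up in the report as a raw integer. The following is an added example, not part of the original script: it decodes the value bit by bit using the documented ADS_USER_FLAG constants. The function name, the `$ReviewFlags` selection and the sample values are assumptions made for this example, and it needs PowerShell 3.0 or later.

```powershell
# Added example: decode useraccountcontrol as a bit field instead of matching whole numbers.
# Names and values are the documented ADS_USER_FLAG constants (subset relevant to user accounts).
$UacFlags = [ordered]@{
    ACCOUNTDISABLE                 = 0x00000002
    LOCKOUT                        = 0x00000010
    PASSWD_NOTREQD                 = 0x00000020
    PASSWD_CANT_CHANGE             = 0x00000040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x00000080
    NORMAL_ACCOUNT                 = 0x00000200
    DONT_EXPIRE_PASSWORD           = 0x00010000
    SMARTCARD_REQUIRED             = 0x00040000
    TRUSTED_FOR_DELEGATION         = 0x00080000
    NOT_DELEGATED                  = 0x00100000
    USE_DES_KEY_ONLY               = 0x00200000
    DONT_REQ_PREAUTH               = 0x00400000
    PASSWORD_EXPIRED               = 0x00800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x01000000
}

# Settings listed separately for review (selection is an assumption of this example).
$ReviewFlags = 'PASSWD_NOTREQD', 'ENCRYPTED_TEXT_PWD_ALLOWED', 'DONT_EXPIRE_PASSWORD',
               'TRUSTED_FOR_DELEGATION', 'USE_DES_KEY_ONLY', 'DONT_REQ_PREAUTH'

# Mask of every bit the table knows about, used to report bits it does not cover.
$KnownMask = 0
$UacFlags.Values | ForEach-Object { $KnownMask = $KnownMask -bor $_ }

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)

    # Collect the name of every flag whose bit is set in $Value
    $set = @($UacFlags.GetEnumerator() |
             Where-Object { $Value -band $_.Value } |
             ForEach-Object { $_.Key })

    [pscustomobject]@{
        Value    = $Value
        Enabled  = -not ($Value -band $UacFlags.ACCOUNTDISABLE)
        Flags    = $set -join ', '
        Review   = @($set | Where-Object { $ReviewFlags -contains $_ }) -join ', '
        Unmapped = '0x{0:X}' -f ($Value -band (-bnot $KnownMask))
    }
}

# Constructed sample values: the five from the script plus one it does not translate
512, 514, 66048, 66050, 66080, 4260352 |
    ForEach-Object { ConvertFrom-UserAccountControl $_ } |
    Format-Table -AutoSize
```

On Active Directory Domain Services the lockout and password-expired states are reported through the msDS-User-Account-Control-Computed attribute rather than useraccountcontrol, so those two bits are normally clear in the values this search returns.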