(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))
The LDIFDE code to do what you are asking would look similar to this. Bear in mind I don't know your AD structure so this code would not work without modifying the AD path.

This is really what I am trying to accomplish here... I know how to export on an OU by OU basis, but I don't know how to exclude:
1) Terminated / Expired Accounts; or
2) Only search specific OUs... I don't need my entire Forest (domain)...
ldifde -d "OU=Sales,DC=MyCompany,DC=com" -f c:\SalesUsers.txt -r "(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"
That is the best information I can provide for you, the rest is taking the time to understand it.

Title: Writing LDAP queries: Filters, Common Attributes, and Samples
by: Paul S. Chapman
edited: 2/8/2005
=================================================
CONVENTIONS AND DEFINITIONS
=================================================
()................Parenthesis encapsulate filters and separate them into sections
{}................Braces (or curly brackets) encapsulate my notes about the contents of the filter
CAPITAL LETTERS...Plain English title
mIxEd cAsE........Attribute name in AD
Bit Value.........Decimal value of a binary number (e.g. 000100010 bin = 34 dec). If you want to
examine multiple bit values, simply add them up (e.g. 2+65536=65538). Use the
"Bitwise AND" or "Bitwise OR" filters for searches based on these values.
Attribute.........Attributes are the properties of an Object in AD.
Value.............Values are data related to the attributes with which they are associated. They may
be "present" or "not present" (blank). Data may be in plain text, hex, numeric, or
other formats.
Class.............Objects in AD are categorized into Classes. This document only discusses 3 classes:
Users, Computers, and Groups.
Integer8 Date.....The value represents the number of 100-nanosecond intervals since 12:00 AM January 1, 1601.
At the bottom of this document you can find the text of a VBScript that will convert normal
dates to Integer8 dates so that you can use them in searches. Simply cut and paste the
VB into a text file with a .vbs extension and use it from a command prompt.
=================================================
WHERE TO GET INFORMATION
=================================================
-Microsoft's MSDN website
-ADSI Edit allows you to see a RAW view of Active Directory. **USE EXTREME CAUTION WHEN USING THIS UTILITY. DO
NOT MANUALLY CHANGE ANY VALUES WHILE USING THIS UTILITY.** This utility allows you to see the actual
attribute names and the values they use so that you can perform searches. This utility is included with the
Windows 2000 Server or Windows Server 2003 support pack.
=================================================
FILTERS
=================================================
******BASE FILTERS******
WILDCARD...........................*
PRESENCE...........................(attribute=*)
EQUALITY...........................(attribute=value)
PARTIAL MATCH......................(attribute={partial value}*)
PARTIAL MATCH......................(attribute=*{partial value})
PARTIAL MATCH......................(attribute=*{partial value}*)
PARTIAL MATCH......................(attribute=*{partial value 1}*{partial value 2}*)
GREATER THAN or EQUAL..............(attribute>=value)
LESS THAN or EQUAL.................(attribute<=value)
APPROXIMATELY EQUAL................(attribute~=value)
******BOOLEAN FILTERS******
AND................................(&(filter1)(filter2))
AND................................(&(filter1)(filter2)(filter3))
OR.................................(|(filter1)(filter2))
OR.................................(|(filter1)(filter2)(filter3))
NOT................................(!(filter1))
BITWISE AND........................(attribute:1.2.840.113556.1.4.803:={bitvalue in decimal})
BITWISE OR.........................(attribute:1.2.840.113556.1.4.804:={bitvalue in decimal})
******SPECIAL CHARACTERS IN "VALUE" FIELDS******
(..................................\28
)..................................\29
*..................................\2A
\..................................\5C
******COROLLARY FILTERS******
NOT PRESENT (BLANK FIELD)..........(!(attribute=*))
=================================================
COMMON OBJECT CLASSES AND ATTRIBUTES
=================================================
******USER ACCOUNT******
CLASS..............................objectCategory=person AND objectClass=user
ACCOUNT DISABLED...................userAccountControl={contains bit value of 2}
PASSWORD NOT REQUIRED..............userAccountControl={contains bit value of 32}
PASSWORD NEVER EXPIRES.............userAccountControl={contains bit value of 65536}
SMARTCARD REQUIRED.................userAccountControl={contains bit value of 262144}
ACCOUNT TRUSTED FOR DELEGATION.....userAccountControl={contains bit value of 524288}
ACCOUNT CANNOT BE DELEGATED........userAccountControl={contains bit value of 1048576}
USE DES ENCRYPTION.................userAccountControl={contains bit value of 2097152}
DON'T REQUIRE KERBEROS PRE-AUTH....userAccountControl={contains bit value of 4194304}
PREVIOUS PASSWORD CHANGE...........pwdLastSet {Integer8 Date, use .vbs to convert conventional dates, use "<=" for all dates before or >= for all dates after}
LAST LOGON.........................lastLogon {Integer8 Date as above, value of 0 or blank means NEVER}
REQUIRE P/W CHANGE AT NEXT LOGON...pwdLastSet {Value of 0, any other value is previous p/w change date}
GROUP MEMBERSHIP...................memberOf {Specify exact DN of group, no wildcards allowed}
EXCHANGE USER......................msExchHomeServerName {wildcard, or complete or partial servername}
EXCHANGE USER (OPTIONAL)...........homeMDB {wildcard, or complete or partial servername}
DESCRIPTION........................description {wildcard, or complete or partial text}
FIRST NAME.........................givenName {wildcard, or complete or partial text}
LAST NAME..........................sn {wildcard, or complete or partial text}
EMPLOYEE TYPE......................employeeType {wildcard, or complete or partial text}
EMPLOYEE NUMBER....................employeeID {wildcard, or complete or partial text}
DEPARTMENT NUMBER..................department {wildcard, or complete or partial text}
DEPARTMENT NAME....................extensionAttribute1 {wildcard, or complete or partial text}
NICKNAME...........................extensionAttribute5 {wildcard, or complete or partial text}
LOGON NAME.........................sAMAccountName {wildcard, or complete or partial text}
USER PRINCIPAL NAME (UPN)..........userPrincipalName {wildcard, or complete or partial text}
******COMPUTER ACCOUNT******
CLASS..............................objectCategory=computer
OS NAME............................operatingSystem {e.g. Windows 2000 Professional, use "PARTIAL" filter}
OS SERVICE PACK....................operatingSystemServicePack {e.g. Service Pack 4, use "PARTIAL" filter}
OS VERSION.........................operatingSystemVersion {e.g. 5.0 (2195), use "PARTIAL" filter}
DOMAIN CONTROLLER..................userAccountControl={contains bit value of 8192}
DESCRIPTION........................description {wildcard, or complete or partial text}
******GROUP OBJECTS******
CLASS..............................objectCategory=group
DESCRIPTION........................description {wildcard, or complete or partial text}
NAME...............................CN {wildcard, or complete or partial text}
SECURITY GROUP.....................groupType {contains bit value of 2147483648}
GLOBAL GROUP.......................groupType {contains bit value of 2}
DOMAIN LOCAL GROUP.................groupType {contains bit value of 4}
UNIVERSAL GROUP....................groupType {contains bit value of 8}
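The two bitwise matching rules from the FILTERS section behave differently with a combined mask such as 65538 (2+65536): the AND rule requires every bit in the mask, the OR rule fires on any one of them. The following is an added Python example, not part of the original document, that evaluates both rules over constructed userAccountControl values and decodes flags using only the bit tables above (the 512 NORMAL_ACCOUNT bit and the signed groupType form are assumptions noted in the comments).

```python
UAC_FLAGS = {  # userAccountControl bits from the tables above
    2: "ACCOUNT DISABLED",
    32: "PASSWORD NOT REQUIRED",
    8192: "DOMAIN CONTROLLER",
    65536: "PASSWORD NEVER EXPIRES",
    262144: "SMARTCARD REQUIRED",
    524288: "ACCOUNT TRUSTED FOR DELEGATION",
    1048576: "ACCOUNT CANNOT BE DELEGATED",
    2097152: "USE DES ENCRYPTION",
    4194304: "DON'T REQUIRE KERBEROS PRE-AUTH",
}
GROUP_FLAGS = {  # groupType bits from the table above
    2: "GLOBAL GROUP", 4: "DOMAIN LOCAL GROUP", 8: "UNIVERSAL GROUP",
    2147483648: "SECURITY GROUP",
}

def bitwise_and(value, mask):
    """Matching rule 1.2.840.113556.1.4.803: true only if ALL mask bits are set."""
    return (value & 0xFFFFFFFF) & mask == mask

def bitwise_or(value, mask):
    """Matching rule 1.2.840.113556.1.4.804: true if ANY mask bit is set."""
    return (value & 0xFFFFFFFF) & mask != 0

def decode_flags(value, table):
    """Names of the documented bits set in value. AD returns groupType as a
    signed 32-bit integer (e.g. -2147483646), so the value is masked first."""
    value &= 0xFFFFFFFF
    return [name for bit, name in sorted(table.items()) if value & bit]

# Constructed sample accounts (not real data). 512 is the NORMAL_ACCOUNT
# bit carried by ordinary user objects; it is not in the table above.
SAMPLE_UAC = {"alice": 512, "bob": 512 + 2, "carol": 512 + 65536,
              "dave": 512 + 2 + 65536}

def matching_accounts(rule, mask):
    """Accounts that satisfy (userAccountControl:<rule>:=mask)."""
    return sorted(n for n, v in SAMPLE_UAC.items() if rule(v, mask))

def disabled_or_never_expires():
    # What (!(userAccountControl:1.2.840.113556.1.4.804:=65538)) excludes:
    # 65538 = 2 + 65536, and the OR rule fires if either bit is set.
    return matching_accounts(bitwise_or, 65538)   # -> ['bob', 'carol', 'dave']

def disabled_and_never_expires():
    # The same mask under the AND rule requires both bits.
    return matching_accounts(bitwise_and, 65538)  # -> ['dave']
```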
=================================================
SAMPLE QUERY SEGMENTS
=================================================
Object is a user
(&(objectCategory=person)(objectClass=user))
Object is an Enabled User
(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))
User has Mailbox
(|(homeMDB=*)(msExchHomeServerName=*))
User is member of group (Specify DN of Group)
(memberOf=CN=\#Everyone - Restricted Use,OU=TEST,DC=mycompany,DC=com)
Account is not disabled
(!(userAccountControl:1.2.840.113556.1.4.803:=2))
Account Password Never Expires not set
(!(userAccountControl:1.2.840.113556.1.4.803:=65536))
Password set on or before 8/9/2004 (Specify Integer8 Date, Use VB script to determine)
(pwdLastSet<=127365120000000000)
Change Password at next logon flag
(pwdLastSet=0)
Account has never logged on
(|(lastLogon=0)(!(lastLogon=*)))
=================================================
SAMPLE FULL QUERIES
=================================================
[Enabled Users] with [mailboxes] and [Not members of the #Everyone - Restricted Use D/L]
(&(&(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(homeMDB=*)(msExchHomeServerName=*)))(!(memberOf=CN=\#Everyone - Restricted Use,OU=TEST,DC=mycompany,DC=com)))
[Users] with [P/W never expires flag is not set and not disabled] and [P/W age >180 days] and [Password change flag is not set]
(&(&(&(&(objectCategory=person)(objectClass=user))(!(userAccountControl:1.2.840.113556.1.4.804:=65538)))(pwdLastSet<=127365120000000000))(!(pwdLastSet=0)))
[Enabled Users] with [P/W age >180 days] or [Password change flag is set and Last Logon is never] or [Last Logon is >90 days]
(&(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))(|(&(pwdLastSet=0)(|(lastLogon=0)(!(lastLogon=*))))(lastLogon<=127439424000000000)(&(pwdLastSet<=127365120000000000)(!(userAccountControl:1.2.840.113556.1.4.803:=65536)))))
[Groups] with [type of Global and Security]
(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))
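The date-based sample queries above depend on the Integer8 conversion described under CONVENTIONS AND DEFINITIONS, and any literal value placed in a filter must use the escapes listed under SPECIAL CHARACTERS. The following is an added Python example, not part of the original document, that performs both conversions, escapes a value, and assembles the "stale password" query from a cutoff date; the description_filter helper and its input are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000  # Integer8 counts 100-nanosecond intervals

def date_to_integer8(when):
    """Aware datetime -> Integer8 (UTC, whole seconds, so it ends in 7 zeros)."""
    seconds = int((when.astimezone(timezone.utc) - EPOCH_1601).total_seconds())
    return seconds * TICKS_PER_SECOND

def integer8_to_date(value):
    """Integer8 -> aware UTC datetime (0 means 'never' / 'must change')."""
    return EPOCH_1601 + timedelta(seconds=value // TICKS_PER_SECOND)

def escape_value(text):
    """Escape the four special characters listed under FILTERS; the
    backslash goes first so the escapes it produces are not re-escaped."""
    return (text.replace("\\", "\\5C").replace("(", "\\28")
                .replace(")", "\\29").replace("*", "\\2A"))

def stale_password_filter(cutoff):
    """Enabled users whose password was last set on or before cutoff and who
    are not already flagged to change it at next logon (pwdLastSet=0)."""
    return ("(&(objectCategory=person)(objectClass=user)"
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
            f"(pwdLastSet<={date_to_integer8(cutoff)})(!(pwdLastSet=0)))")

def description_filter(text):
    """Equality match on description with the value escaped (hypothetical
    constructed input, e.g. a description containing parentheses)."""
    return f"(description={escape_value(text)})"

# The document's sample value for 8/9/2004 decodes to 2004-08-09 08:00 UTC,
# i.e. local midnight in a zone eight hours behind UTC.
SAMPLE_INTEGER8 = 127365120000000000

def sample_cutoff_iso():
    return integer8_to_date(SAMPLE_INTEGER8).isoformat()  # -> '2004-08-09T08:00:00+00:00'
```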
=================================================
DATE TO INTEGER8 CONVERSION SCRIPT
=================================================
Simply copy and paste the following text into a file called DateToInteger8.vbs and execute from a command prompt.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
' DateToInteger8.vbs
' VBScript program demonstrating how to convert a datetime value to
' the corresponding Integer8 (64-bit) value. The Integer8 value is the
' number of 100-nanosecond intervals since 12:00 AM January 1, 1601,
' in Coordinated Universal Time (UTC). The conversion is only accurate
' to the nearest second, so the Integer8 value will always end in at
' least 7 zeros.
'
' ----------------------------------------------------------------------
' Copyright (c) 2004 Richard L. Mueller
' Hilltop Lab web site -
' Version 1.0 - June 11, 2004
'
' You have a royalty-free right to use, modify, reproduce, and
' distribute this script file in any way you find useful, provided that
' you agree that the copyright owner above has no warranty, obligations,
' or liability for such use.
Option Explicit

Dim dtmDateValue, dtmAdjusted, lngSeconds, str64Bit
Dim objShell, lngBiasKey, lngBias, k

If Wscript.Arguments.Count <> 1 Then
    Wscript.Echo "Required argument <DateTime> missing"
    Wscript.Echo "For example:"
    Wscript.Echo ""
    Wscript.Echo "cscript DateToInteger8.vbs ""2/5/2004 4:58:58 PM"""
    Wscript.Echo ""
    Wscript.Echo "If the date/time value has spaces, enclose in quotes"
    Wscript.Quit
End If

dtmDateValue = CDate(Wscript.Arguments(0))

' Obtain local Time Zone bias from machine registry.
Set objShell = CreateObject("Wscript.Shell")
lngBiasKey = objShell.RegRead("HKLM\System\CurrentControlSet\Control\" _
    & "TimeZoneInformation\ActiveTimeBias")
If UCase(TypeName(lngBiasKey)) = "LONG" Then
    lngBias = lngBiasKey
ElseIf UCase(TypeName(lngBiasKey)) = "VARIANT()" Then
    ' Registry value returned as a byte array; rebuild the integer.
    lngBias = 0
    For k = 0 To UBound(lngBiasKey)
        lngBias = lngBias + (lngBiasKey(k) * 256^k)
    Next
End If

' Convert datetime value to UTC.
dtmAdjusted = DateAdd("n", lngBias, dtmDateValue)

' Find number of seconds since 1/1/1601.
lngSeconds = DateDiff("s", #1/1/1601#, dtmAdjusted)

' Convert the number of seconds to a string
' and convert to 100-nanosecond intervals.
str64Bit = CStr(lngSeconds) & "0000000"

Wscript.Echo "Integer8 value: " & str64Bit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Used Queries:
Users for whom dial-up access is enabled.
(&(&(objectCategory=person)(objectClass=user)(msNPAllowDialin=TRUE)))