Script To Enlist All "Built-In" User Accounts in the Domain

  • Question

  • Hi There,

    I am looking for a script that will enumerate/list all built-in user accounts in the domain -- not other user accounts.
    LDAP Filter: "(sAMAccountType=805306368)" gives all User-Accounts, including built-in user accounts. But I am looking for a script that will give, as output, the list of all "Built-In" user accounts only.
    I have also tried the LDAP Filter "(objectCategory=builtinDomain)" -- this only gives the Built-In container. But it does not give the list of all "Built-In" user accounts. By default the "Built-In" container contains Built-In Groups.
    For example: in a domain there is a list of built-in user accounts like "krbtgt", "guest" etc. These accounts may be enabled or disabled -- it doesn't matter.

    I am looking for a script that will enlist all these "built-in" user accounts only.

    Please help me by giving me the code snippet or by pointing me to a script.

    Thank you

    Monimoy Sanyal

    Friday, April 18, 2014 4:44 PM

All replies

  • Why do you need to do it? What's provoking the question?


    -- Bill Stewart [Bill_Stewart]

    Friday, April 18, 2014 4:54 PM
    Moderator
  • Hi Bill,

    Sorry for being late in response.

    I need to obtain LastLogonTimeStamp for a variety of users in the domain. These users are scattered all over all OUs. I can write a script that will fetch the LastLogonTimeStamp of User-Accounts. However, I need to exclude all "Built-In" User-Accounts. Hence, I need to know a VBScript that will check if the User-Account is a "Built-In" account or not.

    My action Plan is as follows:

    1. Execute the script
    2. Script checks if the user-account is "Built-In" ---- I need assistance here only
    3. If Yes -- "Built-In" -- do nothing
    4. Else -- Get LastLogonTimeStamp information of the user account --- I know how to do this

    Thus, I am seeking assistance on getting a script that will enlist/detect/check ONLY for "Built-In" user-accounts in the domain.

    Sunday, May 11, 2014 10:15 AM
  • There is no way to "check". There is no flag that says "BUILTIN account".

    You must do this from a manual list. Furthermore, different operating systems will have different "default" accounts depending on how they are configured (Example: IIS adds accounts when installed).

    You must code this by yourself.

    Just get all accounts and check against your list. There is no other way. Here is a starter - Guest and Administrator may exist on any machine - They won't if AD has been set to rename them.

    You can also start by using a list of SIDs. (EXAMPLE: S-1-5-XX-xxxxxxxxxx-xxxxxxxx-xxxxxxxxxx-500 BUILTIN\Administrator even if it is renamed) (SEE: http://blogs.technet.com/b/heyscriptingguy/archive/2005/07/22/how-can-i-determine-if-the-local-administrator-account-has-been-renamed-on-a-computer.aspx )

    Some more clues: http://www.windowsecurity.com/articles-tutorials/windows_server_2008_security/Well-Known-SIDs-Windows-Server-2008-R2-Active-Directory.html


    ¯\_(ツ)_/¯

    Sunday, May 11, 2014 12:03 PM
  • Agree with jrv. AFAICT, there is nothing on an account that flags it as an account that got created when AD was installed. The closest you can probably get is to check the account's RID (relative ID--the last part of the SID), as he suggested.


    -- Bill Stewart [Bill_Stewart]

    Monday, May 12, 2014 2:27 PM
    Moderator
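The RID check that jrv and Bill describe, as an added Python example that is not code from this thread. It assumes each account's objectSid has already been read from AD and converted to its "S-1-5-21-..." string form; the RID table and the sample accounts are constructed from the well-known SID list linked above, not taken from a real domain.

```python
import re

# Constructed table (not from the thread): RIDs of the user accounts every AD
# domain gets at creation, per the well-known SID list jrv links. Accounts
# added later by roles such as IIS get ordinary RIDs, so they still need
# the manual list his reply describes.
WELL_KNOWN_USER_RIDS = {500: "Administrator", 501: "Guest", 502: "krbtgt"}
# RIDs below 1000 are reserved for well-known principals; accounts created by
# administrators are allocated RIDs from 1000 upwards.
FIRST_ALLOCATED_RID = 1000
# Domain SIDs have the form S-1-5-21-<three sub-authorities>-<RID>.
DOMAIN_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def parse_rid(sid):
    """RID of a domain account SID, or None for any other kind of SID."""
    match = DOMAIN_SID_RE.match(sid)
    return int(match.group(1)) if match else None


def is_builtin_account(sid):
    """True for a default account, whatever it has been renamed to."""
    rid = parse_rid(sid)
    return rid is not None and rid < FIRST_ALLOCATED_RID


def builtin_name(sid):
    """Original name of a well-known account (e.g. a renamed Administrator)."""
    return WELL_KNOWN_USER_RIDS.get(parse_rid(sid))


def split_accounts(accounts):
    """accounts: (sAMAccountName, objectSid string) pairs as an LDAP query for
    (sAMAccountType=805306368) returns them. Returns (built-in accounts to
    skip, accounts whose lastLogonTimestamp the poster wants to read)."""
    builtin, regular = [], []
    for name, sid in accounts:
        (builtin if is_builtin_account(sid) else regular).append((name, sid))
    return builtin, regular


# Constructed sample data with a made-up domain SID. The renamed
# Administrator ("corp-root") is still caught by its RID of 500.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
SAMPLE_ACCOUNTS = [
    ("corp-root", DOMAIN + "-500"), ("Guest", DOMAIN + "-501"),
    ("krbtgt", DOMAIN + "-502"), ("jsmith", DOMAIN + "-1105"),
    ("svc-backup", DOMAIN + "-1340"),
]
```

Because it keys on the RID rather than the name, the split survives the rename of Administrator that the thread warns about; anything a role installed later still has to be added to the manual list.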