Retrieving a specific user attribute from AD from a list of SIDs by using script

  • Question

  • Hi Guys,

    I need to retrieve the userAccountControl attribute value of specific users from AD so that I will know whether the user account is enabled or disabled. NOTE: I only have their SID values and not usernames in a file.

    Would you guys be able to build a VBS that retrieves this result into a CSV file? The result should contain userAccountControl and samAccountName attributes.

    Thank you in advance.

    Best regards,


    Nilton Carlos MCP|MCSA+M|MCSE|MCT|MCTS|MCITP|ITIL|CobiT

    Thursday, November 27, 2014 1:45 PM

All replies

  • You could use PowerShell, much easier. If you only want to check whether the account is enabled and you aren't bothered about the exact flags it's even easier.

    gc C:\sids.txt | % {
    
    get-aduser -filter {SID -eq $_} -Properties Samaccountname, Enabled | Select @{N="User"; E={$_.SamaccountName}}, @{N="Enabled"; E={$_.Enabled}} | Export-csv C:\results.csv -NoTypeInformation -Append
    
    }

     

    • Marked as answer by Nilton Carlos Thursday, November 27, 2014 7:16 PM
    Thursday, November 27, 2014 2:58 PM
  • This is the easy way:

    Get-Content sids.txt |
       ForEach-Object{
         get-aduser -filter "SID -eq '$_'"
       } |
       Select SamaccountName, Enabled |
       Export-Csv results.csv -notype
    


    ¯\_(ツ)_/¯

    • Marked as answer by Nilton Carlos Thursday, November 27, 2014 7:16 PM
    Thursday, November 27, 2014 3:08 PM
  • FYI

    Default attributes of Get-AdUser

    PS C:\scripts> get-aduser -filter "SID -eq '$sid'"
    
    
    DistinguishedName : CN=Test User,OU=TestOU,DC=TESTLNET,DC=local
    Enabled           : True
    GivenName         : Test
    Name              : Test User
    ObjectClass       : user
    ObjectGUID        : c2977457-41c6-4ba7-9d14-3ec74e0e4052
    SamAccountName    : test
    SID               : S-1-5-21-1997746983-321388823-153622166-1130
    Surname           : User
    UserPrincipalName : Test.User@TESTNET.local
    


    ¯\_(ツ)_/¯

    Thursday, November 27, 2014 3:12 PM
  • It's the same way... The only difference is yours is formatted nicely and I changed one of the label names. Admittedly "Enabled" was redundant.
    Thursday, November 27, 2014 3:15 PM
  • Thank you all for the prompt replies.

    Both scripts have worked nicely. However, I forgot to mention something important, especially when using the Get-ADUser cmdlet. I have an AD forest of multiple domains, so when I run any of the scripts above I only get user account results from the domain which my user account belongs to. I have also noticed that the Get-ADUser cmdlet doesn't allow specifying domain partitions other than your own in its "-SearchScope" syntax. This is something that "DSQUERY * forestroot" does.

    Any ideas?



    Nilton Carlos MCP|MCSA+M|MCSE|MCT|MCTS|MCITP|ITIL|CobiT

    Thursday, November 27, 2014 3:45 PM
  • Jrv - Ah, sorry I didn't catch the properties, you are right.

    Nilton, you can use this to get all of the domains in your forest and then do a foreach using the server parameter.

    $domains = (Get-ADForest).Domains
    foreach ($domain in $domains) {
        Get-Content C:\sids.txt |
            ForEach-Object {
                get-aduser -server $domain -filter "SID -eq '$_'"
            } |
            Select SamaccountName, Enabled |
            Export-Csv results.csv -notype -Append
    }

    Thursday, November 27, 2014 3:52 PM
  • Just noting that you don't need properties here.

    ¯\_(ツ)_/¯

    Thursday, November 27, 2014 4:26 PM
  • Just query any Global Catalog and you will get it all.

    get-aduser -server gcserver:3268 -filter "SID -eq '$_'"


    ¯\_(ツ)_/¯

    • Marked as answer by Nilton Carlos Thursday, November 27, 2014 7:16 PM
    Thursday, November 27, 2014 5:11 PM
  • Fantastic!

    That's my script after some modifications:

    Get-Content D:\sids.txt |
       ForEach-Object{
         get-aduser -server gcserver:3268 -filter "SID -eq '$_'"
       } |
       Select SID, Name, samAccountName, Enabled |
       Export-Csv D:\results.csv -NoTypeInformation -Append

    It worked like a charm after I updated from PowerShell 2.0 to 4.0 on my Windows 7 workstation; this was necessary because the "-Append" syntax does not exist in v2.0.

    I appreciate every single reply, guys. Thank you!

    Best wishes and see y'all around!


    Nilton Carlos MCP|MCSA+M|MCSE|MCT|MCTS|MCITP|ITIL|CobiT

    Thursday, November 27, 2014 7:14 PM
  • There is no need to use append in a pipeline when export is the last element.


    ¯\_(ツ)_/¯

    Thursday, November 27, 2014 8:11 PM
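
An added example, not code from any poster in the thread: a variant of the Global Catalog query that also returns the raw userAccountControl value the original question asked for, validates each line as a SID before it is placed in the filter string, and records SIDs that resolve to no user instead of silently dropping them. The server name gcserver:3268 and the D:\ paths are the thread's placeholders; the Status column and variable names are assumptions of this example.

```powershell
# Added example (not from the thread). Requires the ActiveDirectory module
# and PowerShell 3.0 or later for [pscustomobject].
Import-Module ActiveDirectory

$GcServer   = 'gcserver:3268'      # placeholder GC name used in the thread
$SidFile    = 'D:\sids.txt'        # one SID per line
$ResultFile = 'D:\results.csv'

# ACCOUNTDISABLE bit of userAccountControl
$ACCOUNTDISABLE = 0x0002

# Helper for rows where no user data is available (hypothetical name)
function New-EmptyRow($Sid, $Status) {
    [pscustomobject]@{
        SID = $Sid; SamAccountName = $null
        UserAccountControl = $null; Enabled = $null; Status = $Status
    }
}

Get-Content $SidFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ } |
    ForEach-Object {
        $raw = $_
        # Parse the line as a SID first, so arbitrary file content never
        # ends up inside the LDAP filter string.
        try {
            $sid = New-Object System.Security.Principal.SecurityIdentifier($raw)
        } catch {
            New-EmptyRow $raw 'InvalidSid'
            return      # next line of the file
        }

        $user = Get-ADUser -Server $GcServer `
                           -Filter "SID -eq '$($sid.Value)'" `
                           -Properties userAccountControl
        if (-not $user) {
            # Deleted account, or the SID belongs to a group or computer
            New-EmptyRow $sid.Value 'NotFound'
            return
        }

        [pscustomobject]@{
            SID                = $sid.Value
            SamAccountName     = $user.SamAccountName
            UserAccountControl = $user.userAccountControl
            Enabled            = -not ($user.userAccountControl -band $ACCOUNTDISABLE)
            Status             = 'Found'
        }
    } |
    Export-Csv $ResultFile -NoTypeInformation
```

Rows with Status NotFound are worth reviewing separately when the SID list comes from ACLs or logs, since they point at principals that no longer exist as users in the forest.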