How to determine whether a user account / group is built-in?

    Question

  • Hi,

    We are working on an AD cleanup script and wanted to delete every user / group in AD except for built-in accounts. Is there any way to determine whether a particular user / group is built-in? I was looking at this article https://technet.microsoft.com/en-us/library/dn579255(v=ws.11).aspx which talks about determining it using Distinguished Name and SID. This can be complex and also ambiguous sometimes. Is there any discrete property to determine this?

    Thanks & Regards,

    Pratik 

    Thursday, March 16, 2017 7:21 AM

Answers

  • > But is there any other way to do this? Like some internal property on the AD object, which will tell that it is a built-in account?
     
    isCriticalSystemObject=TRUE
     
    Thursday, March 16, 2017 10:14 AM

All replies

  • Hi Nedim,

    Thanks for quick response. This was helpful.

    But is there any other way to do this? Like some internal property on the AD object, which will tell that it is a built-in account?

    The reason I am thinking of an internal property is that whenever I try to delete these accounts, I get a prompt that built-in accounts cannot be deleted, so there must be some internal flag that is telling the system about this. It would be great if we could access such flags, if any.

    Thanks & Regards,

    Pratik

    Thursday, March 16, 2017 9:32 AM
  • > But is there any other way to do this? Like some internal property on the AD object, which will tell that it is a built-in account?
     
    isCriticalSystemObject=TRUE
     
    Thursday, March 16, 2017 10:14 AM
  • Hi Martin,

    Thanks a ton :) . Won't be able to test it now though, will get back afterwards in case of any issue..

    Thanks & Regards,

    Pratik

    Friday, March 17, 2017 5:47 AM
  • Hi Martin,

    Finally got time to test this out, this property is present but is null for all objects..

    Thanks & Regards,

    Pratik

    Friday, March 31, 2017 9:08 AM
  • Hi Pratik,
    Alternatively, as far as I know, built-in accounts are created when you install the first domain controller. You can check the object creation date of the accounts through the object's Attribute Editor to determine whether it's a built-in account or not.
    Best regards, 
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, April 3, 2017 5:17 AM
    Moderator
  • Got the 'isCriticalSystemObject' property value when I ran get-adobject with -properties *.

    Thank you once again, my bad..

    Monday, April 3, 2017 10:33 AM
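The following script is an added example, not code posted by anyone in this thread. It ties together the accepted answer (isCriticalSystemObject) and the last post (the attribute only appears when requested explicitly): it separates protected system objects from cleanup candidates and reports them without deleting anything. It assumes the ActiveDirectory RSAT module, read access to the domain, and uses the well-known RID range below 1000 from the linked TechNet article as a cross-check; the variable names are the author's own.

```powershell
# Added example (not from the thread). Lists users and groups that are NOT
# flagged as critical system objects, i.e. candidates to review before an
# AD cleanup, and shows the protected set separately. Assumes the
# ActiveDirectory module (RSAT) and read rights on the domain.
Import-Module ActiveDirectory

# isCriticalSystemObject is not in the default property set of
# Get-ADObject / Get-ADUser / Get-ADGroup, which is why it looked null
# earlier in the thread. Ask for it by name; cheaper than -Properties *.
# objectCategory=person excludes computer objects, which also have
# objectClass=user.
$filter = '(|(&(objectCategory=person)(objectClass=user))(objectClass=group))'

$objects = Get-ADObject -LDAPFilter $filter `
    -SearchBase (Get-ADDomain).DistinguishedName `
    -Properties isCriticalSystemObject, objectSid, whenCreated

# Returns $true for the well-known accounts/groups whose RID is below 1000
# (Administrator = 500, Domain Admins = 512, ...); a second signal that
# does not depend on the isCriticalSystemObject attribute being set.
function Test-WellKnownRid {
    param([System.Security.Principal.SecurityIdentifier] $Sid)
    if ($null -eq $Sid) { return $false }
    $rid = [int] ($Sid.Value.Split('-')[-1])
    return $rid -lt 1000
}

# -ne $true also catches objects where the attribute is absent ($null).
$protected  = $objects | Where-Object {
    $_.isCriticalSystemObject -eq $true -or (Test-WellKnownRid $_.objectSid)
}
$candidates = $objects | Where-Object {
    $_.isCriticalSystemObject -ne $true -and -not (Test-WellKnownRid $_.objectSid)
}

"Protected system objects ({0}):" -f @($protected).Count
$protected |
    Select-Object Name, ObjectClass, DistinguishedName |
    Format-Table -AutoSize

"Cleanup candidates ({0}) - review before deleting anything:" -f @($candidates).Count
$candidates |
    Select-Object Name, ObjectClass, whenCreated, DistinguishedName |
    Format-Table -AutoSize

# When the candidate list has been reviewed, the actual deletion would be
# piped through Remove-ADObject; run it with -WhatIf first so the set of
# objects it would touch is visible before anything changes:
#   $candidates | Remove-ADObject -WhatIf
```

The script only reports; deletion is left as a commented line so the review step cannot be skipped by accident. Using both checks (the attribute and the RID range) matters because an object that lost its isCriticalSystemObject value, or one in a domain where the attribute was never populated, would otherwise land in the candidate list.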