0

I got a PowerShell command that gives me a list of users and the groups those users are members of. The only problem is that is gives me every user including those that are disabled. I need to be able to list just the active users and their respective groups. Any help would be appreciated.

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | Foreach-Object {    $groups = $_.Groups() | Foreach-Object {$_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)} ; $_ | Select-Object @{n='UserName';e={$_.Name}},@{n='Groups';e={$groups -join ';'}} } | Format-Table -autosize -wrap
raetrace
  • 33
  • 1
  • 4

4 Answers4

4

You might use a WMI query to get AccountType (512 = Enabled, 514 = Disabled):

Edit: there are other flags which indicate enabled accounts, but the basic enabled/disabled is 512/514. Refer to this list.

Third try:

Function Check-Enabled ($Username) {
   -not (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True AND Name='$Username'").disabled
}

Then add the property to your Select-Object. I also formatted it for my own readability, but still the same code:

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | where { $_.SchemaClassName -eq 'user' } | Foreach-Object {
   $groups = $_.Groups() | Foreach-Object {
      $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
   }
   $_ | Select-Object @{n='UserName';e={$_.Name}},
                      @{n='Groups';e={$groups -join ';'}},
                      @{n='Enabled';e={Check-Enabled $_.Name}}
} | Format-Table -autosize -wrap
xXhRQ8sD2L7Z
  • 695
  • 5
  • 12
  • 1
    +1 For just making the effort to untangle the original copy/paste horror show. – jscott Feb 03 '16 at 00:33
  • For whatever reason, the local Administrator and Guest were both returning 512. I've tried this on two computers (Win 7 and Win8.1) and verified both had the Guest account disabled, but they returned 512 on both. – raetrace Feb 03 '16 at 00:51
  • In the function Check-Enabled you provided, if I replace `Select -ExpandProperty AccountStatus` with `Select -ExpandProperty Status` and replace the `-eq 512` with `-ne 'Degraded'` then I get exactly what I'm looking for. Now I just need to filter out the Enabled fields that have False. Thank you for pointing me in the right direction. – raetrace Feb 03 '16 at 01:02
  • The updated Check-Enabled function you provided has the same problem. It's returning the Guest account as Enabled=True, when in fact it is not. The newer one you posted is much faster though, so if we can get the new Function to either exclude disabled accounts or correctly mark them False then that would be perfect. – raetrace Feb 03 '16 at 01:17
  • I updated the function – xXhRQ8sD2L7Z Feb 03 '16 at 01:31
  • +1 (once I have enough reputation points). YOU ARE THE MAN! Works perfectly. Just a side note for those who use this, dog slow when the computer is on a domain. Runs pretty quickly in a workgroup though. – raetrace Feb 03 '16 at 01:52
1

Much more easier way with WMI

Get-WmiObject -Class win32_useraccount -filter "localaccount=true" | where {$_.disabled -eq $False}
strange walker
  • 592
  • 3
  • 10
1

Starting with Version 5.1 PowerShell also comes with an builtin cmdlet called Get-LocalUser Powershell Local Accounts

Get-LocalUser | Where-Object -Property Enabled -eq True
Gerald Schneider
  • 23,274
  • 8
  • 57
  • 89
Rajiv Iyer
  • 157
  • 9
0

The syntax is:

Get-LocalUser | Where-Object -Property Enabled -like true

Get-LocalUser | Where-Object -Property Enabled -like false

-eq operator does not output disabled accounts

Roberto Bermejo
  • 1