I'm trying to use the script below to get all active users from AD; however, I don't get any results, although I know there are entries with the value 512.

Do you know what I have wrong here?

  Get-ADUser -filter {$userAccountControl -eq "512"} -properties Name,userAccountControl -Server myserver.local | Export-CSV "E:\Folder\ADusers.csv" -NoTypeInformation -Encoding UTF8
Turpan
    What's in $userAccountControl? – guiwhatsthat May 28 '18 at 08:58
  • 1
    `Get-ADUser -filter {userAccountControl -band [int]512}` – JosefZ May 28 '18 at 09:10
  • Caution: `userAccountControl` is a bitmap (i.e., an integer treated as a series of bits, wherein each position represents an on/off state) - see @dev.greg's answer. – Bill_Stewart May 28 '18 at 16:06
  • Well, I've tried with -band ... and still got an error: Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At E:\AD\ad_script_test_2.ps1:1 char:1 + Get-ADUser -filter {userAccountControl -band [int]512} -properties Na ... + ~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Get-ADUser:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException – Turpan May 30 '18 at 08:57

2 Answers

As pointed out in the comments, the $ does not belong. That tells PowerShell that you want to use the value in a variable called $userAccountControl and compare that to 512. Considering that you probably never set a variable called $userAccountControl, that means it's comparing nothing to 512 and seeing that it's not true for every account.

Remove the $ and it will compare the property called userAccountControl to 512.

  Get-ADUser -filter {userAccountControl -eq "512"} -properties Name,userAccountControl -Server myserver.local | Export-CSV "E:\Folder\ADusers.csv" -NoTypeInformation -Encoding UTF8
Gabriel Luci
  • Doesn't work, it seems the syntax is incorrect: "Get-ADUser : The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again. At E:\AD\ad_script_test_2.ps1:1 char:1 + Get-ADUser -filter {userAccountControl -eq "512"} -properties Name,us ... + ~~~~~~~~~~ + CategoryInfo : ObjectNotFound: (Get-ADUser:String) [], CommandNotFoundException + FullyQualifiedErrorId : CommandNotFoundException" – Turpan May 30 '18 at 08:58
  • Sounds like you hadn't loaded the ActiveDirectory module. Do that first: `Import-Module ActiveDirectory` – Gabriel Luci May 30 '18 at 12:03
  • If you're still getting the `The term 'Get-ADUser' is not recognized` error, that means PowerShell has no idea what `Get-ADUser` means. Either the ActiveDirectory module is not installed, or not loaded. You need to work that out first. – Gabriel Luci Jun 06 '18 at 12:08
  • You can find instructions for installing here (follow the steps for your version of Windows): https://4sysops.com/wiki/how-to-install-the-powershell-active-directory-module/ – Gabriel Luci Jun 06 '18 at 12:10
  • Correct, the module wasn't on test server, when I ran it on prod server, it worked fine. Thanks ;) – Turpan Jun 11 '18 at 12:13
  • I have one additional issue. Now I get the results, which is great; however, I get more than I need. I have specified in -properties that I want to get only Name and userAccountControl. For some reason I'm getting everything: DistinguishedName Enabled GivenName Name ObjectClass ObjectGUID SamAccountName SID Surname userAccountControl UserPrincipalName. Would you know how I can limit it to only those two? – Turpan Jun 11 '18 at 12:19
  • I don't think there is a way to do that with `Get-ADUser`. It always gets the ["default set"](https://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx) of attributes. The `Properties` parameter only lets you ask for more, not less. If you're serious about this, you could try using .NET's `DirectorySearcher` instead. It'll give you more control, but it's a little more complex to work with: https://www.petri.com/discovering-active-directory-searcher-powershell You'll want to set the `PropertiesToLoad` list. – Gabriel Luci Jun 11 '18 at 12:55
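The thread above ends with two practical points: the `The term 'Get-ADUser' is not recognized` error means the ActiveDirectory module is not installed or not loaded, and `Get-ADUser` always returns its default property set regardless of `-Properties`. The following script is an added example (not code from the question or the answer) that checks for the module before calling the cmdlet and trims the exported columns on the PowerShell side with `Select-Object`, so the CSV contains only the two attributes asked for. `myserver.local` and `E:\Folder\ADusers.csv` are the poster's values; the `-eq 512` comparison is kept exactly as in the answer.

```powershell
# Added example, not part of the original answer. Assumes the RSAT
# ActiveDirectory module is available and the caller can read the directory.

# Fail with a clear message instead of "Get-ADUser is not recognized".
if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
    throw "The ActiveDirectory PowerShell module is not installed on this host."
}
Import-Module ActiveDirectory

# No '$' in front of the attribute name: inside -Filter, userAccountControl
# is the AD attribute; $userAccountControl would be an (unset) local variable.
$users = Get-ADUser -Filter 'userAccountControl -eq 512' `
                    -Properties Name, userAccountControl `
                    -Server myserver.local

# Get-ADUser returns its default property set plus whatever -Properties adds;
# -Properties cannot remove columns, so trim them before writing the file.
$users |
    Select-Object Name, userAccountControl |
    Export-Csv 'E:\Folder\ADusers.csv' -NoTypeInformation -Encoding UTF8

# Show what was written, for a quick sanity check of the column set.
Import-Csv 'E:\Folder\ADusers.csv' | Select-Object -First 3
```

Run it from a session that already has RSAT installed (the poster's production server); on the test server the `throw` fires before any query is attempted, which is the same condition the error message was reporting.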

You could try the LDAPfilter syntax:

  Get-ADUser -property userAccountControl -LDAPfilter "(userAccountControl=512)"

However, this might not be a good method: userAccountControl is a binary field, each bit representing a binary value (see https://support.microsoft.com/en-us/help/305144/how-to-use-the-useraccountcontrol-flags-to-manipulate-user-account-pro ). For example:

512 is "normal account", which you want

66048 is "normal account" + "password doesn't expire", which you might also want

514 is "normal account" + "account disabled", which you might not want

All of these values would match

-band 512

You need to clarify what an active user is.

dev.greg
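To make the bitmask point concrete, here is an added example (not code from the answer) that decodes the three values the answer lists into their flag names and then queries the directory with an LDAP filter that tests individual bits instead of comparing the whole integer. The flag values come from the Microsoft article linked above; the `1.2.840.113556.1.4.803` matching rule is the standard LDAP bitwise-AND rule. `myserver.local` and `E:\Folder\ADusers.csv` are the poster's values; the definition of "active" used here (normal account with the disabled bit clear) is an assumption that the reader should adjust to their own policy.

```powershell
# Added example, not part of the original answer. Assumes the ActiveDirectory
# module is installed and the caller can read the directory.
Import-Module ActiveDirectory

# userAccountControl flag bits (values from the Microsoft KB linked above).
$UAC_ACCOUNTDISABLE     = 0x0002    # 2
$UAC_NORMAL_ACCOUNT     = 0x0200    # 512
$UAC_DONT_EXPIRE_PASSWD = 0x10000   # 65536

# Return the names of the flags set in a raw userAccountControl integer.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    $flags = @{
        ACCOUNTDISABLE     = $UAC_ACCOUNTDISABLE
        NORMAL_ACCOUNT     = $UAC_NORMAL_ACCOUNT
        DONT_EXPIRE_PASSWD = $UAC_DONT_EXPIRE_PASSWD
    }
    $flags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Key } |
        Sort-Object
}

# Decode the three sample values from the answer; all three carry bit 512,
# but only 514 also carries the ACCOUNTDISABLE bit.
foreach ($v in 512, 66048, 514) {
    '{0,6} -> {1}' -f $v, ((ConvertFrom-UserAccountControl $v) -join ' + ')
}

# Bitwise LDAP filter: NORMAL_ACCOUNT bit set AND ACCOUNTDISABLE bit clear.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND.
$ldapFilter = '(&(userAccountControl:1.2.840.113556.1.4.803:=512)' +
              '(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'

Get-ADUser -LDAPFilter $ldapFilter `
           -Properties userAccountControl `
           -Server myserver.local |
    Select-Object Name, SamAccountName, userAccountControl,
        @{ Name = 'Flags'; Expression = {
            (ConvertFrom-UserAccountControl $_.userAccountControl) -join '+' } } |
    Export-Csv 'E:\Folder\ADusers.csv' -NoTypeInformation -Encoding UTF8
```

The decoded `Flags` column makes it visible in the CSV why a given account was included, which is easier to audit than a bare integer; if "active" should also exclude accounts whose password never expires, add a third `(!(userAccountControl:1.2.840.113556.1.4.803:=65536))` clause to the filter.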