0

I have a problem with the python3 pyad module. I'd like to query my active directory environment for all PCs with some Information and if they are enabled or not.

This is the code:

q = pyad.adquery.ADQuery()
q.execute_query(
    attributes = ["CN", "OperatingSystem", "OperatingSystemVersion", "Description", "Enabled"],
    where_clause = "objectClass = 'Computer'",
    base_dn = "OU=Client,OU=####,OU=########,DC=###############,DC=########,DC=local"
)

ad_result = []
for row in q.get_results():
    ad_result.append(row)
    print(row)

This is what I am getting back:

{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}
{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}
{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}
{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}
{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}
{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}
{'Enabled': None, 'Description': None, 'OperatingSystemVersion': '10.0 (17763)', 'OperatingSystem': 'Windows 10 Pro', 'CN': '<PC NAME>'}

So my problem is that instead of getting back the "Enabled" Status as True or False, I only get None. It works fine when I query via Powershell, but I'd really like to use python. I don't want to bodge some Powershell csv export into my script. If anyone has any idea I'd appreciate an answer, thank you.

DevSepp
  • 116
  • 1
  • 5

2 Answers2

1

To determine whether a system is enabled or not you have to check the userAccountControl flag.

The detailed flag information can be found here and here

You can easily parse enabled vs disabled by converting the return code to hex, and then flagging disabled systems if they end in 2.

Example:

assets = ad_query.get_results()
for asset in assets:
    code = hex(asset["userAccountControl"])
        if code.endswith("2"):
        print(f"{asset["name"]} is DISABLED")
Arseassin
  • 37
  • 5
0

I do not know why this behavior is as observed but I do know where to get the 'Enabled' attribute:

comp = adcomputer.ADComputer.from_cn("xxxxxxxx")
comp.get_user_account_control_settings()

Will yield:

{'SCRIPT': False,
 'ACCOUNTDISABLE': False,
...

for a machine which is enabled and for a machine which is disabled:

{'SCRIPT': False,
 'ACCOUNTDISABLE': True,
...

For the description field:

comp.get_allowed_attributes()

If the attribute name is in the output of the above call, you can query using:

comp.get_attribute('description')
Kris
  • 2,100
  • 5
  • 31
  • 50