07 Jul
Posted by Nelson as How-To, Networking
Active Directory lacks a native tool to run reports on things like user accounts, organizational units, disabled accounts, security groups and so on. There are many commercial tools, such as AD reports, that will do that, but some of them are limited for free use.
The good news is that if you know Visual Basic or PowerShell scripting, you can pull a report from any Active Directory object really easily.
This VBS script gets the username, first name, last name and e-mail address of every user in Active Directory and saves them as a comma-separated-value (CSV) file:
Option Explicit

' Report file, written to the current directory.
Const REPORT_FILE = "Users.csv"
Const ADS_SCOPE_SUBTREE = 2         ' search the whole domain tree
Const ADS_UF_ACCOUNTDISABLE = 2     ' userAccountControl bit for a disabled account

Dim objFileSystem, objFile, objConnection, objCommand, objRootDSE, objRecordSet
Dim strUsername, strFirstname, strLastname, strEmail
Dim intUAC

' Wrap a field in double quotes so a name or address containing a comma
' does not break the CSV layout; a missing (Null) attribute becomes an empty field.
Function CsvField(value)
    If IsNull(value) Or IsEmpty(value) Then value = ""
    CsvField = """" & Replace(CStr(value), """", """""") & """"
End Function

Set objFileSystem = CreateObject("Scripting.FileSystemObject")
Set objFile = objFileSystem.OpenTextFile(REPORT_FILE, 2, True, 0)   ' 2 = ForWriting, create if missing
objFile.WriteLine "AD Username,First Name,Last Name,E-mail"

' ADO connection through the ADSI OLE DB provider.
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
Set objCommand = CreateObject("ADODB.Command")
objCommand.ActiveConnection = objConnection

' Query the domain this machine belongs to, located through RootDSE.
Set objRootDSE = GetObject("LDAP://RootDSE")
objCommand.CommandText = "SELECT sAMAccountName, userAccountControl, givenName, sn, mail " & _
    "FROM 'LDAP://" & objRootDSE.Get("defaultNamingContext") & _
    "' WHERE objectClass='user' AND objectCategory='person'"
Set objRootDSE = Nothing

objCommand.Properties("Page Size") = 1000     ' page the results; the server limits a single page (1000 by default)
objCommand.Properties("Timeout") = 600
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.Properties("Cache Results") = False

Set objRecordSet = objCommand.Execute
While Not objRecordSet.EOF
    intUAC = objRecordSet.Fields("userAccountControl")
    If intUAC And ADS_UF_ACCOUNTDISABLE Then
        ' Account is disabled, ignore it.
    Else
        ' An attribute that is not set on the object raises an error; treat it as empty.
        On Error Resume Next
        strUsername = "" : strUsername = objRecordSet.Fields("sAMAccountName")
        strFirstname = "" : strFirstname = objRecordSet.Fields("givenName")
        strLastname = "" : strLastname = objRecordSet.Fields("sn")
        strEmail = "" : strEmail = objRecordSet.Fields("mail")
        On Error Goto 0
        objFile.WriteLine CsvField(strUsername) & "," & CsvField(strFirstname) & "," & _
            CsvField(strLastname) & "," & CsvField(strEmail)
    End If
    objRecordSet.MoveNext
Wend

objFile.Close
objConnection.Close
Set objRecordSet = Nothing
Set objCommand = Nothing
Set objConnection = Nothing
This script does not include disabled accounts in Active Directory. Download the VBS file below.
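The same filter-and-export logic in Python, as an added example that is not part of the original post: the rows are constructed stand-ins for what the ADODB query above returns, the userAccountControl bit test matches the script's, and the CSV writer quotes every field and neutralizes values a spreadsheet would treat as a formula, two cases the script's unquoted WriteLine does not handle.

```python
import csv
import io

ADS_UF_ACCOUNTDISABLE = 0x0002  # the userAccountControl bit the VBS script tests

# Constructed sample rows shaped like the fields the page's ADODB query selects
# (sAMAccountName, userAccountControl, givenName, sn, mail). Not real accounts.
SAMPLE_ROWS = [
    {"sAMAccountName": "jdoe", "userAccountControl": 512,
     "givenName": "John", "sn": "Doe", "mail": "jdoe@example.com"},
    {"sAMAccountName": "old.user", "userAccountControl": 514,  # 512 | 2: disabled
     "givenName": "Old", "sn": "User", "mail": "old.user@example.com"},
    {"sAMAccountName": "svc_backup", "userAccountControl": 66048,  # no mail set
     "givenName": None, "sn": "Backup, Service"},
    {"sAMAccountName": "ext.contractor", "userAccountControl": 512,
     "givenName": "=1+1", "sn": "Contractor", "mail": "contractor@example.com"},
]
COLUMNS = ("sAMAccountName", "givenName", "sn", "mail")
HEADER = ["AD Username", "First Name", "Last Name", "E-mail"]


def is_disabled(uac):
    """Same test as `intUAC And ADS_UF_ACCOUNTDISABLE` in the VBS script."""
    return bool(int(uac or 0) & ADS_UF_ACCOUNTDISABLE)


def safe_field(value):
    """Missing attribute -> empty string (the On Error Resume Next case);
    a value a spreadsheet would evaluate as a formula gets a leading apostrophe."""
    text = "" if value is None else str(value)
    if text and text[0] in "=+-@":
        return "'" + text
    return text


def build_report(rows):
    """Return (csv_text, rows_written); disabled accounts are skipped.
    QUOTE_ALL keeps a comma inside a name from splitting the row."""
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\r\n")
    writer.writerow(HEADER)
    written = 0
    for row in rows:
        if is_disabled(row.get("userAccountControl")):
            continue
        writer.writerow([safe_field(row.get(col)) for col in COLUMNS])
        written += 1
    return out.getvalue(), written


if __name__ == "__main__":
    report, count = build_report(SAMPLE_ROWS)
    print(report, end="")
```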
One Response
Chris Danielson
July 21st, 2008 at 1:41 pm
Nelson,
This article is absolutely correct in regards to gathering the data achievable by an LDAP query. If you need to test your scripts by comparing off of our tool, we do offer a free 2 week trial now on our website. There is one catch that everyone must understand about Active Directory and that is LDAP queries alone will not get you 100% accurate results. Windows Active Directory also requires programmatic logic to make sense out of the policies. Our product brings this to the table. Thanks again Nelson for a great article!
Kind Regards,
Chris