Find Enabled Users in the Domain Admin Group ~ My blog about Active Directory and everything else

Thursday, July 23, 2009

Find Enabled Users in the Domain Admin Group

Sorry I've been out for a while, I'm back now with a quick hitter and more entries coming...well at least I have them planned in my head :)

I often receive requests from the security group to send them all user accounts in the domain admin group. What I've found is that there are often both disabled and enabled accounts. All they want is enabled accounts.

For this quick hitter I'll use my favorite tool. ADFIND by top MVP Joe Richards

adfind -default -f "name= domain admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn

There are other ways to do that in adfind but I really love playing with adfind being piped into adfind (great feature by joe)

Can anyone see another quick hitter coming about from do you do this in powershell?...what about nested groups (see previous blog entry)...more to come :)

Update from Shariq via comments

I won't be doing a quick hitter for Powershell...thanks for the assist Shariq

Get-QADgroupmember "domain admins" | Get-QADuser -enabled

I also highly recommend checking out Shariq's Blog

Thanks Shariq!!


  1. PoSH way for this would be :

    Get-QADgroupmember "domain admins" | Get-QADuser -enabled

  2. Thanks Shariq!! updated

  3. You'are welcome Mike and Congrats on being MVP'd.

    I go by Rick and do hang out in ActiveDir List as well.

    Keep up the good work !!


  4. Great meeting you Rick and thanks man. I really like the community we have.

  5. Hi,

    Thanks for sharing your insightful thoughts and suggestions - very cool and helpful indeed.

    In the spirit of sharing helpful information, thought I'd mention that one of my Microsoft colleagues informed us about a cool FREE tool from a Microsoft partner, that offers over 50 super-helpful Active Directory security reports, such as which accounts are locked out, which accounts are set to expire in the next few days, which security groups are nested, where all a user may have permissions etc.

    The tool is called Gold Finger, and it is developed by a company called Paramount Defenses. You can download it from

    Why bother writing complicated scripts or using unsupported command-line tools when you can use a 100% AUTOMATED, GUI based, FREE solution that is not only SUPPORTED but also ENDORSED by Microsoft?!

    If you're into Active Directory security, then this tool is a must-have.

    Thought I'd share this helpful tip with you!


  6. Hi Mike, I agree that ADFind rocks! In fact I run a little blog on Free Active Directory tools and it is still one of my favorite free AD tools dude.

    Please feel free to stop by!