I often receive requests from the security group to send them all user accounts in the domain admin group. What I've found is that there are often both disabled and enabled accounts. All they want is enabled accounts.
For this quick hitter I'll use my favorite tool. ADFIND by top MVP Joe Richards
adfind -default -f "name= domain admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn
There are other ways to do that in adfind but I really love playing with adfind being piped into adfind (great feature by joe)
Can anyone see another quick hitter coming about from this...how do you do this in powershell?...what about nested groups (see previous blog entry)...more to come :)
Update from Shariq via comments
I won't be doing a quick hitter for Powershell...thanks for the assist Shariq
Get-QADgroupmember "domain admins" | Get-QADuser -enabled
I also highly recommend checking out Shariq's Blog
Thanks Shariq!!
Posts
PoSH way for this would be :
ReplyDeleteGet-QADgroupmember "domain admins" | Get-QADuser -enabled
Thanks Shariq!!...blog updated
ReplyDeleteYou'are welcome Mike and Congrats on being MVP'd.
ReplyDeleteI go by Rick and do hang out in ActiveDir List as well.
Keep up the good work !!
Rick
Great meeting you Rick and thanks man. I really like the community we have.
ReplyDeleteHi Mike, I agree that ADFind rocks! In fact I run a little blog on Free Active Directory tools and it is still one of my favorite free AD tools dude.
ReplyDeletePlease feel free to stop by!