Thursday, July 23, 2009

Find Enabled Users in the Domain Admin Group

Sorry I've been out for a while, I'm back now with a quick hitter and more entries coming...well at least I have them planned in my head :)

I often receive requests from the security group to send them all user accounts in the domain admin group. What I've found is that there are often both disabled and enabled accounts. All they want is enabled accounts.

For this quick hitter I'll use my favorite tool, ADFIND, by top MVP Joe Richards.

adfind -default -f "name=domain admins" member -list | adfind -bit -f "&(objectcategory=person)(objectclass=user)(!useraccountcontrol:AND:=2)" samaccountname -nodn



There are other ways to do that in adfind, but I really love playing with adfind being piped into adfind (great feature by Joe).

Can anyone see another quick hitter coming about from this...how do you do this in PowerShell?...what about nested groups (see previous blog entry)...more to come :)

Update from Shariq via comments

I won't be doing a quick hitter for PowerShell...thanks for the assist Shariq

Get-QADgroupmember "domain admins" | Get-QADuser -enabled



I also highly recommend checking out Shariq's Blog

Thanks Shariq!!
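
For the PowerShell and nested-group questions raised above, here is an added example (not from the original post, from Shariq, or from either tool's author) that does the whole lookup in one LDAP query. It assumes Microsoft's ActiveDirectory module (RSAT) is installed; the function name Get-EnabledGroupUser is hypothetical. It goes beyond the post by following nested groups and by including accounts whose primary group is the audited group, which the member attribute does not list.

```powershell
# Added example: enabled users who are direct, nested, or primary-group
# members of a privileged group. Assumes the ActiveDirectory module (RSAT)
# and a session that can query the domain.
Import-Module ActiveDirectory

function Get-EnabledGroupUser {
    param(
        [string]$GroupName = 'Domain Admins'   # group to audit
    )

    $group = Get-ADGroup -Identity $GroupName

    # Escape characters that are special inside an LDAP filter value
    # (RFC 4515). The backslash must be handled first.
    $dn = $group.DistinguishedName `
        -replace '\\', '\5c' -replace '\*', '\2a' `
        -replace '\(', '\28' -replace '\)', '\29'

    # Last component of the group SID is its RID (512 for Domain Admins).
    # Users whose primaryGroupID equals it are members, but they do not
    # appear in the group's member attribute or in their own memberOf.
    $rid = $group.SID.Value.Split('-')[-1]

    # 1.2.840.113556.1.4.1941 = LDAP_MATCHING_RULE_IN_CHAIN: matches users
    #   whose memberOf chain reaches the group through any nesting depth.
    # 1.2.840.113556.1.4.803  = bitwise AND, the rule adfind's -bit switch
    #   substitutes for :AND:= ; bit 2 of userAccountControl is ACCOUNTDISABLE,
    #   so the negated clause keeps enabled accounts only.
    # Limitation: the primaryGroupID clause covers the audited group itself,
    # not users whose primary group is one of its nested groups.
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(|(memberOf:1.2.840.113556.1.4.1941:=$dn)(primaryGroupID=$rid))" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

    Get-ADUser -LDAPFilter $filter |
        Sort-Object SamAccountName |
        Select-Object SamAccountName, DistinguishedName
}

# List enabled Domain Admins, including nested and primary-group members.
Get-EnabledGroupUser -GroupName 'Domain Admins'
```

Comparing this list with the direct-member list from the one-liners above shows which enabled accounts hold the privilege only through nesting or a primary group.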

5 comments:

  1. PoSH way for this would be :

    Get-QADgroupmember "domain admins" | Get-QADuser -enabled

  2. Thanks Shariq!!...blog updated

  3. You're welcome Mike and Congrats on being MVP'd.

    I go by Rick and do hang out in ActiveDir List as well.

    Keep up the good work !!

    Rick

  4. Great meeting you Rick and thanks man. I really like the community we have.

  5. Hi Mike, I agree that ADFind rocks! In fact I run a little blog on Free Active Directory tools and it is still one of my favorite free AD tools dude.

    Please feel free to stop by!
