We all know maintaining hundreds of user accounts can be frustrating, especially when it comes to audit time and you need a good list of information to pass on to an auditor. Well, today I am your savior: this simple script will produce a list of users with some detailed information that can make audits or documentation much easier. The script creates a Comma Separated Values (CSV) file that you can edit in Microsoft Excel or any standard spreadsheet application, so you can customize the information before adding it to your report or audit. Below are the specific fields that this script will provide detail on for your Active Directory users.
User Details
- Name
- Description
- Profile Path
- Home Drive
- Account Disabled
- Password Required
- User Changeable Password
- Password Expires
- SmartCard Required
- Login Count
- Last Login (date)
- Last Password Change (date)
- Created (date)
- Modified (date)
Script Configuration
Before running this script there is some minor configuration that must be done so it can communicate with your Active Directory setup.
- Find objConnection.Open "Active Directory Server" and change Active Directory Server to the name of your Domain Controller.
- Find objCommand.CommandText = _ "SELECT Name, description, profilePath, homeDrive, distinguishedName, userAccountControl FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'" and change subdomain, domain, and suffix to the components of your domain name, i.e. west, consco, com (respectively).
- Find Set logStream = objFSO.OpenTextFile("C:\domainusers.csv", 8, True) and change C:\domainusers.csv to the location where you want the file saved. Be sure to save it with the extension CSV.
On Error Resume Next

Const ADS_SCOPE_SUBTREE = 2
' userAccountControl bit flags
Const ADS_UF_ACCOUNTDISABLE = &H0002
Const ADS_UF_PASSWD_NOTREQD = &H0020
Const ADS_UF_PASSWD_CANT_CHANGE = &H0040
Const ADS_UF_DONT_EXPIRE_PASSWD = &H10000
Const ADS_UF_SMARTCARD_REQUIRED = &H40000

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Server"

Set objCommand.ActiveConnection = objConnection
' Paged results: without a page size the server caps the result set at 1000 objects
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
objCommand.CommandText = _
    "SELECT Name, description, profilePath, homeDrive, distinguishedName, userAccountControl " & _
    "FROM 'LDAP://dc=subdomain,dc=domain,dc=suffix' WHERE objectCategory='user'"

Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Set objFSO = CreateObject("Scripting.FileSystemObject")
' 8 = ForAppending, True = create the file if it does not exist
Set logStream = objFSO.OpenTextFile("C:\domainusers.csv", 8, True)
logStream.WriteLine("Name,Description,Profile Path,Home Drive,Account Disabled,Password Required,User Changeable Password,Password Expires,SmartCard Required,Login Count,Last Login,Last Password Change,Created,Modified")

' Multi-valued attributes (description is one in the AD schema) come back from the
' ADSI OLE DB provider as an array. Concatenating an array with & raises a type
' mismatch, and On Error Resume Next then silently skips that user's WriteLine,
' which is why users with a description went missing from the export. Flatten the
' value to a string and quote it so commas inside a description do not shift columns.
Function FieldText(fld)
    If IsNull(fld) Or IsEmpty(fld) Then
        FieldText = ""
    ElseIf IsArray(fld) Then
        FieldText = Join(fld, " ")
    Else
        FieldText = CStr(fld)
    End If
    FieldText = """" & Replace(FieldText, """", """""") & """"
End Function

Do Until objRecordSet.EOF
    strDN = objRecordSet.Fields("distinguishedName").Value
    Set objUser = GetObject("LDAP://" & strDN)
    uac = objRecordSet.Fields("userAccountControl").Value

    If uac And ADS_UF_ACCOUNTDISABLE Then
        Text = "Yes"
    Else
        Text = "No"
    End If
    If uac And ADS_UF_PASSWD_NOTREQD Then
        Text = Text & ",No"
    Else
        Text = Text & ",Yes"
    End If
    ' The original referenced an undefined ADS_PASSWORD_CANT_CHANGE, which always
    ' evaluated to Empty and reported "Yes" for every user. Note that AD enforces
    ' "user cannot change password" through an ACE on the object rather than this
    ' bit, so this column only reflects the flag value.
    If uac And ADS_UF_PASSWD_CANT_CHANGE Then
        Text = Text & ",No"
    Else
        Text = Text & ",Yes"
    End If
    If uac And ADS_UF_DONT_EXPIRE_PASSWD Then
        Text = Text & ",No"
    Else
        Text = Text & ",Yes"
    End If
    If uac And ADS_UF_SMARTCARD_REQUIRED Then
        Text = Text & ",Yes"
    Else
        Text = Text & ",No"
    End If

    ' LastLogin is read from lastLogon, which is not replicated between domain
    ' controllers, so it reflects only the DC named in objConnection.Open.
    logStream.WriteLine( _
        FieldText(objRecordSet.Fields("Name").Value) & "," & _
        FieldText(objRecordSet.Fields("description").Value) & "," & _
        FieldText(objRecordSet.Fields("profilePath").Value) & "," & _
        FieldText(objRecordSet.Fields("homeDrive").Value) & "," & _
        Text & "," & _
        objUser.logonCount & "," & _
        objUser.LastLogin & "," & _
        objUser.PasswordLastChanged & "," & _
        objUser.whenCreated & "," & _
        objUser.whenChanged)
    objRecordSet.MoveNext
Loop

logStream.Close
Good script, I could also see using adfind or powershell to get some good exports of users from AD.
Thanks
Mike
I have tried the above script by changing it but it didn't work.
I can see a file is created on the C drive, but it's not pulling the information of users.
Kindly help me in getting information on AD users which were created in the last 6 months only. Let's say from 1st May 2009 to Feb 28 2010.
Thanks in advance.
Waiting for your reply.
B.Sridhar
sridharb_007@yahoo.com
Sorry, one more thing to add: there are no sub domains, and also I need only the information of users created in the last 6 months, not profile path, smart, homeDrive, LastLogin,
Thanks
The script works great…my only concern is if I am running this script on a Windows 2000 Active Directory, and pointing it to a specific domain controller (objConnection.Open), then it won't give me exact information as Windows 2000 domain controllers may not have up-to-date information regarding the last logon field. I have around 40 DCs spread across 20 sites. It would be great if someone can shed some light on objConnection.Open parameters.
Many thanks
The script works.
But there is a small issue,
I have about 150 users in Active Directory Server 2003.
The script exports about 90 users instead of 150.
Why is that?
What can I do to export the full list of 150 users?
I followed your instructions exactly like you wrote.
Please advise.
Many many thanks.
I noticed that it only outputs a small percentage of our overall users as well. It seems like it’s filtering on something, but I can’t discern what that is. Any insight?
script works but exports a small subset of all the users in my AD…around 200 out of 400 users are exported.
Same problem
It works, but the script does not show all the user accounts. I only get about 200 and then it stops working. The last account always listed in the domainusers.csv is a test account that might be killing the script. Please advise.
Here’s a modified version that removes the need to enter the DC details. Just run it.
http://pastebin.com/6rb3KAUm
It looks like the issue with the missing users in the export only occurs when the user contains a description. I've scratched my head on this one and can't figure it out. However, if you remove the description field it works, example:
http://pastebin.com/KhV6hJAA
I don’t have any AD that I can run it in that has more than about 100 users, but my list is perfect. It does filter out admin and system accounts, so maybe that is what you are seeing as missing?
How can I get the accountexpires property using this script?
Thanks,
Thank you in advance for that enable!
Nice article, we can also look at http://www.morgantechspace.com/2014/03/Export-Active-Directory-users-into-CSV-file-in-VBScript.html
How do I compile this script? In which language is it?
This is written in Visual Basic Script. I honestly wouldn't recommend using this method unless you are still on an old 2003 domain. PowerShell is the way to go for this now. Take a look at the Get-ADUser command and Search-ADAccount in PowerShell.
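As an added example (not the original post's script and not code from the commenters), here is a PowerShell equivalent of the VBScript export above, built on the Get-ADUser cmdlet that the last reply recommends. It writes the same columns, decodes the same userAccountControl bits, and also covers two things asked about in the comments: an optional "created after" date filter and the accountExpires attribute. It assumes the ActiveDirectory module (RSAT) is installed and that the caller has read access to the domain; the output path, search base and the -CreatedAfter parameter are choices made here, not part of the original.

```powershell
# Added example: Get-ADUser based version of the CSV export above.
# Assumes the ActiveDirectory module is available; $OutFile and $SearchBase are assumptions.
[CmdletBinding()]
param(
    [string]$SearchBase,                       # default: the whole domain, resolved below
    [string]$OutFile = 'C:\domainusers.csv',   # same default path as the VBScript
    [datetime]$CreatedAfter                    # optional: only accounts created after this date
)
Import-Module ActiveDirectory -ErrorAction Stop
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# userAccountControl bit flags, same values the VBScript defines
$UF_ACCOUNTDISABLE     = 0x0002
$UF_PASSWD_NOTREQD     = 0x0020
$UF_PASSWD_CANT_CHANGE = 0x0040
$UF_DONT_EXPIRE_PASSWD = 0x10000
$UF_SMARTCARD_REQUIRED = 0x40000

$props = 'description','profilePath','homeDrive','userAccountControl','logonCount',
         'lastLogonTimestamp','pwdLastSet','whenCreated','whenChanged','accountExpires'

# Same objectCategory=user selection as the VBScript; whenCreated uses LDAP generalized time.
$filter = '(objectCategory=user)'
if ($PSBoundParameters.ContainsKey('CreatedAfter')) {
    $stamp  = $CreatedAfter.ToUniversalTime().ToString('yyyyMMddHHmmss.0Z')
    $filter = "(&(objectCategory=user)(whenCreated>=$stamp))"
}

# Large-integer timestamps are 0 (or Int64.MaxValue for "never") when unset.
function Convert-FileTime([long]$Value) {
    if ($Value -gt 0 -and $Value -ne [long]::MaxValue) { [datetime]::FromFileTime($Value) }
}

Get-ADUser -LDAPFilter $filter -SearchBase $SearchBase -SearchScope Subtree -Properties $props |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            Name                       = $_.Name
            Description                = $_.description
            'Profile Path'             = $_.profilePath
            'Home Drive'               = $_.homeDrive
            'Account Disabled'         = if ($uac -band $UF_ACCOUNTDISABLE)     { 'Yes' } else { 'No' }
            'Password Required'        = if ($uac -band $UF_PASSWD_NOTREQD)     { 'No' }  else { 'Yes' }
            # AD enforces "cannot change password" via an ACE, not this bit; column is advisory only
            'User Changeable Password' = if ($uac -band $UF_PASSWD_CANT_CHANGE) { 'No' }  else { 'Yes' }
            'Password Expires'         = if ($uac -band $UF_DONT_EXPIRE_PASSWD) { 'No' }  else { 'Yes' }
            'SmartCard Required'       = if ($uac -band $UF_SMARTCARD_REQUIRED) { 'Yes' } else { 'No' }
            'Login Count'              = $_.logonCount
            # lastLogonTimestamp is replicated (lastLogon is not), so any DC answers for the whole
            # domain, but it is only refreshed when the stored value is roughly 14 days old
            'Last Login'               = Convert-FileTime $_.lastLogonTimestamp
            'Last Password Change'     = Convert-FileTime $_.pwdLastSet
            'Account Expires'          = Convert-FileTime $_.accountExpires
            Created                    = $_.whenCreated
            Modified                   = $_.whenChanged
        }
    } |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Export-Csv quotes every field, so a description containing commas cannot shift the columns, and Get-ADUser pages through results on its own, so the 1000-object server limit that the VBScript works around with "Page Size" does not apply. Run it as `.\Export-ADUsers.ps1 -CreatedAfter '2009-05-01'` (script name assumed) to get only accounts created since that date.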