List users in specific group, plus active/disabled

by Jod_Lan at 2013-02-22 13:26:20

I need a Powershell script that will export users of a specific security group into a csv file. The only 2 pieces of information I need are the logon name, and whether they are active or disabled. I found the following script, which works, but I’m not sure how to narrow it down to just the 2 pieces of info I need, and have it run against a specific global security group, rather than all users in the domain:

$NumDays = 0
$LogDir = ".\User-Accounts.csv"

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]‘’
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

$users = $objstalesearcher.findall() | select <br>@{e={$_.properties.cn};n='Display Name'},
@{e={$.properties.samaccountname};n=‘Username’},<br>@{e={[datetime]]$_.properties.lastlogontimestamp[0])};n='Last Logon'},
@{e={[string]$adspath=$
.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget(‘AccountDisabled’)};n=‘Account Is Disabled’}

$users | Export-CSV -NoType $LogDir

Any help is much appreciated. I am as n00b as it gets when it comes to Powershell, but I can follow instructions to the letter.
by DexterPOSH at 2013-02-23 22:11:22
If the above code works correctly for you then if you are looking only for the 2 piece of information then you need to make the following changes:


$NumDays = 0
$LogDir = ".\User-Accounts.csv"

$currentDate = [System.DateTime]::Now
$currentDateUtc = $currentDate.ToUniversalTime()
$lltstamplimit = $currentDateUtc.AddDays(- $NumDays)
$lltIntLimit = $lltstampLimit.ToFileTime()
$adobjroot = [adsi]‘’
$objstalesearcher = New-Object System.DirectoryServices.DirectorySearcher($adobjroot)
$objstalesearcher.filter = "(&(objectCategory=person)(objectClass=user)(lastLogonTimeStamp<=" + $lltIntLimit + "))"

$users = $objstalesearcher.findall() | select <br>@{e={$_&#46;properties&#46;samaccountname};n='Username'},
@{e={[string]$adspath=$_.properties.adspath;$account=[ADSI]$adspath;$account.psbase.invokeget(‘AccountDisabled’)};n=‘Account Is Disabled’}

$users | Export-CSV -NoType $LogDir


This is the simplest thing that can get you started, I hope so.
What I have done is removed from the select portion, things that you don’t want .

Hope it helps
Regards,
~Dexter~
by Jod_Lan at 2013-02-25 06:24:30
That does clean it up, thanks. The one thing I noticed on yours and the original is that the export stops at 1000 rows, minus the top header. There are about 3100 users in the group I’m trying to gather information about. Is there anything in the script that would limit this?

Also, what will I need to add to the script to narrow it down to a specific security group?
by DexterPOSH at 2013-03-07 03:46:07
Sorry Jod_Lan it took me a while to look into this,

By default the DirectorySearcher will give you only 1000 objects you need to set a property called the ‘sizelimit’ .
But that may not solve your problem as the documentation says
The server stops searching after the size limit is reached and returns the results accumulated up to that point.

If you set SizeLimit to a value that is larger than the server-determined default of 1000 entries, the server-determined default is used.


I would advice better to use Quest AD Cmdlets or Microsoft AD Cmdlets to fulfill your purpose.

P.S. - To narrow the script to a specific security group, probably you will have to modify the filter
Hope that helps