Active Directory User Report

I needed a quick way to audit Active Directory accounts. The PowerShell script dumps the following Active Directory attributes for every user:

samaccountname
DistinguishedName
whenCreated
lastLogonDate
pwdLastSet
accountExpires
userAccountControl
Enabled

For the audit the userAccountControl attribute is very useful. It holds a bit mask whose value maps back to the account's status (enabled or disabled) and its password requirements (password not required, password never expires, and so on). These are the values we are interested in:

    512 = "NORMAL_ACCOUNT"
    514 = "ACCOUNT_DISABLE_NORMAL_ACCESS"
    544 = "NORMAL_ACCOUNT_PASSWORD_NOT_REQUIRED"
    546 = "ACCOUNT_DISABLED_NORMAL_ACCOUNT_PASSWORD_NOT_REQUIRED"
    66048 = "NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD"
    66050 = "ACCOUNT_DISABLED_NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD"
    66080 = "PASSWORD_NOT_REQUIRED_NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD"
    590336 = "NORMAL_ACCOUNT_DONT_EXPIRE_PASSWORD_TRUSTED_FOR_DELEGATION"

Microsoft documents the individual flags that make up these values here:
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties
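The values in the table above are sums of individual flags (for example 546 = NORMAL_ACCOUNT 512 + PASSWD_NOTREQD 32 + ACCOUNTDISABLE 2), so a lookup table of exact values misses any combination it does not list. The following PowerShell is an added example, not the script from this post: it decodes userAccountControl bit by bit using the flag constants from the Microsoft article, then applies a few audit checks (password not required, password never expires, unconstrained delegation, Kerberos pre-authentication disabled, stale logon, old password) to each account and writes the result to a CSV. The function names, the thresholds (90 and 365 days) and the sample accounts are all constructed for the example; the only domain-specific part is the commented Get-ADUser query at the end, which needs the ActiveDirectory RSAT module.

```powershell
# Added example: decode userAccountControl and flag audit findings (not the post's own script).
# Flag constants are the documented UF_* values from the Microsoft article linked above.
$UacFlags = [ordered]@{
    SCRIPT                         = 0x0001
    ACCOUNTDISABLE                 = 0x0002
    HOMEDIR_REQUIRED               = 0x0008
    LOCKOUT                        = 0x0010
    PASSWD_NOTREQD                 = 0x0020
    PASSWD_CANT_CHANGE             = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED     = 0x0080
    TEMP_DUPLICATE_ACCOUNT         = 0x0100
    NORMAL_ACCOUNT                 = 0x0200
    INTERDOMAIN_TRUST_ACCOUNT      = 0x0800
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    MNS_LOGON_ACCOUNT              = 0x20000
    SMARTCARD_REQUIRED             = 0x40000
    TRUSTED_FOR_DELEGATION         = 0x80000
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    PASSWORD_EXPIRED               = 0x800000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000
    PARTIAL_SECRETS_ACCOUNT        = 0x4000000
}

# Returns the names of every flag set in a userAccountControl value, e.g. 546 ->
# ACCOUNTDISABLE, PASSWD_NOTREQD, NORMAL_ACCOUNT. Works for any combination, not just
# the eight values listed in the post.
function Convert-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    foreach ($entry in $UacFlags.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

# Hypothetical audit rule set: takes one account object with the attributes the post
# exports and returns a row with the decoded flags and a list of findings.
function Get-AuditFinding {
    param(
        [Parameter(Mandatory)]$Account,
        [int]$StaleDays = 90,            # assumed threshold for "no recent logon"
        [int]$MaxPasswordAgeDays = 365   # assumed threshold for "password too old"
    )
    $flags = @(Convert-UserAccountControl -Value $Account.userAccountControl)
    $findings = @()
    if ($flags -contains 'PASSWD_NOTREQD')         { $findings += 'password not required' }
    if ($flags -contains 'DONT_EXPIRE_PASSWORD')   { $findings += 'password never expires' }
    if ($flags -contains 'TRUSTED_FOR_DELEGATION') { $findings += 'unconstrained delegation' }
    if ($flags -contains 'DONT_REQ_PREAUTH')       { $findings += 'Kerberos pre-auth not required' }

    # lastLogonDate is derived from the replicated lastLogonTimestamp, which can lag
    # the real last logon by up to about two weeks; it is good enough for staleness.
    if ($Account.Enabled) {
        if (-not $Account.lastLogonDate) {
            $findings += 'enabled but never logged on'
        } elseif ($Account.lastLogonDate -lt (Get-Date).AddDays(-$StaleDays)) {
            $findings += "no logon in $StaleDays days"
        }
    }

    # pwdLastSet is a Windows FILETIME; 0 means "must change password at next logon".
    if ($Account.pwdLastSet -eq 0) {
        $findings += 'password change pending at next logon'
    } elseif ([DateTime]::FromFileTime($Account.pwdLastSet) -lt (Get-Date).AddDays(-$MaxPasswordAgeDays)) {
        $findings += "password older than $MaxPasswordAgeDays days"
    }

    [pscustomobject]@{
        SamAccountName = $Account.samaccountname
        Enabled        = $Account.Enabled
        UAC            = $Account.userAccountControl
        Flags          = ($flags -join '|')
        Findings       = ($findings -join '; ')
    }
}

# Constructed sample accounts so the example runs without a domain. Values reuse
# codes from the post's table plus 4194816 (NORMAL_ACCOUNT + DONT_REQ_PREAUTH).
$now = Get-Date
$sample = @(
    [pscustomobject]@{ samaccountname = 'alice';      Enabled = $true;  userAccountControl = 512;     lastLogonDate = $now.AddDays(-3);   pwdLastSet = $now.AddDays(-30).ToFileTime() }
    [pscustomobject]@{ samaccountname = 'svc-backup'; Enabled = $true;  userAccountControl = 590336;  lastLogonDate = $now.AddDays(-1);   pwdLastSet = $now.AddDays(-900).ToFileTime() }
    [pscustomobject]@{ samaccountname = 'bob';        Enabled = $true;  userAccountControl = 66080;   lastLogonDate = $now.AddDays(-200); pwdLastSet = $now.AddDays(-400).ToFileTime() }
    [pscustomobject]@{ samaccountname = 'legacy-app'; Enabled = $true;  userAccountControl = 4194816; lastLogonDate = $null;              pwdLastSet = $now.AddDays(-10).ToFileTime() }
    [pscustomobject]@{ samaccountname = 'temp01';     Enabled = $false; userAccountControl = 514;     lastLogonDate = $null;              pwdLastSet = 0 }
)

$report = $sample | ForEach-Object { Get-AuditFinding -Account $_ }
$report | Format-Table -AutoSize
$report | Export-Csv -Path .\ad-user-audit.csv -NoTypeInformation

# Against a real domain, replace $sample with the live query (requires RSAT):
# $sample = Get-ADUser -Filter * -Properties samaccountname, whenCreated, lastLogonDate,
#               pwdLastSet, accountExpires, userAccountControl
```

Because the decoder walks the bit mask rather than matching whole values, an account with userAccountControl 66082 (disabled, password not required, password never expires) is still reported correctly even though that value is not in the table; the three flagged conditions on the service account (never-expiring password, unconstrained delegation, password unchanged for years) are the ones most worth a closer look in the Excel review.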


Here is the PowerShell script we use to extract this data for analysis. It writes a CSV file, which we import into Excel for analysis:
https://github.com/zs1rcm/powershell-scripts/blob/main/ExtractAccountData.ps1
