List all users in AD

[antmar904]

Hello.

Long time since I've posted.  I am trying to list all users with two attributes in my whole domain and sub-domains however that script just hangs.

#include <AD.au3>

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Error", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

$aUserObjects = _AD_GetObjectsInOU ("", "", 2, "sAMAccountName,displayname")
    _ArrayDisplay ($aUserObjects)

 

[water]

How many users do you expect to get listed?

[antmar904]

2 maybe 3k

[antmar904]

maybe it's better to output to a file

[water]

The problem might be caused by the default Page Size limit of 1000.
You could use function _AD_SetAdoProperties to lift this limit. Please see the _AD_SetAdoProperties-au3 example script.

 

[antmar904]

So writing the array to a file worked fast, how can I return just user objects, by using a LDAP filter?

Edited June 22, 2022 by antmar904

[antmar904]

Disregard the last comment. 

[water]

So everything works now?

[antmar904]

Yes but on to the next part.  I'm trying to search the whole AD for all user accounts that contain "contractor or consultant" in different attributes but can't seem to get it working.

#include <AD.au3>
#include <File.au3>

Global $LogFileUsers = @ScriptDir & "\ADUsers.txt"

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Error", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

$aUserObjects = _AD_GetObjectsInOU ("", "(&(objectcategory=person)(objectclass=user)(title=*contractor*) (title=*consultant*) (description=*contractor*) (description=*consultant*))", 2, "sAMAccountName,displayName")
    $hADUsers = FileOpen ($LogFileUsers, $FO_APPEND)
    _FileWriteFromArray ($hADUsers, $aUserObjects)
    _AD_Close()

 

[antmar904]

My end goal is to search the whole AD for non-FTE (Contractors) and check to see if a 30 day expiration date was set on their account from the account creation date.  Unfortunately there is no easy way to search for just Contractors as they can be located in AD anywhere.

Edited June 23, 2022 by antmar904

[antmar904]

Getting there.  Looks like I had to use the pipe "|" character for OR

 

$aUserObjects = _AD_GetObjectsInOU ("", "(&(objectcategory=person)(objectclass=user)(|(title=*contractor*) (title=*consultant*)(description=*contractor*) (description=*consultant*)))", 2, "sAMAccountName,displayName")

 

[antmar904]

I'm unable to return the "accountExpires" attribute.

#include <AD.au3>
#include <File.au3>

Global $Users = @ScriptDir & "\ADUsers.txt"

_GetUsers()

Func _GetUsers()

; Open Connection to the Active Directory
_AD_Open()
If @error Then Exit MsgBox(16, "Active Directory Error", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

$aUserObjects = _AD_GetObjectsInOU ("", "(&(objectcategory=person)(objectclass=user)(|(title=*contractor*) (title=*consultant*)(description=*contractor*) (description=*consultant*)))", 2, "sAMAccountName,displayName,createTimeStamp,accountExpires")
    $hADUsers = FileOpen ($Users, $FO_APPEND)
    _FileWriteFromArray ($hADUsers, $aUserObjects)
    _AD_Close()

EndFunc

 

[antmar904]

Ok, still having issues returning a users "accountexpire" data:

#include <AD.au3>
#include <File.au3>

Global $Users = @ScriptDir & "\ADUsers.txt"

_GetUsers()

Func _GetUsers()

    ; Open Connection to the Active Directory.
    _AD_Open()
    If @error Then Exit MsgBox(16, "Active Directory Error", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

    ; Search all of AD for contractors and exclude _DT accounts.
    $aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user) (!(sAMAccountName=*_dt)(|(title=*contractor*) (title=*consultant*)(description=*contractor*) (description=*consultant*))))", 2, "sAMAccountName")
    ;$hADUsers = FileOpen ($Users, $FO_APPEND)
    ;_FileWriteFromArray ($hADUsers, $aUserObjects)
    _ArrayDisplay($aUserObjects)

    For $i = 0 To UBound($aUserObjects) - 1
        ;MsgBox(0, "", $aUserObjects[$i])
        $aExpires = _AD_GetObjectProperties($aUserObjects[$i], "accountexpires", "", True)
    Next

    _ArrayDisplay ($aExpires)

    _AD_Close()

EndFunc   ;==>_GetUsers

 

[water]

What is the value of @error and @extended after calling _AD_GetObjectProperties?
Could you please try "accountExpires"  with upper case "E"?

[antmar904]

 

From the doc: 

1 - $vObject could not be found

[Subz]

This is normally what I use to get account expiry date:

expandcollapse popup

#include <AD.au3>

_GetUsers()

Func _GetUsers()
    _AD_Open()
        If @error Then Exit MsgBox(16, "Active Directory Error", "Function _AD_Open encountered a problem. @error = " & @error & ", @extended = " & @extended)

    ; Search all of AD for contractors and exclude _DT accounts.
    $aUserObjects = _AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user) (!(sAMAccountName=*_dt)(|(title=*contractor*) (title=*consultant*)(description=*contractor*) (description=*consultant*))))", 2, "sAMAccountName,accountExpires")
    For $i = 0 To UBound($aUserObjects) - 1
        If IsObj($aUserObjects[$i][1]) Then $aUserObjects[$i][1] = _GetADDateTime($aUserObjects[$i][1], 1)
    Next

    _ArrayDisplay($aUserObjects)

    _AD_Close()

EndFunc   ;==>_GetUsers

Func _GetADDateTime($_oADObject, $_iFlag = 0)
    Local $sAD_DTStruct, $sTemp3
    If $_iFlag = 1 Then
        If $_oADObject.LowPart = -1 Then Return 0
        If $_oADObject.LowPart > 0 And $_oADObject.HighPart > 0 Then
            $sAD_DTStruct = DllStructCreate("dword low;dword high")
            DllStructSetData($sAD_DTStruct, "Low", $_oADObject.LowPart)
            DllStructSetData($sAD_DTStruct, "High", $_oADObject.HighPart)
            $sAD_Temp = _Date_Time_FileTimeToSystemTime(DllStructGetPtr($sAD_DTStruct))
            $sTemp3 = _Date_Time_SystemTimeToTzSpecificLocalTime(DllStructGetPtr($sAD_Temp))
            Return _Date_Time_SystemTimeToDateTimeStr($sTemp3, 1)
        EndIf
    EndIf
 ; Convert IADsLargeInteger parts to 100ns count
 $iLowPart = $_oADObject.LowPart
 $iHighPart = $_oADObject.HighPart
 If $iLowPart < 0 Then $iHighPart += 1; Compensate for IADsLargeInteger interface error
 $iDateParts= $iHighPart * 2 ^ 32
 $iDateParts+= $iLowPart

 ; Check if user ever logged in
 If $iDateParts= 0 Then
    Return "n/a"
 Else
 ; Convert 100ns count to integer seconds
 $iSeconds = Floor($iDateParts/ 10000000)

 ; Convert seconds since 12:00AM January 01, 1601 to date string
 $sDateTime = _DateAdd("S", $iSeconds, "1601/01/01 00:00:00")

 ; Display result
 Return $sDateTime
 EndIf
EndFunc

 

[Subz]

Also unsure why your script hangs we have several thousand users and usually takes several seconds to display the full list of users, although I always use filtered list e.g.:

_AD_GetObjectsInOU("", "(&(objectcategory=person)(objectclass=user)(sAMAccountName=*))", 2, "sAMAccountName,accountexpires")

 

[antmar904]

I'm not sure why I can't return the "accountExpires" attribute using "_AD_GetObjectsInOU"?  It returns blank.

 

[Subz]

Did you use my script above?   The accountExpires returns an object which will not be displayed within the array, which is why I loop through the results and convert the object into a readable date/time.

[antmar904]

Doesn't "_AD_GetObjectProperties" $bTranslate = True do the same?  I can't even get that to work.