PowerShell: How to get local users and local groups, but exclude disabled accounts

localpowershellusers

I got a PowerShell command that gives me a list of users and the groups those users are members of. The only problem is that is gives me every user including those that are disabled. I need to be able to list just the active users and their respective groups. Any help would be appreciated.

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | where {$_.SchemaClassName -eq 'user'} | Foreach-Object {    $groups = $_.Groups() | Foreach-Object {$_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)} ; $_ | Select-Object @{n='UserName';e={$_.Name}},@{n='Groups';e={$groups -join ';'}} } | Format-Table -autosize -wrap

Best Answer

You might use a WMI query to get AccountType (512 = Enabled, 514 = Disabled):

Edit: there are other flags which indicate enabled accounts, but the basic enabled/disabled is 512/514. Refer to this list.

Third try:

Function Check-Enabled ($Username) {
   -not (Get-WmiObject Win32_UserAccount -filter "LocalAccount=True AND Name='$Username'").disabled
}

Then add the property to your Select-Object. I also formatted it for my own readability, but still the same code:

$adsi = [ADSI]"WinNT://$env:COMPUTERNAME"
$adsi.Children | where { $_.SchemaClassName -eq 'user' } | Foreach-Object {
   $groups = $_.Groups() | Foreach-Object {
      $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
   }
   $_ | Select-Object @{n='UserName';e={$_.Name}},
                      @{n='Groups';e={$groups -join ';'}},
                      @{n='Enabled';e={Check-Enabled $_.Name}}
} | Format-Table -autosize -wrap

Related Solutions

Active Directory – How to List All Active Directory Users and Their Group Membership

Install the Quest CMDlets and then run this code:

Add-PSSnapin Quest.ActiveRoles.ADManagement
$memberships = @()

Get-QADGroup -SizeLimit 0 | Foreach-Object {
        $NameGroup = $_.Name
        Write-Host "Working with $NameGroup"
        $membership = Get-QADGroupMember $_.DN -Enabled -SizeLimit 0
        if ($membership -ne $null ) {
        $membership | Add-Member -type NoteProperty -name AuditGroupUserIsMemberOf -value $_.Name
        $memberships += $membership
        }
    }

$memberships | Select-Object AuditGroupUserIsMemberOf, NTAccountname | Export-Csv "GroupsWithUsers.csv"

This will give you a 1 record per group-user connection so expect multiple occurrences of users and groups. If you wan't other fields, you can just edit the Select-Object statement. Use $memberships | gm to see all the possibilities for the users. If you want more fields for the groups, use Get-QADGroup | gm, you will then need to add these by adding a new NoteProperty.

If you don't really care about more options, here is a one-liner you can just mash in the terminal:

Get-QADGroup -sizeLimit 0 | select @{name="Group";expression={$_.name}} -expand members | select Group,@{n='User';e={ (Get-QADObject $_).NTAccountName}} | Export-Csv "MyUsersAndGroups.csv"

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

There are two problems here.

The CMDlet Get-QADPermission is writing directly to the console during execution which is why you're seeing Permissions for: .... Since your pipeline is writing to the same output, it all gets mixed together. Store the output from your pipeline to a variable instead.
When you pipe the group into Get-QADPermission, you're throwing away the group object and getting a permissions object instead. If you want to keep the original object, you need to filter with Where-Object.

Also, be careful with Get-QADPermission. If you only query for WriteProperty, it won't return results with both Read+Write access. Usually you want to query for both. And in most cases, you also want to use -Inherited to get permissions granted from parent OU's. If you're really looking for once-off permissions, then you can ignore this switch.

function Test-UserCanModifyGroupsInOU ($Username, $OU)
{
  $results = Get-QADGroup -SearchScope 'OneLevel' -SearchRoot $OU |
    Where-Object {
      $_ | Get-QADPermission -Rights ReadProperty,WriteProperty -Property member -Account $username
    } |
    Select @{Name="User";Expression={$username}}, @{Name="Group";Expression={$_.Name}}
  $results | Write-Output
  $results | Export-Csv "$username.csv"
}

@("bob","sally") |
  ForEach-Object {
    Test-UserCanModifyGroupsInOU -Username $_ -OU 'domain.org.com/path/to/OU'
  }

Also note that this only works for permissions on specific properties. It won't return results for a user that has "Full Control" on the group, even though they're stil allowed to modify the member attribute.

Best Answer

Related Solutions

Active Directory – How to List All Active Directory Users and Their Group Membership

Powershell – (Powershell) Method to return a list of groups where a specific user has ‘write member’ security

Related Topic