Some time ago, I was asked to provide a list of all enabled user accounts in Active Directory. My thoughts immediately went to PowerShell, assuming that there would be tools available to achieve that task. I knew that the Get-ADUser query, combined with a parameter, would likely be the ticket.
Using the -ldapfilter parameter to only return results that had a useraccountcontrol value of 512, I omitted the other values, and opted to send the results to a text file. As per this article, useraccountcontrol values are cumulative, meaning that a value of512 means a “normal” user account, which is not disabled.
My query looked like this: get-aduser -ldapfilter "(useraccountcontrol=512)))", and returned the results we wanted.
By posting a comment, you consent to our collecting the information you enter. See privacy policy for more information.