Easy Way to Get a List of All Users on a Domain
Dsquery user without any further parameters should give you everything.
Why not just check ADUC?
I would recommend using PowerShell for this task for a few reasons. I am currently on my phone and will update later with some examples, etc.
PowerShell will allow you to get all the users in Active Directory and store them in a flat file or XML that can later be used to do a comparison after your admin leaves.
You would also be able to analyze the properties of each account to identify any accounts that have had a recent password change or been recently created.
It would also give you the ability to change passwords in bulk for service accounts used in your environment.
Active Directory has built-in cmdlets, but they will have to be enabled on at least one domain controller. Quest also publishes a module that I generally use over the native cmdlets.
Let me know how I can best help you to accomplish this task. I will be more than happy to work with you or provide examples, etc.
Thanks
Mike
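An added example, not part of the post above, of the snapshot-and-compare approach it describes: export every user to CSV, list accounts created or with a password set in the last N days, and later diff two snapshots. It assumes the ActiveDirectory module (RSAT) and read access to the domain; the function names and file names are hypothetical.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$props = 'whenCreated', 'PasswordLastSet', 'LastLogonDate', 'Enabled'

function Export-UserBaseline {
    param([Parameter(Mandatory)][string]$Path)
    # No -SearchBase: the search starts at the domain root and covers every OU.
    Get-ADUser -Filter * -Properties $props |
        Select-Object SamAccountName, DistinguishedName, Enabled,
                      whenCreated, PasswordLastSet, LastLogonDate |
        Sort-Object SamAccountName |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8
}

function Compare-UserBaseline {
    param([Parameter(Mandatory)][string]$Before,
          [Parameter(Mandatory)][string]$After)
    $old = Import-Csv $Before
    $new = Import-Csv $After
    # '=>' marks accounts only in the newer snapshot, '<=' only in the older one.
    Compare-Object $old $new -Property SamAccountName -PassThru |
        Select-Object SamAccountName, DistinguishedName, whenCreated,
            @{ Name = 'Change'; Expression = {
                if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } }
}

function Get-RecentAccountActivity {
    param([int]$Days = 30)
    $cutoff = (Get-Date).AddDays(-$Days)
    # PasswordLastSet is $null when a password change is forced at next logon;
    # $null -ge $cutoff is $false, so those accounts are not reported as recent.
    Get-ADUser -Filter * -Properties $props |
        Where-Object { $_.whenCreated -ge $cutoff -or $_.PasswordLastSet -ge $cutoff } |
        Select-Object SamAccountName, Enabled, whenCreated, PasswordLastSet
}

# Usage (file names are placeholders):
Export-UserBaseline -Path '.\ad-users-before.csv'
Get-RecentAccountActivity -Days 30 | Format-Table -AutoSize
# Later: Export-UserBaseline -Path '.\ad-users-after.csv'
#        Compare-UserBaseline -Before '.\ad-users-before.csv' -After '.\ad-users-after.csv'
```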
Try something like this. (Be sure you are running the Active Directory Module.)
Powershell
Get-ADUser -Filter * -SearchBase "DC=my,DC=domain,DC=com" | Export-CSV "Active_Directory_Users.csv"
In order to use the PowerShell command above that Jack shared, you will first need to import the Active Directory module into PowerShell. If using Windows 7, your machine will need to have the Windows Server Remote Administration tools installed on it before it will be able to import the AD module. As long as it has the admin tools installed, the command in PowerShell is:
Import-Module ActiveDirectory
As already pointed out you could use:
Dsquery
or better yet, as Jack pointed out:
Powershell
There's also software that will do it for you. PowerShell would be a great tool to learn, I just find it cryptic to use.
AD Info is something I've used in the past. There is a FREE version available. Check it out at: http://www.cjwdev.com/Software/ADReportingTool/Info.html
Not sure if this will expose "HIDDEN" accounts, but worth a look.
I like DumpSec - gives you a lot of nice AD reports.
http://www.systemtools.com/somarsoft/?somarsoft.com
You can also use PowerGUI's Administrative Console with the Active Directory Power Pack (www.powergui.org - note it was recently bought by Dell Software but is still freeware) for a spreadsheet-type visual into your Active Directory. Pretty easy to use, too.
Thanks Lauren7060 for mentioning DumpSec, which still works for getting at things like this.
I do not know of a way to create a "hidden" user account in AD. When you perform an AD query, you get everything you asked for. About the only trick I can think of would be to create an INetOrgPerson object in the directory, but ADUC, DumpSec, and Hyena all will show them.
But something to check would be the members of sensitive groups like Administrator, Domain Admins, Enterprise Admins, etc. to make sure that some 'normal' account is not part of that group, providing a back door.
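An added example, not part of the post above, of the privileged-group check it suggests: list every effective member of the sensitive groups, including members that arrive through nested groups. It assumes the ActiveDirectory module; the function name and output file are hypothetical, and `Administrators` is used as the built-in group's name.

```powershell
# Added example, not code from the thread. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-SensitiveGroupMember {
    param([string[]]$Group = @('Administrators', 'Domain Admins', 'Enterprise Admins'))
    foreach ($g in $Group) {
        try {
            # -Recursive flattens nesting, so an account that is privileged only
            # through a group-inside-a-group still shows up here.
            $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop
        } catch {
            # Enterprise Admins, for example, exists only in the forest root domain.
            Write-Warning "Could not read '$g': $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            $detail = $null
            if ($m.objectClass -eq 'user') {
                # Members from other domains may not resolve against this domain.
                try {
                    $detail = Get-ADUser -Identity $m.distinguishedName `
                        -Properties whenCreated, PasswordLastSet
                } catch { $detail = $null }
            }
            # objectClass is kept in the output so inetOrgPerson or computer
            # objects holding admin rights stand out in the report.
            [pscustomobject]@{
                Group           = $g
                SamAccountName  = $m.SamAccountName
                ObjectClass     = $m.objectClass
                Enabled         = $detail.Enabled
                WhenCreated     = $detail.whenCreated
                PasswordLastSet = $detail.PasswordLastSet
                DN              = $m.distinguishedName
            }
        }
    }
}

# Usage (the output file name is a placeholder):
Get-SensitiveGroupMember |
    Sort-Object Group, SamAccountName |
    Export-Csv -Path '.\privileged-members.csv' -NoTypeInformation
```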
AD Info. And you're done.
I second that. I have been using adinfo for a couple of years now, for auditors, and general user maintenance... like "show all users who have not logged on for 60 days," etc.
Can't beat the price, and it works great on my 2012R2 DCs.
There are two things you can do to quickly look up this information (if you're not bent on having some super fancy report of it immediately):
1. Create a query (or import a saved one)
XML
<QUERY><NAME>Active User Accounts</NAME><DESCRIPTION>Active User Accounts of all Domain Users</DESCRIPTION><DN></DN><FILTERLASTLOGON>-1</FILTERLASTLOGON><LDAPQUERY>(&(&(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))))</LDAPQUERY><ONELEVEL>FALSE</ONELEVEL><COLUMNID>{42E1367F-36D3-4627-A0B8-0B28D3AEC982}</COLUMNID><DSQUERYUIDATA>030000000c00000043006f006d006d006f006e00510075006500720079000000020000000308000000480061006e0064006c00650072000000100000005ee6238ac231d011891c00a024ab2dbb030500000046006f0072006d00000010000000e33fee83d957d011b93200a024ab2dbb080000004400730051007500650072007900000002000000010900000056006900650077004d006f0064006500000004130000010d00000045006e00610062006c006500460069006c00740065007200000000000000170000004d006900630072006f0073006f00660074002e00500072006f0070006500720074007900570065006c006c0000000200000001060000004900740065006d007300000000000000020c0000005100750065007200790053007400720069006e00670000005c0000002800260028006f0062006a00650063007400430061007400650067006f00720079003d0070006500720073006f006e00290028006f0062006a0065006300740043006c006100730073003d00750073006500720029002800210075007300650072004100630063006f0075006e00740043006f006e00740072006f006c003a0031002e0032002e003800340030002e003100310033003500350036002e0031002e0034002e003800300033003a003d003200290029000000</DSQUERYUIDATA></QUERY>
2. Click your domain in ADUC, click the "Find" button, then click the "Find Now" button (which will search for and display all users and groups currently in AD). If you have multiple domains, you can choose "Entire Directory" from the "In:" box before searching. Be sure to add a "Published At" column to your results window so you can quickly identify where each user account is located in AD.
Source: https://community.spiceworks.com/topic/586235-need-to-get-a-listing-of-all-users-in-all-ou-s-in-the-entire-domain