Active Directory User Reports

Photo of author

by Robert Allen

This page provides a list of Active Directory User reports including in the Active Directory Pro Toolkit. These are pre-built PowerShell scripts that enable administrators to quickly generate reports on users from Active Directory.

The toolkit comes with over 200 pre-built PowerShell commands to generate reports on users, computers, groups, and more.

User reports provide administrators with important information about their Active Directory environment. From general user reports to security and compliance needs the AD Reporting Tool provides a comprehensive list of reports that are ready to run or can be fully customized to extract the exact user details you need.

Reports can be exported to CSV or HTML, see example reports below. Send me feedback on reports you would like to see included.

List of Built in Active Directory User Reports

1. All users

Get all users accounts in the domain. Includes first name, last name, logon name, street address, company, state, manager, email, and job title.

Get-ADUser -filter * -properties * | select @{name='First Name'; expression={$_.givenname}},@{name='Last Name'; expression={$_.surname}},@{name='Logon Name'; expression={$_.SamAccountName}},@{name='Street Address'; expression={$_.streetaddress}},@{name='State/Province'; expression={$_.st}},manager,@{name='Email'; expression={$_.mail}},@{name='Job Title'; expression={$_.title}},company

Sample HTML Report

Sample CSV Report

2. All users from an organizational unit

Get all users from an organizational unit. Includes user first name, last name, logon name, street address, company, state, manager, email and job title.

3. All users organizational unit

Get all enabled users and list their organizational unit. Includes first name, last name, logon name and Parent Container OU.

4. All users email and proxyAddresses

Get all users mail and proxyaddresses. Includes first name, last name, logon name, mail and proxyaddresses.

5. Users allowed to dial-in

Get all users that have dial in set to “Allow access”. Includes user first name, last name, logon name and msNPAllowDialin attribute.

6. Users not allowed to dial-in

Get all users that are not allowed to dial in. Includes user first name, last name, logon name and msNPAllowDialin attribute

7. Users with a home drive directory

Get all users that have a home directory set. Includes user first name, last name, logon name, homedirectory attribute.

8. Users with logon script

Get all users that have a logon script set. Includes user first name, last name, logon name, scriptpath attribute.

9. Users without logon script

Get all users that do not have a logon script, scriptpath attribute is null. Includes user first name, last name, logon name, scriptpath attribute.

10. Users without managers

Get all users that do not have a manager assigned to them. Includes user first name, last name, logon name and manager.

11. Users with managers

Get all users that have a manager assigned. Manager attribute is null. Includes user first name, last name, logon name and manager.

12. User Account Control value for all users

Get all users and the UserAccountControl attribute value. Includes user first name, last name, logon name and useraccountcontrol attribute.

13. User Account Control is not 512 (Normal Account)

Most user accounts are set to normal (512), this will list all accounts that are not set to 512. Includes user first name, last name, logon name and useraccountcontrol attribute.

14. User Principal Name value for all users

Get all users and the user principal name. Includes user first name, last name, logon name and userprincipalname attribute.

15. EmployeeID & EmployeeNumber for all users

Get all users and the employeeID & employeenumber. Includes user first name, last name, logon name, employeeID and employeeNumber attribute.

15.Find user accounts keyword search by name

Get user account by a wildcard keyword search, searches user name. Includes first name, last name, logon name and name attribute

Account Status

16. Disabled Users

Get all disabled user accounts. Includes user fist name, last name, logon name, enabled, created, modified attributes.

17. Enabled Users

Get all enabled user accounts. Includes user fist name, last name, logon name, enabled, created, modified attributes.

18. Locked out users

Get all locked user accounts. Includes user fist name, last name, logon name, enabled, created, modified attributes.

19. Users created in the last 30 days

Get users accounts created in the last 30 days. Seach is based on the whenCreated attribute.

20. Users created in the last 60 days

Get user accounts created in the last 60 days

21. Users created in the last 90 days

Get user accounts created in the last 90 days

22. Users modified in the last 30 days

Get user accounts modified in the last 30 days. Search is based on the modified attribute.

23. Users modified in the last 60 days

Get user accounts modified in the last 60 days

24. Users modified in the last 7 days

Get user accounts modified in the last 7 days

25. Users with account that does not expire

Get user accounts that do expire. Includes user fist name, last name, logon name, created and accountexpirationdate attribute.

26. Users with an account that will expire in the next 7 days

Get all user accounts that will expire in the next 7 days. Includes user name and AccountExpirationDate attribute.

27. Users with an account that will expire in the next 30 days

Get all user accounts that will expire in the next 30 days. Includes user name and AccountExpirationDate attribute.

28. Users with an expired account

Get all user accounts that have expired. Includes user name and AccountExpirationDate attribute.

29. Users protected by AdminSDHolder

Get all users protected by AdminSDHolder. Includes user first name, last name and logon name.

30. Users protected from accidental deletion

Get all users protected from accidental deletion. Includes user first name, last name logon name and ProtectedFromAccidentalDeletion attribute.

31. Users not protected from accidental deletion

Get all users not protected from accidental deletion. Includes user first name, last name logon name and ProtectedFromAccidentalDeletion attribute.

32. Account is sensitive and cannot be delegated

Get user accounts that AccountNotDelegated is set to true. Includes user name and AccountNotDelegated attribute.

33. Users with account set to “Do not require Kerberos perauthentication”

Get all user account that are set to “Do not require Kerberos perauthentication”. Includes user fist name, last name, logon name, and DoesNotRequirePreAuth attribute.

Password Reports

34. Get Domain Password Policy

Get the domain password policy details.

35. Users that must change password at next logon

Gets users that must change password at next logon. Includes user first name, last name, logon name, user must change password value.

36. Users that changed their password in the last 30 days

Get all users that changed their passwords in the last 30 days. Includes user first name, last name, logon name and passwordlastset attribute.

37. Users that changed their password in the last 60 days

Get all users that changed their passwords in the last 60 days

38. Users that don’t require a password

Get all users that do not require a password. Includes user first name, last name, logon name and passwordnotrequired attribute.

39. Users that cannot change their password

Get all users that cannot change their password is set. Includes user first name, last name, logon name and cannotchangepassword attribute.

40. All users password expiration date

Get all users and their password expiration date. Includes user displayname and password expiration date.

41. Users with password that expires in 7 days

Get users that require a password change in the next 7 days. Includes user first name, last name, logon name and passwordlastset attribute.

42. Users with Password that expires in 1 day

Get users that require a password change in the next 1 days. Includes user first name, last name, logon name and passwordlastset attribute.

43. Users set with a password never expire

Get all users that are configured with a password that will never expire. Includes user first name, last name, logon name and passwordneverexpires attribute.

44. Users with expired passwords

Get all users accounts that their password has expired. Includes user first name, last name, logon name and passwordexpired attribute.

45. Users with bad password attempts in the last 30 days

Get users with bad password attempts in the last 30 days. Includes user first name, last name, logon name and LastBadPasswordAttempt attribute.

46. Users with bad password attempts in the last 7 days

Get users with bad password attempts in the last 7 days. Includes user first name, last name, logon name and LastBadPasswordAttempt attribute.

47. Users with bad password attempt int last 1 day

Get users with bad password attempts in the last 1 days. Includes user first name, last name, logon name and LastBadPasswordAttempt attribute.

48. Users with password stored using reversible encryption

Get all users that are configured with “Store password using reversible encryption”. Includes user name

49. Users last bad password attempt date/time

Get all users last bad password date and time. Includes user first name, last name, logon name and LastBadPasswordAttempt attribute

Logon Reports

50. Inactive users (lastlogontimestamp is blank)

Get all user accounts that have no value for the lastlogontimestamp attribute. These are most likely accounts that have never been used. Searches both enabled and disabled accounts.

51. Inactive users who are enabled

Get all user accounts that have no value for the lastlogontimestamp attribute. Searches only enabled accounts

52. Users that require a smart card for logon

Get all users that are set to “Smart card is required for interactive logon”. Includes user first name, last name, logon name, UserAccountControl attribute.

53. Users who can log on to all computers

Get users who can log on to all computers. Includes user first name, last name, logon name and logonworkstations attribute.

54. Users who can log on to selected computers (Log on to)

Get users that are configured to log on to selected computers. Includes user first name, last name, logon name and logonworkstations attribute.

55. Users who logged on last 30 days

Get users that have logged on in the last 30 days. Includes user first name, last name, logon name and LastLogonDate attribute.

56. Users who logged on last 7 days

Get users that have logged on in the last 7 days

57. Users who logged on today

Get users that have logged on in the last day

58. Users who logged last 24 hours

Users that have logged on in the last 24 hours

59. Users and their last logon date

Get all users and list their last logon date. Includes user first name, last name, logon name and LastLogonDate attribute.

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

This is a Free tool, download your copy here.

2 thoughts on “Active Directory User Reports”

  1. Hello!
    I am unable to see any command here, is there an additional step to do?

    Reply

    • Its a list of what is included with the AD Pro Toolkit.

      Reply

Leave a Comment