D W Langham

Reputation: 175

In my PowerShell script, why does the Administrator user see the "Enabled" property value for an AD user object but another "admin" user doesn't?

I have a PowerShell script that calls Get-ADUser to create a list of user objects from Active Directory. The script processes the list of users with logic that evaluates the value of the user's Enabled property (boolean).

What I'm finding is that the evaluation of the Enabled property works when the script runs as the domain user Administrator. But when I run it as an alternate domain administrator (i.e., an account I created by copying the Administrator user), the script fails to evaluate the Enabled property. Indeed, it's like the property doesn't exist.

Here is the code that illustrates the problem.

$users = Get-ADUser -Filter "*" -SearchBase "OU=Customers,OU=STORE1,DC=SOME,DC=COMPANY"

foreach ($u in $users) {
    # Enabled is a boolean property of the returned ADUser object
    if ($u.Enabled -eq $true) {
        Write-Host "Enabled"
    }
}

If I run it as the user Administrator, the code outputs "Enabled" for the enabled AD users in the list. But if I run it as the alternate admin user (the one created by copying Administrator), I get no output at all.

To further illustrate the issue, if I run this code as Administrator

$users | ForEach-Object { $_.Enabled }

the script outputs

 True
 True
 False
 True
 ... etc

but it outputs nothing if I run it as the alternate admin user.

Do you have any idea why this is the case?

Upvotes: 1

Views: 862

Answers (3)

D W Langham

Reputation: 175

@Drew is correct that the problem is userAccountControl, but I didn't find the property on the security tab for the OU I'm querying in ADUC. I found an article describing how to set this using ADSI (https://briandesmond.com/blog/delegating-enable-disable-account-rights-in-active-directory/). Following these instructions (making allowances for a different version of AD), I added my alt admin user and granted READ access for userAccountControl. Now the script works as expected.

However, I'm still confused why this was necessary. My alternate admin account belongs to all the groups to which permissions were already assigned on the OU. (As I said, the account is a copy of Administrator). For whatever reason, this permission isn't applied to this user.

Upvotes: 0

Drew

Reputation: 4030

The problem will be with the permissions for the alt DA account you created.

  1. Confirm that it has Read/Write for userAccountControl settings within the ADUC security tab.
  2. Ensure that there are no OU GPOs that would hinder it from seeing these settings. Confirm this by checking the OU GPOs applied to the original DA account.

There is no problem with the PowerShell portion of this command. You can confirm this by launching ADUC as each of the users and checking a random user's settings; more stuff will be greyed out.

Upvotes: 1
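The question's script treats a blank Enabled value the same as "not enabled", so an account that merely lacks read access on userAccountControl produces no output and no error. The following is an added example (not code from the question or from either answer) that separates those two cases and then lists the ACEs on the queried OU that grant or deny ReadProperty on userAccountControl, which is the check Drew's first step asks for in ADUC. It assumes the ActiveDirectory module is installed, uses the OU DN and placeholder domain from the question, and is meant to be run once as Administrator and once as the copied admin account so the two results can be compared; the function names are my own.

```powershell
# Added example, not code from the question or any of the answers.
# Assumptions: the ActiveDirectory module is available (it provides the AD: drive),
# $SearchBase is the OU from the question (placeholder domain), and the script runs
# as the account whose access is being checked.
Import-Module ActiveDirectory

$SearchBase = "OU=Customers,OU=STORE1,DC=SOME,DC=COMPANY"

function Test-EnabledReadable {
    # Returns $true when the caller can read userAccountControl on users under
    # $SearchBase. Get-ADUser derives Enabled from that attribute, so a missing
    # value means "not readable by this account", not "account is disabled".
    param([string]$SearchBase)

    $first = Get-ADUser -Filter * -SearchBase $SearchBase -Properties userAccountControl |
             Select-Object -First 1
    if ($null -eq $first) {
        Write-Warning "No user objects found under $SearchBase"
        return $false
    }
    if ($null -eq $first.userAccountControl) {
        $me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
        Write-Warning ("{0} cannot read userAccountControl on {1}; Enabled will be blank" -f $me, $first.DistinguishedName)
        return $false
    }
    return $true
}

function Get-UacReadAces {
    # Lists the ACEs on the OU (including inherited ones) that cover ReadProperty
    # on userAccountControl, either by the attribute's own schemaIDGUID or through
    # an "all properties" ACE (empty ObjectType). Deny entries are listed too,
    # because a Deny overrides an Allow granted through group membership.
    param([string]$SearchBase)

    # Resolve the attribute GUID from the schema instead of hard-coding it.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $attr = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID
    $uacGuid = [System.Guid]::new([byte[]]$attr.schemaIDGUID)

    # ReadProperty is the bit that matters; GenericRead includes it as well.
    $readBit = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    $acl = Get-Acl -Path ("AD:\" + $SearchBase)

    $acl.Access |
        Where-Object {
            (([int]$_.ActiveDirectoryRights) -band $readBit) -ne 0 -and
            ($_.ObjectType -eq $uacGuid -or $_.ObjectType -eq [System.Guid]::Empty)
        } |
        Select-Object IdentityReference, AccessControlType, IsInherited, InheritanceType,
            @{ Name = 'Scope'; Expression = { if ($_.ObjectType -eq $uacGuid) { 'userAccountControl' } else { 'all properties' } } }
}

# Usage: when the attribute is not readable, show who actually holds read access
# on the OU so the missing delegation can be compared against the working account.
if (-not (Test-EnabledReadable -SearchBase $SearchBase)) {
    Write-Host "ACEs covering ReadProperty on userAccountControl for ${SearchBase}:"
    Get-UacReadAces -SearchBase $SearchBase | Format-Table -AutoSize
}
```

Asking for userAccountControl explicitly is what makes the diagnosis reliable: a blank Enabled can come from a $null property, but a blank raw attribute on an object the query did return can only mean the caller was not allowed to read it. The ACE listing shows the principals (users or groups) that hold the right on the OU; the copied account has to appear there directly or through one of those groups for Get-ADUser to populate Enabled.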

postanote

Reputation: 16116

Why not just use the …

Get-Member

... cmdlet to find out what properties are there. This makes little sense, for if you are cloning the default admin account, then all the privs should be there, if not the ones you need.

No real reason to use the explicit if or ForLoop to get these results either. You can just do this.

# $SearchDN is assumed to hold an OU object (e.g. from Get-ADOrganizationalUnit)
# whose DistinguishedName is the search base
(Get-ADUser -Filter "*" -SearchBase $SearchDN.DistinguishedName) |
    Select-Object -Property SamAccountName, Enabled |
    Sort-Object -Property Enabled |
    Format-Table -AutoSize

Also take a look at the …

Search-ADAccount

... cmdlet, and test with it on both accounts.

Upvotes: 0
