Managing Active Directory user accounts is a core cybersecurity and IT compliance responsibility for Windows admins. Besides giving employees access to their organization's network, admins also grant users access to resources and information by assigning appropriate permissions and software licenses. Any hiccups in managing Active Directory user accounts could not only deny access to employees but could also create holes in the organization's security and escalate IT costs. To prevent these mishaps, admins must accurately manage user accounts in their organization.
Understanding the role of the UserAccountControl attribute
A fundamental part of this management is understanding the UserAccountControl attribute, a critical property in Active Directory that encodes various account settings and statuses, including whether the account is enabled, disabled, locked, or requires a smart card for login. It uses a combination of flags to represent these states, making it essential for determining user account statuses. While it can be managed using Active Directory Users and Computers (ADUC) or PowerShell, these legacy tools make reporting cumbersome and time-consuming. A simpler and more powerful alternative is ManageEngine ADManager Plus, a user account status reporting tool.
How to generate Active Directory user account status reports
ADManager Plus offers over 200 prepackaged reports that fetch intricate details from Active Directory, Microsoft 365, and Exchange environments, including status-based details for user accounts such as:
- Enabled or disabled user accounts
- Locked-out users
- Expired users
- Recently expired user accounts
- Soon-to-expire user accounts
- User accounts that never expire
- Smart-card-enabled users
To generate these reports:
- Log in to ADManager Plus and navigate to Reports > User Reports.
- Select your preferred report under the Account Status Reports list.
- Choose the domain and OU, and click Generate.
Enabled or disabled user accounts
Find all enabled or disabled user and computer accounts in your Active Directory environment. From these reports, admins can easily enable, disable, move, or delete user accounts as needed or as per their company's policies.
Locked-out user accounts
Find locked-out accounts in Active Directory with details on users whose access was restricted because of failed login attempts.
Account expired users
Identify all the users whose accounts have expired in a particular domain. You can export the details of users with expired accounts in multiple formats, like CSV, PDF, XLSX, HTML, CSVDE, and XLS.
Recently expired user accounts
View all the user accounts that have expired during any specified period of time. Based on the organization's policy or the current need, admins can delete these accounts, disable them, move them to a specific OU where expired accounts are held, or change the account expiration date to never—all from within the report. This report also helps admins identify expired accounts and free up licenses to save costs.
Soon-to-expire user accounts
Find all the users whose accounts will expire in the next few days, weeks, or months. Admins can prevent their employees from being denied access to their domain by proactively reviewing and extending account expiration dates as needed. Besides ensuring users have uninterrupted access to organizational resources, it also helps admins avoid frantic help desk calls from users.
User accounts that never expire
Identify all user accounts that are set to never expire. As this report also displays the account status, admins can enable disabled accounts right from the report. If needed, they can also disable or delete any account in the list using the report's built-in management options.
Smart-card-enabled users
View a report detailing all the users in the domain with smart card login permissions enabled. Use this information to ensure that only authorized users are allowed to log in using smart cards.
Effortless user status reporting and management with ADManager Plus
Actionable insights
Get over 200 prepackaged reports on user status, licenses, and activity, and perform management actions right from the reports. ADManager Plus also offers a built-in report scheduler that can automatically export and email reports to your preferred users in any format, including CSV, PDF, XLSX, HTML, CSVDE, and XLS.
Automation and workflow
Automate routine Active Directory tasks, such as user provisioning and deprovisioning, cleaning up dormant accounts, and managing NTFS and share permissions. Build a custom workflow structure to help with ticketing and compliance.
Unified administration
ADManager Plus serves as a web-based solution for all your Active Directory, Exchange, Skype for Business, Google Workspace, and Microsoft 365 management needs. Download a free trial today to explore all these features.
FAQs
To check an account's status in Active Directory, you can use native tools like ADUC and PowerShell. For a quicker and more comprehensive approach, ManageEngine ADManager Plus offers prebuilt reports on account statuses to help you track which accounts are enabled, inactive, locked out, or expired. Click here to see how ADManager Plus compares to PowerShell in performing this task.
The UserAccountControl attribute in Active Directory is a single, cumulative value that defines an account's properties and status. It functions as a bitmask, where each bit represents a specific setting, such as whether an account is enabled, disabled, or locked out. For example, a disabled account has a UserAccountControl value of 514, which is a combination of the Account Disabled (2) and Normal Account (512) flags. Changing a setting in the GUI simply adds or subtracts a specific numerical value to this attribute.
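The bitmask described above can be decoded with a few lines of PowerShell. This is an added example, not code from ADManager Plus or Microsoft; the function name ConvertFrom-UserAccountControl and the sample values are constructed for illustration, and the flag table is a subset of the documented ADS_USER_FLAG_ENUM constants.

```powershell
# Added example: decode userAccountControl values into named flags.
# Subset of the documented ADS_USER_FLAG_ENUM bit values.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x00000002
    LOCKOUT                = 0x00000010
    PASSWD_NOTREQD         = 0x00000020
    NORMAL_ACCOUNT         = 0x00000200
    DONT_EXPIRE_PASSWORD   = 0x00010000
    SMARTCARD_REQUIRED     = 0x00040000
    TRUSTED_FOR_DELEGATION = 0x00080000
    PASSWORD_EXPIRED       = 0x00800000
}

# Hypothetical helper name; takes the integer stored in userAccountControl.
function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)

    $known = 0
    $set = foreach ($flag in $UacFlags.GetEnumerator()) {
        $known = $known -bor $flag.Value                 # track bits this table covers
        if ($Value -band $flag.Value) { $flag.Key }      # bit set -> emit flag name
    }

    # Caveat: on current AD DS the LOCKOUT and PASSWORD_EXPIRED bits are not
    # maintained in userAccountControl itself; they are reported through the
    # msDS-User-Account-Control-Computed attribute. A clear bit here does not
    # prove the account is unlocked.
    [pscustomobject]@{
        Value   = $Value
        Enabled = -not ($Value -band $UacFlags.ACCOUNTDISABLE)
        Flags   = $set -join ', '
        Unknown = '0x{0:X}' -f ($Value -band (-bnot $known))  # bits outside the table
    }
}

# Constructed sample values; 514 is the disabled-account value quoted above.
#   512    = NORMAL_ACCOUNT
#   514    = NORMAL_ACCOUNT + ACCOUNTDISABLE
#   544    = NORMAL_ACCOUNT + PASSWD_NOTREQD
#   66048  = NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD
#   262656 = NORMAL_ACCOUNT + SMARTCARD_REQUIRED
512, 514, 544, 66048, 262656 |
    ForEach-Object { ConvertFrom-UserAccountControl $_ } |
    Format-Table -AutoSize
```

A non-zero Unknown column means the value carries bits outside this subset (for example, computer or trust account types), so the table should be extended before the output is used for an audit.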
Active Directory account history can be viewed by configuring a Group Policy to enable auditing. PowerShell scripts can be used to query event logs or read user attributes like lastLogon and lastLogonTimestamp for login history. However, third-party tools like ADManager Plus simplify this process by providing prebuilt reports, helping you track users' logon activities without any scripting.
Other features
Bulk User Management
Fire a shotgun-shell of AD User Management Tasks in a Single Shot. Also use csv files to manage users. Effect bulk changes in the Active Directory, including configuring Exchange attributes.
Active Directory Logon Reports
Monitor logon activities of Active Directory users on your AD environment. Filter out Inactive Users. Reporting on hourly level. Generate reports for true last logon time & recently logged on users.
Active Directory Delegation
Unload some of your workload without losing your hold. Secure & non-invasive helpdesk delegation and management from ADManager Plus! Delegate powers for technician on specific tasks in specific OUs.
Microsoft Exchange Management
Create and manage Exchange mailboxes and configure mailbox rights using ADManager Plus's Exchange Management system. Now with support for Microsoft Exchange 2010!!
Active Directory Cleanup
Get rid of the inactive, obsolete and unwanted objects in your Active Directory to make it more secure and efficient...assisted by ADManager Plus's AD Cleanup capabilities.
Active Directory Automation
A complete automation of AD critical tasks such as user provisioning, inactive-user clean up etc. Also lets you sequence and execute follow-up tasks and blends with workflow to offer a brilliant controlled-automation.