Reporting on Active Directory users involves gathering information about user accounts, their properties, and attributes within an Active Directory environment. This can be accomplished using various methods, including PowerShell scripts and native Active Directory tools, but their limited GUI and inability to generate complex Active Directory reports make them a less optimal choice for this task. ADManager Plus, with its user-friendly interface and more than 200 predefined reports makes it easier to report on Active Directory users and their attributes. Unlike PowerShell, ADManager Plus' Active Directory reports do not require scripting knowledge and can be generated by non-IT admin personnel and on the go from its mobile apps, making it the optimal choice for Active Directory reporting.

  • All users report

    Obtaining a list of all the Active Directory users helps with meeting audit requirements and gaining visibility into the dormant and inactive accounts.

     

  • Enabled and disabled users

    Regularly reporting on enabled or disabled users helps administrators monitor and appropriately manage them.

     

  • Active and inactive users

    User account status must be continuously monitored, and inactive users must be promptly disabled or deleted to mitigate potential security risks.

     

  • Locked-out users

    Locked-out users must be continuously monitored to identify unauthorized access attempts, compromized accounts, or potential password attacks.

     

  • Account expiration

    Account expiry reports help IT administrators track user account life cycles, including when accounts are due to expire.

     

  • Last logon report

    Monitoring last logon reports helps administrators gain insights on user activity and analyze them over time for potential data breaches and malicious activity.

     

  • Manager-based reports

    By generating manager-based reports, administrators can identify managers responsible for specific teams or departments. This is vital for delegating administrative tasks, assigning responsibilities, and granting appropriate permissions based on organizational hierarchy.

     

  • Nested reports

    Nested reports enables administrators to gain insights on the intricacies of Active Directory groups and its members.

     

  • Custom reports

    Every organization will have its own policies and procedures on how Active Directory objects are managed throughout the life cycle. By selecting and presenting data that is directly applicable to the Active Directory environment, IT administrators gain insights that are actionable and meaningful, and that is when custom reports come into play.

     

Listing Active Directory users using

Powershell

A list of all Active Directory users can be obtained using the Get-ADUsers cmdlet in PowerShell. Here's a sample script that you can use to fetch all the Active Directory users using PowerShell: 

Get-ADUser -Filter $filter -Name
 Copied
Click to copy entire script

The New-ADUser cmdlet can also be used to create multiple Active Directory users. The following is a sample command to create Active Directory users in bulk using PowerShell:

ADManager Plus

ADManager Plus has an All Users report to retrieve all the Active Directory users in an Active Directory domain. This report can be scheduled and automatically generated at a set time. In addition to this, here are a few benefits for getting Active Directory users using ADManager Plus' All Users reports:

  • Comprehensive reporting: Gain insights on users' account status, group memberships, and other attributes through detailed reporting.
  • On-the-fly user management: Manage users directly from the report itself, allowing for efficient user management.
  • Customized reporting: Apply filters and customize reports as per your organization's needs.

Getting enabled and disabled users report using

Powershell

To get a list of all the enabled and disabled users using PowerShell, execute the Get-ADUser cmdlet along with the enabled and disabled filters. Here are some sample scripts that you can use to fetch enabled and disabled users using PowerShell.

To get a list of all the enabled Active Directory users, execute this command:

Get-ADUser -Filter {Enabled -eq $true}
 Copied
Click to copy entire script

To get a list of all the disabled Active Directory users, execute this command: 

Get-ADUser -Filter {Enabled -eq $false}
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus' preconfigured reports can be instantly generated to fetch the enabled and disabled Active Directory users. Additionally, automations can be configured to take appropriate actions on user accounts based on these reports. Here's how you can benefit from choosing ADManager Plus over the Get-ADUser cmdlet:

  • Compliance demonstration: Generate these reports, export them, and meet audit requirements effortlessly.
  • Scheduled reporting: Automatically generate reports by scheduling them, ensuring stakeholders receive timely updates via email.
  • Tailored reporting: Customize what attributes of the fetched users you would like to view and export.

Fetching active and inactive users using

Powershell

Administrators can use the Get-ADUser cmdlet with certain filters to fetch the active and inactive users in Active Directory. Below are a few sample scripts.

To get a list of all the users who have logged in over the past 90 days, execute this command:

Get-ADUser -Filter {(LastLogonDate -gt (Get-Date).AddDays(-90)) -and (Enabled -eq $true)}
 Copied
Click to copy entire script

To get a list of all the users who have been inactive over the last 90 days, execute this command: 

Get-ADUser -Filter {(LastLogonDate -lt (Get-Date).AddDays(-90)) -and (Enabled -eq $true)}
 Copied
Click to copy entire script

ADManager Plus

The list of active and inactive users can be instantly obtained with the click of a button and exported in PDF, XLSX, CSV, and more in ADManager Plus. These users can also be obtained from the All Users report itself by filtering the results based on users' account status. Here are some benefits from ADManager Plus to accomplish this task:

  • Risk assessment: Identify inactive users affecting your security stature and take immediate actions, such as disabling or deleting them.
  • Scheduled reporting: Schedule reports to be automatically generated at specified time intervals, ensuring regular updates on active and inactive user status.
  • Automated cleanup: Set up automations to remove inactive users and move them to different OUs using predefined reports, streamlining cleanup tasks and maintaining directory hygiene.

Generating locked-out users report using

Powershell

The account lockout status of users in Active Directory can be obtained using the Search-ADAccount cmdlet and certain filters. Here's a sample script that can be used to get the account lockout status using PowerShell: 

Search-ADAccount -LockedOut | Select-Object Name, SamAccountName, LockedOut
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus' locked-out users report fetches and displays all the users who have been locked out. Here are a few benefits for using ADManager Plus to get the account lockout status of users:

  • On-the-fly account unlock : Quickly unlock user accounts directly from the report to enablethe immediate resolution of lockout issues.
  • Workflow management: Trigger workflows to unlock sensitive or privileged locked-out accounts, ensuring proper authorization and oversight.
  • Compliance-friendly reporting: Meet audit requirements by automating this report and continuously monitoring locked-out user accounts, thereby ensuring compliance readiness.

Generating account expiration reports using

Powershell

To generate a report of expired, soon-to-expire, and never-expire users in Active Directory using PowerShell, you can use the commands mentioned below.

To get Active Directory user accounts and their account expiration date, use this command:

Get-ADUser -Filter {AccountExpirationDate -le (Get-Date)} | Select-Object Name, SamAccountName, AccountExpirationDate
 Copied
Click to copy entire script

To get Active Directory user accounts that are about to expire in the next 30 days, use this command:

Get-ADUser -Filter {AccountExpirationDate -ne $null -and AccountExpirationDate -le (Get-Date).AddDays(30)} | Select-Object Name, SamAccountName, AccountExpirationDate
 Copied
Click to copy entire script

To get Active Directory user accounts that will never expire, use this command:

Get-ADUser -Filter {AccountExpirationDate -eq $null} | Select-Object Name, SamAccountName
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus' account expired users, recently expired users, and soon-to-expire user account reports enables IT administrators to report on user accounts based on the user account expiration status. The account expired users' report fetches and lists all the user accounts that have expired, whereas the recently expired users report allows administrators to narrow down expired users' results based on the expiration date. The soon-to-expire users reports allows administrators to analyze and determine what will happen to user accounts that will expire soon. Here are a few benefits for the account expiration reports in ADManager Plus:

  • Spontaneous management: Manage expire user accounts immediately by moving them to different OUs or deleting them.
  • Customized reporting: Customize report filters and save them as new reports for easy access.
  • Exportable reports: Export reports in desired formats, meeting audit requirements efficiently.

Fetching the last logon time of Active Directory users with

Powershell

The last logon report can be generated using the Get-ADUser cmdlet in PowerShell along with some filters. Here is a sample script that can be used: 

Get-ADUser -Filter * -Properties LastLogonDate | Select-Object Name, SamAccountName, LastLogonDate
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus provides a real last logon report that fetches and displays the real last logon details of users in the desired domains, groups, or OUs based on the last logon time stamp value in the domain controllers. Here are a few benefits for choosing ADManager Plus for generating the last logon details of users over PowerShell:

  • Ready-to-generate report: Select the desired domains, groups or OUs and desired users and obtain results at the click of a button.
  • Active Directory cleanup: Identify and clean up obsolete or stale accounts based on their last logon time stamp, ensuring improved hygiene and security.
  • Attribute customization: Customize which attributes have to be displayed in the reports' results, allowing for tailored reporting based on organizational requirements.

Obtaining manager-based reports using

Powershell

Manager based reports can be obtained using the following PowerShell script: 

Get-ADUser -Filter * -Properties Manager | Select-Object Name, SamAccountName, @{Name="Manager"; Expression={(Get-ADUser $_.Manager).Name}}"
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus provides a manager-based users' report that allows you to get a list of all the direct reports of managers. Here are a few benefits of this report:

  • CSV-based reporting: Upload a list of all the managers and get their direct reports instantly, streamlining the entire reporting process.
  • Group membership management: Manage the group membership of the generated users on the fly, ensuring efficient user and permission management.
  • Active Directory cleanup: Customize columns and view the account status of all the users and promptly remove disabled accounts, enhancing directory health and hygiene.

Finding members of Active Directory groups using

Powershell

PowerShell uses the Get-ADGroupMember cmdlet to get the members of an Active Directory group. Here's a sample script: 

Get-ADGroupMember -Identity "Managers" | Select-Object Name, SamAccountName
 Copied
Click to copy entire script

Additionally, to get a users group membership details, the Get-ADPrincipalGroupMembership cmdlet can be used. Here's a sample script:

Get-ADPrincipalGroupMembership -Identity "Harry"
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus group membership reports enables administrators to easily find members of Active Directory groups including nested groups without scripting. The reports also come with built-in filtering options to narrow down results. Here a few benefits for choosing ADManager Plus over PowerShell for finding members of Active Directory groups:

  • Comprehensive reports: Get a list of all the members and their attributes, providing detailed insights into group memberships.
  • Graphical reports: Add group membership reports to the dashboard and view reports in graphical formats for easier interpretation.
  • Advanced filters: Filter reports based on attributes or customize how you would like to view them.

Generating custom reports using

Powershell

Custom reports in PowerShell can be generated by using filters along with their cmdlets. For instance, the Get-ADUser cmdlet that is used to fetch Active Directory users can be used along with the Username filter to get a list of all the Active Directory users along with their usernames. Here are a few sample scripts that can be used to generate customized user reports:

To get a list of all Active Directory users based on their department attribute, execute the command:

Get-ADUser -Filter "Department -eq '$Sales'"
 Copied
Click to copy entire script

To get a list of all Active Directory users and their sAMAccountName attributes using a CSV file, execute this command:

import-module activedirectory Get-ADUser -Filter * -SearchBase "OU=Abc, DC=example, DC=com" | Select sAMAccountName, name | export-csv -Path c:\Scripts\Users.csv
 Copied
Click to copy entire script

To get a list of all Active Directory users and their displayName attribute using a CSV file, execute this command:

Get-ADUser -Filter * -SearchBase "OU=Abc, DC=example, DC=com" | Select sAMAccountName, givenName, displayName, mail, telephoneNumber | export-csv -Path
 Copied
Click to copy entire script

To get a list of all Active Directory users with empty telephoneNumber attribute, execute this command:

Get-ADUser -LDAPFilter '(!(telephoneNumber=*))'| Select sAMAccountName, givenName |  export-csv -path c:\Scripts\Emptyattrib.csv 
                                c:\Scripts\Users.csv
 Copied
Click to copy entire script

ADManager Plus

ADManager Plus enables administrators to create custom reports with required details tailored to the organizational requirements. Custom reports can be built from scratch using filters and can be automatically generated like any other report in ADManager Plus. Here are few benefits for choosing ADManager Plus to build and generate custom reports:

  • Custom attribute - based reporting: Create custom attributes and customize reports based on them, allowing for tailored reporting.
  • LDAP query - based reporting: Construct customized LDAP queries using LDAP attributes to efficiently retrieve data.
  • Advanced filtering: Refine reports' results further by configuring conditions to further narrow down reports' results.
Start your free trial

Over 280,000 organizations across 190 countries
trust ManageEngine to manage their IT.

Over 100,000 technicians
trust ADManager Plus to manage their Windows environment.

  • ADManager Plus provides us a single point for our Active Directory Reports. For a small IT department this is crucial for saving time and being able to apply our energy to keeping things running smooth. I foresee this being in our arsenal of network tools for a long time to come.

    Mark Anderson

    IT Support, ET Investments

  • ADManager Plus - The Swiss Army Knife for AD Administrator It has made managing and administrating Active Directory easy, fast and efficient. Everyday tasks which earlier required us to write Powershell scripts are now easily achievable using an workflow like interface.

    Deputy Chief IT Engineer

    Company Size: 1B - 3B, Energy and Utilities

  • ADManager Plus is head and shoulders above the other products that we have used or evaluated. ADManager Plus allows us to keep up with the changes in AD, keep it clean and up to date with minimal effort. ADManager Plus is a tremendous time saver for our support engineers.

    Donald Storm

    Systems Engineer, American Association for Cancer Research

Here are a few more capabilities of ADManager Plus to enhance productivity and save time:

AD User Management

Create and manage AD user accounts in bulk using CSV files and customizable templates.

Learn More

AD Automation

Automate routine AD tasks like creating users, deleting inactive users, and more. Track the status of automated tasks whenever required.

Learn More

AD Delegation

Delegate AD administration and management securely to your help desk and HR teams. Offload repetitive tasks like password resets and user creation.

Learn More

Evaluate this unified Active Directory, Exchange, and Microsoft 365 Management and Reporting solution.

Try ADManager Plus today! 30-day, free trial. No credit card required. No strings attached.

2022, Zoho Corporation Pvt. Ltd. All Rights Reserved.

×

Start your 30-day free trial

Thanks!

Your download is in progress and it will be completed in just a few seconds!
If you face any issues, download manually here

  •  
  • *
     
  •  
  •  
  • By clicking 'Submit' you agree to processing of personal data according to the Privacy Policy.