Sign up for the ITPro Today newsletter
Stay on top of the IT universe with commentary, news analysis, how-to's, and tips delivered to your inbox daily.
JSI Tip 3410. General purpose Domain User Properties reporting script.
Jerold Schulman
February 25, 2001
9 Min Read
Regardless of whether you have a Windows 2000 Active Directory domain or a Windows NT 4.0 domain, the scripts on this page will allow you to generate various user property reports, even if you have minimal scripting skills.
NOTE: The scripts MUST be run on a Windows 2000 / Windows NT 4.0 member workstation or server.
If you open a CMD prompt and type NET USER UserName /Domain, you would receive output similar to:
The request will be processed at a domain controller for domain User name TestFull Name Test TesterComment Test accountUser's comment A commentCountry code (null)Account active YesAccount expires NeverPassword last set 02/12/2001 21:34Password expires 03/13/2001 20:00Password changeable 02/12/2001 21:34Password required YesUser may change password YesWorkstations allowed JSI005,JSI006,JSI007Logon script logon.batUser profile \JSI001ProfilesJerryHome directory \JSI001HomeJerry Last logon 02/24/2001 09:34Logon hours allowed Monday 06:00 - 18:00 Tuesday 06:00 - 18:00 Wednesday 06:00 - 18:00 Thursday 06:00 - 18:00 Friday 06:00 - 18:00Local Group Memberships *Users Global Group memberships *Sales *Marketing *Accounting *Domain Users *PersonnelThe command completed successfully.For any user, the first 18 lines of the display have the same line titles. Since Logon hours allowed, Local Group Memberships, and Global Group memberships can each have a variable number of entries, lines 19 - XX can have variable (or no) titles, but these scripts make it easy to identify the data.
To use the scripts, type:
JSIDUGet Full_Path_To_YourBat.bat File
where Full_Path_To_YourBat.bat can be as simple as:
@echo offIf "%Final%" EQU "Y" goto endcall jsiduser:endThis would product a report of every user, displaying the non-default data. The report, written to File, would look similar to:
User name Guest Comment Built-in account for guest access to the computer/domain Account active No Password last set 02/25/2001 06:26 Password changeable 02/25/2001 06:26 Password required No User may change password No Last logon Never Local Group Memberships *Guests Global Group memberships *Domain Guests *Domain Users _______________________________________________________________________________________________ * User name Jennifer Full Name Jennifer V. Schulman Password last set 02/12/2000 21:47 Password changeable 02/12/2000 21:47 Last logon 02/24/2001 07:14 Global Group memberships *Domain Users _______________________________________________________________________________________________ * User name TestFull Name Test TesterComment Test accountUser's comment A commentPassword last set 02/12/2001 21:34Password expires 03/13/2001 20:00Password changeable 02/12/2001 21:34Workstations allowed JSI005,JSI006,JSI007Logon script logon.batUser profile \JSI001ProfilesJerryHome directory \JSI001HomeJerry Last logon 02/24/2001 09:34Logon hours allowed Monday 06:00 - 18:00 Tuesday 06:00 - 18:00 Wednesday 06:00 - 18:00 Thursday 06:00 - 18:00 Friday 06:00 - 18:00Global Group memberships *Sales *Marketing *Accounting *Domain Users *Personnel_______________________________________________________________________________________________NOTE: If you prefer, You can call your own reporting script.
The following environment variables are available to Full_Path_To_YourBat.bat:
actvY-account is active, N-not active.file The output report path.FinalY-all records have been processed, N-process the current record.FirstY-a switch you can use and set.lineNN line01=User name Joe line02=Full Name Joe User line03=Comment Just a sample line04=User's comment line05=Country code 000 (System Default) line06=Account active Yes line07=Account expires Never line08=Password last set 02/12/2001 20:27 line09=Password expires 02/28/2001 19:13 line10=Password changeable 02/12/2001 20:27 line11=Password required Yes line12=User may change password Yes line13=Workstations allowed All line14=Logon script logon.bat line15=User profile profile path line16=Home directory home folder path line17=Last logon 02/27/2001 00:32 line18=Logon hours allowed All +line19=Local Group Memberships *Users +line20=Global Group memberships *Sales *Domain Usersmax The number of lines.NOWDD The current day.NOWHH The current hour.NOWMM The current month.NOWMX The current minuteNOWYMD The current year/month/dayNOWYMDHM The current year/month/day/hour/minuteNOWYY The current year.UserAcnt The current UserName.XDD07 The account Expires day. XDD08 The password last set day.XDD09 The password expires day.XDD10 The password changeable day. XDD17 The last logon day.XHH07 The account Expires hour. XHH08 The password last set hour. XHH09 The password expires hour. XHH10 The password changeable hour.XHH17 The last logon hour.XMM07 The account Expires month.XMM08 The password last set month.XMM09 The password expires month.XMM10 The password changeable month.XMM17 The last logon month.XMX07 The account Expires minute.XMX08 The password last set minute.XMX09 The password expires minute.XMX10 The password changeable minute.XMX17 The last logon minute.XYMD07 The Account Expires year/month/day.XYMD08 The Password last set year/month/day. XYMD09 The password expires year/month/day.XYMD10 The password changeable year/month/day.XYMD17 The last logon year/month/day.XYMDHM07 The Account Expires year/month/day/hour/minute.XYMDHM08 The password last set year/month/day/hour/minute.XYMDHM09 The password expires year/month/day/hour/minute.XYMDHM10 The password changeable year/month/day/hour/minute.XYMDHM17 The last logon year/month/day/hour/minute.XYY07 The Account Expires year.XYY08 The password last set year.XYY09 The password expires yearXYY10 The password changeable year.XYY17 The last logon year.On any lineNN, the data at the beginning of the line can be addresses as %lineNN:~0, and the data in the right hand column can be address as %lineNN:~29,.
The JSIDUGet.bat script is responsible for retrieving all the users. For each user, it creates the environment variables and calls Full_Path_To_YourBat.bat. JSIDUGet.bat contains:
@echo offif NOT {%1}{} goto begin:syntax@echo Syntax: JSIDUGet YourBat.bat File goto end:beginif {%2}{} goto Syntaxif not exist %1 goto Syntaxsetlocalset yourbat=%1set file=%2if exist %file% del /q %file%for /f "tokens=2,3,4* delims=/ " %%i in ('date /t') do set NOWMM=%%i&set NOWDD=%%j&set NOWYY=%%kfor /f "tokens=1,2 delims=:" %%i in ('time /t') do set NOWHH=%%i&set NOWMX=%%jset NOWHH=%NOWHH: =0%set NOWYMD=%NOWYY%%NOWMM%%NOWDD%set NOWYMDHM=%NOWYMD%%NOWHH%%NOWMX%set wrk= #set blank=%wrk:~0,10%set Final=Nset First=Yfor /f "Skip=6 Tokens=*" %%i in ('net users /domain') do call :parse "%%i"set Final=Yset /a max=0set actv=Ncall %yourbat%endlocalgoto end:parseset str=#%1#set str=%str:#"=%set str=%str:"#=%if "%str%""The command completed successfully." goto endset substr=%str:~0,25%#set substr=%substr: =%set substr=%substr: #=%set substr=%substr:#=%if "%substr%""" goto endset /a cnt=0set UserAcnt=%substr%for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"set substr=%str:~25,25%#set substr=%substr: =%set substr=%substr: #=%set substr=%substr:#=%if "%substr%""" goto endset /a cnt=0set UserAcnt=%substr%for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"set substr=%str:~50,25%#set substr=%substr: =%set substr=%substr: #=%set substr=%substr:#=%if "%substr%""" goto endset /a cnt=0set UserAcnt=%substr%for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"goto end:datesif "%ustr:~29,5%""Never" set XMM=12&set XDD%=31&set XYY=9999&set XHH=24&set XMX=00&goto datesfset edt=%ustr:~29,16%for /f "Tokens=1-5 Delims=/: " %%j in ('@echo %edt%') do set XMM=%%j&set XDD=%%k&set XYY=%%l&set XHH=%%m&set XMX=%%n:datesfset XHH=%XHH: =0%set XYMD=%XYY%%XMM%%XDD%set XYMDHM=%XYMD%%XHH%%XMX%set XMM%lne%=%XMM%set XDD%lne%=%XDD%set XYY%lne%=%XYY%set XHH%lne%=%XHH%set XMX%lne%=%XMX%set XYMD%lne%=%XYMD%set XYMDHM%lne%=%XYMDHM%goto end:parse1set /a cnt=%cnt% + 1set ustr=%1if %ustr%"The command completed successfully." goto Userset ustr=%ustr:"=%set /a wrk=%cnt% + 100set wrk=%wrk%set lne=%wrk:~1,2%set line=%ustr%if "%lne%" LSS "19" goto parse2if "%line:~0,1%" EQU "*" set line=%line%if "%line:~0,8%" EQU "Local Gr" goto parse2if "%line:~0,8%" EQU "Global G" goto parse2set line= %line%:parse2if "%line:~29,1%" EQU "" set line=%line%%blank%&goto parse2set line%lne%=%line%if %cnt% EQU 6 set actv=%ustr:~29,1%&goto endif %cnt% LSS 7 goto endif %cnt% LSS 11 goto datesif %cnt% EQU 17 goto datesgoto end:userset /a max=%cnt% - 1call %yourbat%:endNOTE: If you wanted the run JSIDUGet.bat on a domain controller, you must replace the 3 occurrences of "Skip=1 Tokens=*" with "Tokens=*".
The standard reporting script, JSIUser.bat, contains:
@echo offsetlocalset /a seq=0for /l %%i in (1,1,%max%) do call :parse1@echo __________________________________________________________________________________ >> %file%@echo * >> %file%endlocalgoto end:num5if "%line:~29,3%""000" goto endif "%line:~29,3%""(nu" goto endgoto out1:num6if "%line:~29,3%""Yes" goto endgoto out1:num7if "%line:~29,3%""Nev" goto endgoto out1:num8:num9:num10:num11:num12if "%line:~29,3%""Yes" goto endgoto num7:num13if "%line:~29,3%""All" goto endgoto out1:num18if "%line:~29,3%""All" goto endgoto out1:parse1set /a seq=%seq% + 1set /a wrk=%seq% + 100set wrk=%wrk%set lne=%wrk:~1,2%for /f "Tokens=2 Delims" %%i in ('set line%lne%') do @set line=%%igoto num%seq%:num2goto out:num3goto out:num4goto out:num14goto out:num15goto out:num16goto out:num17goto out:num19goto out:num20goto out:num21goto out:num22goto out:num23goto out:num24goto out:num25goto out:num26goto out:num27goto out:num28goto out:num29goto out:num30goto out:num31goto out:num32goto out:num33goto out:num34goto out:num35goto out:num36:outif "%line:~29,1%"" " goto end:num1:out1@echo %line% >> %file%:endIf you wanted to report the user accounts whose passwords have expired, your Full_Path_To_YourBat.bat would contain:
@echo offIf "%Final%" EQU "Y" goto endREM Select only active accountsif "%actv%" EQU "N" goto endIf "%NOWYMDHM%" GTR "%XYMDHM09%" goto end REM If you wish to include the accounts whose password will expire today, use: If "%NOWYMD%" GTR "%XYMD09%" goto end call jsiduser:endTo report all expired accounts:
@echo offIf "%Final%" EQU "Y" goto endIf "%NOWYMDHM%" GTR "%XYMDHM07%" goto end REM If you wish to include the accounts that will expire today, use: If "%NOWYMD%" GTR "%XYMD07%" goto end call jsiduser:endTo report all accounts that do not have a logon script configured:
@echo offIf "%Final%" EQU "Y" goto endif "%actv%" EQU "N" goto endif "%line14:~29,1%" GTR " " goto endcall jsiduser:endTo report all active accounts that have never logged on:
@echo offIf "%Final%" EQU "Y" goto endif "%actv%" EQU "N" goto endif not "%line17:~29,5%" EQU "Never" goto endcall jsiduser:endTo report all active users who are members of the Domain Admins group:
@echo offIf "%Final%" EQU "Y" goto endif "%actv%" EQU "N" goto endIf %max% LSS 19 goto endset DA=Nfor /l %%i in (19,1,%max%) do call :parse %%iif "%DA%" EQU "N" goto endcall jsidusergoto end:parseif "%DA%" EQU "Y" goto endset lne=%1for /f "Tokens=2 Delims" %%j in ('set line%lne%') do @set line=%%jif "%line:~29,14%" EQU "*Domain Admins" set DA=Y&goto endif "%line:~51,14%" EQU "*Domain Admins" set DA=Y:endTo report all active accounts that have logon hour restrictions on Wednesday:
@echo offIf "%Final%" EQU "Y" goto endif "%actv%" EQU "N" goto endset Wed=Nfor /l %%i in (18,1,%max%) do call :parse %%iif "%Wed%" EQU "N" goto endcall jsidusergoto end:parseif "%Wed%" EQU "Y" goto endset lne=%1for /f "Tokens=2 Delims" %%j in ('set line%lne%') do @set line=%%jif "%line:~29,1%" EQU "*" goto endIf "%line:~29,3%" EQU "Wed" set Wed=Y:endTo report all active users that have workstation restriction who are allowed to log onto JSI006:
@echo offIf "%Final%" EQU "Y" goto endif "%actv%" EQU "N" goto endif "%line13:~29,3%" EQU "All" goto endset Work=NREM A maximum of 8 workstations and a maximum computer name of 20 and up to 7 commas + 1 for good measureset worklist=%line13:~29,168%for /f "Tokens=1-8 Delims=, " %%i in ('@echo %worklist%') do call :parse %%i %%j %%k %%l %%m %%n %%o %%pif "%Work%" EQU "N" goto endcall jsidusergoto end:parse:loopif {%1} EQU {} goto endset workstn=%1If /i "%workstn:~0,6%" EQU "JSI006" set Work=Y&goto endshiftgoto loop:endTo report all active accounts that haven't logged on in 30 days:
@echoIf "%Final%" EQU "Y" goto endif "%actv%" EQU "N" goto endCall JSIDateM %XYY% %XMM% %XDD% - %NOWYY% %NOWMM% %NOWDD%If %NDD% GTR -30 goto endcall jsiduser:endTo generate a sorted report of domain group membership, your Full_Path_To_YourBat.bat would contain:
@echo offIf "%Final%" EQU "Y" goto phase2if "%First%" EQU "N" goto phase1set First=Nif exist %TEMP%sortin.tmp del /q %TEMP%sortin.tmpif exist %TEMP%sortou.tmp del /q %TEMP%sortou.tmp:phase1if "%actv%" EQU "N" goto endIf %max% LSS 19 goto endset Glob=Nfor /l %%i in (19,1,%max%) do call :parse %%igoto end:phase2sort %TEMP%sortin.tmp /O %TEMP%sortou.tmpdel /q %TEMP%sortin.tmpset pgrp= #set blank= #set spac=%blank:~0,20%for /f "Tokens=*" %%i in (%TEMP%sortou.tmp) do call :report "%%i"del /q %TEMP%sortou.tmpgoto end:reportset line=%1set line=%line:"=%if "%pgrp%" EQU "%line:~0,20%" goto detailset pgrp=%line:~0,20%@echo __________________________________________ >>%File%@echo * >>%File%@echo %line%>>%File%goto end:detailset data=%line:~20,99%@echo %spac%%data%>>%File%goto end:parseset lne=%1for /f "Tokens=2 Delims" %%j in ('set line%lne%') do @set line=%%jif "%line:~0,6%" EQU "Global" set Glob=YIf "%Glob%" EQU "N" goto endif not "%line:~29,1%" EQU "*" goto endset grp=%line:~30,20% #set group=%grp:~0,25%@echo %group% %UserAcnt% >>%TEMP%sortin.tmpif not "%line:~51,1%" EQU "*" goto endset grp=%line:~52,20% #set group=%grp:~0,25%@echo %group% %UserAcnt% >>%TEMP%sortin.tmp:endThe sorted report would look like:
__________________________________________ * Domain Admins Administrator Jerry __________________________________________ * Domain Users Administrator Jennifer Jerry test __________________________________________ * Enterprise Admins Administrator Jerry __________________________________________ * Group Policy Creator Administrator __________________________________________ * Installers Jerry __________________________________________ * Schema Admins Administrator JerryNOTE: Other general routines include:
tip 0863 Time Math.
tip 0721 General purpose date math routine.
About the Author
You May Also Like
.jpg?width=700&auto=webp&quality=80&disable=upscale)
