JSI Tip 3410. General purpose Domain User Properties reporting script.

Jerold Schulman

February 25, 2001



Regardless of whether you have a Windows 2000 Active Directory domain or a Windows NT 4.0 domain, the scripts on this page will allow you to generate various user property reports, even if you have minimal scripting skills.

NOTE: The scripts MUST be run on a Windows 2000 / Windows NT 4.0 member workstation or server.

If you open a CMD prompt and type NET USER UserName /Domain, you would receive output similar to:

The request will be processed at a domain controller for domain

User name                    Test
Full Name                    Test Tester
Comment                      Test account
User's comment               A comment
Country code                 (null)
Account active               Yes
Account expires              Never
Password last set            02/12/2001 21:34
Password expires             03/13/2001 20:00
Password changeable          02/12/2001 21:34
Password required            Yes
User may change password     Yes
Workstations allowed         JSI005,JSI006,JSI007
Logon script                 logon.bat
User profile                 \\JSI001\Profiles\Jerry
Home directory               \\JSI001\Home\Jerry
Last logon                   02/24/2001 09:34
Logon hours allowed          Monday 06:00 - 18:00
                             Tuesday 06:00 - 18:00
                             Wednesday 06:00 - 18:00
                             Thursday 06:00 - 18:00
                             Friday 06:00 - 18:00
Local Group Memberships      *Users
Global Group memberships     *Sales                *Marketing
                             *Accounting           *Domain Users
                             *Personnel
The command completed successfully.

For any user, the first 18 lines of the display have the same line titles. Since Logon hours allowed, Local Group Memberships, and Global Group memberships can each have a variable number of entries, lines 19 - XX can have variable (or no) titles, but these scripts make it easy to identify the data.

To use the scripts, type:

JSIDUGet Full_Path_To_YourBat.bat File

where Full_Path_To_YourBat.bat can be as simple as:

@echo off
If "%Final%" EQU "Y" goto end
call jsiduser
:end

This would produce a report of every user, displaying the non-default data. The report, written to File, would look similar to:

User name                    Guest
Comment                      Built-in account for guest access to the computer/domain
Account active               No
Password last set            02/25/2001 06:26
Password changeable          02/25/2001 06:26
Password required            No
User may change password     No
Last logon                   Never
Local Group Memberships      *Guests
Global Group memberships     *Domain Guests        *Domain Users
_______________________________________________________________________________________________
                                                                                               *
User name                    Jennifer
Full Name                    Jennifer V. Schulman
Password last set            02/12/2000 21:47
Password changeable          02/12/2000 21:47
Last logon                   02/24/2001 07:14
Global Group memberships     *Domain Users
_______________________________________________________________________________________________
                                                                                               *
User name                    Test
Full Name                    Test Tester
Comment                      Test account
User's comment               A comment
Password last set            02/12/2001 21:34
Password expires             03/13/2001 20:00
Password changeable          02/12/2001 21:34
Workstations allowed         JSI005,JSI006,JSI007
Logon script                 logon.bat
User profile                 \\JSI001\Profiles\Jerry
Home directory               \\JSI001\Home\Jerry
Last logon                   02/24/2001 09:34
Logon hours allowed          Monday 06:00 - 18:00
                             Tuesday 06:00 - 18:00
                             Wednesday 06:00 - 18:00
                             Thursday 06:00 - 18:00
                             Friday 06:00 - 18:00
Global Group memberships     *Sales                *Marketing
                             *Accounting           *Domain Users
                             *Personnel
_______________________________________________________________________________________________

NOTE: If you prefer, you can call your own reporting script.

The following environment variables are available to Full_Path_To_YourBat.bat:

actv         Y-account is active, N-not active.
file         The output report path.
Final        Y-all records have been processed, N-process the current record.
First        Y-a switch you can use and set.
lineNN       line01=User name                    Joe
             line02=Full Name                    Joe User
             line03=Comment                      Just a sample
             line04=User's comment
             line05=Country code                 000 (System Default)
             line06=Account active               Yes
             line07=Account expires              Never
             line08=Password last set            02/12/2001 20:27
             line09=Password expires             02/28/2001 19:13
             line10=Password changeable          02/12/2001 20:27
             line11=Password required            Yes
             line12=User may change password     Yes
             line13=Workstations allowed         All
             line14=Logon script                 logon.bat
             line15=User profile                 profile path
             line16=Home directory               home folder path
             line17=Last logon                   02/27/2001 00:32
             line18=Logon hours allowed          All
             +line19=Local Group Memberships      *Users
             +line20=Global Group memberships     *Sales                *Domain Users
max          The number of lines.
NOWDD        The current day.
NOWHH        The current hour.
NOWMM        The current month.
NOWMX        The current minute.
NOWYMD       The current year/month/day.
NOWYMDHM     The current year/month/day/hour/minute.
NOWYY        The current year.
UserAcnt     The current UserName.
XDD07        The account Expires day.
XDD08        The password last set day.
XDD09        The password expires day.
XDD10        The password changeable day.
XDD17        The last logon day.
XHH07        The account Expires hour.
XHH08        The password last set hour.
XHH09        The password expires hour.
XHH10        The password changeable hour.
XHH17        The last logon hour.
XMM07        The account Expires month.
XMM08        The password last set month.
XMM09        The password expires month.
XMM10        The password changeable month.
XMM17        The last logon month.
XMX07        The account Expires minute.
XMX08        The password last set minute.
XMX09        The password expires minute.
XMX10        The password changeable minute.
XMX17        The last logon minute.
XYMD07       The Account Expires year/month/day.
XYMD08       The Password last set year/month/day.
XYMD09       The password expires year/month/day.
XYMD10       The password changeable year/month/day.
XYMD17       The last logon year/month/day.
XYMDHM07     The Account Expires year/month/day/hour/minute.
XYMDHM08     The password last set year/month/day/hour/minute.
XYMDHM09     The password expires year/month/day/hour/minute.
XYMDHM10     The password changeable year/month/day/hour/minute.
XYMDHM17     The last logon year/month/day/hour/minute.
XYY07        The Account Expires year.
XYY08        The password last set year.
XYY09        The password expires year.
XYY10        The password changeable year.
XYY17        The last logon year.

On any lineNN, the data at the beginning of the line can be addressed as %lineNN:~0, and the data in the right-hand column can be addressed as %lineNN:~29,.
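The same fixed-column layout (titles from offset 0, values from offset 29, untitled continuation lines for logon hours and group memberships) can also be parsed outside of batch. The following Python parser is an added example, not one of the JSI scripts; the function names, the finding labels and the sample record (with its placeholder domain EXAMPLE) are constructed for illustration.

```python
VALUE_COL = 29  # NET USER values start at offset 29, as in %lineNN:~29

def parse_net_user(text):
    """Parse one NET USER record into {title: [values]}."""
    record, title = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith(("The request will be", "The command completed")):
            continue
        head, value = line[:VALUE_COL].strip(), line[VALUE_COL:].strip()
        if head:  # a titled line starts a new field
            title = head
            record.setdefault(title, [])
        if title is None or not value:
            continue  # untitled lines otherwise continue the previous field
        if title.lower().endswith("memberships"):
            # Group names may contain spaces, so split on the '*' marker.
            record[title] += [g.strip() for g in value.split("*") if g.strip()]
        else:
            record[title].append(value)
    return record

def findings(record):
    """Flag an active account using the same fields as the page's reports."""
    def first(title):
        return (record.get(title) or [""])[0]
    if first("Account active") != "Yes":
        return []
    checks = [("Password required", "No", "password not required"),
              ("Last logon", "Never", "never logged on")]
    flags = [label for title, bad, label in checks if first(title) == bad]
    if "Domain Admins" in record.get("Global Group memberships", []):
        flags.append("Domain Admins member")
    return flags

def _row(title, value=""):
    # Helper for the constructed sample: pad the title to the value column.
    return f"{title:<{VALUE_COL}}{value}".rstrip()

# Constructed sample record, not real output.
SAMPLE = "\n".join([
    "The request will be processed at a domain controller for domain EXAMPLE.",
    _row("User name", "Test"),
    _row("User's comment"),
    _row("Account active", "Yes"),
    _row("Password required", "No"),
    _row("Last logon", "Never"),
    _row("Logon hours allowed", "Monday 06:00 - 18:00"),
    _row("", "Tuesday 06:00 - 18:00"),
    _row("Global Group memberships", "*Sales                *Domain Admins"),
    _row("", "*Domain Users"),
    "The command completed successfully.",
])
```

Calling findings(parse_net_user(SAMPLE)) returns the three flags for the sample account; an inactive account returns an empty list.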

The JSIDUGet.bat script is responsible for retrieving all the users. For each user, it creates the environment variables and calls Full_Path_To_YourBat.bat. JSIDUGet.bat contains:

@echo off
if NOT {%1}=={} goto begin
:syntax
@echo Syntax: JSIDUGet YourBat.bat File
goto end
:begin
if {%2}=={} goto Syntax
if not exist %1 goto Syntax
setlocal
set yourbat=%1
set file=%2
if exist %file% del /q %file%
REM Build the NOW* date and time variables
for /f "tokens=2,3,4* delims=/ " %%i in ('date /t') do set NOWMM=%%i&set NOWDD=%%j&set NOWYY=%%k
for /f "tokens=1,2 delims=:" %%i in ('time /t') do set NOWHH=%%i&set NOWMX=%%j
set NOWHH=%NOWHH: =0%
set NOWYMD=%NOWYY%%NOWMM%%NOWDD%
set NOWYMDHM=%NOWYMD%%NOWHH%%NOWMX%
set wrk=           #
set blank=%wrk:~0,10%
set Final=N
set First=Y
REM NET USERS lists up to three user names per line, in 25-character columns
for /f "Skip=6 Tokens=*" %%i in ('net users /domain') do call :parse "%%i"
set Final=Y
set /a max=0
set actv=N
call %yourbat%
endlocal
goto end
:parse
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
if "%str%"=="The command completed successfully." goto end
set substr=%str:~0,25%#
set substr=%substr:  =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto end
set /a cnt=0
set UserAcnt=%substr%
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr:  =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto end
set /a cnt=0
set UserAcnt=%substr%
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr:  =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto end
set /a cnt=0
set UserAcnt=%substr%
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto end
:dates
REM "Never" is stored as 12/31/9999 24:00 so that it sorts after any real date
if "%ustr:~29,5%"=="Never" set XMM=12&set XDD=31&set XYY=9999&set XHH=24&set XMX=00&goto datesf
set edt=%ustr:~29,16%
for /f "Tokens=1-5 Delims=/: " %%j in ('@echo %edt%') do set XMM=%%j&set XDD=%%k&set XYY=%%l&set XHH=%%m&set XMX=%%n
:datesf
set XHH=%XHH: =0%
set XYMD=%XYY%%XMM%%XDD%
set XYMDHM=%XYMD%%XHH%%XMX%
set XMM%lne%=%XMM%
set XDD%lne%=%XDD%
set XYY%lne%=%XYY%
set XHH%lne%=%XHH%
set XMX%lne%=%XMX%
set XYMD%lne%=%XYMD%
set XYMDHM%lne%=%XYMDHM%
goto end
:parse1
set /a cnt=%cnt% + 1
set ustr=%1
if %ustr%=="The command completed successfully." goto User
set ustr=%ustr:"=%
set /a wrk=%cnt% + 100
set wrk=%wrk%
set lne=%wrk:~1,2%
set line=%ustr%
if "%lne%" LSS "19" goto parse2
if "%line:~0,1%" EQU "*" set line=%line%
if "%line:~0,8%" EQU "Local Gr" goto parse2
if "%line:~0,8%" EQU "Global G" goto parse2
REM Untitled continuation lines are re-indented to the value column
set line=                             %line%
:parse2
if "%line:~29,1%" EQU "" set line=%line%%blank%&goto parse2
set line%lne%=%line%
if %cnt% EQU 6 set actv=%ustr:~29,1%&goto end
if %cnt% LSS 7 goto end
if %cnt% LSS 11 goto dates
if %cnt% EQU 17 goto dates
goto end
:user
set /a max=%cnt% - 1
call %yourbat%
:end

NOTE: If you want to run JSIDUGet.bat on a domain controller, you must replace the 3 occurrences of "Skip=1 Tokens=*" with "Tokens=*".

The standard reporting script, JSIUser.bat, contains:

@echo off
setlocal
set /a seq=0
for /l %%i in (1,1,%max%) do call :parse1
@echo __________________________________________________________________________________ >> %file%
@echo                                                                                  * >> %file%
endlocal
goto end
:num5
if "%line:~29,3%"=="000" goto end
if "%line:~29,3%"=="(nu" goto end
goto out1
:num6
if "%line:~29,3%"=="Yes" goto end
goto out1
:num7
if "%line:~29,3%"=="Nev" goto end
goto out1
:num8
:num9
:num10
:num11
:num12
if "%line:~29,3%"=="Yes" goto end
goto num7
:num13
if "%line:~29,3%"=="All" goto end
goto out1
:num18
if "%line:~29,3%"=="All" goto end
goto out1
:parse1
set /a seq=%seq% + 1
set /a wrk=%seq% + 100
set wrk=%wrk%
set lne=%wrk:~1,2%
for /f "Tokens=2 Delims==" %%i in ('set line%lne%') do @set line=%%i
goto num%seq%
:num2
goto out
:num3
goto out
:num4
goto out
:num14
goto out
:num15
goto out
:num16
goto out
:num17
goto out
:num19
goto out
:num20
goto out
:num21
goto out
:num22
goto out
:num23
goto out
:num24
goto out
:num25
goto out
:num26
goto out
:num27
goto out
:num28
goto out
:num29
goto out
:num30
goto out
:num31
goto out
:num32
goto out
:num33
goto out
:num34
goto out
:num35
goto out
:num36
:out
if "%line:~29,1%"==" " goto end
:num1
:out1
@echo %line% >> %file%
:end

If you wanted to report the user accounts whose passwords have expired, your Full_Path_To_YourBat.bat would contain:

@echo off
If "%Final%" EQU "Y" goto end
REM Select only active accounts
if "%actv%" EQU "N" goto end
REM Skip accounts whose password has not expired yet ("Never" is stored as year 9999)
If "%NOWYMDHM%" LSS "%XYMDHM09%" goto end
REM If you wish to include the accounts whose password will expire today, use: If "%NOWYMD%" LSS "%XYMD09%" goto end
call jsiduser
:end

To report all expired accounts:

@echo off
If "%Final%" EQU "Y" goto end
REM Skip accounts that have not expired yet ("Never" is stored as year 9999)
If "%NOWYMDHM%" LSS "%XYMDHM07%" goto end
REM If you wish to include the accounts that will expire today, use: If "%NOWYMD%" LSS "%XYMD07%" goto end
call jsiduser
:end

To report all accounts that do not have a logon script configured:

@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
if "%line14:~29,1%" GTR " " goto end
call jsiduser
:end

To report all active accounts that have never logged on:

@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
if not "%line17:~29,5%" EQU "Never" goto end
call jsiduser
:end

To report all active users who are members of the Domain Admins group:

@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
If %max% LSS 19 goto end
set DA=N
for /l %%i in (19,1,%max%) do call :parse %%i
if "%DA%" EQU "N" goto end
call jsiduser
goto end
:parse
if "%DA%" EQU "Y" goto end
set lne=%1
for /f "Tokens=2 Delims==" %%j in ('set line%lne%') do @set line=%%j
if "%line:~29,14%" EQU "*Domain Admins" set DA=Y&goto end
if "%line:~51,14%" EQU "*Domain Admins" set DA=Y
:end

To report all active accounts that have logon hour restrictions on Wednesday:

@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
set Wed=N
for /l %%i in (18,1,%max%) do call :parse %%i
if "%Wed%" EQU "N" goto end
call jsiduser
goto end
:parse
if "%Wed%" EQU "Y" goto end
set lne=%1
for /f "Tokens=2 Delims==" %%j in ('set line%lne%') do @set line=%%j
if "%line:~29,1%" EQU "*" goto end
If "%line:~29,3%" EQU "Wed" set Wed=Y
:end

To report all active users that have workstation restrictions and are allowed to log on to JSI006:

@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
if "%line13:~29,3%" EQU "All" goto end
set Work=N
REM A maximum of 8 workstations and a maximum computer name of 20 and up to 7 commas + 1 for good measure
set worklist=%line13:~29,168%
for /f "Tokens=1-8 Delims=, " %%i in ('@echo %worklist%') do call :parse %%i %%j %%k %%l %%m %%n %%o %%p
if "%Work%" EQU "N" goto end
call jsiduser
goto end
:parse
:loop
if {%1} EQU {} goto end
set workstn=%1
If /i "%workstn:~0,6%" EQU "JSI006" set Work=Y&goto end
shift
goto loop
:end

To report all active accounts that haven't logged on in 30 days:

@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
Call JSIDateM %XYY% %XMM% %XDD% - %NOWYY% %NOWMM% %NOWDD%
If %NDD% GTR -30 goto end
call jsiduser
:end

To generate a sorted report of domain group membership, your Full_Path_To_YourBat.bat would contain:

@echo off
If "%Final%" EQU "Y" goto phase2
if "%First%" EQU "N" goto phase1
set First=N
if exist %TEMP%\sortin.tmp del /q %TEMP%\sortin.tmp
if exist %TEMP%\sortou.tmp del /q %TEMP%\sortou.tmp
:phase1
REM Phase 1: write one "group user" line per global group membership
if "%actv%" EQU "N" goto end
If %max% LSS 19 goto end
set Glob=N
for /l %%i in (19,1,%max%) do call :parse %%i
goto end
:phase2
REM Phase 2: sort the collected lines and print each group name once
sort %TEMP%\sortin.tmp /O %TEMP%\sortou.tmp
del /q %TEMP%\sortin.tmp
set pgrp= #
set blank=                      #
set spac=%blank:~0,20%
for /f "Tokens=*" %%i in (%TEMP%\sortou.tmp) do call :report "%%i"
del /q %TEMP%\sortou.tmp
goto end
:report
set line=%1
set line=%line:"=%
if "%pgrp%" EQU "%line:~0,20%" goto detail
set pgrp=%line:~0,20%
@echo __________________________________________ >>%File%
@echo                                          * >>%File%
@echo %line%>>%File%
goto end
:detail
set data=%line:~20,99%
@echo %spac%%data%>>%File%
goto end
:parse
set lne=%1
for /f "Tokens=2 Delims==" %%j in ('set line%lne%') do @set line=%%j
if "%line:~0,6%" EQU "Global" set Glob=Y
If "%Glob%" EQU "N" goto end
if not "%line:~29,1%" EQU "*" goto end
set grp=%line:~30,20%                          #
set group=%grp:~0,25%
@echo %group% %UserAcnt% >>%TEMP%\sortin.tmp
if not "%line:~51,1%" EQU "*" goto end
set grp=%line:~52,20%                          #
set group=%grp:~0,25%
@echo %group% %UserAcnt% >>%TEMP%\sortin.tmp
:end

The sorted report would look like:

__________________________________________
                                         *
Domain Admins             Administrator
                          Jerry
__________________________________________
                                         *
Domain Users              Administrator
                          Jennifer
                          Jerry
                          test
__________________________________________
                                         *
Enterprise Admins         Administrator
                          Jerry
__________________________________________
                                         *
Group Policy Creator      Administrator
__________________________________________
                                         *
Installers                Jerry
__________________________________________
                                         *
Schema Admins             Administrator
                          Jerry

NOTE: Other general routines include:

tip 0863 Time Math.

tip 0721 General purpose date math routine.



