Regardless of whether you have a Windows 2000 Active Directory domain or a Windows NT 4.0 domain, the scripts on this page will
allow you to generate various user property reports, even if you have minimal scripting skills.
NOTE: The scripts MUST be run on a Windows 2000 / Windows NT 4.0 member workstation or server.
If you open a CMD prompt and type NET USER UserName /Domain, you would receive output similar to:
The request will be processed at a domain controller for domain <Domain Name>
User name                    Test
Full Name                    Test Tester
Comment                      Test account
User's comment               A comment
Country code                 (null)
Account active               Yes
Account expires              Never
Password last set            02/12/2001 21:34
Password expires             03/13/2001 20:00
Password changeable          02/12/2001 21:34
Password required            Yes
User may change password     Yes
Workstations allowed         JSI005,JSI006,JSI007
Logon script                 logon.bat
User profile                 \\JSI001\Profiles\Jerry
Home directory               \\JSI001\Home\Jerry
Last logon                   02/24/2001 09:34
Logon hours allowed          Monday 06:00 - 18:00
                             Tuesday 06:00 - 18:00
                             Wednesday 06:00 - 18:00
                             Thursday 06:00 - 18:00
                             Friday 06:00 - 18:00
Local Group Memberships      *Users
Global Group memberships     *Sales                *Marketing
                             *Accounting           *Domain Users
                             *Personnel
The command completed successfully.

For any user, the first 18 lines of the display have the same line titles. Since Logon hours allowed, Local Group Memberships, and Global Group memberships can each have a variable number of entries, lines 19 - XX can have variable (or no) titles, but these scripts make it easy to identify the data.
To use the scripts, type:
JSIDUGet Full_Path_To_YourBat.bat File
where Full_Path_To_YourBat.bat can be as simple as:
@echo off
If "%Final%" EQU "Y" goto end
call jsiduser
:end

This would produce a report of every user, displaying the non-default data. The report, written to File, would look similar to:
User name                    Guest
Comment                      Built-in account for guest access to the computer/domain
Account active               No
Password last set            02/25/2001 06:26
Password changeable          02/25/2001 06:26
Password required            No
User may change password     No
Last logon                   Never
Local Group Memberships      *Guests
Global Group memberships     *Domain Guests        *Domain Users
_______________________________________________________________________________________________
*
User name                    Jennifer
Full Name                    Jennifer V. Schulman
Password last set            02/12/2000 21:47
Password changeable          02/12/2000 21:47
Last logon                   02/24/2001 07:14
Global Group memberships     *Domain Users
_______________________________________________________________________________________________
*
User name                    Test
Full Name                    Test Tester
Comment                      Test account
User's comment               A comment
Password last set            02/12/2001 21:34
Password expires             03/13/2001 20:00
Password changeable          02/12/2001 21:34
Workstations allowed         JSI005,JSI006,JSI007
Logon script                 logon.bat
User profile                 \\JSI001\Profiles\Jerry
Home directory               \\JSI001\Home\Jerry
Last logon                   02/24/2001 09:34
Logon hours allowed          Monday 06:00 - 18:00
                             Tuesday 06:00 - 18:00
                             Wednesday 06:00 - 18:00
                             Thursday 06:00 - 18:00
                             Friday 06:00 - 18:00
Global Group memberships     *Sales                *Marketing
                             *Accounting           *Domain Users
                             *Personnel
_______________________________________________________________________________________________

NOTE: If you prefer, you can call your own reporting script.
The following environment variables are available to Full_Path_To_YourBat.bat:
actv      Y-account is active, N-not active.
file      The output report path.
Final     Y-all records have been processed, N-process the current record.
First     Y-a switch you can use and set.
lineNN    line01=User name                    Joe
          line02=Full Name                    Joe User
          line03=Comment                      Just a sample
          line04=User's comment
          line05=Country code                 000 (System Default)
          line06=Account active               Yes
          line07=Account expires              Never
          line08=Password last set            02/12/2001 20:27
          line09=Password expires             02/28/2001 19:13
          line10=Password changeable          02/12/2001 20:27
          line11=Password required            Yes
          line12=User may change password     Yes
          line13=Workstations allowed         All
          line14=Logon script                 logon.bat
          line15=User profile                 profile path
          line16=Home directory               home folder path
          line17=Last logon                   02/27/2001 00:32
          line18=Logon hours allowed          All
         +line19=Local Group Memberships      *Users
         +line20=Global Group memberships     *Sales                *Domain Users
max       The number of lines.
NOWDD     The current day.
NOWHH     The current hour.
NOWMM     The current month.
NOWMX     The current minute.
NOWYMD    The current year/month/day.
NOWYMDHM  The current year/month/day/hour/minute.
NOWYY     The current year.
UserAcnt  The current UserName.
XDD07     The account Expires day.
XDD08     The password last set day.
XDD09     The password expires day.
XDD10     The password changeable day.
XDD17     The last logon day.
XHH07     The account Expires hour.
XHH08     The password last set hour.
XHH09     The password expires hour.
XHH10     The password changeable hour.
XHH17     The last logon hour.
XMM07     The account Expires month.
XMM08     The password last set month.
XMM09     The password expires month.
XMM10     The password changeable month.
XMM17     The last logon month.
XMX07     The account Expires minute.
XMX08     The password last set minute.
XMX09     The password expires minute.
XMX10     The password changeable minute.
XMX17     The last logon minute.
XYMD07    The Account Expires year/month/day.
XYMD08    The Password last set year/month/day.
XYMD09    The password expires year/month/day.
XYMD10    The password changeable year/month/day.
XYMD17    The last logon year/month/day.
XYMDHM07  The Account Expires year/month/day/hour/minute.
XYMDHM08  The password last set year/month/day/hour/minute.
XYMDHM09  The password expires year/month/day/hour/minute.
XYMDHM10  The password changeable year/month/day/hour/minute.
XYMDHM17  The last logon year/month/day/hour/minute.
XYY07     The Account Expires year.
XYY08     The password last set year.
XYY09     The password expires year.
XYY10     The password changeable year.
XYY17     The last logon year.

On any lineNN, the data at the beginning of the line can be addressed as %lineNN:~0,<length>% and the data in the right hand column can be addressed as %lineNN:~29,<length>%.

The JSIDUGet.bat script is responsible for retrieving all the users. For each user, it creates the environment variables and calls Full_Path_To_YourBat.bat. JSIDUGet.bat contains:
@echo off
if NOT {%1}=={} goto begin
:syntax
@echo Syntax: JSIDUGet YourBat.bat File
goto end
:begin
if {%2}=={} goto Syntax
if not exist %1 goto Syntax
setlocal
set yourbat=%1
set file=%2
if exist %file% del /q %file%
REM Current date and time, split into parts that sort as strings
for /f "tokens=2,3,4* delims=/ " %%i in ('date /t') do set NOWMM=%%i&set NOWDD=%%j&set NOWYY=%%k
for /f "tokens=1,2 delims=:" %%i in ('time /t') do set NOWHH=%%i&set NOWMX=%%j
set NOWHH=%NOWHH: =0%
set NOWYMD=%NOWYY%%NOWMM%%NOWDD%
set NOWYMDHM=%NOWYMD%%NOWHH%%NOWMX%
REM wrk is 10 blanks followed by #, so that blank is exactly 10 blanks
set wrk=          #
set blank=%wrk:~0,10%
set Final=N
set First=Y
REM NET USERS prints up to three user names per line, in 25-character columns
for /f "Skip=6 Tokens=*" %%i in ('net users /domain') do call :parse "%%i"
set Final=Y
set /a max=0
set actv=N
call %yourbat%
endlocal
goto end
:parse
set str=#%1#
set str=%str:#"=%
set str=%str:"#=%
if "%str%"=="The command completed successfully." goto end
REM Trim each column: remove pairs of blanks, then a leftover " #", then the # marker
set substr=%str:~0,25%#
set substr=%substr:  =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto end
set /a cnt=0
set UserAcnt=%substr%
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~25,25%#
set substr=%substr:  =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto end
set /a cnt=0
set UserAcnt=%substr%
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
set substr=%str:~50,25%#
set substr=%substr:  =%
set substr=%substr: #=%
set substr=%substr:#=%
if "%substr%"=="" goto end
set /a cnt=0
set UserAcnt=%substr%
for /f "Skip=1 Tokens=*" %%i in ('net user "%substr%" /domain') do call :parse1 "%%i"
goto end
:dates
REM "Never" is stored as 12/31/9999 24:00 so that it compares later than any real date
if "%ustr:~29,5%"=="Never" set XMM=12&set XDD=31&set XYY=9999&set XHH=24&set XMX=00&goto datesf
set edt=%ustr:~29,16%
for /f "Tokens=1-5 Delims=/: " %%j in ('@echo %edt%') do set XMM=%%j&set XDD=%%k&set XYY=%%l&set XHH=%%m&set XMX=%%n
:datesf
set XHH=%XHH: =0%
set XYMD=%XYY%%XMM%%XDD%
set XYMDHM=%XYMD%%XHH%%XMX%
set XMM%lne%=%XMM%
set XDD%lne%=%XDD%
set XYY%lne%=%XYY%
set XHH%lne%=%XHH%
set XMX%lne%=%XMX%
set XYMD%lne%=%XYMD%
set XYMDHM%lne%=%XYMDHM%
goto end
:parse1
set /a cnt=%cnt% + 1
set ustr=%1
if %ustr%=="The command completed successfully." goto User
set ustr=%ustr:"=%
REM lne is the two-digit line number (01, 02, ...)
set /a wrk=%cnt% + 100
set wrk=%wrk%
set lne=%wrk:~1,2%
set line=%ustr%
if "%lne%" LSS "19" goto parse2
if "%line:~0,1%" EQU "*" set line=%line%
if "%line:~0,8%" EQU "Local Gr" goto parse2
if "%line:~0,8%" EQU "Global G" goto parse2
REM A continuation line lost its leading blanks in for /f; put 29 blanks back so the data starts at offset 29
set line=                             %line%
:parse2
if "%line:~29,1%" EQU "" set line=%line%%blank%&goto parse2
set line%lne%=%line%
if %cnt% EQU 6 set actv=%ustr:~29,1%&goto end
if %cnt% LSS 7 goto end
if %cnt% LSS 11 goto dates
if %cnt% EQU 17 goto dates
goto end
:user
set /a max=%cnt% - 1
call %yourbat%
:end

NOTE: If you want to run JSIDUGet.bat on a domain controller, you must replace the 3 occurrences of "Skip=1 Tokens=*" with "Tokens=*".
The standard reporting script, JSIDUser.bat, contains:
@echo off
setlocal
set /a seq=0
for /l %%i in (1,1,%max%) do call :parse1
@echo __________________________________________________________________________________ >> %file%
@echo * >> %file%
endlocal
goto end
REM Each :numNN label handles lineNN and skips it when it holds the default value
:num5
if "%line:~29,3%"=="000" goto end
if "%line:~29,3%"=="(nu" goto end
goto out1
:num6
if "%line:~29,3%"=="Yes" goto end
goto out1
:num7
if "%line:~29,3%"=="Nev" goto end
goto out1
:num8
:num9
:num10
:num11
:num12
if "%line:~29,3%"=="Yes" goto end
goto num7
:num13
if "%line:~29,3%"=="All" goto end
goto out1
:num18
if "%line:~29,3%"=="All" goto end
goto out1
:parse1
set /a seq=%seq% + 1
set /a wrk=%seq% + 100
set wrk=%wrk%
set lne=%wrk:~1,2%
for /f "Tokens=2 Delims==" %%i in ('set line%lne%') do @set line=%%i
goto num%seq%
:num2
goto out
:num3
goto out
:num4
goto out
:num14
goto out
:num15
goto out
:num16
goto out
:num17
goto out
:num19
goto out
:num20
goto out
:num21
goto out
:num22
goto out
:num23
goto out
:num24
goto out
:num25
goto out
:num26
goto out
:num27
goto out
:num28
goto out
:num29
goto out
:num30
goto out
:num31
goto out
:num32
goto out
:num33
goto out
:num34
goto out
:num35
goto out
:num36
:out
REM Skip the line when its right hand column is blank
if "%line:~29,1%"==" " goto end
:num1
:out1
@echo %line% >> %file%
:end
If you wanted to report the user accounts whose passwords have expired, your Full_Path_To_YourBat.bat would contain:
@echo off
If "%Final%" EQU "Y" goto end
REM Select only active accounts
if "%actv%" EQU "N" goto end
REM Skip the account if the current time is still earlier than the password expiry
If "%NOWYMDHM%" LSS "%XYMDHM09%" goto end
REM If you wish to include the accounts whose password will expire today, use: If "%NOWYMD%" LSS "%XYMD09%" goto end
call jsiduser
:end
To report all expired accounts:
@echo off
If "%Final%" EQU "Y" goto end
REM Skip the account if the current time is still earlier than the account expiry
If "%NOWYMDHM%" LSS "%XYMDHM07%" goto end
REM If you wish to include the accounts that will expire today, use: If "%NOWYMD%" LSS "%XYMD07%" goto end
call jsiduser
:end
To report all accounts that do not have a logon script configured:
@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
if "%line14:~29,1%" GTR " " goto end
call jsiduser
:end
To report all active accounts that have never logged on:
@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
if not "%line17:~29,5%" EQU "Never" goto end
call jsiduser
:end
To report all active users who are members of the Domain Admins group:
@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
If %max% LSS 19 goto end
set DA=N
for /l %%i in (19,1,%max%) do call :parse %%i
if "%DA%" EQU "N" goto end
call jsiduser
goto end
:parse
if "%DA%" EQU "Y" goto end
set lne=%1
for /f "Tokens=2 Delims==" %%j in ('set line%lne%') do @set line=%%j
REM Group names are listed two per line, at offsets 29 and 51
if "%line:~29,14%" EQU "*Domain Admins" set DA=Y&goto end
if "%line:~51,14%" EQU "*Domain Admins" set DA=Y
:end
To report all active accounts that have logon hour restrictions on Wednesday:
@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
set Wed=N
for /l %%i in (18,1,%max%) do call :parse %%i
if "%Wed%" EQU "N" goto end
call jsiduser
goto end
:parse
if "%Wed%" EQU "Y" goto end
set lne=%1
for /f "Tokens=2 Delims==" %%j in ('set line%lne%') do @set line=%%j
if "%line:~29,1%" EQU "*" goto end
If "%line:~29,3%" EQU "Wed" set Wed=Y
:end
To report all active users that have workstation restriction who are allowed to log onto JSI006:
@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
if "%line13:~29,3%" EQU "All" goto end
set Work=N
REM A maximum of 8 workstations and a maximum computer name of 20 and up to 7 commas + 1 for good measure
set worklist=%line13:~29,168%
for /f "Tokens=1-8 Delims=, " %%i in ('@echo %worklist%') do call :parse %%i %%j %%k %%l %%m %%n %%o %%p
if "%Work%" EQU "N" goto end
call jsiduser
goto end
:parse
:loop
if {%1} EQU {} goto end
set workstn=%1
If /i "%workstn:~0,6%" EQU "JSI006" set Work=Y&goto end
shift
goto loop
:end
To report all active accounts that haven't logged on in 30 days:
@echo off
If "%Final%" EQU "Y" goto end
if "%actv%" EQU "N" goto end
Call JSIDateM %XYY% %XMM% %XDD% - %NOWYY% %NOWMM% %NOWDD%
If %NDD% GTR -30 goto end
call jsiduser
:end
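As an added example (not part of the original tip), the following Full_Path_To_YourBat.bat audits password-related exceptions: it flags active accounts that do not require a password, whose password never expires, or that have never logged on, and uses the First and Final switches to write a count at the end of the report. The variable names total, flagged and why are introduced here; every other variable comes from the list above.

```batch
@echo off
REM Added example, not part of the original tip.
REM total, flagged and why are names introduced for this example.
If "%Final%" EQU "Y" goto summary
if "%First%" EQU "N" goto check
REM First call: initialise the counters and clear the switch
set First=N
set /a total=0
set /a flagged=0
:check
if "%actv%" EQU "N" goto end
set /a total=%total% + 1
set why=
REM line11 is "Password required"; the value starts at offset 29
if /i "%line11:~29,2%" EQU "No" set why=%why% [password not required]
REM JSIDUGet.bat stores a "Never" date as year 9999
if "%XYY09%" EQU "9999" set why=%why% [password never expires]
REM line17 is "Last logon"
if "%line17:~29,5%" EQU "Never" set why=%why% [never logged on]
if "%why%" EQU "" goto end
set /a flagged=%flagged% + 1
REM Write the reasons, then the standard report for this user
@echo FLAGGED:%why%>>%file%
call jsiduser
goto end
:summary
REM If no user was processed the counters were never set
if "%First%" EQU "Y" goto end
@echo %flagged% of %total% active accounts flagged>>%file%
:end
```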
To generate a sorted report of domain group membership, your Full_Path_To_YourBat.bat would contain:
@echo off
If "%Final%" EQU "Y" goto phase2
if "%First%" EQU "N" goto phase1
set First=N
if exist %TEMP%\sortin.tmp del /q %TEMP%\sortin.tmp
if exist %TEMP%\sortou.tmp del /q %TEMP%\sortou.tmp
:phase1
if "%actv%" EQU "N" goto end
If %max% LSS 19 goto end
set Glob=N
for /l %%i in (19,1,%max%) do call :parse %%i
goto end
:phase2
sort %TEMP%\sortin.tmp /O %TEMP%\sortou.tmp
del /q %TEMP%\sortin.tmp
set pgrp= #
REM blank is 20 blanks followed by #, so that spac is exactly 20 blanks
set blank=                    #
set spac=%blank:~0,20%
for /f "Tokens=*" %%i in (%TEMP%\sortou.tmp) do call :report "%%i"
del /q %TEMP%\sortou.tmp
goto end
:report
set line=%1
set line=%line:"=%
if "%pgrp%" EQU "%line:~0,20%" goto detail
set pgrp=%line:~0,20%
@echo __________________________________________ >>%File%
@echo * >>%File%
@echo %line%>>%File%
goto end
:detail
set data=%line:~20,99%
@echo %spac%%data%>>%File%
goto end
:parse
set lne=%1
for /f "Tokens=2 Delims==" %%j in ('set line%lne%') do @set line=%%j
if "%line:~0,6%" EQU "Global" set Glob=Y
If "%Glob%" EQU "N" goto end
if not "%line:~29,1%" EQU "*" goto end
REM 25 blanks before the # pad the group name, so that group is always 25 characters
set grp=%line:~30,20%                         #
set group=%grp:~0,25%
@echo %group% %UserAcnt% >>%TEMP%\sortin.tmp
if not "%line:~51,1%" EQU "*" goto end
set grp=%line:~52,20%                         #
set group=%grp:~0,25%
@echo %group% %UserAcnt% >>%TEMP%\sortin.tmp
:end

The sorted report would look like:
__________________________________________
*
Domain Admins             Administrator
                          Jerry
__________________________________________
*
Domain Users              Administrator
                          Jennifer
                          Jerry
                          test
__________________________________________
*
Enterprise Admins         Administrator
                          Jerry
__________________________________________
*
Group Policy Creator      Administrator
__________________________________________
*
Installers                Jerry
__________________________________________
*
Schema Admins             Administrator
                          Jerry

NOTE: Other general routines include:
tip 0721 » General purpose date math routine.