List AD User Accounts Excluding Service Accounts

Visitors can check out the Forum FAQ by clicking this link. You have to register before you can post: click the REGISTER link above to proceed. To start viewing messages, select the forum that you want to visit from the selection below. View our Forum Privacy Policy.
Want to receive the latest contracting news and advice straight to your inbox? Sign up to the ContractorUK newsletter here. Every sign up will also be entered into a draw to WIN £100 Amazon vouchers!

You are not logged in or you do not have permission to access this page. This could be due to one of several reasons:

You are not logged in. If you are already registered, fill in the form below to log in, or follow the "Sign Up" link to register a new account.
You may not have sufficient privileges to access this page. Are you trying to edit someone else's post, access administrative features or some other privileged system?
If you are trying to post, the administrator may have disabled your account, or it may be awaiting activation.

Bacchus replied

20 May 2014, 21:55
Originally posted by suityou01 View Post

I realise technically this is only one minor drawback, but I thought it was such a good one it was worth mentioning twice.

Here's an interesting fact. I know the person who sang the theme tune to RD. She's the daughter of a mate who I spent last weekend drinking with. She's done ok out of it, it wasn't expected to go to a second series so she negotiated a good deal...

This might not be "technical", but contractors could learn a lot from contracts like hers...
Leave a comment:
suityou01 replied

20 May 2014, 21:46
Originally posted by Bacchus View Post

You do understand the concept of a mirror? yes?

Perhaps you should be updating the HR database from the Active Directory too?

I shall mull over the concept of "mirror" while I have a gnaw on my cuttlefish.

Good suggestion with just two minor drawbacks.

1) I would still have to find away to isolate valid user accounts, so I can update the HR database, to then use as my single source of truth for a list of valid user accounts.

2) I would still have to find away to isolate valid user accounts, so I can update the HR database, to then use as my single source of truth for a list of valid user accounts.

I realise technically this is only one minor drawback, but I thought it was such a good one it was worth mentioning twice.
Leave a comment:
Bacchus replied

20 May 2014, 21:38
Originally posted by suityou01 View Post

The bellend I sit opposite comes out with this sort of tulip all the time.

You do understand the concept of a mirror? yes?

Originally posted by suityou01 View Post

Another can of worms I suspect. If a user is not listed in the HR database, then they will not have a department <blah/>

Perhaps you should be updating the HR database from the Active Directory too?
Leave a comment:
suityou01 replied

20 May 2014, 20:53
Originally posted by Bacchus View Post

Are the service accounts associated with departments? I did a similar thing to group all people by department as clientco's HR database is a pile of tulipe*, and it hasn't pulled anything but bone fide users...

*contains incomplete data

Another can of worms I suspect. If a user is not listed in the HR database, then they will not have a department and will not be part of the data cut so this introduces yet another point of failure.

Thanks for the suggestion though, and don't feel bad. The bellend I sit opposite comes out with this sort of tulip all the time.
Leave a comment:
Bacchus replied

20 May 2014, 20:41
Originally posted by suityou01 View Post

Quite.

I did this

Code:

(&(objectClass=user)(objectCategory=person)(mail=*))

in my LDAP filter.

Since service accounts shouldn't have email addresses I'm hoping I can enforce this as a rule.

Flame away.

Are the service accounts associated with departments? I did a similar thing to group all people by department as clientco's HR database is a pile of tulipe*, and it hasn't pulled anything but bone fide users...

*contains incomplete data
Leave a comment:
eek replied

20 May 2014, 20:01
Originally posted by suityou01 View Post

Not at all. It's a very important task. So, feel like taking it on for me?

Well its important to your end client. There is not enough cash on the table for it to be important for us yet...
Leave a comment:
suityou01 replied

20 May 2014, 19:52
Originally posted by SimonMac View Post

Isn't this the sort of job that you'd normally farm out to the office lackey...... oh sorry

Not at all. It's a very important task. So, feel like taking it on for me?
Leave a comment:
SimonMac replied

20 May 2014, 16:51
Originally posted by suityou01 View Post

I need to get a list of user accounts from Active Directory using C#. This should exclude "Service Accounts". I note from Windows2008R2 + there are now "Managed Service Accounts" which are quasi user accounts masquerading as machines which means they are service level accounts that can be managed at a domain level. Got it? Well I don't want them either. Just flesh and blood users.

So here's me code

Code:

using (DirectorySearcher ds = new DirectorySearcher(_directoryEntry, "(&(objectClass=user)(objectCategory=person))")) { try { ds.PageSize = 1000; /*core data*/ ds.PropertiesToLoad.Add("sAMAccountName"); ds.PropertiesToLoad.Add("mail"); ds.PropertiesToLoad.Add("objectSid"); ds.PropertiesToLoad.Add("servicePrincipalName");

I thought I'd cracked it when I found a property called servicePrincipalName - described in the MSDN as

Except that this multivalue propery is emtpy for IUSR and IWAM accounts etc.

Any takers?

I will take a powershell example.

TIA

Humbly

The slightly less awesome

Suity

Isn't this the sort of job that you'd normally farm out to the office lackey...... oh sorry
Leave a comment:
stek replied

16 May 2014, 16:17
dir \Users\*
Leave a comment:
doodab replied

16 May 2014, 16:16
Originally posted by suityou01 View Post

You are not providing an alternative. That's an easy thing to do when criticising.

What about services which send email?

Why not use multiple tests on say address, phone number etc.
Leave a comment:
eek replied

16 May 2014, 16:14
Originally posted by suityou01 View Post

You are not providing an alternative. That's an easy thing to do when criticising.

I'm still waiting for the purchase order. I will however happily highlight problems within your current approach to emphasis why you need me....
Leave a comment:
suityou01 replied

16 May 2014, 15:58
Originally posted by eek View Post

You are making the assumption a user has an email address. That is a brave decision....

You are not providing an alternative. That's an easy thing to do when criticising.
Leave a comment:
eek replied

16 May 2014, 15:46
Originally posted by suityou01 View Post

Quite.

I did this

Code:

(&(objectClass=user)(objectCategory=person)(mail=*))

in my LDAP filter.

Since service accounts shouldn't have email addresses I'm hoping I can enforce this as a rule.

Flame away.

You are making the assumption a user has an email address. That is a brave decision....
Leave a comment:
suityou01 replied

16 May 2014, 15:05
Quite.

I did this

Code:

(&(objectClass=user)(objectCategory=person)(mail=*))

in my LDAP filter.

Since service accounts shouldn't have email addresses I'm hoping I can enforce this as a rule.

Flame away.
Leave a comment:
eek replied

16 May 2014, 14:55
Originally posted by northernladuk View Post

Do you have a project code I can book my time to please.

Surely its can you send me your purchase order, I can start work once its received...
Leave a comment: