
List AD User Accounts Excluding Service Accounts


    #11
    Originally posted by suityou01
    I need to get a list of user accounts from Active Directory using C#. This should exclude "Service Accounts". I note from Windows2008R2 + there are now "Managed Service Accounts" which are quasi user accounts masquerading as machines which means they are service level accounts that can be managed at a domain level. Got it? Well I don't want them either. Just flesh and blood users.

    So here's me code

    Code:
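    using (DirectorySearcher ds = new DirectorySearcher(_directoryEntry, "(&(objectClass=user)(objectCategory=person))"))
    {
        try
        {
            ds.PageSize = 1000; // page through results 1000 at a time

            /* core data */
            ds.PropertiesToLoad.Add("sAMAccountName");
            ds.PropertiesToLoad.Add("mail");
            ds.PropertiesToLoad.Add("objectSid");
            ds.PropertiesToLoad.Add("servicePrincipalName");

            // Run the search; dispose the result collection when done
            using (SearchResultCollection results = ds.FindAll())
            {
                foreach (SearchResult result in results) { /* read result.Properties[...] */ }
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            Console.Error.WriteLine("Directory search failed: " + ex.Message);
            throw; // let the caller handle directory errors
        }
    }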
    I thought I'd cracked it when I found a property called servicePrincipalName - described in the MSDN as



    Except that this multivalue property is empty for IUSR and IWAM accounts etc.

    Any takers?

    I will take a powershell example.

    TIA

    Humbly

    The slightly less awesome

    Suity
    Isn't this the sort of job that you'd normally farm out to the office lackey...... oh sorry
    Originally posted by Stevie Wonder Boy
    I can't see any way to do it can you please advise?

    I want my account deleted and all of my information removed, I want to invoke my right to be forgotten.



      #12
      Originally posted by SimonMac
      Isn't this the sort of job that you'd normally farm out to the office lackey...... oh sorry
      Not at all. It's a very important task. So, feel like taking it on for me?
      Knock first as I might be balancing my chakras.



        #13
        Originally posted by suityou01
        Not at all. It's a very important task. So, feel like taking it on for me?
        Well, it's important to your end client. There is not enough cash on the table for it to be important for us yet...
        merely at clientco for the entertainment



          #14
          Originally posted by suityou01


          Quite.

          I did this

          Code:
          (&(objectClass=user)(objectCategory=person)(mail=*))
          in my LDAP filter.

          Since service accounts shouldn't have email addresses I'm hoping I can enforce this as a rule.

          Flame away.
          Are the service accounts associated with departments? I did a similar thing to group all people by department as clientco's HR database is a pile of tulipe*, and it hasn't pulled anything but bona fide users...

          *contains incomplete data

          Comment
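
The filters discussed in this thread (the person/user filter, `servicePrincipalName`, and `(mail=*)`), applied as per-account checks to a constructed sample so that the misses are visible. This is an added example, not code from any poster; `Get-AccountVerdict`, `New-SampleAccount` and the sample accounts are hypothetical.

```powershell
# Added example. Sample accounts below are constructed, not taken from a real directory.
function Get-AccountVerdict {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        $reasons = @()
        # Managed service accounts (standalone and group) carry their own object classes.
        if ($Account.objectClass -match '^msDS-(Group)?ManagedServiceAccount$') {
            $reasons += 'managed service account class'
        }
        # Heuristic from the first post: a populated servicePrincipalName suggests a service.
        if ($Account.servicePrincipalName) { $reasons += 'has servicePrincipalName' }
        # Heuristic from the (mail=*) filter: no mail attribute, so assume not a person.
        if (-not $Account.mail) { $reasons += 'no mail attribute' }

        [pscustomobject]@{
            Name    = $Account.sAMAccountName
            Keep    = ($reasons.Count -eq 0)
            Reasons = $reasons -join '; '
        }
    }
}

# Hypothetical helper that builds one constructed directory entry.
function New-SampleAccount($Name, $Classes, $Mail, $Spn) {
    [pscustomobject]@{ sAMAccountName = $Name; objectClass = $Classes; mail = $Mail; servicePrincipalName = $Spn }
}

$user = 'top', 'person', 'organizationalPerson', 'user'
$msa  = $user + 'computer', 'msDS-ManagedServiceAccount'

$sample = @(
    New-SampleAccount 'jsmith'     $user 'jsmith@example.test' @()   # ordinary user
    New-SampleAccount 'tempworker' $user $null @()                   # person without a mailbox
    New-SampleAccount 'svc_sql'    $user $null @('MSSQLSvc/db01.example.test:1433')
    New-SampleAccount 'IUSR_WEB01' $user $null @()                   # no SPN, as noted in the thread
    New-SampleAccount 'svc_alerts' $user 'alerts@example.test' @()   # service account with a mailbox
    New-SampleAccount 'msa_app$'   $msa  $null @()                   # managed service account
)

$sample | Get-AccountVerdict | Format-Table -AutoSize

# Against a live domain (assumes the ActiveDirectory module is installed):
# Get-ADUser -LDAPFilter '(&(objectClass=user)(objectCategory=person))' `
#     -Properties mail, servicePrincipalName | Get-AccountVerdict
```

In the sample, `tempworker` is dropped and `svc_alerts` is kept, which are the two ways the mail rule can misclassify an account; reviewing the `Reasons` column before trusting the list catches both.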


            #15
            Originally posted by Bacchus
            Are the service accounts associated with departments? I did a similar thing to group all people by department as clientco's HR database is a pile of tulipe*, and it hasn't pulled anything but bona fide users...

            *contains incomplete data
            Another can of worms I suspect. If a user is not listed in the HR database, then they will not have a department and will not be part of the data cut so this introduces yet another point of failure.

            Thanks for the suggestion though, and don't feel bad. The bellend I sit opposite comes out with this sort of tulip all the time.
            Knock first as I might be balancing my chakras.



              #16
              Originally posted by suityou01
              The bellend I sit opposite comes out with this sort of tulip all the time.
              You do understand the concept of a mirror? yes?

              Originally posted by suityou01
              Another can of worms I suspect. If a user is not listed in the HR database, then they will not have a department <blah/>
              Perhaps you should be updating the HR database from the Active Directory too?



                #17
                Originally posted by Bacchus
                You do understand the concept of a mirror? yes?



                Perhaps you should be updating the HR database from the Active Directory too?
                I shall mull over the concept of "mirror" while I have a gnaw on my cuttlefish.

                Good suggestion with just two minor drawbacks.

                1) I would still have to find a way to isolate valid user accounts, so I can update the HR database, to then use as my single source of truth for a list of valid user accounts.

                2) I would still have to find a way to isolate valid user accounts, so I can update the HR database, to then use as my single source of truth for a list of valid user accounts.

                I realise technically this is only one minor drawback, but I thought it was such a good one it was worth mentioning twice.
                Knock first as I might be balancing my chakras.



                  #18
                  Originally posted by suityou01
                  I realise technically this is only one minor drawback, but I thought it was such a good one it was worth mentioning twice.
                  Here's an interesting fact. I know the person who sang the theme tune to RD. She's the daughter of a mate who I spent last weekend drinking with. She's done ok out of it, it wasn't expected to go to a second series so she negotiated a good deal...

                  This might not be "technical", but contractors could learn a lot from contracts like hers...
