Custom Report Showing UserAccountControl Extended Attribute

Would like a report that shows the value for the UserAccountControl attribute for User accounts in Active Directory.  

Would really only need the username, dn, and the field.

  • Good Day

    Thank you for your request and providing the link.

    Please answer a few questions for us.- 

    What version of Enterprise Reporter are you using? 

    Of the User attributes on the linked page, within your request- which are you specifically looking to include in the report?

    Have you had a look at the Active Directory, Domain Users report to see if it may fit your needs or have the fields you are looking for?

    Thank you


  • Version 3.2.1 

    The linked page has all the possible values for the UserAccountControl Attribute

    I have looked in Active Directory, Domain Users, and did not find the field. It lists URL, then User Privilege level, it does not show UserAccountControl

  • To expand a bit on Tracey's comments...

    I'm not sure what specific flags you are after from the many bits in User Account Control (per the link you provided) or if you really just want the whole raw value. 

    Regardless, I would point out that a good number of the bits within UAC are available in Reporter in "translated" form as Boolean fields.

    Just two examples are:

    Password Never Expires
    Cannot Change Password

    For example, if you want to find users who have "Password Never Expires" set, just add this field to a report (it's part of the "Domain Users" report by default) and filter on "Password Never Expires" = True.

    By using these translated fields, it saves you the need to do bitwise arithmetic on the raw version of UAC (unless of course you are looking for a flag that is not part of the Reporter-translated ones).

  • Password Never Expires is already covered by the report:  Users With Password Set to Never Expire found under Report Library -> Active Directory -> Health Check -> Password Set to Never Expire

    Cannot Change Password is covered by the report in the same place named: Users With Password Set to Never Expire under Report Library -> Active Directory -> Health Check -> User Cannot Change Password

    We are trying to get a report of any user account that is not 0x0200 

  • We will investigate the report and get back to you soon.

    Thank you


  • Good day Stephen

    I have included the link to the zip file containing the report as well as the directions of what will need to be done prior to the report being run. Please let me know if this works for you or you have any questions.