GET-ADUser, enabled and disabled users..AND NULL users...

I'm trying to grab an AD listing, with the enabled/disabled status for all AD users (with some minor exceptions).

Of 4,000 users, more than 140 show the Enabled/Disabled status as NULL.

The PowerShell command; even targeting a different DC, the result is the same:

Get-ADUser -server srv-dtc-018 -Filter 'samaccountname -ne "administrator" -and samaccountname -ne "krbtgt" -and samaccountname -like "*" -and samaccountname -notlike "svc-*" -and samaccountname -notlike "*-adm"' -properties samaccountname,enabled,name | ft samaccountname,enabled,name -A

The other Get-ADUser command, using Select-Object, shows the same problem:

Get-ADUser -server srv-dtc-018 -Filter 'samaccountname -ne "administrator" -and samaccountname -ne "krbtgt" -and samaccountname -like "*" -and samaccountname -notlike "svc-*" -and samaccountname -notlike "*-adm"' -properties samaccountname,enabled | Select-Object -Property samaccountname,enabled 

I noticed that most of the NULL users are DISABLED users, but Get-ADUser can't detect that the user was disabled?

EXAMPLE OF THE OUTPUT:

samaccountname enabled

lcaldas False
aaheleno
ABARBOZA
acaraujo
ACOMERIO
acronis
ALARIBEIRO
fcarneiro False
shipolito True
acgois True
voliveira True

...

September 11th, 2015 9:57am

Get-Aduser -Filter * -Properties *|select name,SamAccountName,whenCreated,DisplayName,PasswordExpired,Enabled,PasswordLastSet,LastLogonDate,DistinguishedName|export-csv C:\output.csv

I have given the above command, where Enabled = True means the account is enabled and Enabled = False means the account is disabled.
September 11th, 2015 10:09am

Things are getting worse; I found a DC where the results are different AND your example shows other (different) users as "NULL", very weird.

Get-Aduser -Filter * -Properties * | select SamAccountName,Enabled | Export-Csv -Path c:\temp\lista6.txt -NoTypeInformation

September 11th, 2015 10:35am

Hi,

Which DC are you running on? If it is the PDC, it is better to run from there. Also, if you are not getting the correct result, it might be the case that you have an issue with AD replication; check by running the commands below.

REPADMIN /SHOWREPL

REPADMIN /REPLSUM /ERRORSONLY  

September 11th, 2015 11:20am

This is the second time someone has recently reported that Get-ADUser retrieved nothing for the Enabled property for some users. As I noted in this thread:

https://social.technet.microsoft.com/Forums/en-US/f9b86610-7dbb-49ed-90a0-1b319ac07241/question-on-getaduser-and-properties?forum=winserverpowershell#217e8ffb-ad83-4657-a69d-b718e09d78af

it should not be possible. I quote from that thread:

==== quote ====

The Enabled property exposed by the Get-ADUser cmdlet returns True or False based on the value of the userAccountControl attribute of the user, which is a flag attribute. The value is an integer where each bit represents a different setting. ... The bit mask for ADS_UF_ACCOUNTDISABLE is 2. If (userAccountControl -band 2) is non-zero (True), then the account is disabled and Enabled should be False. If (userAccountControl -band 2) is zero (False), then the account is enabled and Enabled will be True.

....

The system requires that userAccountControl have an integer value. It cannot be missing or null. As such, the binary AND of this value with 2 will always be either True or False. The result cannot be missing or null.

==== end quote ====

Replication should not be a factor here. Even if a DC is not replicating, it may have a different value for userAccountControl, but I don't see how the value could possibly be missing or invalid. So any code behind the Enabled property should only return True or False.

Can you report the value of userAccountControl for users where Enabled is missing? I find no user and no value for userAccountControl that results in Enabled missing. But maybe there is some value I haven't seen where the code behind the PowerShell Enabled property fails. ADUC reports userAccountControl in hexadecimal, PowerShell returns the value in decimal. Get-ADUser will retrieve the value if you list userAccountControl with the -Properties parameter.

September 11th, 2015 12:07pm

The DCs showing diff results:

Destination DSA     largest delta    fails/total %%

 SRV-DTC-018               31m:14s    0 /  10    0
 SRV-DTC-059               26m:42s    0 /  30    0

Really weird; I'm avoiding "rebuilding" the 018 DC because we have "integrated" applications (IDM and others).
September 11th, 2015 12:29pm

Really weird!

The command:

Using a standard user (theoretically, read permission on all objects):

Get-ADUser -server srv-dtc-059 -Filter 'samaccountname -ne "administrator" -and samaccountname -ne "krbtgt" -and samaccountname -like "*" -and samaccountname -notlike "svc-*" -and samaccountname -notlike "*-adm"' -properties samaccountname,enabled,UserAccountControl | select-object  samaccountname,enabled,UserAccountControl | Sort-Object -Property samaccountname | export-csv -path c:\temp\059V1.txt -notypeinformation

154 users WITH EMPTY USERACCOUNTCONTROL!!! (and empty/null status on ENABLED)

But, doing the same command using local DC admin privileges (not domain admins, only local DC admin), all data was returned with no problem.

So I saw several users with different permissions, so I'm trying to figure out if demoting and promoting the DC could solve the problem.

150 users are returning other values, besides 512/514:

66050 Disabled, Password Doesn't Expire
66176
546 Disabled, Password Not Required
4194816
66082 Disabled, Password Doesn't Expire & Not Required
66048 Enabled, Password Doesn't Expire
September 11th, 2015 12:59pm
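An added example, not code from this thread, that applies the userAccountControl bit test quoted two posts above to the values listed here, and then runs the same query against two DCs to show side by side which users come back with no userAccountControl at all. It assumes the ActiveDirectory module is loaded and uses the DC names from the thread; the function names and the default filter are mine.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module is
# loaded and that the DC names below (taken from the thread) resolve.

# Bits of the userAccountControl flag attribute (ADS_USER_FLAG_ENUM values).
$UacFlags = [ordered]@{
    SCRIPT                     = 0x0001
    ACCOUNTDISABLE             = 0x0002   # the bit Get-ADUser's Enabled is derived from
    LOCKOUT                    = 0x0010
    PASSWD_NOTREQD             = 0x0020
    PASSWD_CANT_CHANGE         = 0x0040
    ENCRYPTED_TEXT_PWD_ALLOWED = 0x0080
    NORMAL_ACCOUNT             = 0x0200
    DONT_EXPIRE_PASSWORD       = 0x10000
    SMARTCARD_REQUIRED         = 0x40000
    TRUSTED_FOR_DELEGATION     = 0x80000
    NOT_DELEGATED              = 0x100000
    DONT_REQ_PREAUTH           = 0x400000
    PASSWORD_EXPIRED           = 0x800000
}

function ConvertFrom-UserAccountControl {
    # Decodes one userAccountControl value; $null means the attribute was not returned.
    param($Value)
    if ($null -eq $Value) {
        # The directory never stores an empty userAccountControl, so an empty
        # result means the caller was not allowed to read it (or the query failed).
        return [pscustomobject]@{ Enabled = $null; Flags = 'NOT RETURNED (check read permission)' }
    }
    $set = foreach ($name in $UacFlags.Keys) {
        if ($Value -band $UacFlags[$name]) { $name }
    }
    [pscustomobject]@{
        Enabled = -not [bool]($Value -band $UacFlags.ACCOUNTDISABLE)   # same test Enabled uses
        Flags   = ($set -join ', ')
    }
}

# The values reported above, decoded
# (66050 -> ACCOUNTDISABLE, NORMAL_ACCOUNT, DONT_EXPIRE_PASSWORD; Enabled = False).
66050, 66176, 546, 4194816, 66082, 66048 | ForEach-Object {
    $d = ConvertFrom-UserAccountControl $_
    '{0,8}  Enabled={1,-5}  {2}' -f $_, $d.Enabled, $d.Flags
}

function Compare-UacAcrossDCs {
    # Queries each DC with the same filter and returns, per DC, the users for
    # which at least one DC handed back no userAccountControl.
    param(
        [string[]]$Servers = @('srv-dtc-018', 'srv-dtc-059'),
        [string]$Filter = 'samAccountName -notlike "svc-*" -and samAccountName -notlike "*-adm"'
    )
    $rows = foreach ($dc in $Servers) {
        Get-ADUser -Server $dc -Filter $Filter -Properties userAccountControl | ForEach-Object {
            $d = ConvertFrom-UserAccountControl $_.userAccountControl
            [pscustomobject]@{
                SamAccountName = $_.SamAccountName
                Server         = $dc
                UAC            = $_.userAccountControl
                Enabled        = $d.Enabled
                Flags          = $d.Flags
            }
        }
    }
    $rows | Group-Object SamAccountName |
        Where-Object { @($_.Group | Where-Object { $null -eq $_.UAC }).Count -gt 0 } |
        ForEach-Object { $_.Group } |
        Sort-Object SamAccountName, Server
}

# Run as the standard user that sees the NULLs, then again as the DC admin:
# Compare-UacAcrossDCs | Format-Table -AutoSize
```

Running the comparison under both accounts separates the two explanations raised in the thread: a replication difference shows up as different non-empty values on the two DCs, while a read-permission problem shows up as an empty value for the same users regardless of DC, disappearing when the privileged account runs it.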

I tested users with all of the values you gave for userAccountControl, and the Enabled property was fine for all. It sounds like it is a permission problem, where the userAccountControl attribute is protected. I would not demote the DC.

In ADUC view the properties of a problem user, select the "Security" tab, then "Advanced" and look at "Effective permissions". Near the bottom you will see read and write "userAccountControl".

Then on the "Security" tab in "Advanced", select a trustee (user or group) and click "Edit". Again, under "Properties" you will find "userAccountControl". I suspect that your domain account cannot read userAccountControl.

September 11th, 2015 2:46pm
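An added example, not code from this thread, that does from PowerShell what the ADUC Security/Advanced walkthrough above does by hand: it lists the Allow/Deny ReadProperty entries that can govern reading userAccountControl on a user object and diffs them between a user that shows Enabled = NULL and one that does not. It assumes the ActiveDirectory module (for the AD: drive) and takes the two sample user names from the output earlier in the thread; the function name is mine.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory module
# (which provides the AD: drive used by Get-Acl). The user names are the
# NULL/non-NULL users from the output above; adjust to your environment.
Import-Module ActiveDirectory

# ACEs identify userAccountControl by its schemaIDGUID; resolve it from the
# schema instead of hard-coding it.
$schemaNC = (Get-ADRootDSE).schemaNamingContext
$uacAttr  = Get-ADObject -SearchBase $schemaNC -LDAPFilter '(lDAPDisplayName=userAccountControl)' -Properties schemaIDGUID
$uacGuid  = [guid]$uacAttr.schemaIDGUID     # schemaIDGUID comes back as byte[]

function Get-UacReadAces {
    # Lists every ACE on the user object that can affect reading userAccountControl:
    # ReadProperty entries scoped to all properties, to the attribute itself, or to
    # some other object type (for example a property set that may contain it).
    param([Parameter(Mandatory)][string]$SamAccountName)
    $dn  = (Get-ADUser -Identity $SamAccountName).DistinguishedName
    $acl = Get-Acl -Path "AD:\$dn"
    $readProperty = [int][System.DirectoryServices.ActiveDirectoryRights]::ReadProperty
    foreach ($ace in $acl.Access) {
        if (([int]$ace.ActiveDirectoryRights -band $readProperty) -eq 0) { continue }
        $scope = if ($ace.ObjectType -eq [guid]::Empty) { 'all properties' }
                 elseif ($ace.ObjectType -eq $uacGuid)  { 'userAccountControl' }
                 else                                   { "object type $($ace.ObjectType)" }
        [pscustomobject]@{
            User      = $SamAccountName
            Trustee   = $ace.IdentityReference
            Type      = $ace.AccessControlType      # a Deny here overrides any Allow
            Scope     = $scope
            Inherited = $ace.IsInherited            # $false = set directly on this object
        }
    }
}

# Diff the ACEs of a user that shows Enabled = NULL against one that does not.
# An explicit Deny, or a missing Allow, on the NULL user for the trustee your
# query runs as is what the "cannot read userAccountControl" suspicion predicts.
$bad  = Get-UacReadAces -SamAccountName 'aaheleno'
$good = Get-UacReadAces -SamAccountName 'lcaldas'
Compare-Object -ReferenceObject $good -DifferenceObject $bad -Property Trustee, Type, Scope, Inherited |
    Sort-Object SideIndicator, Trustee | Format-Table -AutoSize
```

Entries marked "=>" exist only on the NULL user and "<=" only on the working one; a non-inherited Deny on the NULL side for a group the querying account belongs to is the case to look at first, since it also explains why the DC's local admin (a different trustee) sees the attribute without trouble.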
