Need help exporting a list of all users...
that have an email address and the account is NOT disabled. I'd also be interested in learning how to filter out service accounts somehow. This is something I now have to do monthly and it's pretty time consuming to manually remove all the disabled accounts and service accounts from the list I get from ADUC.
January 3rd, 2012 5:42pm

If you mean in ADUC, on the "View" menu when you select "Filter Options...", you can use a custom filter. Select "Create Custom", then select "Customize", then click the "Advanced" tab and enter the following LDAP filter for enabled users with an email address (on the "General" tab of ADUC):

(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))

I don't know how to filter out service accounts, offhand. This same LDAP syntax filter can be used with the utility dsquery at a command prompt:

dsquery * -filter "(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))"

Does this help?

Richard Mueller - MVP Directory Services
January 3rd, 2012 6:03pm

I have not implemented Managed Service Accounts, but there might be some attribute that could filter for these. However, I have created domain user service accounts for SQL Server, and I see nothing that could be used to identify them, other than the description I add to make their purpose clear to anyone looking at them. If you modify all of your service accounts in AD to have a specific string in the description, like "service account", you could add a clause to the LDAP syntax filter for this. For example (one line):

(&(objectCategory=person)(objectClass=user)(mail=*)(!userAccountControl:1.2.840.113556.1.4.803:=2)(description=*service account*))

The "&" character is the "AND" operator, the "*" is the wildcard, and "!" is the "NOT" operator. The unusual clause involving userAccountControl filters on objects where the Disabled bit is not set.

Richard Mueller - MVP Directory Services
January 3rd, 2012 6:13pm
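The two replies above rely on three pieces of LDAP filter behaviour that are easy to get wrong when you build the monthly export: the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) that tests the userAccountControl "disabled" bit, the fact that an absent attribute never matches (so objectClass=user is what keeps mail-enabled contacts out), and the difference between selecting service accounts with (description=*service account*) and excluding them with the negated (!(description=*service account*)). The following is an added example, not code from the thread or from Microsoft: a small evaluator for the subset of RFC 4515 filter syntax the replies use, run against constructed in-memory records so it works offline. Attribute values (the short objectCategory name, the sample accounts and descriptions) are constructed for illustration.

```python
"""Evaluate the thread's LDAP filters offline against constructed user records.

Supports the subset of RFC 4515 used in the replies: (&...), (|...), (!...),
presence (attr=*), equality, substring wildcards, and the Active Directory
bitwise-AND matching rule attr:1.2.840.113556.1.4.803:=n.  Nothing here
talks to a real directory; the entries are constructed samples.
"""
import csv
import io
import re

BITWISE_AND_OID = "1.2.840.113556.1.4.803"   # LDAP_MATCHING_RULE_BIT_AND
ACCOUNTDISABLE = 0x2                          # userAccountControl "disabled" bit

# Filter from the first reply, the second reply's clause as written (which
# selects service accounts), and the negated clause that excludes them.
ENABLED_WITH_MAIL = (
    "(&(objectCategory=person)(objectClass=user)(mail=*)"
    "(!userAccountControl:1.2.840.113556.1.4.803:=2))"
)
SERVICE_ONLY = ENABLED_WITH_MAIL[:-1] + "(description=*service account*))"
NO_SERVICE = ENABLED_WITH_MAIL[:-1] + "(!(description=*service account*)))"


def _item(s, i):
    """Parse one attr=value item at s[i]; returns (node, index of closing ')')."""
    end = s.index(")", i)
    attr, value = s[i:end].split("=", 1)
    if ":" in attr:                        # extensible match: attr:OID:=value
        attr, oid, _ = attr.split(":")
        return ("ext", attr, oid, value), end
    if value == "*":
        return ("present", attr), end
    if "*" in value:
        return ("substr", attr, value), end
    return ("eq", attr, value), end


def parse(s, i=0):
    """Recursive-descent parse of a parenthesised filter; returns (node, next index)."""
    assert s[i] == "(", f"expected '(' at offset {i}"
    i += 1
    if s[i] in "&|":
        op, kids, i = s[i], [], i + 1
        while s[i] == "(":
            node, i = parse(s, i)
            kids.append(node)
        node = (op, kids)
    elif s[i] == "!":
        i += 1
        # RFC 4515 wants (!(attr=v)); AD also accepts the thread's (!attr=v) form
        inner, i = parse(s, i) if s[i] == "(" else _item(s, i)
        node = ("!", [inner])
    else:
        node, i = _item(s, i)
    assert s[i] == ")", f"expected ')' at offset {i}"
    return node, i + 1


def _values(entry, attr):
    """Case-insensitive attribute lookup; always a list (AD attributes may be multi-valued)."""
    for k, v in entry.items():
        if k.lower() == attr.lower():
            return v if isinstance(v, list) else [v]
    return []


def matches(node, entry):
    kind = node[0]
    if kind == "&":
        return all(matches(k, entry) for k in node[1])
    if kind == "|":
        return any(matches(k, entry) for k in node[1])
    if kind == "!":
        return not matches(node[1][0], entry)
    values = _values(entry, node[1])
    if not values:                  # an absent attribute never matches
        return False
    if kind == "present":
        return True
    if kind == "eq":
        return any(str(v).lower() == node[2].lower() for v in values)
    if kind == "substr":            # AD string matching is case-insensitive
        pattern = ".*".join(re.escape(p) for p in node[2].split("*"))
        return any(re.fullmatch(pattern, str(v), re.IGNORECASE) for v in values)
    if kind == "ext":               # bitwise AND: every bit in the mask must be set
        assert node[2] == BITWISE_AND_OID, "only the bitwise-AND rule is implemented"
        mask = int(node[3])
        return any((int(v) & mask) == mask for v in values)
    raise ValueError(kind)


USER_CLASSES = ["top", "person", "organizationalPerson", "user"]
USERS = [  # constructed sample entries (objectCategory shortened from its schema DN)
    {"sAMAccountName": "alice", "objectCategory": "person", "objectClass": USER_CLASSES,
     "mail": "alice@example.com", "userAccountControl": 512},
    {"sAMAccountName": "bob", "objectCategory": "person", "objectClass": USER_CLASSES,
     "mail": "bob@example.com", "userAccountControl": 512 | ACCOUNTDISABLE},
    {"sAMAccountName": "carol", "objectCategory": "person", "objectClass": USER_CLASSES,
     "userAccountControl": 512},                      # no mail attribute
    {"sAMAccountName": "svc_sql", "objectCategory": "person", "objectClass": USER_CLASSES,
     "mail": "svc_sql@example.com", "userAccountControl": 512 | 0x10000,
     "description": "SQL Server service account"},    # DONT_EXPIRE_PASSWD set
    {"sAMAccountName": "vendor-contact", "objectCategory": "person",
     "objectClass": ["top", "person", "organizationalPerson", "contact"],
     "mail": "vendor@example.net"},                   # mail-enabled contact, no UAC
]


def select(filter_str, entries):
    """sAMAccountNames of entries matching the filter, in input order."""
    node, end = parse(filter_str)
    assert end == len(filter_str), "trailing characters after filter"
    return [e["sAMAccountName"] for e in entries if matches(node, e)]


def export_csv(filter_str, entries):
    """The monthly export: sAMAccountName and mail of matching entries as CSV text."""
    node, _ = parse(filter_str)
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow(["sAMAccountName", "mail"])
    for e in entries:
        if matches(node, e):
            writer.writerow([e["sAMAccountName"], e["mail"]])
    return out.getvalue()


if __name__ == "__main__":
    print("enabled with mail:", select(ENABLED_WITH_MAIL, USERS))
    print("service accounts :", select(SERVICE_ONLY, USERS))
    print("service excluded :", select(NO_SERVICE, USERS))
    print(export_csv(NO_SERVICE, USERS))
```

Running it shows that the first reply's filter returns alice and svc_sql (bob is disabled, carol has no mail, and the contact fails objectClass=user even though it has mail and, having no userAccountControl at all, would pass the negated bit test on its own). The second reply's clause narrows that to svc_sql only, which is useful for auditing the service accounts themselves; wrapping the same clause in (!...) is what removes them from the user export. The same three filter strings can be pasted unchanged into dsquery or into ADUC's custom filter dialog.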

