Check whether an AD user account exists with a PowerShell script.
Once I needed to check whether an AD user account exists on the server and is enabled. There are two options to do that.

The first option is to use Get-ADUser. Make sure you have the Active Directory module installed.
More info about the module: http://technet.microsoft.com/en-us/library/ee617195.aspx
How to install and use the Active Directory module: http://blogs.technet.com/b/heyscriptingguy/archive/2011/08/30/install-active-directory-management-service-for-easy-powershell-access.aspx
The following example shows how to use the cmdlet:

    Import-Module ActiveDirectory
    # $profile here is a SharePoint UserProfile object; AccountName is in DOMAIN\user form
    $AccountName = $profile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value
    $SplitUserName = ($AccountName.Split("\")[1])
    $UserName = $SplitUserName
    # The variable must be assigned before it is used inside the filter
    $UserExists = Get-ADUser -Filter {sAMAccountName -eq $UserName}
    if ($UserExists -eq $null)
    {
        Write-Host "User $AccountName does not exist in AD"
    }
    else
    {
        if (!$UserExists.Enabled)
        {
            Write-Host "User $AccountName is disabled"
        }
        else
        {
            Write-Host "AD account $AccountName is ok"
        }
    }
In my case I didn't have the Active Directory module installed on the production server, so I needed to find a second way, since I couldn't use Get-ADUser from the ActiveDirectory module. My opinion is that it is better to install the module, because it has a lot of useful functions that will make your life easier. I didn't have that opportunity, because installing the module would have meant restarting the production server, which I had to avoid, so I went with the second option and wrote a function.
    # Function Check-ADUser takes a user name as a parameter and
    # returns an object with two properties:
    #   Status
    #     "0" if the AD account doesn't exist in Active Directory or was deleted
    #     "1" if the user exists
    #   AccountEnable
    #     "0" if the AD account is disabled
    #     "1" if the AD account is enabled
    # Example:
    #   $UserStatus = (Check-ADUser -Username "testuser1").Status
    #   $UserAccountEnabled = (Check-ADUser -Username "$SplitUserName").AccountEnable
    function Check-ADUser
    {
        Param ($Username)
        # Bind to the default naming context of the current domain
        $ADRoot = [ADSI]''
        $ADSearch = New-Object System.DirectoryServices.DirectorySearcher($ADRoot)
        $SAMAccountName = "$Username"
        # Each sub-filter must be closed before the enclosing AND group is closed
        $ADSearch.Filter = "(&(objectClass=user)(sAMAccountName=$SAMAccountName))"
        $Result = $ADSearch.FindAll()
        $Status = "-1"
        $Enabled = "-1"
        if ($Result.Count -eq 0)
        {
            # No such user on the server
            $Status = "0"
        }
        else
        {
            # User exists on the server
            $Status = "1"
            foreach ($objResult in $Result)
            {
                # Bit 0x2 (ADS_UF_ACCOUNTDISABLE) of userAccountControl marks a disabled account
                $uac = [int]$objResult.Properties["useraccountcontrol"][0]
                if ($uac -band 0x2)
                {
                    # Account disabled
                    $Enabled = "0"
                }
                else
                {
                    # Account enabled
                    $Enabled = "1"
                }
            }
        }
        $Results = New-Object PSObject
        $Results | Add-Member NoteProperty Status $Status
        $Results | Add-Member NoteProperty AccountEnable $Enabled
        Write-Output $Results
    }
Example of how to use the function Check-ADUser:

    $AccountName = $profile[[Microsoft.Office.Server.UserProfiles.PropertyConstants]::AccountName].Value
    $SplitUserName = ($AccountName.Split("\")[1])
    # check once whether the user exists in AD and whether the account is enabled
    $ADUser = Check-ADUser -Username $SplitUserName
    $UserExists = $ADUser.Status
    $UserAccountEnabled = $ADUser.AccountEnable
    if ($UserExists -ne 1)
    {
        # User does not exist in AD
    }
    else
    {
        if ($UserAccountEnabled -eq 0)
        {
            # Account is disabled
        }
        else
        {
            # Account is ok
        }
    }
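One thing the function above does not do is escape the user name before it is interpolated into the LDAP filter, so a name containing characters such as *, (, ) or \ changes the meaning of the query. The following is an added example, not code from the original post: a hardened variant (the names ConvertTo-LdapFilterValue and Test-ADUserHardened are my own) that escapes the value per RFC 4515 and reads the disabled flag from userAccountControl.

```powershell
# Added example (not from the original post). Function names are my own.

function ConvertTo-LdapFilterValue
{
    Param ([string]$Value)
    # RFC 4515: escape the backslash first, then the remaining special characters
    $escaped = $Value.Replace('\', '\5c')
    $escaped = $escaped.Replace('*', '\2a')
    $escaped = $escaped.Replace('(', '\28')
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace([string][char]0, '\00')
    return $escaped
}

function Test-ADUserHardened
{
    Param ([Parameter(Mandatory = $true)][string]$Username)
    $ADS_UF_ACCOUNTDISABLE = 0x2
    $root = [ADSI]''
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
    # Only one object is expected; load just the attribute we need
    $searcher.SizeLimit = 1
    [void]$searcher.PropertiesToLoad.Add("userAccountControl")
    $safeName = ConvertTo-LdapFilterValue -Value $Username
    # objectCategory=person excludes computer accounts, which also have objectClass=user
    $searcher.Filter = "(&(objectClass=user)(objectCategory=person)(sAMAccountName=$safeName))"
    $result = $searcher.FindOne()
    if ($result -eq $null)
    {
        return New-Object PSObject -Property @{ Exists = $false; Enabled = $false }
    }
    $uac = [int]$result.Properties["useraccountcontrol"][0]
    return New-Object PSObject -Property @{
        Exists  = $true
        Enabled = (($uac -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
    }
}

# Usage: a name containing filter metacharacters is now searched literally
# $state = Test-ADUserHardened -Username 'svc*account'
# if (-not $state.Exists) { "no such user" } elseif (-not $state.Enabled) { "disabled" } else { "ok" }
```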
I hope you will find this information helpful.
Have a good day. :)