Jump to content
Kevin Finnegan

Get Domain User's full name locally despite being removed from AD?

Recommended Posts

Hi all,

I'm currently writing a backup script to automate the process of storing and compressing data for any member leaving the firm I work at. Ideally I would like to pull the user's display name or full name, for instance, a WMI query selecting FullName WHERE Win32_NetworkLoginProfile Name equals "Domain\kefinnegan" would bring back "Kevin Finnegan" or whatever naming convention your company uses.

Although this solution seems ideal as long as you log in as a user with privileged access, it won't work if the domain user you wish to backup has been purged from the Active Directory system entirely as the WMIService seems to query it in some shape or form (thousands of members in our firm, need to trim the fat every now and then). I was wondering if it's possible to query an API, service or possibly even scan registry entries stored on the leaver's machine while logged in as the local administrator (can run the script with privileged domain credentials if needs be) that could give me a domain user's full name, who logged onto this machine, without the use of Active Directory?

Edited by Kevin Finnegan
for clarity

Share this post

Link to post
Share on other sites

Kevin Finnegan, welcome to AutoIt and to the forum!

once a user account is removed from AD, then not only the full name is removed - the entire record is lost. you won't be able to retrieve the email address, office address, or whatever other fields AD have that you use. what you can do is query the event log for login events to determine the account short name ("kefinnegan" in your example), and devise some other way of matching that to the full name. one likely way would involve HR - they can match the short name with a (hopefully not too long) list of recently departed users.

oh, and JohnOne does make a good point - do all that before removal from AD. you can disable the account in AD while you remove it from various systems in your firm, and remove it completely from AD once all other removal steps have been completed.

Share this post

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Similar Content

    • By argumentum
      ..was looking for UserName from SessionID so I put this together
      #include <Debug.au3> ; for _DebugArrayDisplay() ; all you can get from _WTSQuerySessionInformation() Global $i = _WTSQuerySessionInformation(-1, 4) ; current user's SessionId Global $__a_WTS_INFO_CLASS = StringSplit("WTSInitialProgram,WTSApplicationName,WTSWorkingDirectory,WTSOEMId,WTSSessionId,WTSUserName," & _ "WTSWinStationName,WTSDomainName,WTSConnectState,WTSClientBuildNumber,WTSClientName,WTSClientDirectory,WTSClientProductId,WTSClientHardwareId," & _ "WTSClientAddress,WTSClientDisplay,WTSClientProtocolType,WTSIdleTime,WTSLogonTime,WTSIncomingBytes,WTSOutgoingBytes,WTSIncomingFrames," & _ "WTSOutgoingFrames,WTSClientInfo,WTSSessionInfo,WTSSessionInfoEx,WTSConfigInfo,WTSValidationInfo,WTSSessionAddressV4,WTSIsRemoteSession", ",", 2) For $n = 0 To UBound($__a_WTS_INFO_CLASS) -1 ConsoleWrite($n & @TAB & StringLeft($__a_WTS_INFO_CLASS[$n] & ' ________________', 24) & " " & _WTSQuerySessionInformation($i, $n, 1) & @CRLF) Next Global $a = ListUserSessions() _DebugArrayDisplay($a, "ListUserSessions()") Func ListUserSessions() ; mod. of https://www.autoitscript.com/forum/topic/139774-dllcall-and-returned-pointers/?do=findComment&comment=980850 Local $_Self_SessionId = _WTSQuerySessionInformation(-1, 4) ; -1 = current user ; 4 = WTSSessionId Local Enum $e_IsSelf_SessionId, $e_SessionName, $e_UserName, $e_SessionId, $e_StateName, $e_StateInt, $e_ClientName, $e_ClientIp, $e_Domain, $e_UBound Local Const $tagWTS_SESSION_INFO = 'dword SessionId;ptr WinStationName;uint State' Local $aResult = DllCall('wtsapi32.dll', 'int', 'WTSEnumerateSessionsW', 'ptr', 0, 'dword', 0, 'dword', 1, 'ptr*', 0, 'dword*', 0) If @error Or $aResult[0] = 0 Then Return SetError(1, 0, "") ; https://docs.microsoft.com/en-us/windows/desktop/api/wtsapi32/ne-wtsapi32-_wts_connectstate_class Local $aConnectionState = StringSplit("Active,Connected,ConnectQuery,Shadow,Disconnected,Idle,Listen,Reset,Down,Init", ",", 2) Local $tInfo, $Offset = 0, $c = 0, $aReturn[$aResult[5] + 1][$e_UBound] ; $e_UBound is the last enumerator, just to determine the size of the array $aReturn[0][$e_SessionId] = "ID" $aReturn[0][$e_SessionName] = "SessionName" $aReturn[0][$e_StateInt] = "StateInt" $aReturn[0][$e_StateName] = "State" $aReturn[0][$e_UserName] = "UserName" $aReturn[0][$e_ClientName] = "ClientName" $aReturn[0][$e_ClientIp] = "ClientIp" $aReturn[0][$e_Domain] = "Domain" For $i = 1 To $aResult[5] $tInfo = DllStructCreate($tagWTS_SESSION_INFO, $aResult[4] + $Offset) $Offset += DllStructGetSize($tInfo) $c += 1 $aReturn[$c][$e_SessionId] = DllStructGetData($tInfo, 'SessionId') $aReturn[$c][$e_SessionName] = DllStructGetData(DllStructCreate('wchar[1024]', DllStructGetData($tInfo, 'WinStationName')), 1) $aReturn[$c][$e_StateInt] = DllStructGetData($tInfo, 'State') If UBound($aConnectionState) > $aReturn[$c][$e_StateInt] Then $aReturn[$c][$e_StateName] = $aConnectionState[$aReturn[$c][$e_StateInt]] $aReturn[$c][$e_UserName] = _WTSQuerySessionInformation($aReturn[$c][$e_SessionId], 5) ; WTSUserName $aReturn[$c][$e_ClientName] = _WTSQuerySessionInformation($aReturn[$c][$e_SessionId], 10) ; WTSClientName $aReturn[$c][$e_ClientIp] = _WTSQuerySessionInformation($aReturn[$c][$e_SessionId], 14) ; WTSClientAddress $aReturn[$c][$e_Domain] = _WTSQuerySessionInformation($aReturn[$c][$e_SessionId], 7) ; WTSDomainName $aReturn[0][$e_IsSelf_SessionId] = $c If $_Self_SessionId = $aReturn[$c][$e_SessionId] Then $aReturn[$c][$e_IsSelf_SessionId] = 1 Else $aReturn[$c][$e_IsSelf_SessionId] = 0 EndIf Next DllCall('wtsapi32.dll', 'none', 'WTSFreeMemory', 'ptr', $aResult[4]) Return $aReturn EndFunc ;==>ListUserSessions Func _WTSQuerySessionInformation($SessionId, $WTSInfoClass = 10, $iReturnAsIs = 0) ; mod. of https://www.autoitscript.com/forum/topic/134679-get-hostname-of-the-client-connected-to-the-terminalserver-session/ Local $aResult = DllCall("Wtsapi32.dll", "int", "WTSQuerySessionInformation", "Ptr", 0, "int", $SessionId, "int", $WTSInfoClass, "ptr*", 0, "dword*", 0) If @error Or $aResult[0] = 0 Then Return SetError(1, 0, "") Local $ip = DllStructGetData(DllStructCreate("byte[" & $aResult[5] & "]", $aResult[4]), 1) DllCall("Wtsapi32.dll", "int", "WTSFreeMemory", "ptr", $aResult[4]) If $iReturnAsIs Then Return $ip Switch $WTSInfoClass ; https://docs.microsoft.com/en-us/windows/desktop/api/wtsapi32/ns-wtsapi32-_wts_client_address Case 4 ; WTSSessionId Return Int('0x' & StringTrimRight(StringReverse($ip), 3)) Case 14 ; WTSClientAddress If Not (Int(StringLeft($ip, 4)) = 2) Then ; IPv4 $ip = "" Else $ip = Dec(StringMid($ip, 15, 2)) & '.' & Dec(StringMid($ip, 17, 2)) & '.' & Dec(StringMid($ip, 19, 2)) & '.' & Dec(StringMid($ip, 21, 2)) EndIf EndSwitch Return StringReplace(BinaryToString($ip), Chr(0), "") EndFunc ;==>_GetWTSClientName  
    • By Chimp
      Is there an AD way to search if and where (the hostname) an userid is (or on what host was last time) logged?
    • By Dwalfware
      Another head scratched
      Anyone solve how to get the IPV6 from WMI?
      I followed the usual SELECT * FROM Win32_NetworkAdapter WHERE NetConnectionID='" & GUICtrlRead($cboAdapters) & "'
      get the index 
      port it to 
      Local $query = $objWMIService.ExecQuery("SELECT * FROM Win32_NetworkAdapterConfiguration WHERE Index = " & _GetSelectedNIC(), "WQL", 0x30 )
      All i can see is IPv4 addresses
      My question is is there another place the IPv6 information is hiding? I configured my LAN with IPV6 and my wireless with IPv4 so I can see what shows.
      Thanks in Advance.
      PS. I did try google
    • By Dwalfware
      Hi Folks
      Can not get my head around this one.
      This function gets the DNS object s
      If you have two DNS entries fine. but if you have only one! Trouble
      $objItem.DNSServerSearchOrder[0] = Primary DNS
      $objItem.DNSServerSearchOrder[1] = Secondry DNS not always there. I need a way to return 0 if not there or the IP if its there.
      Or is there a way to tell how many objects there are in the "[?]"
      I'm terrible at WMI errors, thanks for help in advance.
      Func _GETcurrentNICinfo2() $oErrors = ObjEvent("AutoIt.Error", "Error_Handle") Local $DnsSecondry Local $objWMIService = ObjGet( "winmgmts:\\" & @ComputerName & "\root\CIMV2" ) Local $query = $objWMIService.ExecQuery("SELECT DNSServerSearchOrder FROM Win32_NetworkAdapterConfiguration WHERE Index = " & _GetSelectedNIC(), "WQL", 0x30 ) If @error Then Return 0 If NOT IsObj($query) Then Return 0 Else For $objItem In $query Return $objItem.DNSServerSearchOrder[1] next Endif EndFunc  
    • By water
      Extensive library to control and manipulate Microsoft Active Directory.

      Threads: Development - General Help & Support - Example Scripts - Wiki
      Previous downloads: 30467
      Known Bugs: (last changed: 2018-12-03)
        Things to come: (last changed: 2018-12-03)
      BTW: If you like this UDF please click the "I like this" button. This tells me where to next put my development effort
  • Create New...