Finding Users with No Logon Script in Active Directory

Finding users with no logon script, or being alerted in real time when one is created, is an important part of sound Active Directory maintenance. The sooner you know about users in this condition, the more helpdesk calls you can head off. Users created or configured without a logon script may be missing valuable application configuration, may not have access to network drives and printers, and may also miss critical updates and patches. This becomes both a security and a productivity problem.

Find Users with No Logon Script Using PowerShell

When you run the following scripts on a machine with RSAT installed, they will fetch the users in a particular domain that have no logon script assigned.

Method #1

Import-Module ActiveDirectory
# Users (not critical system objects such as built-in accounts) whose scriptPath attribute is empty
Get-ADUser -LDAPFilter "(&(objectCategory=Person)(objectClass=User)(!scriptPath=*)(!isCriticalSystemObject=TRUE))"

This first method uses an LDAP query on the "scriptPath" attribute in Active Directory, which is the attribute behind the "Logon script" field on the Profile tab of a user object.

Method #2

Import-Module ActiveDirectory
# Same result using the PowerShell filter syntax instead of a raw LDAP filter
Get-ADUser -Filter {-not (scriptPath -like "*")}

You might also want to run these commands under a dedicated, least-privileged service account (the "-Credential" parameter on the Get-ADUser command) to keep things more secure. There are several other methods that don't require RSAT (and the "ActiveDirectory" module). These are some convenient techniques to start.
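The following PowerShell function is an added example, not code from the original post or from Web Active Directory. It builds on the LDAP filter shown in Method #1 and goes a little further than the post: it excludes disabled accounts (bitwise match on userAccountControl), accepts a service-account credential via -Credential, can restrict the report to recently created users, and writes the result to CSV. The server name, search base OU and output path are placeholders and must be adjusted for your environment.

```powershell
# Added example (not from the original post): report enabled users that have no
# logon script, optionally under a dedicated service account, and write a CSV.
# Assumptions (not in the original): the DC name, the search-base OU and the
# output path below are placeholders for your own environment.
Import-Module ActiveDirectory

function Get-UsersWithoutLogonScript {
    [CmdletBinding()]
    param(
        [string]$Server     = 'dc01.example.local',             # placeholder DC
        [string]$SearchBase = 'OU=Users,DC=example,DC=local',   # placeholder OU
        [System.Management.Automation.PSCredential]$Credential, # optional service account
        [int]$CreatedWithinDays = 0                             # 0 = no date restriction
    )

    # Same filter as the post's Method #1, plus a bitwise test that excludes
    # accounts with the ACCOUNTDISABLE flag (bit 2) in userAccountControl,
    # so disabled accounts do not clutter the report.
    $ldapFilter = '(&(objectCategory=person)(objectClass=user)(!scriptPath=*)' +
                  '(!isCriticalSystemObject=TRUE)' +
                  '(!userAccountControl:1.2.840.113556.1.4.803:=2))'

    $params = @{
        LDAPFilter = $ldapFilter
        SearchBase = $SearchBase
        Server     = $Server
        Properties = 'scriptPath', 'whenCreated', 'homeDirectory', 'distinguishedName'
    }
    if ($Credential) { $params['Credential'] = $Credential }

    $users = Get-ADUser @params

    # Optional: only users created in the last N days, which is the set most
    # likely to generate helpdesk calls about missing drives and printers.
    if ($CreatedWithinDays -gt 0) {
        $cutoff = (Get-Date).AddDays(-$CreatedWithinDays)
        $users = $users | Where-Object { $_.whenCreated -ge $cutoff }
    }

    $users | Select-Object SamAccountName, Name, whenCreated, homeDirectory, distinguishedName
}

# Usage: prompt for a read-only service account rather than embedding a password
# in the script, then report users created in the last 7 days with no logon script.
$cred   = Get-Credential -Message 'Read-only AD service account'
$report = Get-UsersWithoutLogonScript -Credential $cred -CreatedWithinDays 7
$report | Export-Csv -Path 'C:\Reports\users-no-logon-script.csv' -NoTypeInformation
$report | Format-Table -AutoSize
```

Run with -CreatedWithinDays 0 (the default) to get the full set the post's queries return, minus disabled accounts; scheduling this script with Task Scheduler under the same service account gives a simple periodic report until a monitoring product is in place.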

Web Active Directory’s PeopleAudit

Web Active Directory’s PeopleAudit allows you to run a report like this on demand. Also, you can delegate it safely to others in your organization to run via their web browser. Users can filter and sort the results on the fly, and with a single button press print the results or export to your clipboard, PDF, Excel, or CSV.

Safely and securely specify the service account to use to perform the reporting tasks. Customize the report results and filters without scripting or coding.

Schedule these reports for delivery to you or others in your organization via configurable emails. This is especially important when you want to be notified that users are missing logon scripts without opening a browser to check. You can also employ real-time monitoring to receive an alert if a user gets created without a logon script.

Web Active Directory’s PeopleProvision can ensure that newly provisioned users always have a logon script if you want.