Reporting on Smart Card Logon in Active Directory

Yesterday, the higher-ups needed a report of all users in Active Directory whose accounts required Smart Cards to log into the Domain (and those that did not). Most things I have needed to retrieve out of Active Directory have been quick to find and usually obvious, but this particular information was a bit more elusive. Any AD guru would certainly know exactly where to look, but alas, I did not. As I looked around Google and on all the properties on the User object in AD, nothing obvious came up – then I stumbled across this KB article: kb305144.

The Smart Card Required for Interactive Logon check box located in the property pane for a User in Active Directory Users and Computers mmc snap-in is stored as a bit field in the UserAccountControl property of the User object in Active Directory. Once I saw it was a bit field and I had all the possible values, the rest is simple.

Here the quick and dirty code I wrote to run the report:
<br />using System.DirectoryServices;<br /><br />namespace AdSmartCardReport<br />{<br /> public class AdUtility<br /> {<br /> // This retrieves the root entry point for AD for <br /> // current DOMAIN<br /> internal static string ADsDomainName<br /> {<br /> get<br /> {<br /> DirectoryEntry rootEntry = <br /> new DirectoryEntry("LDAP://RootDSE");<br /> return "LDAP://" +<br /> (string)rootEntry.Properties<br /> ["defaultNamingContext"][0];<br /> }<br /> }<br /><br /> public void RunReport()<br /> {<br /> DirectoryEntry _entry = <br /> new DirectoryEntry(AdUtility.ADsDomainName);<br /><br /> _entry.AuthenticationType = <br /> AuthenticationTypes.FastBind |<br /> AuthenticationTypes.ReadonlyServer;<br /><br /> DirectorySearcher searcher = <br /> new DirectorySearcher(_entry);<br /><br /> searcher.SearchScope = SearchScope.Subtree;<br /> searcher.Filter = "(&(objectCategory=person)" +<br /> "(objectClass=user)(!" +<br /> "useraccountcontrol:1.2.840.113556.1.4.803:=2))";<br /> searcher.PropertiesToLoad.Add("UserAccountControl");<br /> searcher.PropertiesToLoad.Add("samAccountName");<br /> searcher.PropertiesToLoad.Add("DisplayName");<br /> searcher.PropertiesToLoad.Add("mail");<br /><br /> try<br /> {<br /> SearchResultCollection results =<br /> searcher.FindAll();<br /> int counter = 0;<br /><br /> foreach (SearchResult result in results)<br /> {<br /> ResultPropertyCollection collection = <br /> result.Properties;<br /><br /> string displayName = <br /> (string)collection["DisplayName"][0];<br /> string email = (string)collection["mail"][0];<br /> string samAccountName = <br /> (string)collection["samAccountName"][0];<br /><br /> UserAccountControl userAccountControl =<br /> (UserAccountControl)collection<br /> ["UserAccountControl"][0];<br /><br /> if ((userAccountControl & <br /> UserAccountControl.SMARTCARD_REQUIRED)<br /> == UserAccountControl.SMARTCARD_REQUIRED)<br /> {<br /> counter++;<br /> }<br /><br /> // Write out to console in csv format<br /> System.Console.Write("\"");<br /> System.Console.Write(displayName);<br /> System.Console.Write("\",\"");<br /> System.Console.Write(email);<br /> System.Console.Write("\",\"");<br /> System.Console.Write(samAccountName);<br /> System.Console.Write("\",\"");<br /> System.Console.Write(userAccountControl);<br /> System.Console.WriteLine("\"");<br /> }<br /><br /> System.Console.WriteLine("There are " + counter +<br /> "users required to use a Smart Card to logon " + <br /> "in the domain.")<br /> );<br /> }<br /> finally<br /> {<br /> if (_entry != null)<br /> {<br /> _entry.Close();<br /> _entry.Dispose();<br /> }<br /> }<br /> }<br /> }<br /><br /> // See: http://support.microsoft.com/kb/305144/ for more<br /> // info on UserAccountControl flag in Active Directory<br /> [Flags()]<br /> public enum UserAccountControl<br /> {<br /> SCRIPT = 0x1,<br /> ACCOUNTDISABLE = 0x2,<br /> HOMEDIR_REQUIRED = 0x8,<br /> LOCKOUT = 0x10,<br /> PASSWD_NOTREQD = 0x20,<br /> PASSWD_CANT_CHANGE = 0x40,<br /> ENCRYPTED_TEXT_PWD_ALLOWED = 0x80,<br /> TEMP_DUPLICATE_ACCOUNT = 0x100,<br /> NORMAL_ACCOUNT = 0x200,<br /> INTERDOMAIN_TRUST_ACCOUNT = 0x800,<br /> WORKSTATION_TRUST_ACCOUNT = 0x1000,<br /> SERVER_TRUST_ACCOUNT = 0x2000,<br /> DONT_EXPIRE_PASSWORD = 0x10000,<br /> MNS_LOGON_ACCOUNT = 0x20000,<br /> SMARTCARD_REQUIRED = 0x40000,<br /> TRUSTED_FOR_DELEGATION = 0x80000,<br /> NOT_DELEGATED = 0x100000,<br /> USE_DES_KEY_ONLY = 0x200000<br /> DONT_REQ_PREAUTH = 0x400000,<br /> PASSWORD_EXPIRED = 0x800000,<br /> TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000<br /> }<br />}<br />
I hope others may find this helpful.

UPDATE: You can also filter the search results using the same UserAccountControl enum.

Let's inspect the following expression:

(&(objectCategory=person)(objectClass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=262144))

decodes to:

Filter on AD Records where (objectCategory = Person) && (objectClass=user) && (UserAccountControl & 0x40000)

The number sequence 1.2.840.113556.1.4.803 tells AD to to a bitwise AND operation on the value in useraccountcontrol and 262144 (0x40000 hex). See kb269181 on how to query Active Directory by using a bitwise filter.

Using a bitwise AND (&) on UserAccountControl and 0x40000 will return true (bit 1) if that bit field is set.

If you found this article helpful: