PowerShell One-Liner for Finding Users with a Home Drive Configured in Active Directory Users and Computers
November 28, 2017
On a recent project, I needed to generate a report of all users who had a Home Drive configured on the Profile tab in Active Directory Users and Computers (ADUC).
Something most IT Pros do not know is that if anything is configured on the Profile tab in ADUC (Figure 1), Group Policy optimization is disabled for that user.
A few years ago, I did not know this either until a very long discussion took place on the NTSysAdmin mailing list. Microsoft describes this in Understand the Effect of Fast Logon Optimization and Fast Startup on Group Policy.
The synopsis is this:
Fast Logon Optimization and Group Policy processing
By default in Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP, the Fast Logon Optimization feature is set for domain and workgroup members. Policy settings apply asynchronously when the computer starts and when the user signs in. As a result, these operating systems do not wait for the network to be fully initialized at startup and sign-in. Existing users are signed in by using cached credentials. This results in shorter sign-in times. Group Policy is applied after the network becomes available.
Fast Logon Optimization is always off during sign-in when a user:
- First signs in to a computer.
- Has a roaming user profile or a home directory for sign-in purposes.
- Has synchronous sign-in scripts.
Bullet points 2 and 3 are what you see in the Profile tab in ADUC. This also applies to all versions of Windows 10.
Bottom line: do not configure any of these items in ADUC; use Group Policy instead. Setting any of these items in ADUC forces the user to use legacy (NT4) logon processes.
The PowerShell you can use to find these users is:
Get-ADUser -Filter 'HomeDrive -ne "$Null"' `
-Property Name,CanonicalName,CN,DisplayName,DistinguishedName,HomeDirectory,`
HomeDrive,SamAccountName,UserPrincipalName | `
export-csv -path (Join-Path $pwd HomeDrive.csv) -encoding ascii -NoTypeInformation
You may not need all those properties. SamAccountName, HomeDirectory, and HomeDrive should be enough for you.
The Get-ADUser cmdlet will automatically add several other properties like Enabled, GivenName, ObjectClass, ObjectGUID, SID, and Surname.
Figure 2 shows the results of running the one-liner and Figure 3 shows the contents of the CSV file.
Once you have the CSV, you can open the CSV in Excel and analyze the data any way you choose.
Now you can clean up all those home drive users and move the home drive setting to a Group Policy and get back your Group Policy logon optimizations.
But what about Profile path and Logon script? Don’t those also disable the optimizations? Yes, they do. A simple adjustment to the one-liner will find users with those settings.
Get-ADUser -Filter 'ProfilePath -ne "$Null"' `
-Property Name,CanonicalName,CN,DisplayName,DistinguishedName,ProfilePath,`
SamAccountName,UserPrincipalName | `
export-csv -path (Join-Path $pwd ProfilePath.csv) -encoding ascii -NoTypeInformation

Get-ADUser -Filter 'ScriptPath -ne "$Null"' `
-Property Name,CanonicalName,CN,DisplayName,DistinguishedName,ScriptPath,`
SamAccountName,UserPrincipalName | `
export-csv -path (Join-Path $pwd ScriptPath.csv) -encoding ascii -NoTypeInformation
Or combine all three searches into one one-liner.
Get-ADUser -Filter {HomeDrive -ne "$Null" -or ProfilePath -ne "$Null" -or ScriptPath -ne "$Null"} `
-Property Name,CanonicalName,CN,DisplayName,DistinguishedName,`
HomeDirectory,HomeDrive,ProfilePath,ScriptPath,SamAccountName,UserPrincipalName | `
export-csv -path (Join-Path $pwd ADUC.csv) -encoding ascii -NoTypeInformation
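As an added example (not part of the original post and not the author's code), the combined search can also record which Profile tab settings each user has, so the report shows what needs to move to Group Policy. The file name ProfileTab.csv and the SettingsToMove column are assumptions chosen for illustration, and UTF8 is used so names with non-ASCII characters survive the export.

```powershell
# Added example, not the author's code. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Profile tab attributes named in the article. Any one of them being set
# turns off Fast Logon Optimization for that user.
$profileTabProps = 'HomeDrive', 'ProfilePath', 'ScriptPath'

# LDAP presence filter: matches users where at least one attribute has a value.
$ldapFilter = '(|(homeDrive=*)(profilePath=*)(scriptPath=*))'

# @() guarantees an array, so an empty result is handled cleanly below.
$report = @(
    Get-ADUser -LDAPFilter $ldapFilter -Properties ($profileTabProps + 'HomeDirectory') |
        ForEach-Object {
            $user = $_
            # Names of the Profile tab settings that are populated for this user.
            $set = $profileTabProps |
                Where-Object { -not [string]::IsNullOrWhiteSpace($user.$_) }

            [pscustomobject]@{
                SamAccountName = $user.SamAccountName
                Enabled        = $user.Enabled
                HomeDrive      = $user.HomeDrive
                HomeDirectory  = $user.HomeDirectory
                ProfilePath    = $user.ProfilePath
                ScriptPath     = $user.ScriptPath
                SettingsToMove = $set -join ';'   # hypothetical column name
            }
        }
)

if ($report.Count -eq 0) {
    Write-Output 'No users have Home Drive, Profile path or Logon script set.'
}
else {
    # ProfileTab.csv is an assumed file name.
    $report | Sort-Object SamAccountName |
        Export-Csv -Path (Join-Path $PWD 'ProfileTab.csv') -Encoding UTF8 -NoTypeInformation

    # Quick summary: how many users have each combination of settings.
    $report | Group-Object SettingsToMove |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}
```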
Hope these one-liners help.
Thanks
Webster
4 Responses to “PowerShell One-Liner for Finding Users with a Home Drive Configured in Active Directory Users and Computers”
May 10, 2020 at 11:51 pm
You just saved my final project for school! Oh my gosh! Thank you!
December 5, 2017 at 1:33 pm
So let me see if I’ve got this straight … I shouldn’t list the home folder in ADUC, because that results in slower logons. And instead I should use folder re-direction in a GP to specify the various parts of the profile (documents, desktop, etc), and drive mappings in a GP to assign it a drive letter?
We list the home folder in ADUC, and assign it as drive Z:, for consistency. We also do folder re-direction via GP. You’re saying doing all this via GP only speeds up logon speeds? And just leave the home folder section alone and blank?
December 5, 2017 at 2:28 pm
I am talking only about setting the user’s home drive via GPO.
Computer Configuration/Administrative Templates/System/User Profiles/Set user home folder.
I would rather make a change to one GPO setting than try to change any user setting in ADUC.
Webster
December 5, 2017 at 6:48 am
Hi Carl,
thank you for your post!
A small improvement would be to set encoding to UTF8, ascii doesn’t know üöäß etc.