Getting AD Users

I’m trying to get an analysis that pulls AD users by name. The analysis is only relevant to domain controllers which treats all accounts like local accounts.

I found this analysis which successful pulls inactive users from the domain.
(name of it) of users whose ((now - (last logon of it) > 30 * day) and name of it does not contain “$”)

I tried to tweak it and I get back random numbers instead of account name
(name of it) of users whose (name of it contains “Alves”)

That returns a different number every time.

How can I make this work to pull the account name?

What is the use case for this when the RSAT tools will do this perfectly well?

We are a MSP. It’s multiple customers.

Are you truly getting random numbers back, or are you getting back SID strings (“S-1-5-####”)?

It’s an interesting problem…I’d expect a DC’s LocalSystem account to resolve domain accounts but can’t say I’ve actually tried.

And I’m not sure whether the ‘last logon’ property will work as expected. In my days as a Windows admin, a common issue was that each DC kept a separate ‘login time’ for each account, when it authenticated to this domain controller - the value was not replicated. So they added a new attribute, (I think it was lastLoginTimeStamp) that gets replicate, I’m not sure which attribute BigFix queries but I’d expect it to be the “local” version.

Maybe better to run an action to run dsquery to get the list, save output to a file, and pull back the results in an analysis.

It returns random numbers that change every time I run it. The one with last logon returns the account name, but I don’t need the last logon. I’m wondering why when I edit it I can’t get back the account name.