Posted on September 6, 2017 · Posted in Active Directory, Powershell

How to Find Blocked, Disabled or Inactive Objects in AD Using Search-ADAccount

A common task for an Active Directory administrator is to build a list of disabled or inactive user and computer accounts, or a list of accounts with expired passwords. You can do this either with saved LDAP queries in the ADUC console or with the familiar PowerShell cmdlets Get-ADUser, Get-ADObject and Get-ADComputer, but writing the right filters for those cmdlets can be tricky. Fortunately, PowerShell has a cmdlet made for exactly these Active Directory tasks: Search-ADAccount. Let’s see how to use Search-ADAccount for the typical cases.

To use Search-ADAccount, you need PowerShell 3.0 or higher and the Remote Server Administration Tools (RSAT) with the Active Directory Module for Windows PowerShell enabled (Control Panel -> Programs -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools).

[Screenshot: RSAT on Windows 10, enabling the Active Directory Module for Windows PowerShell]

This component can also be enabled using this command:

Add-WindowsFeature RSAT-AD-PowerShell

Start the PowerShell console and import the Active Directory module for PowerShell:

Import-Module ActiveDirectory

Here is the list of the most important parameters of the Search-ADAccount cmdlet:

-AccountDisabled
    Search for disabled accounts.

-AccountExpired
    Search for expired accounts.

-AccountExpiring [-DateTime DateTime] [-TimeSpan TimeSpan]
    Search for accounts that will expire within a certain period of time (-TimeSpan) or by a specific date (-DateTime).

-AccountInactive [-DateTime DateTime] [-TimeSpan TimeSpan]
    Search for accounts that have not logged on to the domain since a certain date (-DateTime) or during a certain period of time (-TimeSpan).

-LockedOut
    Search for accounts locked out by the account lockout policy.

-PasswordExpired
    Search for accounts whose password has expired.

-PasswordNeverExpires
    Search for accounts with the PasswordNeverExpires flag set.

Note. By default Search-ADAccount returns both user and computer accounts. To search only users or only computers, add one of the following switches: -UsersOnly or -ComputersOnly.

For example, let’s display the list of disabled accounts in the whole domain:

Search-ADAccount -UsersOnly -AccountDisabled

You can limit the search scope to a specific Active Directory container (OU):

Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=Admins,OU=Accounts,DC=woshub,DC=com"

[Screenshot: listing disabled accounts in AD using Search-ADAccount]

The same data can be presented in a more convenient table using this command:

Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=Admins,OU=Accounts,DC=woshub,DC=com" | Format-Table -AutoSize

Or, if you need a list of disabled users with selected attributes, displayed in a sortable grid view window, run the following:

Search-ADAccount -UsersOnly -AccountDisabled | Sort-Object LastLogonDate | Select-Object Name,LastLogonDate,DistinguishedName | Out-GridView -Title "Disabled Users"

[Screenshot: Search-ADAccount results in Out-GridView]

The list of locked-out user accounts:

Search-ADAccount -UsersOnly -LockedOut

The list of user accounts that have not logged on in the last 60 days:

$timespan = New-TimeSpan -Days 60
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan

To count these accounts:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Measure-Object

The list of computers that have not logged on to the domain in the last 90 days (note that -TimeSpan expects a TimeSpan value; a bare integer such as 90 is interpreted as 90 ticks, not 90 days, so write it as days.hours:minutes:seconds):

Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 90.00:00:00

Or since a certain date:

Search-ADAccount -AccountInactive -ComputersOnly -DateTime '1/1/2017' | Select-Object Name,LastLogonDate | Format-Table

[Screenshot: Search-ADAccount listing inactive computers in the domain]

To export the data to CSV, use this command:

Search-ADAccount -AccountDisabled -UsersOnly | Export-Csv "c:\ps\disabled_users.csv" -NoTypeInformation
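The inactive-account and CSV-export steps above can be combined into a small stale-account audit. The script below is an added example, not code from the original article: it lists user accounts that are still enabled but have not logged on for 90 days, flags those whose password never expires, and exports the result. The OU path and the output file are placeholders to adjust for your domain.

```powershell
# Added example: audit enabled but inactive user accounts.
# Assumes the RSAT ActiveDirectory module is installed.
Import-Module ActiveDirectory

$InactiveDays = 90
$SearchBase   = "OU=Accounts,DC=woshub,DC=com"    # placeholder OU
$ReportPath   = "C:\ps\stale_enabled_users.csv"  # placeholder output file

# Build the TimeSpan explicitly: a bare integer passed to -TimeSpan
# is treated as ticks, not days.
$Since = New-TimeSpan -Days $InactiveDays

# Accounts that have not logged on within the window, keeping only the
# ones that are still enabled (disabled accounts are not a login risk).
# LastLogonDate comes from the replicated lastLogonTimestamp attribute,
# which can lag the real last logon by up to 14 days, so treat it as
# approximate. Accounts that never logged on have a null LastLogonDate.
$Stale = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $Since -SearchBase $SearchBase |
    Where-Object { $_.Enabled }

$Report = foreach ($acct in $Stale) {
    # Search-ADAccount does not return PasswordLastSet or Description;
    # fetch them with Get-ADUser.
    $u = Get-ADUser -Identity $acct.DistinguishedName -Properties PasswordLastSet, Description

    $days = $null
    if ($acct.LastLogonDate) {
        $days = [int](New-TimeSpan -Start $acct.LastLogonDate -End (Get-Date)).TotalDays
    }

    [pscustomobject]@{
        Name                 = $acct.Name
        SamAccountName       = $acct.SamAccountName
        LastLogonDate        = $acct.LastLogonDate
        DaysSinceLogon       = $days
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = [bool]$acct.PasswordNeverExpires
        Description          = $u.Description
        DistinguishedName    = $acct.DistinguishedName
    }
}

# Full report to CSV; the never-expiring subset to the console for review.
$Report | Sort-Object DaysSinceLogon -Descending |
    Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
$Report | Where-Object PasswordNeverExpires |
    Format-Table Name, LastLogonDate, PasswordLastSet -AutoSize
```

Accounts that appear in the console output combine two findings from this article (inactive and PasswordNeverExpires), so they are the first candidates to review and disable.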
