Quite an often task of an Active Directory administrator is to make a list of disabled or inactive accounts and computers, or a list of accounts with expired passwords. To do it, you can use either the saved LDAP queries in the ADUC console, or already familiar PowerShell cmdlets, like Get-ADUser, Get-ADObject or Get-ADComputer, however, it may be difficult to create the right filters for these commands. Fortunately, in PowerShell there is a more convenient cmdlet to performing such tasks for Active Directory — Search-ADAccount. Let’s see how to use Search-ADAccount to perform typical tasks.
So in order to use Search-ADAccount, you must have PowerShell 3.0 or higher and Remote Server Administration Toolkit (RSAT) with Active Directory Module for Windows PowerShell enabled (Control Panel -> Programs-> Turn Windows Features on and off-> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools).
This component can also be enabled using this command:
Start the PowerShell console and import Active Directory for PowerShell module:
Here is the list of the most important keys of Search-ADAccount cmdlet
|Search of disabled accounts|
|Search of expired accounts|
|-AccountExpiring [-DateTime DateTime] [-TimeSpan TimeSpan]
|Search of the accounts to be expired in a certain period of time (-TimeSpan) or on a specific date (-DateTime)|
|-AccountInactive [-DateTime DateTime] [-TimeSpan TimeSpan]
|Search of the accounts not registered in the domain since a certain date (-DateTime) or during a certain period of time (-TimeSpan)
|-LockedOut||Search of the accounts locked by the password policy|
|-PasswordExpired||Search of the accounts with the expired passwords|
|Search of the accounts with PasswordNeverExpires attribute enabled|
For example, let’s display the list of disabled accounts in the whole domain:
Search-ADAccount -UsersOnly –AccountDisabled
You can limit the search scope to a specific Active Directory container (OU):
Search-ADAccount -UsersOnly –AccountDisabled –searchbase "OU=Admins,OU=Accounts,DC=woshub,DC=com"
The same data can be presented in a more convenient table using this command:
Search-ADAccount -UsersOnly -AccountDisabled -searchbase "OU=Admins,OU=Accounts,DC=woshub,DC=com"|ft -AutoSize
Or if you need to get the list of the locked users containing certain user attributes and present it as a graphic table to be sorted, run the following:
Search-ADAccount -UsersOnly AccountDisabled |sort LastLogonDate | Select Name,LastLogonDate,DistinguishedName |out-gridview -title "Disabled Users"
The list of locked user accounts:
Search-ADAccount -UsersOnly –LockedOut
The list of user accounts inactive in the last 60 days:
$timespan = New-Timespan –Days 60
Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan
To count these accounts:
Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | Measure
The list of computers not registered in the network for the last 90 days:
Search-ADAccount -AccountInactive –ComputersOnly -TimeSpan 90
Or since a certain date:
Search-ADAccount -AccountInactive -ComputersOnly -DateTime ‘1/1/2017’|Select Name,LastLogonDate| ft
To export the data to CSV, use this command:
Search-ADAccount -AccountDisabled -UsersOnly| Export-Csv "c:\ps\disabled_users.csv"