list active and inactive AD accounts.

Posted on 2014-09-22
Last Modified: 2014-10-08
I need to read a text file which contains a list of Windows login IDs (AD accounts), and I need to determine which ones are active and which ones are expired or disabled.

Please advise the best way of doing it.

Our domain controller is running Windows 2012.

Thanks in advance.
Question by: nav2567
LVL 16

Expert Comment

ID: 40337711

Basically, most search-adaccount commands look like

search-adaccount -usersonly option [-searchbase…]

I know what you're thinking: Those are just the basics of the command? Isn't that a case of a carpal tunnel syndrome in the making? Well, you can make it a bit better. The -usersonly parameter is the only one that starts with u, so you need never write -usersonly again (unless you're getting paid by the hour)—the u will suffice. And before you ask, there isn't a short name (or alias, in PowerShell talk) for search-adaccount. For some reason, the AD folks who wrote the AD cmdlets didn't create any. There’s also a -computersonly parameter available that reports only on troubled machine accounts in AD, and you can shorten it to -co, as there's also a -credential parameter for search-adaccount.

With that out of the way, I can quickly cover search-adaccount's seven capabilities.

Disabled accounts. Add the -accountdisabled (shorten it to -accountd) parameter to, not surprisingly, see your domain's disabled accounts, as in

search-adaccount -u -accountd

You've met the -searchbase (or -searchb) parameter that lets you restrict the get-adusers command to only do its query in a part of AD, and you can use it in search-adaccount as well, so to look for disabled user accounts in an OU called Pungo, you could type

search-adaccount -u -accountd -searchb "ou=pungo,dc=bigfirm,dc=com"

Locked-out accounts. Search-adaccount's -lockedout parameter (which you can shorten to simply -l) essentially works identically to the -accountdisabled parameter. To create a table of the locked-out accounts and the last time that they logged on, you could type

search-adaccount -u -l | ft name,lastlogondate -auto

(Recall that ft is an alias for format-table.) You could even jazz it up a bit and sort the table by the last time the locked-out users were successful at logging on, and then give that to format-table:

search-adaccount -u -l | sort -pr lastlogondate | ft name,lastlogondate

The -searchbase option works with -lockedout as well.

Inactive accounts. As I've explained in previous columns, the -accountinactive parameter lets you find people who haven’t logged on since a given day (using the -DateTime parameter) or a certain number of days (using the -TimeSpan parameter). The -searchbase parameter works, and you can shorten -accountinactive to -accounti. To see the people who haven't logged on in the past 50 days, type

search-adaccount -u -accounti -timespan "50"

or, pursuing our neverending quest for the shortest commands,

search-adaccount -u -accounti -t "50"

Note that you absolutely must put the 50 in quotes; otherwise, search-adaccount will show you everyone who hasn't logged on in the past 15 or so days. (The command ignores numbers not in quotes, and you get no error message, and an absence of parameters means "in the past 15 days.") You can use the -DateTime parameter (which shortens to -da) to ask who hasn't logged on since a particular date, although recall from a previous column that search-adaccount builds in a 15-day grace period in recognition of an AD quirk about keeping "last logon time" information for a user account. Thus, the command

search-adaccount -u -accounti -da "29 oct 2011"

would intend to show you just the user accounts that last logged on before October 29, 2011, as well as those who've never logged on. Because of the built-in 15-day "slop," however, in reality you’ll see accounts whose last logon date was around mid-October. Notice that, like -TimeSpan, -DateTime requires that its date be surrounded by quotes.

Accounts whose passwords have expired. Here’s another nice simple one, employing the -passwordexpired parameter, which shortens only to -passworde. I wish I could tell you that you could add -datetime or -timespan to find accounts whose passwords are nearly expired, but the cmdlet doesn't do that, unfortunately. (Apparently, someone on the AD team agreed that it should be in the cmdlet as well, as a nonexistent parameter called -passwordexpiring is referred to in search-adaccount's Help.)

Expired or soon-to-be-expired accounts. The -accountexpired and -accountexpiring parameters do the job here. Same story: -searchbase works for both, -datetime and -timespan work for -accountexpiring. It’s a nice tool for cleaning up the long-unused accounts.

Search-adaccount is a terrific way to find troubled or suspicious accounts, and in tandem with get-aduser can help solve many AD-cleanup problems. But it doesn't do the whole job, and that's why we'll meet some more cmdlets next month.
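
The column above describes Search-ADAccount's per-category switches; the question, though, starts from a text file of login IDs. The script below is an added example (not from the post or the column) that reads that file and classifies each account with Get-ADUser, applying the same categories (disabled, expired, locked out, password expired, inactive for 50 days) in a fixed precedence order. It assumes the ActiveDirectory (RSAT) module is installed, that the running account can read user objects, and that the input file holds one sAMAccountName per line; both file paths are placeholders.

```powershell
# Added example, not part of the original answer. Requires the ActiveDirectory
# module (RSAT) and read access to user objects in the domain.
Import-Module ActiveDirectory

$inputFile    = 'C:\temp\accounts.txt'        # placeholder: one login ID per line
$outputFile   = 'C:\temp\account-status.csv'  # placeholder: audit-friendly output
$inactiveDays = 50                            # same threshold the column uses
$cutoff       = (Get-Date).AddDays(-$inactiveDays)

$report = Get-Content -Path $inputFile |
    Where-Object { $_.Trim() -ne '' } |
    ForEach-Object {
        $id = $_.Trim()
        try {
            # -Identity accepts a sAMAccountName; LastLogonDate is derived from the
            # replicated lastLogonTimestamp and can lag real logons by up to ~14 days,
            # which is the "slop" the column describes.
            $u = Get-ADUser -Identity $id -ErrorAction Stop `
                   -Properties Enabled, LockedOut, AccountExpirationDate, PasswordExpired, LastLogonDate
        } catch {
            $u = $null
        }

        # One status per account, evaluated in precedence order.
        $status = if (-not $u) { 'NotFound' }
                  elseif (-not $u.Enabled) { 'Disabled' }
                  elseif ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { 'Expired' }
                  elseif ($u.LockedOut) { 'LockedOut' }
                  elseif ($u.PasswordExpired) { 'PasswordExpired' }
                  elseif (-not $u.LastLogonDate -or $u.LastLogonDate -lt $cutoff) { 'Inactive' }
                  else { 'Active' }

        [pscustomobject]@{
            LoginID        = $id
            Status         = $status
            LastLogonDate  = if ($u) { $u.LastLogonDate } else { $null }
            AccountExpires = if ($u) { $u.AccountExpirationDate } else { $null }
        }
    }

$report | Format-Table -AutoSize
$report | Export-Csv -Path $outputFile -NoTypeInformation
```

Accounts the script reports as Inactive but with a recent real logon are worth re-checking directly on each domain controller's unreplicated lastLogon attribute before acting on them.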

Expert Comment

ID: 40337901

If you'd like to be able to do this from computers other than the server (i.e. logging in locally or remoting in to the server), install the Quest PowerShell Snap-in on the system you would like to be able to do this from.

Accepted Solution

great_gentle_man earned 500 total points
ID: 40343677

You may also like to have a look at this one; it had been a great help to me:

"Retrieving Information from Active Directory with Dsquery and Dsget"
