Solved

list active and inactive AD accounts.

Posted on 2014-09-22
Last Modified: 2014-10-08
I need to read a text file which contains a list of Windows login IDs (AD accounts), from which I need to determine which ones are active and which ones are expired or disabled.

Please advise the best way of doing it.

Our domain controller is running Windows 2012.

Thanks in advance.
3 Comments
LVL 16

Expert Comment

by:choward16980
ID: 40337711
http://windowsitpro.com/systems-management/search-adaccount-top-bottom

Basically, most search-adaccount commands look like

search-adaccount -usersonly option [-searchbase…]
I know what you're thinking: Those are just the basics of the command? Isn't that a case of a carpal tunnel syndrome in the making? Well, you can make it a bit better. The -usersonly parameter is the only one that starts with u, so you need never write -usersonly again (unless you're getting paid by the hour)—the u will suffice. And before you ask, there isn't a short name (or alias, in PowerShell talk) for search-adaccount. For some reason, the AD folks who wrote the AD cmdlets didn't create any. There’s also a -computersonly parameter available that reports only on troubled machine accounts in AD, and you can shorten it to -co, as there's also a -credential parameter for search-adaccount.

With that out of the way, I can quickly cover search-adaccount's seven capabilities.

Disabled accounts. Add the -accountdisabled (shorten it to -accountd) parameter to, not surprisingly, see your domain's disabled accounts, as in

search-adaccount -u -accountd
You've met the -searchbase (or -searchb) parameter that lets you restrict the get-adusers command to only do its query in a part of AD, and you can use it in search-adaccount as well, so to look for disabled user accounts in an OU called Pungo, you could type

search-adaccount -u -accountd -searchb "ou=pungo,dc=bigfirm,dc=com"
Locked-out accounts. Search-adaccount's -lockedout parameter (which you can shorten to simply -l) essentially works identically to the -accountdisabled parameter. To create a table of the locked-out accounts and the last time that they logged on, you could type

search-adaccount -u -l | ft name,lastlogondate -auto
(Recall that ft is an alias for format-table.) You could even jazz it up a bit and sort the table by the last time the locked-out users were successful at logging on, and then give that to format-table:

search-adaccount -u -l | sort -pr lastlogondate | ft name,lastlogondate
The -searchbase option works with -lockedout as well.

Inactive accounts. As I've explained in previous columns, the -accountinactive parameter lets you find people who haven’t logged on since a given day (using the -DateTime parameter) or a certain number of days (using the -TimeSpan parameter). The -searchbase parameter works, and you can shorten -accountinactive to -accounti. To see the people who haven't logged on in the past 50 days, type

search-adaccount -u -accounti -timespan "50"
or, pursuing our neverending quest for the shortest commands,

search-adaccount -u -accounti -t "50"
Note that you absolutely must put the 50 in quotes; otherwise, search-adaccount will show you everyone who hasn't logged on in the past 15 or so days. (The command ignores numbers not in quotes, and you get no error message, and an absence of parameters means "in the past 15 days.") You can use the -DateTime parameter (which shortens to -da) to ask who hasn't logged on since a particular date, although recall from a previous column that search-adaccount builds in a 15-day grace period in recognition of an AD quirk about keeping "last logon time" information for a user account. Thus, the command

search-adaccount -u -accounti -da "29 oct 2011"
would intend to show you just the user accounts that last logged on before October 29, 2011, as well as those who've never logged on. Because of the built-in 15-day "slop," however, in reality you’ll see accounts whose last logon date was around mid-October. Notice that, like -TimeSpan, -DateTime requires that its date be surrounded by quotes.

Accounts whose passwords have expired. Here’s another nice simple one, employing the -passwordexpired parameter, which shortens only to -passworde. I wish I could tell you that you could add -datetime or -timespan to find accounts whose passwords are nearly expired, but the cmdlet doesn't do that, unfortunately. (Apparently, someone on the AD team agreed that it should be in the cmdlet as well, as a nonexistent parameter called -passwordexpiring is referred to in search-adaccount's Help.)

Expired or soon-to-be-expired accounts. The -accountexpired and -accountexpiring parameters do the job here. Same story: -searchbase works for both, -datetime and -timespan work for -accountexpiring. It’s a nice tool for cleaning up the long-unused accounts.

Search-adaccount is a terrific way to find troubled or suspicious accounts, and in tandem with get-aduser can help solve many AD-cleanup problems. But it doesn't do the whole job, and that's why we'll meet some more cmdlets next month.
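The commands above show how Search-ADAccount finds disabled, locked-out, inactive and expired accounts domain-wide; the question, though, asks for the status of a specific list of login IDs read from a text file. The script below is an added example written for this thread (it is not from the original posters or from the windowsitpro article). It assumes the ActiveDirectory module that ships with Windows Server 2012 (or RSAT on a workstation), a placeholder input file with one sAMAccountName per line, and an inactivity threshold of 90 days; all three are assumptions to adjust.

```powershell
# Added example: classify each login ID in a text file as Active, Disabled,
# Expired, Inactive or NotFound. Not part of the original thread.
# Assumptions: ActiveDirectory module available; input file path is a placeholder;
# 90 days is an arbitrary inactivity threshold, not a value from the thread.
Import-Module ActiveDirectory

$InputFile    = 'C:\temp\logins.txt'          # placeholder: one login ID per line
$ReportFile   = 'C:\temp\account-status.csv'  # placeholder output path
$InactiveDays = 90                            # assumed threshold; tune to your policy

# One domain-wide query for inactive users, stored in a hashtable so the loop
# below does a cheap lookup instead of calling Search-ADAccount per user.
# Note the 15-day grace period the article describes: LastLogonDate comes from
# lastLogonTimestamp, which replicates with a delay of up to about two weeks.
$inactive = @{}
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan ([TimeSpan]::FromDays($InactiveDays)) |
    ForEach-Object { $inactive[$_.SamAccountName] = $true }

$results = Get-Content -Path $InputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -ne '' } |
    ForEach-Object {
        $id = $_
        try {
            # These attributes are not in the default property set, so ask for them.
            $u = Get-ADUser -Identity $id -Properties Enabled, AccountExpirationDate, LastLogonDate, LockedOut, PasswordExpired -ErrorAction Stop
        } catch {
            $u = $null   # typically ADIdentityNotFoundException; report it rather than abort
        }

        if ($null -eq $u) {
            [pscustomobject]@{ LoginId = $id; Status = 'NotFound'; LockedOut = $null; PasswordExpired = $null; LastLogonDate = $null; ExpiresOn = $null }
            return   # inside ForEach-Object, 'return' just moves on to the next ID
        }

        # Order matters: a disabled account stays Disabled even if also expired or stale.
        if (-not $u.Enabled) {
            $status = 'Disabled'
        } elseif ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) {
            $status = 'Expired'      # AccountExpirationDate is $null when the account never expires
        } elseif ($inactive.ContainsKey($u.SamAccountName)) {
            $status = 'Inactive'
        } else {
            $status = 'Active'
        }

        [pscustomobject]@{
            LoginId         = $id
            Status          = $status
            LockedOut       = $u.LockedOut
            PasswordExpired = $u.PasswordExpired
            LastLogonDate   = $u.LastLogonDate
            ExpiresOn       = $u.AccountExpirationDate
        }
    }

$results | Format-Table -AutoSize
$results | Export-Csv -Path $ReportFile -NoTypeInformation
```

Run it from a session with read rights to the domain; the ActiveDirectory module is the supported replacement for the older Quest snap-in on a workstation. Keep the LockedOut and PasswordExpired columns even though the question only asks about enabled, disabled and expired: an enabled account whose password has expired or that is locked out usually belongs in the same cleanup review, and the CSV gives you a record of what the directory reported on that date.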
LVL 1

Expert Comment

by:ExpertNotReally
ID: 40337901
If you'd like to be able to do this from computers other than the server (i.e. logging in locally or remoting in to the server), install the Quest PowerShell snap-in on the system you would like to be able to do this from.
LVL 2

Accepted Solution

by:great_gentle_man (earned 500 total points)
ID: 40343677
hi,

You may also like to have a look at this one; it has been a great help to me:

http://www.pearsonitcertification.com/articles/article.aspx?p=1718489

"Retrieving Information from Active Directory with Dsquery and Dsget"