list active and inactive AD accounts.

Posted on 2014-09-22
Medium Priority
Last Modified: 2014-10-08
I need to read a text file which contains a list of Windows login IDs (AD accounts) which I need to determine which ones are active and which one are expired or disabled.  

Please advise the best way of doing it.

Our domain controller is running Windows 2012.

Thanks in advance.
Question by:nav2567
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
LVL 16

Expert Comment

ID: 40337711

Basically, most search-adaccount commands look like

search-adaccount -usersonly option [-searchbase…]
I know what you're thinking: Those are just the basics of the command? Isn't that a case of a carpal tunnel syndrome in the making? Well, you can make it a bit better. The -usersonly parameter is the only one that starts with u, so you need never write -usersonly again (unless you're getting paid by the hour)—the u will suffice. And before you ask, there isn't a short name (or alias, in PowerShell talk) for search-adaccount. For some reason, the AD folks who wrote the AD cmdlets didn't create any. There’s also a -computersonly parameter available that reports only on troubled machine accounts in AD, and you can shorten it to -co, as there's also a -credential parameter for search-adaccount.

With that out of the way, I can quickly cover search-adaccount's seven capabilities.

Disabled accounts. Add the -accountdisabled (shorten it to -accountd) parameter to, not surprisingly, see your domain's disabled accounts, as in

search-adaccount -u -accountd
You've met the -searchbase (or -searchb) parameter that lets you restrict the get-adusers command to only do its query in a part of AD, and you can use it in search-adaccount as well, so to look for disabled user accounts in an OU called Pungo, you could type

search-adaccount -u -accountd -searchb "ou=pungo,dc=bigfirm,dc=com"
Locked-out accounts. Search-adaccount's -lockedout parameter (which you can shorten to simply -l) essentially works identically to the -accountdisabled parameter. To create a table of the locked-out accounts and the last time that they logged on, you could type

search-adaccount -u -l | ft name,lastlogondate -auto
(Recall that ft is an alias for format-table.) You could even jazz it up a bit and sort the table by the last time the locked-out users were successful at logging on, and then give that to format-table:

search-adaccount -u -l | sort -pr lastlogondate | ft name,lastlogondate
The -searchbase option works with -lockedout as well.

Inactive accounts. As I've explained in previous columns, the -accountinactive parameter lets you find people who haven’t logged on since a given day (using the -DateTime parameter) or a certain number of days (using the -TimeSpan parameter). The -searchbase parameter works, and you can shorten -accountinactive to -accounti. To see the people who haven't logged on in the past 50 days, type

search-adaccount -u -accounti -timespan "50"
or, pursuing our neverending quest for the shortest commands,

search-adaccount -u -accounti -t "50"
Note that you absolutely must put the 50 in quotes; otherwise, search-adaccount will show you everyone who hasn't logged on in the past 15 or so days. (The command ignores numbers not in quotes, and you get no error message, and an absence of parameters means "in the past 15 days.") You can use the -DateTime parameter (which shortens to -da) to ask who hasn't logged on since a particular date, although recall from a previous column that search-adaccount builds in a 15-day grace period in recognition of an AD quirk about keeping "last logon time" information for a user account. Thus, the command

search-adaccount -u -accounti -da "29 oct 2011"
would intend to show you just the user accounts that last logged on before October 29, 2011, as well as those who've never logged on. Because of the built-in 15-day "slop," however, in reality you’ll see accounts whose last logon date was around mid-October. Notice that, like -TimeSpan, -DateTime requires that its date be surrounded by quotes.

Accounts whose passwords have expired. Here’s another nice simple one, employing the -passwordexpired parameter, which shortens only to -passworde. I wish I could tell you that you could add -datetime or -timespan to find accounts whose passwords are nearly expired, but the cmdlet doesn't do that, unfortunately. (Apparently, someone on the AD team agreed that it should be in the cmdlet as well, as a nonexistent parameter called -passwordexpiring is referred to in search-adaccount's Help.)

Expired or soon-to-be-expired accounts. The -accountexpired and -accountexpiring parameters do the job here. Same story: -searchbase works for both, -datetime and -timespan work for -accountexpiring. It’s a nice tool for cleaning up the long-unused accounts.

Search-adaccount is a terrific way to find troubled or suspicious accounts, and in tandem with get-aduser can help solve many AD-cleanup problems. But it doesn't do the whole job, and that's why we'll meet some more cmdlets next month.

Expert Comment

ID: 40337901
If you'd like to be able to do this from different computers other than the server (ie. logging in locally or remoting in to the server) install Quest Powershell Snappin to the system you would like to be able to this from.

Accepted Solution

great_gentle_man earned 2000 total points
ID: 40343677

you may also like to have look at this one, it had been a great help to me,


"Retrieving Information from Active Directory with Dsquery and Dsget"

Featured Post

10 Questions to Ask when Buying Backup Software

Choosing the right backup solution for your organization can be a daunting task. To make the selection process easier, ask solution providers these 10 key questions.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this post we will be converting StringData saved within a text file into a hash table. This can be further used in a PowerShell script for replacing settings that are dynamic in nature from environment to environment.
How to deal with a specific error when using the Enable-RemoteMailbox cmdlet to create a mailbox in the cloud-based service, for an existing user in an on-premises Active Directory.
In this Micro Tutorial viewers will learn how to use Boot Corrector from Paragon Rescue Kit Free to identify and fix the boot problems of Windows 7/8/2012R2 etc. As an example is used Windows 2012R2 which lost its active partition flag (often happen…
There are cases when e.g. an IT administrator wants to have full access and view into selected mailboxes on Exchange server, directly from his own email account in Outlook or Outlook Web Access. This proves useful when for example administrator want…

719 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question