list active and inactive AD accounts.

Posted on 2014-09-22
Last Modified: 2014-10-08
I need to read a text file which contains a list of Windows login IDs (AD accounts) and determine which ones are active and which ones are expired or disabled.

Please advise the best way of doing it.

Our domain controller is running Windows 2012.

Thanks in advance.
Question by: nav2567

Expert Comment

ID: 40337711

Basically, most search-adaccount commands look like

search-adaccount -usersonly option [-searchbase…]

I know what you're thinking: Those are just the basics of the command? Isn't that a case of carpal tunnel syndrome in the making? Well, you can make it a bit better. The -usersonly parameter is the only one that starts with u, so you need never write -usersonly again (unless you're getting paid by the hour); the u will suffice. And before you ask, there isn't a short name (or alias, in PowerShell talk) for search-adaccount. For some reason, the AD folks who wrote the AD cmdlets didn't create any. There's also a -computersonly parameter available that reports only on troubled machine accounts in AD, and you can shorten it to -co, as there's also a -credential parameter for search-adaccount.

With that out of the way, I can quickly cover search-adaccount's seven capabilities.

Disabled accounts. Add the -accountdisabled (shorten it to -accountd) parameter to, not surprisingly, see your domain's disabled accounts, as in

search-adaccount -u -accountd

You've met the -searchbase (or -searchb) parameter that lets you restrict the get-aduser command to only do its query in a part of AD, and you can use it in search-adaccount as well, so to look for disabled user accounts in an OU called Pungo, you could type

search-adaccount -u -accountd -searchb "ou=pungo,dc=bigfirm,dc=com"

Locked-out accounts. Search-adaccount's -lockedout parameter (which you can shorten to simply -l) essentially works identically to the -accountdisabled parameter. To create a table of the locked-out accounts and the last time that they logged on, you could type

search-adaccount -u -l | ft name,lastlogondate -auto

(Recall that ft is an alias for format-table.) You could even jazz it up a bit and sort the table by the last time the locked-out users were successful at logging on, and then give that to format-table:

search-adaccount -u -l | sort -pr lastlogondate | ft name,lastlogondate

The -searchbase option works with -lockedout as well.

Inactive accounts. As I've explained in previous columns, the -accountinactive parameter lets you find people who haven't logged on since a given day (using the -DateTime parameter) or for a certain number of days (using the -TimeSpan parameter). The -searchbase parameter works, and you can shorten -accountinactive to -accounti. To see the people who haven't logged on in the past 50 days, type

search-adaccount -u -accounti -timespan "50"

or, pursuing our never-ending quest for the shortest commands,

search-adaccount -u -accounti -t "50"

Note that you absolutely must put the 50 in quotes; otherwise, search-adaccount will show you everyone who hasn't logged on in the past 15 or so days. (The command ignores numbers not in quotes, you get no error message, and an absence of parameters means "in the past 15 days.") You can use the -DateTime parameter (which shortens to -da) to ask who hasn't logged on since a particular date, although recall from a previous column that search-adaccount builds in a 15-day grace period in recognition of an AD quirk about keeping "last logon time" information for a user account. Thus, the command

search-adaccount -u -accounti -da "29 oct 2011"

would intend to show you just the user accounts that last logged on before October 29, 2011, as well as those who've never logged on. Because of the built-in 15-day "slop," however, in reality you'll see accounts whose last logon date was around mid-October. Notice that, like -TimeSpan, -DateTime requires that its date be surrounded by quotes.

Accounts whose passwords have expired. Here's another nice simple one, employing the -passwordexpired parameter, which shortens only to -passworde. I wish I could tell you that you could add -datetime or -timespan to find accounts whose passwords are nearly expired, but the cmdlet doesn't do that, unfortunately. (Apparently, someone on the AD team agreed that it should be in the cmdlet as well, as a nonexistent parameter called -passwordexpiring is referred to in search-adaccount's Help.)

Expired or soon-to-be-expired accounts. The -accountexpired and -accountexpiring parameters do the job here. Same story: -searchbase works for both, and -datetime and -timespan work for -accountexpiring. It's a nice tool for cleaning up the long-unused accounts.

Search-adaccount is a terrific way to find troubled or suspicious accounts, and in tandem with get-aduser can help solve many AD-cleanup problems. But it doesn't do the whole job, and that's why we'll meet some more cmdlets next month.
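The comment above covers the search-adaccount switches one at a time; the original question was about classifying a list of login IDs read from a text file. The following script is an added example, not code posted by anyone in this thread. It assumes a hypothetical input file C:\temp\logins.txt with one sAMAccountName per line, an output path C:\temp\login-status.csv, and that the ActiveDirectory module (RSAT) is installed where it runs. It builds the disabled, expired and inactive sets once with Search-ADAccount, then looks up each ID with Get-ADUser -Identity so that nothing from the file is ever spliced into a filter string.

```powershell
# Added example, not from this thread. Assumed (hypothetical) paths:
#   C:\temp\logins.txt        one sAMAccountName per line
#   C:\temp\login-status.csv  where the classification is written
Import-Module ActiveDirectory

$inputFile    = 'C:\temp\logins.txt'
$outputFile   = 'C:\temp\login-status.csv'
$inactiveDays = 50   # same threshold the column above uses with -AccountInactive

# Build lookup sets once instead of running Search-ADAccount per user.
# @{} hashtables are case-insensitive, which matches how AD treats sAMAccountName.
$disabled = @{}
Search-ADAccount -UsersOnly -AccountDisabled |
    ForEach-Object { $disabled[$_.SamAccountName] = $true }

$expired = @{}
Search-ADAccount -UsersOnly -AccountExpired |
    ForEach-Object { $expired[$_.SamAccountName] = $true }

# Pass a real TimeSpan object; this sidesteps the "50 must be quoted" trap
# described above, where an unquoted integer is silently treated as ticks.
$inactive = @{}
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan (New-TimeSpan -Days $inactiveDays) |
    ForEach-Object { $inactive[$_.SamAccountName] = $true }

$results = foreach ($line in Get-Content -Path $inputFile) {
    $id = $line.Trim()
    if (-not $id) { continue }   # skip blank lines

    # -Identity accepts a sAMAccountName and throws if the object does not exist,
    # so an unknown or deleted account is reported rather than silently dropped.
    try {
        $user = Get-ADUser -Identity $id -Properties LastLogonDate, AccountExpirationDate, LockedOut -ErrorAction Stop
    } catch {
        $user = $null
    }

    if (-not $user) {
        [pscustomobject]@{ LoginId = $id; Status = 'NotFound'; LastLogonDate = $null; AccountExpires = $null }
        continue
    }

    # Order matters: a disabled account stays "Disabled" even if it is also inactive.
    $status = if ($disabled.ContainsKey($id))     { 'Disabled' }
              elseif ($expired.ContainsKey($id))  { 'Expired' }
              elseif ($user.LockedOut)            { 'LockedOut' }
              elseif ($inactive.ContainsKey($id)) { "Inactive (>$inactiveDays days)" }
              else                                { 'Active' }

    [pscustomobject]@{
        LoginId        = $id
        Status         = $status
        LastLogonDate  = $user.LastLogonDate
        AccountExpires = $user.AccountExpirationDate
    }
}

$results | Sort-Object Status, LoginId | Format-Table -AutoSize
# Keep the result for the cleanup or audit record.
$results | Export-Csv -Path $outputFile -NoTypeInformation
```

Remember the 15-day grace period the column describes: an account that last logged on 40 days ago may not appear in the inactive set with a 50-day threshold, so treat LastLogonDate in the CSV as the authoritative value when reviewing borderline cases.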

Expert Comment

ID: 40337901
If you'd like to be able to do this from different computers other than the server (i.e. logging in locally or remoting in to the server), install the Quest PowerShell Snapin on the system you would like to be able to do this from.

Accepted Solution

great_gentle_man earned 500 total points
ID: 40343677

You may also like to have a look at this one; it had been a great help to me:

"Retrieving Information from Active Directory with Dsquery and Dsget"
