Query, expired accounts, Active Directory Users and Computers

Do you know how to set a query to find expired accounts in Active Directory Users and Computers?
Hiroyuki Tamura, Field Engineer, asked:
Kevin Stanush, Application Developer, commented:
Technically, you can't do this in ADUC.  ADUC lacks an option to customize the display fields that it offers beyond a hard-coded set of columns.  While you can modify it to allow any column to be displayed, it's not easy, and probably not a good idea.  Once modified, you can then just sort on the expiration date and look at the cutoff you are wanting.  But like I said, the mod isn't easy and is sort of a 'voids the warranty' kind of thing.

Having a list of 'expired' accounts without knowing what the account expiration date is/was is not very useful, and the LDAP query language does not have a concept of 'today', so the date is always changing.  The EE link provided by Ajit Singh discusses this in detail.

The only (easy) way to do this is to use a 3rd party tool like has been mentioned or PowerShell. ADUC is not designed to be very flexible or useful outside of what Microsoft designed it for.  I also checked and ADAC isn't much better and could not find a way to do it in ADAC either.  This is why there are a lot of 3rd party AD management tools (and PowerShell).
use ad info tool from CJADEV, it has everything

Klavs R, Developer, owner of AlbusBit, commented:
You need to create new custom search query in ADUC (Saved Queries -> New -> Query -> Define Query... -> Find: Custom Search -> Advanced).
Use this LDAP Query to get users whose account has expired today or earlier.

To customize accountExpires filter, you need to convert the date to integer8 type. You can do it in PowerShell:
PS (Get-Date "11/12/2017").ToFileTime()

PS [datetime]::FromFileTime("131574168000000000")
Monday, December 11, 2017 at 00:00:00
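
The conversion above, carried through to a complete filter for accounts already expired as of a given date. This is an added example, not part of any commenter's post; the function name is hypothetical and the final query assumes the RSAT ActiveDirectory module is installed.

```powershell
# Added example (not from the thread). Get-ExpiredAccountLdapFilter is a
# hypothetical helper name; Get-ADUser requires the ActiveDirectory module.

function Get-ExpiredAccountLdapFilter {
    param([datetime]$AsOf = (Get-Date))

    # accountExpires is Integer8: 100-ns intervals since 1601-01-01 UTC.
    $cutoff = $AsOf.ToFileTime()

    # 0 and 9223372036854775807 both mean "never expires". The upper
    # sentinel is always above the cutoff; 0 is excluded with >=1.
    "(&(objectCategory=person)(objectClass=user)" +
    "(accountExpires>=1)(accountExpires<=$cutoff))"
}

# Filter text for the ADUC path described above (Custom Search -> Advanced).
$filter = Get-ExpiredAccountLdapFilter
$filter

# Run the same filter directly and show each expiry date in readable form.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -LDAPFilter $filter -Properties accountExpires |
        Select-Object SamAccountName, Enabled,
            @{ Name = 'Expired'
               Expression = { [datetime]::FromFileTime($_.accountExpires) } } |
        Sort-Object Expired
}
```

The cutoff is fixed at the moment the filter is generated, so a saved query built from it has to be regenerated to stay current.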

Kevin Stanush, Application Developer, commented:
You can use a tool like Hyena to get this information.  Hyena's query library contains a number of pre-defined queries or you can create your own to do this:

  Hyena's Query Library
It's got a 30-day fully functional trial, as well as free support.
Shaun Vermaak, Technical Specialist/Developer, commented:
Alternatively, you can configure and schedule this tool and never worry about it again
Ajit Singh commented:
Dsquery can be used to get inactive users

dsquery user domainroot -name * -inactive 30

Also, there are a bunch of great PowerShell scripts out there. PowerShell is great for managing Active Directory.

However, there are a few more Active Directory cleanup solutions out there you can check, like this free ADCleanup, Lepide and ManageEngine, to find expired accounts.

Hope this helps!
Ajit Singh commented:
A few more informative articles I would like to share:

Active Directory Saved Query Expired Accounts:

PowerShell – Expiring and Expired AD Account Notification
Hiroyuki Tamura, Field Engineer (author), commented:
Thank you!
Question has a verified solution.