What would be the easiest way to list disabled accounts, inactive accounts or expired accounts from AD? You could use Get-ADUser or Get-ADObject, but they are more complicated because you have to deal with user attributes directly.
I found Search-ADAccount; it has been much easier and generates reports from AD pretty much on the fly. The description and help for Search-ADAccount are in the cmdlet's documentation.
Here are the sample commands. Note that the number of days is set to 90 in these commands; change 90 to whatever number suits you. You can remove the Export-Csv command to show the results in the PowerShell window.
- Search AD for Inactive Computer Accounts for more than 90 days.
```powershell
Search-ADAccount -ComputersOnly -AccountInactive | ? { $_.LastLogonDate -lt (get-date).AddDays(-90) } | Select-Object Name,LastLogonDate,DistinguishedName | Export-Csv -Path .\Inactive-Computers-morethan-90days.csv -NoTypeInformation
```
- Search AD for Inactive User accounts for more than 90 days
```powershell
Search-ADAccount -AccountInactive -UsersOnly | ? { $_.LastLogonDate -lt (get-date).AddDays(-90) } | Select-Object Name,SAMAccountName,LastLogonDate,Enabled,LockedOut,PasswordExpired | Export-Csv -Path .\Inactive-Users-morethan-90days.csv -NoTypeInformation
```
- Search AD for Expired User accounts for more than 90 days
```powershell
Search-ADAccount -AccountExpired -UsersOnly | Select-Object Name,SAMAccountName,AccountExpirationDate,LastLogonDate,DistinguishedName | Export-Csv -Path .\Expired-UserAccounts.csv -NoTypeInformation
```
I believe you get the idea. Tweak the cmdlet or filter to get more combinations of reports.
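
One such combination, as an added example that is not part of the original post: it merges the disabled, expired and inactive user reports into one row per account and records every reason the account was flagged. `Merge-AccountReport`, the `Stale-Users.csv` file name and the sample accounts under `DC=example,DC=test` are assumptions made for illustration.

```powershell
# Added example, not from the original post. Merge-AccountReport is a hypothetical helper.
$Cutoff = (Get-Date).AddDays(-90)              # same 90-day threshold as above
function Merge-AccountReport {
    # $Reports maps a reason label to the accounts one Search-ADAccount query returned.
    param([System.Collections.IDictionary]$Reports)
    $byDn = @{}                                # one row per DistinguishedName
    foreach ($reason in $Reports.Keys) {
        foreach ($acct in @($Reports[$reason])) {
            if ($null -eq $acct) { continue }  # query returned nothing
            $dn = $acct.DistinguishedName
            if (-not $byDn.ContainsKey($dn)) {
                $byDn[$dn] = [pscustomobject]@{
                    SamAccountName    = $acct.SamAccountName
                    Enabled           = $acct.Enabled
                    LastLogonDate     = $acct.LastLogonDate
                    Reasons           = @()
                    DistinguishedName = $dn
                }
            }
            $byDn[$dn].Reasons += $reason      # an account can match several reports
        }
    }
    # Enabled accounts sort first: they can still log on, so review them first.
    $byDn.Values |
        Sort-Object @{ Expression = 'Enabled'; Descending = $true }, SamAccountName |
        Select-Object SamAccountName, Enabled, LastLogonDate,
            @{ Name = 'Reasons'; Expression = { $_.Reasons -join ';' } }, DistinguishedName
}

if (Get-Command Search-ADAccount -ErrorAction SilentlyContinue) {
    $reports = [ordered]@{
        Disabled = Search-ADAccount -AccountDisabled -UsersOnly
        Expired  = Search-ADAccount -AccountExpired -UsersOnly
        # An empty LastLogonDate (never logged on) also passes this filter.
        Inactive = Search-ADAccount -AccountInactive -UsersOnly |
            Where-Object { $_.LastLogonDate -lt $Cutoff }
    }
} else {
    # Constructed sample accounts so the merge can be tried without a domain.
    $new = { param($n, $on, $last) [pscustomobject]@{ SamAccountName = $n; Enabled = $on
            LastLogonDate = $last; DistinguishedName = "CN=$n,OU=Staff,DC=example,DC=test" } }
    $old = & $new 'svc-old' $true ($Cutoff.AddDays(-200))
    $reports = [ordered]@{
        Disabled = @(& $new 'jdoe' $false ($Cutoff.AddDays(-30)))
        Expired  = @($old)
        Inactive = @($old, (& $new 'newhire' $true $null))
    }
}
Merge-AccountReport -Reports $reports | Export-Csv -Path .\Stale-Users.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which AD by default refreshes only about every 9 to 14 days, so treat accounts close to the cutoff as approximate.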