
One of the most common applications of PowerShell is with Active Directory, which makes a lot of sense. Active Directory is a huge source of information and naturally IT pros want an easy way to get that information. Perhaps you need to do something with the information or maybe you simply need a report so that someone else can make decisions. Using PowerShell to query Active Directory is not that difficult, especially if you have cmdlets at your disposal. A typical Active Directory task that can be easily automated with PowerShell is to identify disabled or inactive user accounts, which I’ll show you how to do in this PowerShell Problem Solver article.
The easiest solution is the Active Directory PowerShell module from Microsoft. This module requires at least one domain controller running Windows Server 2008 R2 or later that’s running Active Directory Web Services. On the client side you need PowerShell 3 or later and the Active Directory tools that are part of the Remote Server Administration Toolkit (RSAT) download. Get the latest version for your operating system. I am running PowerShell 4.0 on a Windows 8.1 desktop with RSAT installed. You can verify the module like this:
get-module ActiveDirectory -list
If you don’t see it, open Control Panel > Programs and select “Turn Windows Features on and off.” Scroll down to Remote Server Administration Tools, and make sure you’ve checked the box for the module.
Turning on the Active Directory Module for Windows PowerShell feature. (Image Credit: Jeff Hicks)
Search-ADAccount -UsersOnly -AccountDisabled
This expression will search the entire domain for user accounts that are disabled. The result will be a user account object.
Using the Search-ADAccount cmdlet in Windows PowerShell. (Image Credit: Jeff Hicks)
Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=employees,dc=globomantics,dc=local"
The SearchBase will be the OU distinguishedname. It will search all child OUs as well.
Limiting our search to part of the organizational unit in Windows PowerShell with Search-ADAccount. (Image Credit: Jeff Hicks)
Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=Employees,DC=globomantics,dc=local" | sort LastLogonDate | Select Name,LastLogonDate,DistinguishedName | out-gridview -title "Disabled Employees"
Using Search-ADAccount to grab a list of disabled employees. (Image Credit: Jeff Hicks)
$paramHash = @{
UsersOnly = $True
AccountDisabled = $True
SearchBase = "OU=Employees,DC=globomantics,dc=local"
}
Search-ADAccount @paramHash |
Get-ADuser -Properties Description,Department,Title,LastLogonDate,WhenChanged |
sort LastLogonDate |
Select Name,Department,Title,Description,WhenChanged,LastLogonDate,DistinguishedName |
out-gridview -title "Disabled Employees"
With Get-ADUser, you have to specify the properties you want to see, otherwise you get a minimal set. But now my output is a bit richer.
Another example of Get-ADUser results with PowerShell. (Image Credit: Jeff Hicks)
$paramHash = @{
UsersOnly = $True
AccountExpired = $True
SearchBase = "OU=Employees,DC=globomantics,dc=local"
}
Search-ADAccount @paramHash |
Get-ADuser -Properties Department,Title |
Select Name,Department,Title,DistinguishedName
Finding expired accounts in Windows PowerShell. (Image Credit: Jeff Hicks)
$paramHash = @{
UsersOnly = $True
AccountInactive = $True
TimeSpan = New-Timespan -Days 120
SearchBase = "OU=Employees,DC=globomantics,dc=local"
Server = "chi-dc04"
}
Search-ADAccount @paramHash | measure
Using the timespan parameter with Search-ADAccount in Windows PowerShell. (Image Credit: Jeff Hicks)
$paramHash = @{
UsersOnly = $True
AccountInactive = $True
DateTime = "7/1/2014"
SearchBase = "OU=Employees,DC=globomantics,dc=local"
Server = "chi-dc04"
}
Search-ADAccount @paramHash
I believe the Search-ADAccount cmdlet has changed over time since it was first released. If you don’t see these parameters, try to upgrade your client to the most current version of PowerShell and RSAT that it will support. Otherwise, post in the PowerShell forum on the site, and I’ll help you figure out the corresponding syntax with Get-ADUser. The Microsoft cmdlets are not the only solution. I’ll be back in a future article to demonstrate some alternatives.
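The disabled, expired and inactive searches shown above can be combined into a single report built on Get-ADUser. This is an added example, not code from the original article. The OU and domain controller names are the article's; the NeverLoggedOn category, the status labels and the StaleAccounts.csv output path are assumptions made for illustration.

```powershell
# Added example: one pass over the OU that labels each account as
# Disabled, Expired, Inactive and/or NeverLoggedOn.
Import-Module ActiveDirectory

$searchBase   = "OU=Employees,DC=globomantics,dc=local"  # OU used in the article
$server       = "chi-dc04"                                # DC used in the article
$inactiveDays = 120                                       # same window as the TimeSpan example
$now          = Get-Date
$cutoff       = $now.AddDays(-$inactiveDays)

# Get-ADUser returns a minimal property set unless extra properties are requested.
$props = 'Department','Title','LastLogonDate','AccountExpirationDate','WhenCreated','WhenChanged'

$report = Get-ADUser -Filter * -SearchBase $searchBase -Server $server -Properties $props |
    ForEach-Object {
        $reasons = @()
        if (-not $_.Enabled) { $reasons += 'Disabled' }
        if ($_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now) {
            $reasons += 'Expired'
        }
        if ($_.LastLogonDate) {
            if ($_.LastLogonDate -lt $cutoff) { $reasons += 'Inactive' }
        }
        elseif ($_.WhenCreated -lt $cutoff) {
            # No logon recorded and the account is older than the window
            # (assumed category; new accounts inside the window are skipped).
            $reasons += 'NeverLoggedOn'
        }

        if ($reasons) {
            [pscustomobject]@{
                Name              = $_.Name
                Department        = $_.Department
                Title             = $_.Title
                Status            = $reasons -join ','
                LastLogonDate     = $_.LastLogonDate
                WhenChanged       = $_.WhenChanged
                DistinguishedName = $_.DistinguishedName
            }
        }
    }

# Full detail to CSV (hypothetical path), summary counts to the console.
$report | Sort-Object Status, LastLogonDate |
    Export-Csv -Path .\StaleAccounts.csv -NoTypeInformation
$report | Group-Object Status | Select-Object Name, Count
```

LastLogonDate is the module's rendering of the replicated lastLogonTimestamp attribute, which with default domain settings can trail the real last logon by up to about 14 days, so treat accounts near the threshold as candidates for review rather than confirmed stale.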
Copyright ©2019 BWW Media Group