
One of the most common applications of PowerShell is with Active Directory, which makes a lot of sense. Active Directory is a huge source of information and naturally IT pros want an easy way to get that information. Perhaps you need to do something with the information or maybe you simply need a report so that someone else can make decisions. Using PowerShell to query Active Directory is not that difficult, especially if you have cmdlets at your disposal. A typical Active Directory task that can be easily automated with PowerShell is to identify disabled or inactive user accounts, which I’ll show you how to do in this PowerShell Problem Solver article.
The easiest solution is the Active Directory PowerShell module from Microsoft. This module requires at least one domain controller that runs Windows Server 2008 R2 or later with Active Directory Web Services. On the client side you need PowerShell 3 or later and the Active Directory tools that are part of the Remote Server Administration Tools (RSAT) download. Get the latest version for your operating system. I am running PowerShell 4.0 on a Windows 8.1 desktop with RSAT installed. You can verify the module like this:
Get-Module ActiveDirectory -ListAvailable
If you don’t see it, open Control Panel, go to Programs, and select “Turn Windows features on or off.” Scroll down to Remote Server Administration Tools, and make sure you’ve checked the box for the module.
Turning on the Active Directory Module for Windows PowerShell feature. (Image Credit: Jeff Hicks)
Search-ADAccount -UsersOnly -AccountDisabled
This expression will search the entire domain for user accounts that are disabled. The result will be a user account object.
Using the Search-ADAccount cmdlet in Windows PowerShell. (Image Credit: Jeff Hicks)
Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=employees,dc=globomantics,dc=local"
The SearchBase value is the distinguished name of the OU. The search includes all child OUs as well.
Limiting our search to part of the organizational unit in Windows PowerShell with Search-ADAccount. (Image Credit: Jeff Hicks)
Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=Employees,DC=globomantics,dc=local" | sort LastLogonDate | Select Name,LastLogonDate,DistinguishedName | out-gridview -title "Disabled Employees"
Using Search-ADAccount to grab a list of disabled employees. (Image Credit: Jeff Hicks)
$paramhash=@{
    UsersOnly = $True
    AccountDisabled = $True
    SearchBase = "OU=Employees,DC=globomantics,dc=local"
}
Search-ADAccount @paramHash |
    Get-ADuser -Properties Description,Department,Title,LastLogonDate,WhenChanged |
    sort LastLogonDate |
    Select Name,Department,Title,Description,WhenChanged,LastLogonDate,DistinguishedName |
    out-gridview -title "Disabled Employees"
With Get-ADUser, you have to specify the properties you want to see, otherwise you get a minimal set. But now my output is a bit richer.
Another example of Get-ADUser results with PowerShell. (Image Credit: Jeff Hicks)
$paramhash=@{
    UsersOnly = $True
    AccountExpired = $True
    SearchBase = "OU=Employees,DC=globomantics,dc=local"
}
Search-ADAccount @paramHash |
    Get-ADuser -Properties Department,Title |
    Select Name,Department,Title,DistinguishedName
Finding expired accounts in Windows PowerShell. (Image Credit: Jeff Hicks)
$paramhash=@{
    UsersOnly = $True
    AccountInactive = $True
    TimeSpan = New-Timespan -Days 120
    SearchBase = "OU=Employees,DC=globomantics,dc=local"
    Server = "chi-dc04"
}
Search-ADAccount @paramHash | measure
Using the timespan parameter with Search-ADAccount in Windows PowerShell. (Image Credit: Jeff Hicks)
$paramhash=@{
    UsersOnly = $True
    AccountInactive = $True
    DateTime = "7/1/2014"
    SearchBase = "OU=Employees,DC=globomantics,dc=local"
    Server = "chi-dc04"
}
Search-ADAccount @paramHash
I believe the Search-ADAccount cmdlet has changed over time since it was first released. If you don’t see these parameters, try to upgrade your client to the most current version of PowerShell and RSAT that it will support. Otherwise, post in the PowerShell forum on the site, and I’ll help you figure out the corresponding syntax with Get-ADUser. The Microsoft cmdlets are not the only solution. I’ll be back in a future article to demonstrate some alternatives.
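As an added example (not code from the original article), the function below classifies user objects as disabled, expired, never logged on or inactive in a single pass, so an account that matches several of the searches above appears once with all of its reasons. The function name, the sample objects and the 14-day slack for lastLogonTimestamp replication lag (the attribute behind LastLogonDate) are assumptions made for illustration.

```powershell
# Added example, not from the article. Classifies user objects in one pass.
# Property names match Get-ADUser output when it is asked for
# AccountExpirationDate and LastLogonDate. The function name is hypothetical.
function Get-StaleAccountReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int]$InactiveDays = 120,        # same window as the article's TimeSpan
        [int]$ReplicationSlackDays = 14, # assumption: default lastLogonTimestamp lag
        [datetime]$Now = (Get-Date)
    )
    begin {
        # Flag an account as inactive only if it is stale even allowing for the lag.
        $cutoff = $Now.AddDays(-($InactiveDays + $ReplicationSlackDays))
    }
    process {
        $reasons = @()
        if (-not $User.Enabled) { $reasons += 'Disabled' }
        if ($User.AccountExpirationDate -and $User.AccountExpirationDate -lt $Now) {
            $reasons += 'Expired'
        }
        if ($null -eq $User.LastLogonDate) { $reasons += 'NeverLoggedOn' }
        elseif ($User.LastLogonDate -lt $cutoff) { $reasons += 'Inactive' }
        if ($reasons) {
            [pscustomobject]@{
                Name          = $User.Name
                Reasons       = $reasons -join ','
                LastLogonDate = $User.LastLogonDate
                StillEnabled  = [bool]$User.Enabled  # stale but still usable for logon
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$asOf = Get-Date '2014-11-01'
$sample = @(
    [pscustomobject]@{ Name='A. Active';     Enabled=$true;  AccountExpirationDate=$null; LastLogonDate=$asOf.AddDays(-3) }
    [pscustomobject]@{ Name='B. Dormant';    Enabled=$true;  AccountExpirationDate=$null; LastLogonDate=$asOf.AddDays(-200) }
    [pscustomobject]@{ Name='C. Leaver';     Enabled=$false; AccountExpirationDate=$asOf.AddDays(-30); LastLogonDate=$asOf.AddDays(-150) }
    [pscustomobject]@{ Name='D. Unused';     Enabled=$true;  AccountExpirationDate=$null; LastLogonDate=$null }
    [pscustomobject]@{ Name='E. Borderline'; Enabled=$true;  AccountExpirationDate=$null; LastLogonDate=$asOf.AddDays(-125) }
)
# A and E are not reported: E (125 days) is still inside the 120 + 14 day window.
$sample | Get-StaleAccountReport -Now $asOf | Format-Table -AutoSize

# Against a live domain (OU taken from the article; needs the ActiveDirectory module):
# Get-ADUser -Filter * -SearchBase "OU=Employees,DC=globomantics,dc=local" `
#     -Properties AccountExpirationDate,LastLogonDate | Get-StaleAccountReport
```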