In this blog post, we will discuss how to use the PowerShell Search-ADAccount cmdlet to find inactive or expired user accounts in Active Directory.
The PowerShell Search-ADAccount cmdlet finds one or more user, computer, or service accounts that match the search criteria. Search criteria include account and password status.
Search-ADAccount helps you find accounts with the following parameters:
- Expired accounts using AccountExpired.
- Expiring AD accounts using AccountExpiring.
- Get a list of accounts that are disabled in Active Directory using AccountDisabled.
- Retrieve inactive accounts in Active Directory using AccountInactive.
- Get a list of user accounts that have been locked out using LockedOut.
- Retrieve a list of accounts whose passwords have expired using PasswordExpired.
- Retrieve a list of accounts whose passwords never expire using PasswordNeverExpires.
PowerShell Search-AdAccount Syntax
Search-ADAccount SearchCriteria [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-UsersOnly] [<CommonParameters>]
In the above syntax, SearchCriteria can be any of the following:
- AccountDisabled
- AccountExpiring
- AccountInactive
- AccountExpired
- LockedOut
- PasswordExpired
- PasswordNeverExpires
PowerShell Search-AdAccount Examples
Let's look at how to use the PowerShell Search-ADAccount cmdlet to find AD accounts based on different filter criteria.
Using PowerShell Search-ADAccount – Find all the users that are disabled
Search-ADAccount -AccountDisabled -UsersOnly | FT Name,ObjectClass -A
In the above example, the Search-ADAccount command gets all the users that are disabled. The UsersOnly parameter limits the results to user accounts.
Using Search-ADAccount to find all users, computers, and service accounts that are disabled
Search-ADAccount -AccountDisabled | FT Name,ObjectClass -A
In the above example, the Search-ADAccount command gets all the users, computers, and service accounts that are disabled.
Find all users, computers, and service accounts that are expired
Search-ADAccount -AccountExpired | FT Name,ObjectClass -A
This Search-ADAccount command gets all users, computers, and service accounts that have expired in Active Directory. The AccountExpired parameter searches for accounts that have expired.
Find all users, computers, and service accounts that will expire in the next 15 days.
Search-ADAccount -AccountExpiring -TimeSpan 15.00:00:00 | FT Name,ObjectClass -A
This Search-ADAccount command gets all users, computers, and service accounts that will expire in the next 15 days. The AccountExpiring parameter searches for accounts that are expiring.
In the above example, we have used the TimeSpan parameter to specify the time period, which is 15 days.
Use Search-ADAccount to find all accounts where the password has expired
Search-ADAccount -PasswordExpired | FT Name,ObjectClass -A
The above Search-ADAccount command returns all the accounts where the password has expired. The PasswordExpired parameter is used to search for accounts where the password has expired.
Use Search-ADAccount to find all accounts that are locked out
Search-ADAccount -LockedOut | FT Name,ObjectClass -A
The above Search-ADAccount command returns all accounts that are locked out.
Get all accounts that have been inactive for the last 90 days
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | FT Name,ObjectClass -A
The above Search-ADAccount command returns all the accounts that have been inactive for the last 90 days. Here we have used the TimeSpan parameter to specify the time period. The AccountInactive parameter searches for inactive accounts in Active Directory.
Find all the user accounts that are disabled in a specific OU
Search-ADAccount -UsersOnly -AccountDisabled -SearchBase "OU=Asia_Sales,dc=shellgeek,dc=com"
This Search-ADAccount command finds disabled user accounts in a specific OU.
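Search-ADAccount accepts only one search criterion per call, so an access review that wants every flag on an account has to merge several queries. The script below is an added example, not code from the original article: it reuses the OU from the last example and the 90-day window, while the flag labels, variable names and the account-review.csv output path are assumptions, and it needs the ActiveDirectory module and a domain session.

```powershell
# Added example (not from the article). Flag labels, variable names and the
# CSV path are assumptions; the OU and 90-day window are the article's.
Import-Module ActiveDirectory

$common = @{
    UsersOnly  = $true
    SearchBase = 'OU=Asia_Sales,dc=shellgeek,dc=com'
}

# Each criterion is its own parameter set, so run one query per criterion.
$queries = [ordered]@{
    Inactive90d          = @{ AccountInactive = $true; TimeSpan = '90.00:00:00' }
    Expired              = @{ AccountExpired = $true }
    PasswordExpired      = @{ PasswordExpired = $true }
    PasswordNeverExpires = @{ PasswordNeverExpires = $true }
    LockedOut            = @{ LockedOut = $true }
}

# Merge results by DistinguishedName so each account appears once with all flags.
$byDn = @{}
foreach ($flag in $queries.Keys) {
    $criteria = $queries[$flag]
    foreach ($acct in (Search-ADAccount @common @criteria)) {
        $dn = $acct.DistinguishedName
        if (-not $byDn.ContainsKey($dn)) {
            $byDn[$dn] = [pscustomobject]@{
                SamAccountName = $acct.SamAccountName
                Enabled        = $acct.Enabled
                LastLogonDate  = $acct.LastLogonDate
                Flags          = [System.Collections.Generic.List[string]]::new()
            }
        }
        $byDn[$dn].Flags.Add($flag)
    }
}

# LastLogonDate comes from lastLogonTimestamp, which replicates lazily and can
# lag real logons by up to about 14 days, so treat the 90-day cut as approximate.
# Report enabled accounts only (disabled ones can no longer log on), most-flagged first.
$byDn.Values |
    Where-Object Enabled |
    Sort-Object { $_.Flags.Count } -Descending |
    Select-Object SamAccountName, LastLogonDate,
        @{ Name = 'Flags'; Expression = { $_.Flags -join ',' } } |
    Export-Csv -Path .\account-review.csv -NoTypeInformation
```

An enabled account that carries both Inactive90d and PasswordNeverExpires is usually the first row worth reviewing.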
Conclusion
I hope the above article on the PowerShell Search-ADAccount cmdlet and its examples for finding user, computer, or service accounts in Active Directory is helpful to you.
You can do a lot more with the Search-ADAccount cmdlet, such as finding the lastlogondate, accounts inactive for the last 90 days, and account expiration dates.