PowerShell Search-AdAccount cmdlet with Examples

In this blog post, we will discuss PowerShell Search-AdAccount to find inactive user accounts or expired accounts in Active Directory.

PowerShell Search-AdAccount cmdlet finds one or more user account, computer or service accounts as per the search criteria. Search criteria include account and password status.

Search-AdAccount helps you to find accounts with the below search adaccount parameters

  • Expired accounts using AccountExpired
  • Expiring ad accounts using AccountExpiring
  • Get a list of accounts that are disabled in Active Directory using AccountDisabled.
  • Retrieve inactive accounts in the active directory using AccountInActive.
  • Get a list of user accounts that have been locked out using LockedOut.
  • Retrieve a list of accounts whose password have expired using PasswordExpired.
  • Retrieve a list of accounts whose password never expire using PasswordNeverExpires

PowerShell Search-AdAccount Syntax

Search-ADAccount
     SearchCriteria
      [-AuthType <ADAuthType>]
      [-ComputersOnly]
      [-Credential <PSCredential>]
      [-ResultPageSize <Int32>]
      [-ResultSetSize <Int32>]
      [-SearchBase <String>]
      [-SearchScope <ADSearchScope>]
      [-Server <String>]
      [-UsersOnly]
      [<CommonParameters>]

In the above syntax, SearchCriteria can be any of the following:

  • AccountDisabled
  • AccountExpiring
  • AccountInactive
  • AccountExpired
  • LockedOut
  • PasswordExpired

PowerShell Search-AdAccount Examples

Let’s understand how to use PowerShell search adaccount cmdlet to find ad user accounts based on different filter criteria.

Using PowerShell Search adaccount – Find all the users that are disabled

Search-ADAccount -AccountDisabled -UsersOnly | FT Name,ObjectClass -A

In the above example, PowerShell Search-AdAccount command gets all the users that are disabled using the UserOnly parameter.

Cool Tip: Do you know the equivalent of cat command in Windows!

Using Search AdAccount to find all users,computers and service accounts that are disabled

Search-ADAccount -AccountDisabled | FT Name,ObjectClass -A

In the above example, PowerShell Search-AdAccount command gets all the users, computers, and service accounts that are disabled.

Find all users,computers and service accounts that are expired

Search-ADAccount -AccountExpired | FT Name,ObjectClass -A

This search-adaccount command gets all users, computers, and service accounts that are expired in the active directory with PowerShell. AccountExpired parameter search for accounts that are expired.

Find all users, computers, and service accounts that will expire in the next 15 days.

Search-ADAccount -AccountExpiring -TimeSpan 15.00:00:00 | FT Name,ObjectClass -A

This PowerShell search adaccount command gets all users, computers, and service accounts that will expire in the next 15 days. AccountExpiring parameter search for accounts that are expiring.

In the above example, we have used TimeSpan parameter to specify the time period which is 15 days.

Cool Tip: Learn how to get aduser using userprincipalname!

Use search adaccount to find all accounts where password has expired

Search-ADAccount -PasswordExpired | FT Name,ObjectClass -A

The above search adaccount command returns all the users account where the password has expired. PasswordExpired parameter is used to search for accounts where the password has expired.

Use search adaccount to find all accounts that are locked out

Search-ADAccount -LockedOut | FT Name,ObjectClass -A

Above PowerShell search adaccount command returns all accounts that are locked out.

Get all accounts that have been inactive for the last 90 days

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | FT Name,ObjectClass -A

The above Search-AdAccount command returns all the accounts that have been inactive for the last 90 days. Here we have used TimeSpan parameter to specify the time period. AccountInactive parameter search for inactive accounts in the active directory.

Find all the users accounts that have disabled in specific OU

Search-ADAccount -UsersOnly –AccountDisabled –Searchbase "OU=Asia_Sales,dc=shellgeek,dc=com"

This PowerShell search-adaccount cmdlet finds disabled user accounts in specific OU.

Conclusion

I hope the above article on PowerShell Search-AdAccount cmdlet and examples to find user, computer, or service accounts from Active Directory are helpful to you.

You can do a lot more with Search-AdAccount cmdlet to find lastlogondate, adaccount inactive for last 90 days, account expiration date.

Cool Tip: How to use Remove-AdUser cmdlet to remove aduser using PowerShell!

You can find more topics about PowerShell Active Directory commands and PowerShell basics on ShellGeek home page.

Leave a Comment