Platform: Windows 2012
Module Required: activedirectory
Here are some quick and dirty ways to find accounts that are locked out, disabled, expired, expiring or inactive, or that have an expired password or a password that never expires.
Using Get-ADUser with a little more scripting:
Get-ADUser -Filter * -Properties lastLogon | Select-Object Name, @{Name="lastlogon";Expression={[datetime]::FromFileTime($_.lastLogon)}} | Sort-Object lastlogon
The rest of the examples are from Get-Help Search-ADAccount -Examples
Search-ADAccount -parameter
Here are some examples from the help:
Gets Active Directory user, computer, or service accounts.
C:\PS>Search-ADAccount -AccountDisabled | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
krbtgt user
krbtgt_51399 user
AmyAl-LPTOP computer
DeepakAn-DSKTOP computer
C:\PS>Search-ADAccount -AccountDisabled -SearchBase "DC=AppNC" -Server "FABRIKAM-SRV1:60000"
Enabled : False
Name : SanjayPatel
UserPrincipalName :
PasswordNeverExpires :
LockedOut : False
ObjectGUID : d671de28-6e40-42a7-b32c-63d336de296d
ObjectClass : user
SID : S-1-510474493-936115905-2231798853-1260534229-4171027843-767619944
PasswordExpired : False
LastLogonDate :
DistinguishedName : CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC
AccountExpirationDate :
Description
-----------
Returns all users, computers and service accounts that are disabled in the LDS instance: “FABRIKAM-SRV1:60000”.
C:\PS>Search-ADAccount -AccountExpiring -DateTime "3/18/2009" | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Anders Riis user
Description
-----------
Returns all accounts which expire on the 18th of March, 2009.
C:\PS>Search-ADAccount -LockedOut | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Toni Poe user
Description
-----------
Returns all accounts that have been locked out.
C:\PS>Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
Toni Poe user
Anders Riis user
Fabien Hernoux user
Description
-----------
Returns all accounts with a password that will never expire.
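One way to combine the searches above into a single report, as an added example (not from Get-Help or the original post): it runs each Search-ADAccount state query for user accounts and merges the hits by SID, so an account that matches several states appears once with one flag per state. The 90-day inactivity threshold and the variable names are assumptions.

```powershell
# Added example: merge several Search-ADAccount findings into one row per user.
Import-Module ActiveDirectory

$InactiveDays = 90   # assumed threshold; set this to your own policy

# Each entry is one state query; its key becomes a flag column in the report.
$queries = [ordered]@{
    Disabled             = { Search-ADAccount -AccountDisabled -UsersOnly }
    LockedOut            = { Search-ADAccount -LockedOut -UsersOnly }
    Expired              = { Search-ADAccount -AccountExpired -UsersOnly }
    PasswordExpired      = { Search-ADAccount -PasswordExpired -UsersOnly }
    PasswordNeverExpires = { Search-ADAccount -PasswordNeverExpires -UsersOnly }
    Inactive             = { Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly }
}

$report = @{}   # keyed by SID so each account gets exactly one row
foreach ($flag in $queries.Keys) {
    foreach ($acct in (& $queries[$flag])) {
        $sid = $acct.SID.Value
        if (-not $report.ContainsKey($sid)) {
            # First time this account is seen: create its row with all flags off.
            $row = [ordered]@{
                Name          = $acct.Name
                Enabled       = $acct.Enabled
                LastLogonDate = $acct.LastLogonDate
            }
            foreach ($f in $queries.Keys) { $row[$f] = $false }
            $report[$sid] = $row
        }
        $report[$sid][$flag] = $true
    }
}

# Enabled accounts that are also Inactive or PasswordNeverExpires are the
# usual first candidates for review.
$report.Values |
    ForEach-Object { [pscustomobject]$_ } |
    Sort-Object Name |
    Format-Table -AutoSize
```

-AccountInactive and LastLogonDate are based on the replicated lastLogonTimestamp attribute, which can lag the real logon by up to about two weeks. The lastlogon attribute used in the Get-ADUser one-liner is stored per domain controller and is not replicated, so it only reflects logons handled by the DC that answers the query.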