This command is a terrific way to discover troubled accounts, and it can help solve many Active Directory cleanup problems
In my past few columns, I’ve been showing you search-adaccount, a Windows Server 2008 R2 cmdlet designed to accomplish a small but oft-needed set of queries. It's one of my favorite of R2's 76 Active Directory (AD)-related cmdlets, but a couple of quirks—a 15-day date oddity in its ability to find accounts that no one has logged on to in a while, and an oversight that causes search-adaccount to find the users that you want (but not to tell you much about those users)—have engendered topics that have delayed my ability to reveal search-adaccount in all its glory. This month, I'll fix that. One of PowerShell's most-touted aspects is that "once you've invested the time to figure out a few cmdlets, learning a new one is much faster," and I hope to prove that.
Basically, most search-adaccount commands look like
search-adaccount -usersonly option [-searchbase…]
I know what you're thinking: Those are just the basics of the command? Isn't that a case of a carpal tunnel syndrome in the making? Well, you can make it a bit better. The -usersonly parameter is the only one that starts with u, so you need never write -usersonly again (unless you're getting paid by the hour)—the u will suffice. And before you ask, there isn't a short name (or alias, in PowerShell talk) for search-adaccount. For some reason, the AD folks who wrote the AD cmdlets didn't create any. There’s also a -computersonly parameter available that reports only on troubled machine accounts in AD, and you can shorten it to -co, as there's also a -credential parameter for search-adaccount.
With that out of the way, I can quickly cover search-adaccount's seven capabilities.
Disabled accounts. Add the -accountdisabled (shorten it to -accountd) parameter to, not surprisingly, see your domain's disabled accounts, as in
search-adaccount -u -accountd
You've met the -searchbase (or -searchb) parameter that lets you restrict the get-adusers command to only do its query in a part of AD, and you can use it in search-adaccount as well, so to look for disabled user accounts in an OU called Pungo, you could type
search-adaccount -u -accountd -searchb "ou=pungo,dc=bigfirm,dc=com"
Locked-out accounts. Search-adaccount's -lockedout parameter (which you can shorten to simply -l) essentially works identically to the -accountdisabled parameter. To create a table of the locked-out accounts and the last time that they logged on, you could type
search-adaccount -u -l | ft name,lastlogondate -auto
(Recall that ft is an alias for format-table.) You could even jazz it up a bit and sort the table by the last time the locked-out users were successful at logging on, and then give that to format-table:
search-adaccount -u -l | sort -pr lastlogondate | ft name,lastlogondate
The -searchbase option works with -lockedout as well.
Inactive accounts. As I've explained in previous columns, the -accountinactive parameter lets you find people who haven’t logged on since a given day (using the -DateTime parameter) or a certain number of days (using the -TimeSpan parameter). The -searchbase parameter works, and you can shorten -accountinactive to -accounti. To see the people who haven't logged on in the past 50 days, type
search-adaccount -u -accounti -timespan "50"
or, pursuing our neverending quest for the shortest commands,
search-adaccount -u -accounti -t "50"
Note that you absolutely must put the 50 in quotes; otherwise, search-adaccount will show you everyone who hasn't logged on in the past 15 or so days. (The command ignores numbers not in quotes, and you get no error message, and an absence of parameters means "in the past 15 days.") You can use the -DateTime parameter (which shortens to -da) to ask who hasn't logged on since a particular date, although recall from a previous column that search-adaccount builds in a 15-day grace period in recognition of an AD quirk about keeping "last logon time" information for a user account. Thus, the command
search-adaccount -u -accounti -da "29 oct 2011"
would intend to show you just the user accounts that last logged on before October 29, 2011, as well as those who've never logged on. Because of the built-in 15-day "slop," however, in reality you’ll see accounts whose last logon date was around mid-October. Notice that, like -TimeSpan, -DateTime requires that its date be surrounded by quotes.
Accounts whose passwords have expired. Here’s another nice simple one, employing the -passwordexpired parameter, which shortens only to -passworde. I wish I could tell you that you could add -datetime or -timespan to find accounts whose passwords are nearly expired, but the cmdlet doesn't do that, unfortunately. (Apparently, someone on the AD team agreed that it should be in the cmdlet as well, as a nonexistent parameter called -passwordexpiring is referred to in search-adaccount's Help.)
Expired or soon-to-be-expired accounts. The -accountexpired and -accountexpiring parameters do the job here. Same story: -searchbase works for both, -datetime and -timespan work for -accountexpiring. It’s a nice tool for cleaning up the long-unused accounts.
Search-adaccount is a terrific way to find troubled or suspicious accounts, and in tandem with get-aduser can help solve many AD-cleanup problems. But it doesn't do the whole job, and that's why we'll meet some more cmdlets next month.