Tuesday, 6 January 2009

Powershell Active Directory One-Liners

Recently I blogged about some scripts I left behind in my previous employment for managing AD - really, a lot of them were just quick one-liners. Not that that is necessarily a bad thing: one of the best things for me about PowerShell is the way you can get great information with very little effort. Of course I am using my good friend the Quest AD cmdlets.

I thought I'd share a few of them:

Find Expired Users:

On the theme of cleaning out AD, find user accounts which have expired.

Get-QADUser -searchroot 'domain.local/resources/users' -SizeLimit 0 -ldapFilter '(pwdlastset=0)' | ft name,passwordlastset

Find Users Not Logged in Since X Days:

On the same theme, supply X ('how many days to go back') and find users who haven't logged in during that time. (OK, I cheated a bit on the 'one line' with this one.)

$now=get-date; $daysSinceLastLogon = X; Get-QADUser -sizeLimit 0 -SearchRoot 'domain.local/resources/users' | where {$_.lastlogontimestamp.value -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} | ft name,lastlogontimestamp

Note: X needs to be more than 14 days to allow for the lastlogontimestamp attribute to have replicated.

Find Users Whose Password is set to Not Expire:

Keep tabs on those naughty administrators who think they can exempt themselves from the corporate password policy - you know who you are!

Get-QADUser -Sizelimit 0 -SearchRoot 'domain.local/resources/users' -PasswordNeverExpires $True | ft name

How Many Users in Active Directory?

Need to keep track of an expanding user population? Need to figure out how many CALs you need? Easy.

Get-QADUser -DontUseDefaultIncludedProperties -SearchRoot 'domain.local/resources/users' -SizeLimit 0 | Measure-Object
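Bringing the checks above together, here is an added example (my addition, not one of the original one-liners) that reports stale or non-compliant accounts in a single pass instead of running the filters one at a time. It assumes the Quest cmdlets are loaded, PowerShell 2.0 or later, and that the Quest user object exposes the properties PasswordNeverExpires, PasswordLastSet, AccountIsDisabled and SamAccountName (treat those names as assumptions and check them with Get-Member on your build).

```powershell
# Added example, not part of the original post. Replace the SearchRoot with your own OU path.
$searchRoot = 'domain.local/resources/users'
$daysSinceLastLogon = 90   # keep this above 14 so lastLogonTimestamp has had time to replicate
$now = Get-Date

# lastLogonTimestamp is a plain DateTime on newer Quest builds and a wrapper with a
# .Value property on older ones (hence the .value in the one-liner above); accept both.
function Get-LogonDate($user) {
    $ts = $user.lastLogonTimestamp
    if ($ts -and $ts.PSObject.Properties['Value']) { return $ts.Value }
    return $ts
}

Get-QADUser -SearchRoot $searchRoot -SizeLimit 0 |
  ForEach-Object {
    $lastLogon = Get-LogonDate $_
    $reasons = @()
    if ($null -eq $lastLogon) {
        $reasons += 'never logged on'
    } elseif (($now - $lastLogon).Days -gt $daysSinceLastLogon) {
        $reasons += "no logon for $(($now - $lastLogon).Days) days"
    }
    # Reading the property avoids the -PasswordNeverExpires:$False switch quirk entirely
    if ($_.PasswordNeverExpires) { $reasons += 'password never expires' }
    # Assumption: pwdLastSet=0 surfaces as a null PasswordLastSet on the Quest object
    if ($null -eq $_.PasswordLastSet) { $reasons += 'password not set (pwdLastSet=0)' }
    if ($reasons.Count -gt 0) {
        New-Object PSObject -Property @{
            Name           = $_.Name
            SamAccountName = $_.SamAccountName
            Disabled       = $_.AccountIsDisabled
            LastLogon      = $lastLogon
            Reasons        = ($reasons -join '; ')
        }
    }
  } | Sort-Object Name | Format-Table Name, SamAccountName, Disabled, LastLogon, Reasons -AutoSize
```

Accounts that are already disabled still appear (with Disabled = True) so you can see which stale accounts have actually been dealt with; drop them with an extra Where-Object if you only want live ones.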

TK said...

It appears that the -PasswordNeverExpires option does not accept a boolean flag ($True or $False), but rather just assumes $True. I'd actually like to use $False, so that I can filter by "normal" accounts with an expiring password.

TK said...

I'm back :-)

Looks like you can use a parameter in this format: -PasswordNeverExpires:$False

The colon was the missing link.

Jonathan Medd said...

Thanks for the info!

This blog can now be found over at http://jonathanmedd.net