Locating obsolete users and computers

Just got easier (and faster!) in AD cmdlets 1.4! Before this release you still had to manually filter user or computer records by pwdLastSet or LastLogonTimestamp; now you can retrieve inactive users and computers by a whole set of attributes with an easy command like:

Get-QADUser -Inactive

or

Get-QADComputer -Inactive

This -Inactive parameter retrieves all accounts which are in the expired state, have not been used for logon, or whose password has not been changed beyond the thresholds set by the Set-QADInactiveAccountsPolicy cmdlet. Like this:

Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 0 -AccountNotLoggedOnPeriod 30 -PasswordNotChangedPeriod 120

You can get the current settings in your environment by executing Get-QADInactiveAccountsPolicy.

In addition to -Inactive, there are other related parameters, such as -InactiveFor – which lets you specify the number of days the account has been in the inactive state:

Get-QADComputer -InactiveFor 30

Or you can go more granular and just use:

NotLoggedOnFor – to specify the number of days since the last time the account was used to log on. Note that the LastLogonTimestamp attribute is used, which means it is replicated between DCs, so the retrieval is fast and works against any domain controller; however, it requires a 2003 or later AD schema and is only replicated every 9-14 days (so please don’t specify values less than 14):

Get-QADUser -NotLoggedOnFor 60

Get-QADComputer -NotLoggedOnFor 60

PasswordNotChangedFor – days since the account last changed password (computer accounts also have passwords which they are automatically rolling over):

Get-QADUser -PasswordNotChangedFor 180

Get-QADComputer -PasswordNotChangedFor 90

ExpiredFor – just for Get-QADUser – the number of days since the account expired:

Get-QADUser -ExpiredFor 30

You can also use a combination of Inactive/InactiveFor and ExpiredFor/NotLoggedOnFor/PasswordNotChangedFor – in which case the more specific parameters override the default inactivity criteria you set.
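As an added example (not code from the original post), here is an end-to-end stale-account sweep built on the parameters above: set the policy, write a report, then quarantine with -WhatIf so nothing changes until the report has been reviewed. It assumes the Quest snap-in is loaded, that Disable-QADUser, Disable-QADComputer and Move-QADObject are available, that the OU and report path are placeholders, and that the property names used (DN, LastLogonTimestamp, PasswordLastSet, AccountExpirationDate, ParentContainer) match the Quest object properties.

```powershell
# Added example, not from the original post. Assumes the Quest AD cmdlets
# (1.4 or later) snap-in; the OU and report path below are placeholders.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$QuarantineOU = 'OU=Stale Accounts,DC=example,DC=com'   # placeholder
$ReportPath   = 'C:\Reports\stale-accounts.csv'          # placeholder

# Thresholds: lastLogonTimestamp is only replicated every 9-14 days, so the
# logon threshold must stay well above 14 days to avoid false positives.
Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 0 `
                              -AccountNotLoggedOnPeriod 90 `
                              -PasswordNotChangedPeriod 180
Get-QADInactiveAccountsPolicy

# Collect stale users and computers with the attributes an auditor wants.
# -SizeLimit 0 lifts the default result cap so nothing is silently truncated.
# Property names are assumed to match the Quest object properties.
$staleUsers = @(Get-QADUser -Inactive -Enabled -SizeLimit 0 |
    Select-Object Name, DN, LastLogonTimestamp, PasswordLastSet,
                  AccountExpirationDate, ParentContainer,
                  @{Name='Type'; Expression={'User'}})

$staleComputers = @(Get-QADComputer -Inactive -SizeLimit 0 |
    Select-Object Name, DN, LastLogonTimestamp, PasswordLastSet,
                  @{Name='AccountExpirationDate'; Expression={$null}},
                  ParentContainer,
                  @{Name='Type'; Expression={'Computer'}})

# Write the report first so there is an audit trail before any change.
$staleUsers + $staleComputers |
    Sort-Object Type, LastLogonTimestamp |
    Export-Csv -Path $ReportPath -NoTypeInformation

# Quarantine rather than delete: disable and move to a dedicated OU so a
# mistakenly flagged account can be restored in seconds. -WhatIf keeps this
# a dry run; remove it once the report has been reviewed.
foreach ($u in $staleUsers) {
    Disable-QADUser -Identity $u.DN -WhatIf
    Move-QADObject  -Identity $u.DN -NewParentContainer $QuarantineOU -WhatIf
}
foreach ($c in $staleComputers) {
    Disable-QADComputer -Identity $c.DN -WhatIf
    Move-QADObject      -Identity $c.DN -NewParentContainer $QuarantineOU -WhatIf
}
```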

Read more about these cmdlets and their parameters in our online reference:


9 Responses to “Locating obsolete users and computers”


  1. 1 Shay Levy August 1, 2010 at 10:39 am

    > and is only replicated every 9-14 days (so please don’t specify values less than 14)

    It would be better if the cmdlet will write a warning to the screen when the caller specifies a value that is less than 14.

  2. 3 Rick Sheikh August 24, 2010 at 5:39 pm

    It is interesting that below I have three different results for something that should be pretty accurate.

    [PS] C:\PS>$old=(get-date).adddays(-60)
    [PS] C:\PS>Get-QADUser -enabled -sl 0 | where{$_.lastlogontimestamp -lt $old} | Measure-Object

    Count : 265
    Average :
    Sum :
    Maximum :
    Minimum :
    Property :

    [PS] C:\PS>Get-QADUser -enabled -Inactivefor 60 -sl 0 | Measure-Object

    Count : 255
    Average :
    Sum :
    Maximum :
    Minimum :
    Property :

    [PS] C:\PS>Get-QADUser -enabled -notloggedonfor 60 -sl 0 | Measure-Object

    Count : 245
    Average :
    Sum :
    Maximum :
    Minimum :
    Property :

  3. 4 CocoB August 11, 2011 at 9:24 am

    Hi, is it possible to combine the two commands in one to find inactive computers and the users that used these computers?

  4. 5 wexen November 18, 2013 at 3:35 pm

    Hi Dmitry.
    I am using the get-Qaduser -notloggedonfor 60, but the results are not correct.
    Maybe it is something with the AD where I am running the query, but I cannot find the reason.

    the query returns very old lastLoggedOnDate …
    Maybe you have an idea why this could happen?


© 2007-2014 Dmitry Sotnikov