« Custom script header and other snippets
Best PowerShell Editor & Debugger »

Locating obsolete users and computers

Published July 30, 2010 Active Directory , AD , AD cmdlets , Examples , PowerShell Comments

Just got easier (and faster!) in AD cmdlets 1.4! Before this release you still could manually filter user or computer records by pwdLastSet or LastLogonTimestamp – now user and computer retrieval by a bunch of attributes with an easy command like:

Get-QADUser -Inactive

or

Get-QADComputer -Inactive

This -Inactive parameter retrieves all accounts which have been in expired state, not used for logon, or with with password not being changed beyond the thresholds set by the  Set-QADInactiveAccountsPolicy cmdlet. Like this:

Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 0 -AccountNotLoggedOnPeriod 30 -PasswordNotChangedPeriod 120

You can get the current settings in your environment by executing Get-QADInactiveAccountsPolicy.

In addition to -Inactive, there are other related parameters, such as -InactiveFor – which lets you specify the number of days the account has been in the inactive state:

Get-QADComputer -InactiveFor 30

Or you can go more granular and just use:

NotLoggedOnFor – to specify the number of days since last time the account was used to log on (note that LastLogonTimestamp parameter is used, which means that it is replicated between DCs and the retrieval is fast and works with any domain controller, but it requires 2003 or later AD schema and is only replicated every 9-14 days (so please don’t specify values less than 14):

Get-QADUser -NotLoggedOnFor 60

Get-QADComputer -NotLoggedOnFor 60

PasswordNotChangedFor – days since the account last changed password (computer accounts also have passwords which they are automatically rolling over):

Get-QADUser -PasswordNotChangedFor 180

Get-QADComputer -PasswordNotChangedFor 90

ExpiredFor – just for Get-QADUser – the number of days since the account expired:

Get-QADUser -ExpiredFor 30

You can also use a combination of Inactive/InactiveFor and ExpiredFor/NotLoggedOnFor/PasswordNotChangedFor – in which case the more specific parameters override the default inactivity criteria you set.

Read more about these cmdlets and their parameters in our online reference:

About these ads

6 Responses to “Locating obsolete users and computers”

Feed for this Entry Trackback Address
  1. 1 Shay Levy August 1, 2010 at 10:39 am

    > and is only replicated every 9-14 days (so please don’t specify values less than 14)

    It would be better if the cmdlet will write a warning to the screen when the caller specifies a value that is less than 14.

    Reply
  2. 3 Rick Sheikh August 24, 2010 at 5:39 pm

    It is interesting that below I have three different results for something that should be pretty accurate.

    [PS] C:\PS>$old=(get-date).adddays(-60)
    [PS] C:\PS>Get-QADUser -enabled -sl 0 | where{$_.lastlogontimestamp -lt $old} | Measure-Object

    Count : 265
    Average :
    Sum :
    Maximum :
    Minimum :
    Property :

    [PS] C:\PS>Get-QADUser -enabled -Inactivefor 60 -sl 0 | Measure-Object

    Count : 255
    Average :
    Sum :
    Maximum :
    Minimum :
    Property :

    [PS] C:\PS>Get-QADUser -enabled -notloggedonfor 60 -sl 0 | Measure-Object

    Count : 245
    Average :
    Sum :
    Maximum :
    Minimum :
    Property :

    Reply
  3. 4 CocoB August 11, 2011 at 9:24 am

    Hi, is it possible to combine the two commands in one to find inactive computers and the users that used this computers?

    Reply

  1. 1 Locate obsolete computer records in AD « Dmitry’s PowerBlog: PowerShell and beyond Trackback on July 30, 2010 at 5:23 pm
  2. 2 11 Essential AD Tools replaced with PowerShell « Dmitry’s PowerBlog: PowerShell and beyond Trackback on July 30, 2010 at 5:25 pm

Leave a Reply

Fill in your details below or click an icon to log in:

Gravatar
WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Cancel

Connecting to %s

« Custom script header and other snippets
Best PowerShell Editor & Debugger »

 Subscribe in a reader

Subscribe by email

Add to Technorati Favorites

My Recent Tweets

RSS My company’s blog

  • Meet our iPad2 Winner, Bruce Burke
    Last month we ran our first sweeps contest and received over 30,000 entries in just 4 weeks! Below is a screenshot of the Facebook entries: After announcing the winner, Bruce Burke, I decided to get in touch and find out more about him and how he is using Jelastic for his projects. Hi Bruce, thanks [...]The post Meet our iPad2 Winner, Bruce Burke appeared fi […]
  • MongoDB Master Slave Replication
    As we’ve already told you in our previous post about MySQL master-slave replication the database replication offers various benefits depending on its type and the options you choose, but the common benefit of replication is the availability of data when and where it is needed.  As a result, your customers will experience improved availability of replicated d […]
  • Integration with NetBeans IDE
    Like millions of developers out there we really love NetBeans IDE, which lets you quickly and easily develop Java desktop, mobile, and web applications, while also providing great tools for PHP developers. That’s why we have created a Jelastic plugin for this platform. With the new Jelastic plugin for NetBeans IDE, you can work with your development, [...]Th […]
  • New Version of Jelastic – 1.9.1 Launched
    Today we announced the launch of a major new version of Jelastic. The new version, 1.9.1, features a CRON scheduler, the ability to schedule database backups, new notifications about running out of resources and the latest versions of software stacks (including PostgreSQL 9.2.4). The newly launched Jelastic 1.9.1 includes: CRON job scheduler, Scheduled datab […]
  • Jelastic Released Commercially by innofield!
    Switzerland is well know for chocolate, their army knives and creating fabulous watches. Thanks to innofield,  the Swiss will forever be known as the providers of the first Swiss based PaaS solution with their Flow App Engine (powered by Jelastic). This week, innofield came out of beta and launched commercially with Jelastic 1.9.1. “As Platform-as-a-Service […]
  • Play 1 vs Play 2 Framework
    Today’s guest post comes to you from our friend and user, Dane Marcelo, JArchitect product manager. He points out some interesting differences between the Play 1 and the Play 2 frameworks. So, let’s dive into this great post! Play is an open source web application framework, written in Scala and Java, which follows the model–view–controller (MVC) architectur […]
  • Cloud Software Stacks Market Share: April 2013
    It’s that time where we can share with you the updated statistics on databases, Java and PHP application servers as well as Java and PHP version popularity. Last month was hot here at Jelastic: we launched Jelastic in the Netherlands with the most technically advanced hoster in the country – info.nl and in Switzerland with our very [...]The post Cloud Softwa […]

Legal

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my former employer - Quest Software, or my current employer - Jelastic or anyone else for that matter. All trademarks acknowledged.

© 2007-2013 Dmitry Sotnikov

Pages

July 2010
M T W T F S S
« Jun   Aug »
 1234
567891011
12131415161718
19202122232425
262728293031  
Follow

Get every new post delivered to your Inbox.

Join 65 other followers

%d bloggers like this: