Just got easier (and faster!) in AD cmdlets 1.4! Before this release you could still filter user or computer records manually by pwdLastSet or LastLogonTimestamp; now inactive users and computers are retrieved by these attributes with an easy command like:
Get-QADUser -Inactive
or
Get-QADComputer -Inactive
This -Inactive parameter retrieves all accounts which are in the expired state, have not been used for logon, or have not had their password changed within the thresholds set by the Set-QADInactiveAccountsPolicy cmdlet. Like this:
Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 0 -AccountNotLoggedOnPeriod 30 -PasswordNotChangedPeriod 120
You can get the current settings in your environment by executing Get-QADInactiveAccountsPolicy.
In addition to -Inactive, there are other related parameters, such as -InactiveFor – which lets you specify the number of days the account has been in the inactive state:
Get-QADComputer -InactiveFor 30
Or you can go more granular and just use:
NotLoggedOnFor – to specify the number of days since the last time the account was used to log on (note that the LastLogonTimestamp attribute is used, which means that it is replicated between DCs, so the retrieval is fast and works with any domain controller, but it requires a 2003 or later AD schema and is only replicated every 9-14 days, so please don’t specify values less than 14):
Get-QADUser -NotLoggedOnFor 60
Get-QADComputer -NotLoggedOnFor 60
PasswordNotChangedFor – days since the account last changed password (computer accounts also have passwords which they are automatically rolling over):
Get-QADUser -PasswordNotChangedFor 180
Get-QADComputer -PasswordNotChangedFor 90
ExpiredFor – just for Get-QADUser – the number of days since the account expired:
Get-QADUser -ExpiredFor 30
You can also use a combination of Inactive/InactiveFor and ExpiredFor/NotLoggedOnFor/PasswordNotChangedFor – in which case the more specific parameters override the default inactivity criteria you set.
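Putting the parameters above together, here is an added example (not from the original post or the cmdlet documentation) of a stale-account review script: it records and sets the policy, pulls enabled users that match it together with the criterion each one hit, uses the more specific -NotLoggedOnFor for computers, and exports both lists. The snap-in name, the -Enabled and -SizeLimit parameters, and the property names on the returned objects are assumptions not stated in the post.

```powershell
# Added example, not from the original post. Assumed (not stated in the post):
# the Quest.ActiveRoles.ADManagement snap-in name, the -Enabled and -SizeLimit
# parameters, and the property names Name, LastLogonTimestamp, PasswordLastSet
# and AccountExpirationDate on the returned objects.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction Stop

# Review thresholds. NotLoggedOn stays >= 14 days because LastLogonTimestamp is
# only replicated every 9-14 days; a smaller value would flag active accounts.
$notLoggedOnDays = 90
$pwdAgeDays      = 180
if ($notLoggedOnDays -lt 14) {
    throw "NotLoggedOnFor must be at least 14 days (LastLogonTimestamp granularity)"
}

# Keep the previous policy on record so the report is reproducible, then set the
# thresholds that the plain -Inactive switch will use.
$previousPolicy = Get-QADInactiveAccountsPolicy
Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 0 `
    -AccountNotLoggedOnPeriod $notLoggedOnDays `
    -PasswordNotChangedPeriod $pwdAgeDays

$now = Get-Date

# Enabled users that meet the inactivity policy still grant access, so they are
# listed first, with the criterion each one matched.
$staleUsers = Get-QADUser -Inactive -Enabled -SizeLimit 0 |
    Select-Object SamAccountName, LastLogonTimestamp, PasswordLastSet,
        AccountExpirationDate,
        @{ n = 'Reason'; e = {
            $r = @()
            if ($_.AccountExpirationDate -and $_.AccountExpirationDate -lt $now) { $r += 'expired' }
            if (-not $_.LastLogonTimestamp -or
                $_.LastLogonTimestamp -lt $now.AddDays(-$notLoggedOnDays)) { $r += 'no-logon' }
            if (-not $_.PasswordLastSet -or
                $_.PasswordLastSet -lt $now.AddDays(-$pwdAgeDays)) { $r += 'old-password' }
            $r -join ','
        } }

# Computer accounts: the more specific parameter overrides the policy default,
# so a shorter logon threshold can be used here without changing the policy.
$staleComputers = Get-QADComputer -NotLoggedOnFor 60 -SizeLimit 0 |
    Select-Object Name, LastLogonTimestamp, PasswordLastSet

$staleUsers     | Export-Csv -NoTypeInformation -Path .\stale-users.csv
$staleComputers | Export-Csv -NoTypeInformation -Path .\stale-computers.csv
"{0} stale users, {1} stale computers (policy before run: {2})" -f `
    @($staleUsers).Count, @($staleComputers).Count, ($previousPolicy | Out-String).Trim()
```

Review the two CSV files before disabling anything: a user with only 'old-password' may be a service account that is still in use, and a computer that is powered off for a long project can legitimately exceed the logon threshold.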
Read more about these cmdlets and their parameters in our online reference: