Question
Monday, April 11, 2011 1:54 AM
Hi everyone,
I'm wanting to generate a report of inactive users for the past 90 days using PowerShell, and being a PowerShell newbie need a bit of help getting it over the line. In addition to 90 day inactive condition, no disabled user accounts should be included in the report. This is the command I'm using, however the select on the givenname and surname fields is not returning any data.
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | ?{$_.enabled -eq $true} | select name, givenname, surname | export-csv c:\report\unusedaccounts.csv -NoTypeInformation
This report is for management so I need to have the users actual name to accompany their username. Any suggestions for where I am going wrong here?
All replies (17)
Monday, April 11, 2011 2:27 AM ✅ Answered | 5 votes
The Search-ADAccount cmdlet returns a limited set of user attributes. You will need to modify your command line to pipe the output to something that does expose the required attributes (Get-ADUser), e.g.
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | ?{$_.enabled -eq $true} | %{Get-ADUser $_.ObjectGuid} | select name, givenname, surname | export-csv c:\report\unusedaccounts.csv -NoTypeInformation
Tony
Monday, April 11, 2011 3:53 AM
Thanks for the replies. It looks like I'm having issues with the command returning only enabled accounts. I tried your suggestion Richard with the "-band 2" check, however it still looks as if all inactive users are being returned rather than just the enabled inactive users. Also, is there any way I can configure this command to target an OU (and all sub-containers)?
Thursday, April 14, 2011 2:48 AM
Thanks for your help again Richard. I think your syntax here is correct, however I am still getting vastly different results to running an inactive user query from within the ADUC snap-in. Running the command you supplied based from a specific OU returns 337 users where ADUC reports there being 1122 user accounts in total. When I create a query from ADUC to get all users who have not logged in for the past 90 days I only get 48 users returned.
337 inactive users out of 1122 seems pretty high. Any idea why I might be getting this discrepancy between PowerShell and ADUC? The same user credentials were used for both...
Thursday, April 14, 2011 12:06 PM
I'd list out the users (or at least part of them) and find one that is different and then inspect the user and their OU location to see what may be different.
Wednesday, April 20, 2011 5:15 AM | 1 vote
Thanks again for the replies, and my apologies for not getting back sooner. The ADUC query I am using is from under the "Common Queries" menu item in the query definition screen. The query string window displays the following "The query is valid but will not be shown here because it contains values that must be computed when the query is run."
Process I followed here entails;
1. Right click "Saved Queries" in ADUC and select New then Query.
2. Under "Browse" select OU root I want to search from
3. Ensure "Include subcontainers" is ticked
4. Click "Define Query", select "Common Queries" from the Find drop down menu.
5. Select 90 from "Days since last logon" drop down
6. Save query and run
The current domain functional level is Windows 2008
Wednesday, April 20, 2011 5:53 AM
This is the command I am running in PowerShell (with domain/OU details modified);
Search-ADAccount -UsersOnly -SearchBase "ou=Bottom,ou=Middle,ou=Top,dc=mydomain,dc=com" -AccountInactive -TimeSpan 90 | Get-ADUser -Properties Name, sAMAccountName, givenName, sn, userAccountControl | Where {($_.userAccountControl -band 2) -eq $False} | Select sAMAccountName, givenName, sn | Sort-Object sAMAccountName | export-csv c:\report\90day-Inactive-users.csv -NoTypeInformation
For the point of testing I've changed the OU target to one that has no subcontainers. There are 1133 user accounts in total, PowerShell reports 360 as inactive where ADUC reports 237. Even weirder is that for the most part they are also returning different users. I put the results of both into Excel and there is a crossover of only 49 user accounts.
Wednesday, April 20, 2011 6:02 AM
Ok, I've decided it's safe to disregard the results returned by ADUC, though I still don't understand why it is returning different results. Using ADSI Edit I viewed the lastLogonTimeStamp of a selection of users from both results. The results from PowerShell were 100% accurate, the ADUC results were nowhere near accurate (some users didn't even exist in the OU I specified in the query). Thanks again so much for the help.
Tuesday, April 2, 2013 8:01 AM
Hello,
I am using the following PS command to find inactive users:
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 30.00:00:00
With which command can I add the option for "enabled=true" within this command?
Thx
Tuesday, April 2, 2013 8:22 AM
MVd....Richard clearly explained in his previous post.
Search-ADAccount -AccountInactive -TimeSpan 90 | Get-ADUser -Properties Name, sAMAccountName, givenName, sn, userAccountControl | Where {($_.userAccountControl -band 2) -eq $False} | Select Name, sAMAccountName, givenName, sn
Note there is no enabled attribute, you need to test the appropriate bit of the userAccountControl attribute (-band with bit mask 2, and check for $False, meaning the account is not disabled). Does this help
Thanks Azam When you see answers please Mark as Answer if Helpful..vote as helpful.
Tuesday, April 2, 2013 8:31 AM
Thx!
Tuesday, May 21, 2013 3:25 PM | 2 votes
Hi, what do you think about this one:
System generated listing of AD accounts that have been inactive for more than 90 days, or that shows the last used date
$90Days = (get-date).adddays(-90)
Get-ADUser -properties * -filter {(lastlogondate -notlike "*" -OR lastlogondate -le $90days) -AND (passwordlastset -le $90days) -AND (enabled -eq $True) -and (PasswordNeverExpires -eq $false) -and (whencreated -le $90days)} | select-object name, SAMaccountname, passwordExpired, PasswordNeverExpires, logoncount, whenCreated, lastlogondate, PasswordLastSet, lastlogontimestamp | export-csv c:\scripts\90days.txt
AG
Thursday, June 23, 2016 5:51 PM
If you use Search-ADAccount -AccountInactive -TimeSpan 90 remember to use "" quotes around the -TimeSpan parameter.
Example: Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "90" | Get-ADUser -Properties SamAccountName | Select SamAccountName
Otherwise you will get incorrect results.
Monday, March 13, 2017 7:48 PM
I'm a noob, sorry, I'm sure this is very easy to modify, but after the last 30 minutes of searching google... I need help...
This works perfectly for me!
Except I desperately need the username and the canonical name
I tried:
Search-ADAccount -AccountInactive -TimeSpan 180.00:00:00 | ?{$_.enabled -eq $true} | %{Get-ADUser $_.ObjectGuid} | select name, username, canonicalname | export-csv c:\users\me]\desktop\180DayInactiveAccounts.csv -NoTypeInformation
I got Microsoft.ActiveDirectory.Management.ADPropertyValueCollection for the username and the canonicalname is blank. I'm looking for an output such as:
Nurse Jane njane OU=company.local, ou=nursing, ou=campus, ou=ICU
so that we can quickly sort through the accounts, and/or contact the appropriate manager for that area
Wednesday, October 24, 2018 6:22 PM
This worked and it was super easy to do.
Thanks
Wednesday, October 24, 2018 6:48 PM | 1 vote
import-module activedirectory
$90Days = (get-date).adddays(-90)
Get-ADUser -properties * -filter {(lastlogondate -notlike "*" -OR lastlogondate -le $90days) -AND (passwordlastset -le $90days) -AND (enabled -eq $True) -and (PasswordNeverExpires -eq $false) -and (whencreated -le $90days)} | select-object name, SAMaccountname, passwordExpired, PasswordNeverExpires, logoncount, whenCreated, lastlogondate, PasswordLastSet, lastlogontimestamp | export-csv c:\90days.txt
The one above will do last 90 day login, and the one below will do who has not changed their password in 90 days.
Import-module activedirectory
$date = get-date
Get-ADUser -Filter * -Properties PasswordLastSet | ? {$_.PasswordLastSet -lt $date.adddays(-90) } | select name,samaccountname, PasswordLastSet
Friday, February 1, 2019 4:06 PM
This worked great to pull one OU, but how can I get it to exclude one OU and it's child OUs but include all the other OUs.
Thanks!
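An added example, not part of any reply in this thread: one way to build the enabled-but-inactive report with the logon name and canonical name included, while skipping one OU and everything beneath it. The OU names, output path and variable names are assumptions to be replaced with your own.

```powershell
Import-Module ActiveDirectory

# Assumed values (not from the thread): adjust for your own domain.
$SearchBase = 'OU=Top,DC=mydomain,DC=com'
$ExcludeOU  = 'OU=Service Accounts,OU=Top,DC=mydomain,DC=com'
$OutFile    = 'C:\report\inactive-enabled-users.csv'

# Build the window explicitly. A bare integer (-TimeSpan 90) is converted to
# 90 ticks rather than 90 days, so pass a real TimeSpan object instead.
$Window = New-TimeSpan -Days 90

$report = Search-ADAccount -AccountInactive -UsersOnly -TimeSpan $Window -SearchBase $SearchBase |
    # Search-ADAccount already exposes Enabled, so disabled accounts can be dropped here.
    Where-Object { $_.Enabled } |
    # Exclude the unwanted OU and its child OUs by matching the DN suffix.
    Where-Object { $_.DistinguishedName -notlike "*,$ExcludeOU" } |
    # CanonicalName and LastLogonDate are only returned when requested explicitly.
    ForEach-Object { Get-ADUser -Identity $_.ObjectGUID -Properties CanonicalName, LastLogonDate } |
    Select-Object Name, GivenName, Surname, SamAccountName, CanonicalName, LastLogonDate |
    Sort-Object SamAccountName

$report | Export-Csv -Path $OutFile -NoTypeInformation
```

The logon name is SamAccountName; there is no property called username on the objects Get-ADUser returns.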
Wednesday, April 3, 2019 6:13 PM
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90 | ?{$_.enabled -eq $True} | Get-ADUser -Properties Name, sAMAccountName, givenName, sn | Select Name, sAMAccountName, givenName, sn | export-csv c:\users\username\desktop\90DayInactiveAccounts.csv -NoTypeInformation
This script kicks back some accounts that are confirmed active. I ran it on 2 different DCs to confirm.
I can see an account listed in results with 18 "open files" per compmgmt.msc
Domain mode is 2008R2
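An added example, not part of any reply in this thread: before acting on a stale-account report, each candidate can be cross-checked against the lastLogon attribute, which is not replicated and therefore has to be read from every domain controller. The function name Get-LatestLogonAcrossDCs is hypothetical, and the sketch assumes every DC is reachable from where it runs.

```powershell
Import-Module ActiveDirectory

# Hypothetical helper: newest non-replicated lastLogon for one account across all DCs.
function Get-LatestLogonAcrossDCs {
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $latest = [long]0
    $source = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
        } catch {
            # An unreachable DC means the answer is incomplete; surface it.
            Write-Warning "Could not query $($dc.HostName): $_"
            continue
        }
        if ($u.lastLogon -gt $latest) {
            $latest = $u.lastLogon
            $source = $dc.HostName
        }
    }

    [pscustomobject]@{
        SamAccountName   = $SamAccountName
        # lastLogon is a Windows FILETIME; 0 or empty means no logon recorded.
        LastLogon        = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }
        DomainController = $source
    }
}

# List accounts the inactivity search flagged but that a DC has seen within 90 days.
$cutoff = (Get-Date).AddDays(-90)
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan (New-TimeSpan -Days 90) |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-LatestLogonAcrossDCs -SamAccountName $_.SamAccountName } |
    Where-Object { $_.LastLogon -and $_.LastLogon -gt $cutoff }
```

Any account this returns was flagged as inactive but has a recent logon on at least one DC, so it should be reviewed before it is disabled or removed.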