Active directory script

    • #178254

      Hello

      I'm searching for a PowerShell script for AccountDisabled with a time value.

      This one works fine, but I want to know the users disabled in the last 30 days only, and not all of AD.

      Possible?

      Thank you

      Search-ADAccount -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName
      
      
      
    • #178455

      You can get the AccountExpirationDate property from Get-ADUser:

      $today = Get-Date
      $user = Get-AdUser -Filter {(Enabled -eq $True) -and (AccountExpirationDate -lt $Today)} -Properties AccountExpirationDate
      
    • #178593

      If I understood correctly, you want to find users who have been disabled in the past 30 days. You could look into the whenChanged and Enabled attributes, but the account might be changed by some other attribute, so it would not be solid data.

      This is the closest that I can come up with: find disabled users and then check when the userAccountControl flag was last set.

      
      get-aduser -Filter {enabled -eq $false} | Get-ADReplicationAttributeMetadata -Server (Get-ADDomain).pdcemulator | where {$_.attributename -eq "userAccountControl" -and $_.LastOriginatingChangeTime -ge (get-date).adddays(-30)}
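
The replication-metadata approach from the last reply, written out as a report script. This is an added example, not code from any poster in the thread; the `$Days` parameter and the output column names `UacLastChanged` and `UacVersion` are assumptions made for illustration.

```powershell
#Requires -Modules ActiveDirectory
# Added example: list currently disabled users whose userAccountControl
# attribute last changed within the past $Days days.
# $Days and the output column names are assumptions, not from the thread.
param(
    [int]$Days = 30
)

$cutoff = (Get-Date).AddDays(-$Days)

# Query a single DC for both calls; the thread's answer uses the PDC emulator.
$server = (Get-ADDomain).PDCEmulator

$report = foreach ($user in Get-ADUser -Filter 'Enabled -eq $false' -Server $server) {
    # Request only the userAccountControl metadata instead of every attribute.
    $meta = Get-ADReplicationAttributeMetadata -Object $user -Server $server `
        -Properties userAccountControl

    if ($meta -and $meta.LastOriginatingChangeTime -ge $cutoff) {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            UacLastChanged    = $meta.LastOriginatingChangeTime
            UacVersion        = $meta.Version
        }
    }
}

# userAccountControl carries other flags besides "account disabled", so
# UacLastChanged is the last change to any of them. The report can therefore
# include an account that was disabled earlier and had another flag changed
# inside the window, but it will not miss one disabled inside the window.
$report | Sort-Object UacLastChanged -Descending
```

Where the exact disable time matters, compare the result against Security event 4725 ("A user account was disabled") in the domain controllers' logs.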
      
      