Active directory script

Welcome Forums General PowerShell Q&A Active directory script

This topic contains 2 replies, has 3 voices, and was last updated by

 
Participant
3 weeks, 3 days ago.

  • Author
    Posts
  • #178254

    Participant
    Topics: 1
    Replies: 0
    Points: 13
    Rank: Member

    Hello

    I'm searching a powershell script for AccountDisabled with value of time

    This one works fine but i want to know the disabled user in the last 30 days only, and not all the AD

    Possible?

    Thank you

    Search-ADAccount –AccountDisabled –UsersOnly –ResultPageSize 2000 –ResultSetSize $null | Select-Object SamAccountName, DistinguishedName
    
    
    
  • #178455

    Participant
    Topics: 8
    Replies: 1213
    Points: 756
    Helping Hand
    Rank: Major Contributor

    You can get the AccountExpirationDate property from Get-ADUser:

    $today = Get-Date
    $user = Get-AdUser -Filter {(Enabled -eq $True) -and (AccountExpirationDate -lt $Today)} -Properties AccountExpirationDate
    
  • #178593

    Participant
    Topics: 4
    Replies: 76
    Points: 91
    Helping Hand
    Rank: Member

    If I understood correctly you want to find users who has been disabled in the past 30 days. you could look in to whenChanged and Enabled attributes, but the account might be changed by some other attribute thus it would not be solid data.

    This is the closest that I can come up to find disabled users and then check when the userAccountControl flag has been set the last time.

    
    get-aduser -Filter {enabled -eq $false} | Get-ADReplicationAttributeMetadata -Server (Get-ADDomain).pdcemulator | where {$_.attributename -eq "userAccountControl" -and $_.LastOriginatingChangeTime -ge (get-date).adddays(-30)}
    
    

You must be logged in to reply to this topic.