
April 27, 2017 at 10:59 pm

I'm trying to get all disabled AD objects, filter only the disabled AD objects, and list only the users that have been disabled for more than a year.

Is there any filter other than LastLogonDate?

April 28, 2017 at 6:18 am

Sure, here are some examples. These are all AD attributes. You can filter on most of the attributes that make sense to do so, with a few quirks – "EmailAddress" won't work, but "mail" does, for example.

Get-ADUser -filter {Enabled -eq $False}
Get-ADUser -Filter {PasswordExpired -eq $True}
Get-ADUser -Filter {(PasswordNeverExpires -eq $False) -and (Mail -like '*')}

April 28, 2017 at 5:46 pm

When an account is disabled, the userAccountControl attribute is set to 514. You can use Get-ADReplicationAttributeMetadata to find out when that attribute was last set:

# Users whose userAccountControl is exactly 514 (NORMAL_ACCOUNT + ACCOUNTDISABLE)
$disabledUsers = Get-ADObject -Filter "ObjectClass -eq 'User' -and userAccountControl -eq '514'"

foreach ($disabledUser in $disabledUsers) {

    # Replication metadata shows when the attribute was last written on this replica
    Get-ADReplicationAttributeMetadata $disabledUser -Server localhost |
        Where-Object {$_.AttributeName -eq 'UserAccountControl'} | Select Object,LastOriginatingChangeTime |
            Where-Object {$_.LastOriginatingChangeTime -lt (Get-Date).AddDays(-365)}
}

April 29, 2017 at 6:45 pm

That shows the date of the last change, which may or may not be when the account was disabled.
You may have to use one of the optional fields to set a date.

April 30, 2017 at 8:52 pm

Richard, can you elaborate please? I'm not seeing the flaw in my logic.

If the current value of the attribute is 514 (account disabled) and the LastOriginatingChangeTime property of the attribute shows the date/time of the last change to the attribute, under what circumstances might it not represent the date/time when the account was disabled?
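One way to run the same metadata check while keeping the objection from the previous posts visible, as an added example that is not code from any poster in this thread: it selects disabled users by the ACCOUNTDISABLE bit rather than the exact value 514 and reports the attribute's write count next to its last change time, so a user can see when that time may reflect a later flag change rather than the disable itself. It assumes the ActiveDirectory module is installed and that $Server names a domain controller whose replication metadata you can read.

```powershell
# Added example, not code from any poster in this thread.
# Assumes the ActiveDirectory module and read access to replication metadata on $Server.
param(
    [string]$Server = (Get-ADDomain).PDCEmulator,
    [int]$MinDaysDisabled = 365
)

Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$MinDaysDisabled)

# A bitwise LDAP match on the ACCOUNTDISABLE bit (0x2) catches every disabled user,
# including ones whose userAccountControl is not exactly 514 (for example 66050 when
# DONT_EXPIRE_PASSWORD is also set), which an -eq 514 filter would silently miss.
$ldap = '(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))'
$disabledUsers = Get-ADUser -LDAPFilter $ldap -Server $Server -Properties userAccountControl

$report = foreach ($user in $disabledUsers) {
    # Replication metadata for the one attribute we care about.
    $meta = Get-ADReplicationAttributeMetadata -Object $user -Server $Server -Attribute userAccountControl
    if (-not $meta) { continue }

    # Version counts originating writes to the attribute. A value above 1 means it has
    # been changed more than once, so LastOriginatingChangeTime may belong to a later
    # flag change and is only an upper bound on how long the account has been disabled.
    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        UserAccountControl = $user.userAccountControl
        UacLastChanged     = $meta.LastOriginatingChangeTime
        UacWriteCount      = $meta.Version
        DisabledOverLimit  = $meta.LastOriginatingChangeTime -lt $cutoff
    }
}

# Accounts whose userAccountControl has not been written for at least $MinDaysDisabled days.
$report | Where-Object { $_.DisabledOverLimit } | Sort-Object UacLastChanged | Format-Table -AutoSize
```

Rows with UacWriteCount greater than 1 are the ones worth a second look, because the last write may postdate the disable.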