I would like to get the actual date of accounts that have expired but are still enabled in Active Directory. I always get the date + 1 day. For example, if a user expired today (15/11/2022), it shows (16/11/2022)... Can you help me with this?
Get-ADUser -Filter * -properties AccountExpirationDate |
Where-Object{$_.AccountExpirationDate -lt (Get-Date) -and $_.AccountExpirationDate -ne $null -and $_.Enabled -eq $True} |
select-object Name, SamAccountName, AccountExpirationDate | Sort-Object -Property {$_.AccountExpirationDate} -Descending
I always like to include LDAP property accountExpires in there (PowerShell conveniently converts this to local time in Property AccountExpirationDate)
to first check if the attribute has never been set (value 0) or if the attribute for the user has been set to 'Never Expires' (value 9223372036854775807).
Try
$refDate = (Get-Date).Date # set to midnight
# or use -LDAPFilter "(!userAccountControl:1.2.840.113556.1.4.803:=2)"
Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate, accountExpires |
Where-Object {($_.accountExpires -gt 0 -and $_.accountExpires -ne 9223372036854775807) -and
($_.AccountExpirationDate -le $refDate)} |
Select-Object Name, SamAccountName, AccountExpirationDate |
Sort-Object AccountExpirationDate -Descending
Thanks Theo, I've found what I was looking for
$refDate = (Get-Date).Date # set to midnight
Get-ADUser -Filter 'Enabled -eq $true' -Properties AccountExpirationDate, accountExpires |
Where-Object {($_.accountExpires -gt 0 -and $_.accountExpires -ne 9223372036854775807) -and
($_.AccountExpirationDate -le $refDate)} |
Select-Object Name, SamAccountName, @{Name="AccountExpirationDate";Expression={(Get-Date $_.AccountExpirationDate).AddDays(-1)}} |
Sort-Object AccountExpirationDate -Descending
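The "+1 day" comes from how the value is stored: the ADUC Account tab's "End of <date>" writes accountExpires as the first instant of the following day, so AccountExpirationDate is the moment the account stops working and the last usable day is one second before it. The following is an added example, not code from this thread: it decodes the raw value (handling the 0 and never-expires sentinels), moves the expiry test into the server-side filter instead of pulling every user, and ends with an offline check on a constructed value.

```powershell
# Added example (not from the thread). Decodes accountExpires and reports expired-but-enabled users.
function ConvertFrom-AccountExpires {
    param([Parameter(Mandatory)][int64]$AccountExpires)
    # 0 = attribute never set, Int64.MaxValue = explicitly "Never"; both mean no expiry.
    if ($AccountExpires -eq 0 -or $AccountExpires -eq [int64]::MaxValue) { return $null }
    $expiresAt = [datetime]::FromFileTime($AccountExpires)   # local time, same as AccountExpirationDate
    [pscustomobject]@{
        ExpiresAt    = $expiresAt                         # first instant the account is unusable
        LastValidDay = $expiresAt.AddSeconds(-1).Date      # the day the admin picked in ADUC
    }
}

function Get-ExpiredEnabledUser {
    # accountExpires is a FILETIME, so compare it against the current FILETIME on the DC side.
    # Int64.MaxValue ("Never") is larger than now, so "-lt now" excludes it; "-gt 0" drops unset.
    $nowFileTime = (Get-Date).ToFileTime()
    Get-ADUser -Filter "Enabled -eq 'True' -and accountExpires -gt 0 -and accountExpires -lt $nowFileTime" `
               -Properties accountExpires |
        ForEach-Object {
            $e = ConvertFrom-AccountExpires $_.accountExpires
            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                ExpiresAt      = $e.ExpiresAt
                LastValidDay   = $e.LastValidDay
            }
        } | Sort-Object ExpiresAt -Descending
}

# Offline check with a constructed value: "End of 15/11/2022" is stored as 16/11/2022 00:00 local,
# so LastValidDay comes back as 15/11/2022 without the AddDays(-1) guesswork.
$constructed = [datetime]::new(2022, 11, 16).ToFileTime()
ConvertFrom-AccountExpires -AccountExpires $constructed
```

Run Get-ExpiredEnabledUser against a domain to get the live list; the offline check at the bottom needs no domain connection.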
Related
I need to provide a report of accounts that are disabled, but still have security groups in their account so I can purge them. Can you help me with this? In my file, it doesn't show the group names. I only get Microsoft.ActiveDirectory.Management.ADPropertyValueCollection
$path = "c:\temp\DisabledUsers_ContainGroups ($(Get-Date -Format "yyyy-MM-dd")).xlsx"
$date = Get-Date -Format yyyy-MM-dd
Get-ADUser -Filter ({enabled -eq $false -and memberof -like '*'}) -properties Name, Samaccountname, memberof | select Name, Samaccountname, memberof | Export-excel -Path $path -WorksheetName $date -AutoSize -AutoFilter -TableStyle Medium2
I got what I'm looking for. Not sure how I can add a new line instead of -join ';' but it works fine. Thanks for your help.
$path = "c:\temp\DisabledUsers_GroupMembership ($(Get-Date -Format "yyyy-MM-dd")).xlsx"
$date = Get-Date -Format yyyy-MM-dd
Get-ADUser -Filter {Enabled -eq $false} -Properties name, samaccountname, MemberOf |
where {$_.MemberOf.Count -gt 1} |
select name, samaccountname, @{N= "Groups"; E ={(($_.MemberOf).split(",") |
where-object {$_.contains("CN=")}).replace("CN=","") -join ';'}} |
Export-excel -Path $path -WorksheetName $date -AutoSize -AutoFilter -TableStyle Medium2
This should get you going...
Get-AdUser -Filter {Enabled -eq $false} |
select *, @{l='MemberOf'; e={Get-AdPrincipalGroupMemberShip $_}} |
where {$_.MemberOf.Count -gt 1}
Then you can filter out the properties you would like to keep
Get-AdUser -Filter {Enabled -eq $false} |
select *, @{l='MemberOf'; e={Get-AdPrincipalGroupMemberShip $_}} |
where {$_.MemberOf.Count -gt 1} |
select SamAccountName, MemberOf
or if you don't like to get all properties of the groups
Get-AdUser -Filter {Enabled -eq $false} |
select *, @{
l='MemberOf';
e={Get-AdPrincipalGroupMemberShip $_ | Select Name}
} |
where {$_.MemberOf.Count -gt 1} |
select SamAccountName, MemberOf
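Both approaches above work for plain group names, but splitting memberOf on "," breaks as soon as a group or container name contains an escaped comma (for example "CN=Payroll\, Admins"), and memberOf never lists the primary group. The following is an added example, not code from this thread or from either poster: a small DN parser that honours backslash escapes, and a report that emits one row per user/group pair so a spreadsheet filter works instead of a ';'-joined string. It assumes the ActiveDirectory module; the DNs at the bottom are constructed for an offline check.

```powershell
# Added example (not from the thread). Parses group DNs safely and lists disabled users per group.
function Get-DnLeafName {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Scan the first RDN character by character: a backslash escapes the next
    # character (e.g. "\,"), and the first unescaped comma ends the RDN.
    $sb = [System.Text.StringBuilder]::new()
    for ($i = 0; $i -lt $DistinguishedName.Length; $i++) {
        $c = $DistinguishedName[$i]
        if ($c -eq '\' -and $i + 1 -lt $DistinguishedName.Length) {
            $i++
            [void]$sb.Append($DistinguishedName[$i])
            continue
        }
        if ($c -eq ',') { break }
        [void]$sb.Append($c)
    }
    $rdn = $sb.ToString()
    return $rdn.Substring($rdn.IndexOf('=') + 1)   # drop the "CN=" attribute type
}

function Get-DisabledUserGroupReport {
    # memberOf does not contain the primary group (usually Domain Users), so a disabled
    # account that sits only in its primary group has an empty memberOf and is not listed.
    Get-ADUser -Filter "Enabled -eq 'False' -and memberOf -like '*'" -Properties memberOf |
        ForEach-Object {
            $user = $_
            foreach ($dn in $user.memberOf) {
                [pscustomobject]@{
                    Name           = $user.Name
                    SamAccountName = $user.SamAccountName
                    Group          = Get-DnLeafName $dn
                    GroupDN        = $dn
                }
            }
        }
}

# Offline check with constructed DNs (no domain needed): yields "Payroll, Admins" and "Domain Admins".
$constructedDNs = 'CN=Payroll\, Admins,OU=Groups,DC=example,DC=test',
                  'CN=Domain Admins,CN=Users,DC=example,DC=test'
$constructedDNs | ForEach-Object { Get-DnLeafName $_ }

# With a domain: one row per membership, ready for Export-Csv or Export-Excel.
# Get-DisabledUserGroupReport | Export-Csv .\DisabledUserGroups.csv -NoTypeInformation
```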
This script below works, but every attempt I make to have it cycle through all my domain controllers fails. How do I add an array to go through all these OUs on all my domain controllers? Thanks in advance!
$OUs= "OU=Test1,OU=Test1,OU=Test1,OU=Test1,OU=All Users,DC=domain,DC=local",
"OU=Test2,OU=Test2,OU=Test2,OU=All Users,OU=Test2,DC=domain,DC=local",
"OU=Test3,OU=Test3,OU=Test3,OU=All Users,OU=Test3,DC=domain,DC=local",
"OU=test4,OU=test4,OU=test4,OU=All Users,OU=test4,DC=domain,DC=local",
"OU=Test5,OU=test5,OU=Test5,OU=All Users,OU=test5,DC=domain,DC=local"
$OUs | ForEach-Object {
Get-ADUser -Filter {Enabled -eq $TRUE} -SearchBase $_ -Properties Name,SamAccountName,LastLogonDate |
Where-Object {($_.LastLogonDate -lt (Get-Date).AddDays(-7)) -and ($_.LastLogonDate -ne $NULL)}
} |
Sort LastLogonDate |
Format-Table -Property Name,SamAccountName,LastLogonDate, DistinguishedName |
Out-String
Below you now have an array of your OUs. Please try whether that works for you now.
$OUs= @(
"OU=Test1,OU=Test1,OU=Test1,OU=Test1,OU=All Users,DC=domain,DC=local",
"OU=Test2,OU=Test2,OU=Test2,OU=All Users,OU=Test2,DC=domain,DC=local",
"OU=Test3,OU=Test3,OU=Test3,OU=All Users,OU=Test3,DC=domain,DC=local",
"OU=test4,OU=test4,OU=test4,OU=All Users,OU=test4,DC=domain,DC=local",
"OU=Test5,OU=test5,OU=Test5,OU=All Users,OU=test5,DC=domain,DC=local"
)
I would also suggest breaking your line after every pipe in order to cut the line. That makes it far easier to read for you and your colleagues.
$OUs | ForEach-Object {
Get-ADUser -Filter {Enabled -eq $TRUE} -SearchBase $_ -Properties Name,SamAccountName,LastLogonDate |
Where-Object {($_.LastLogonDate -lt (Get-Date).AddDays(-7)) -and ($_.LastLogonDate -ne $NULL)}
} |
Sort LastLogonDate |
Format-Table -Property Name,SamAccountName,LastLogonDate, DistinguishedName |
Out-String
You mention cycling through your domain controllers, but then you go on to ask about OUs. I suspect you want DC's, because each DC might have a different Last Logon Time for the user.
You can omit the -SearchBase and search all OU's, if you're looking to get this data for all users.
$Domains = Get-ADDomainController -Filter * #Note, this shows all DCs- you may have some without ADWS Installed, which won't handle the WHERE.
foreach ($domain in $Domains) {
# -Server expects a host name, so pass the DC's HostName rather than the whole object
Get-ADUser -Filter {Enabled -eq $TRUE} -Server $domain.HostName -Properties Name,SamAccountName,LastLogonDate |
Where {($_.LastLogonDate -lt (Get-Date).AddDays(-7)) -and ($_.LastLogonDate -ne $NULL)} |
Export-CSV -Path 'UsersNotRecentlyLoggedIn.CSV' -Append
}
If you only want one DC, but all OUs
$Domains = Get-ADDomainController -Discover -Service ADWS
foreach ($domain in $Domains) {
Get-ADUser -Filter {Enabled -eq $TRUE} -Server $domain.HostName -Properties Name,SamAccountName,LastLogonDate |
Where {($_.LastLogonDate -lt (Get-Date).AddDays(-7)) -and ($_.LastLogonDate -ne $NULL)} |
Export-CSV -Path 'UsersNotRecentlyLoggedIn.CSV' -Append
}
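The answer above is right that each DC can hold a different logon time, but the reason matters for a 7-day window: LastLogonDate is derived from lastLogonTimestamp, which replicates but is only refreshed every 9 to 14 days, so it cannot tell you who logged on this week. The exact attribute, lastLogon, is never replicated, so the true value is the newest one across all DCs. The following is an added example, not code from this thread: it queries every DC for the given OUs, keeps the newest lastLogon per user, and then applies the cutoff. It assumes ADWS on every DC; the OU strings are constructed placeholders.

```powershell
# Added example (not from the thread). Merges the non-replicated lastLogon across all DCs.
$ous = @(
    'OU=Test1,OU=All Users,DC=domain,DC=local',   # constructed placeholders, replace with yours
    'OU=Test2,OU=All Users,DC=domain,DC=local'
)

function Get-StaleUserAcrossDCs {
    param([string[]]$SearchBase, [int]$Days = 7)
    $cutoff = (Get-Date).AddDays(-$Days)
    $latest = @{}   # SamAccountName -> record holding the newest lastLogon seen so far
    $dcs = (Get-ADDomainController -Filter *).HostName
    foreach ($dc in $dcs) {
        foreach ($ou in $SearchBase) {
            Get-ADUser -Server $dc -SearchBase $ou -Filter "Enabled -eq 'True'" `
                       -Properties lastLogon, LastLogonDate |
                ForEach-Object {
                    # lastLogon is 0 on a DC that has never authenticated this user
                    $seen  = if ($_.lastLogon) { [datetime]::FromFileTime($_.lastLogon) } else { $null }
                    $known = $latest[$_.SamAccountName]
                    if (-not $known -or ($seen -and $seen -gt $known.LastLogon)) {
                        $latest[$_.SamAccountName] = [pscustomobject]@{
                            Name              = $_.Name
                            SamAccountName    = $_.SamAccountName
                            LastLogon         = $seen            # exact, newest across DCs
                            LastLogonDate     = $_.LastLogonDate # replicated but coarse
                            DistinguishedName = $_.DistinguishedName
                        }
                    }
                }
        }
    }
    # Never logged on anywhere, or last logon older than the cutoff
    $latest.Values | Where-Object { -not $_.LastLogon -or $_.LastLogon -lt $cutoff } |
        Sort-Object LastLogon
}

Get-StaleUserAcrossDCs -SearchBase $ous -Days 7 | Format-Table -AutoSize
```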
We've been tasked with creating a process to review random employees' web traffic on a quarterly basis. I have started a script in PowerShell that selects 10 random users from a specific OU, but I'm still getting some unneeded data. I need help filtering down the list further. The output gives me users that have been disabled and left in the OU as well as PRN employees that haven't signed on in a long time. I would like to search AD accounts that have an email address & a logon, modified within the last 3 months. Here is an example of the code I have so far.
Get-ADUser -SearchBase "ou=ouname,ou=ouname,dc=domainname,dc=suffix" -Filter * | Select-Object -Property Name | Sort-Object{Get-Random} | select -First 10
[Edit: Question Answered]
Here is my final script, added $_.passwordlastset as a search attribute since this will pick up users that have changed their password in the last 90 days.
$DateFrom = (get-Date).AddDays(-90)
Get-ADUser -Properties * -Filter {enabled -eq $True} -SearchBase "ou=ouname,dc=domainname,dc=suffix" | where { $_.passwordlastset -gt $DateFrom -and $_.mail -ne $null } | Sort-Object {Get-Random} | select name, sAMAccountName -First 10
Get-ADUser -Properties name, mail, lastlogondate -Filter {enabled -eq $True} -SearchBase "ou=ouname,ou=ouname,dc=domainname,dc=suffix" | select name, mail, lastlogondate | where { $_.lastlogondate -gt (Get-Date).AddDays(-90) -and $_.mail -ne $null }
Here's a start.
Try this:
$timeFrame = (get-Date).AddDays(-90)
get-aduser -SearchBase 'ou=ouname,ou=ouname,dc=domainname,dc=suffix' -Filter * -Properties * |
Where-Object {$_.whenChanged -gt $timeFrame -and $_.mail -ne $null} |
Select-Object -Property Name | Sort-Object{Get-Random} | select -First 10
Change the -Filter value:
# LastLogontimeStamp is not guaranteed to be updated on every login, so 30 days + 14 days margin
$threshold = (Get-Date).AddDays(-44).ToFileTime()
Get-ADUser -Filter {Enabled -eq $true -and LastLogontimeStamp -gt $threshold} -SearchBase "ou=ouname,ou=ouname,dc=domainname,dc=suffix" | Sort-Object {Get-Random} | Select Name -First 10
This filter will ensure that AD only returns Enabled users and that their lastLogontimeStamp value has been updated within the last month and a half.
This will do everything the OP stated:
$timeFrame = (get-Date).AddDays(-90)
get-aduser -SearchBase 'YourOU,DC=Domain,DC=com' -Filter * -Properties * |
Where-Object {$_.whenChanged -gt $timeFrame -and $_.mail -ne $null -and $_.Enabled -eq $true} |
Select-Object -Property Name | Sort-Object{Get-Random} | select -First 10
This should meet all the OPs checkpoints via the snippets:
"I would like to search AD accounts that has an email address"
$_.mail -ne $null
"& a logon"
$_.Enabled -eq $true
"modified within the last 3 months"
$_.whenChanged -gt $timeFrame
I am running a powershell script to get AD users and their password expiration date. I would like to sort the output based on their password expiration date.
Here is the script:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname", @{
Name="ExpiryDate";
Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
} > result.txt
How can I sort/display the result by the ExpiryDate field?
Use the sort-object cmdlet on the Get-ADUser output like this:
| Sort-Object -property ExpiryDate
So the whole thing would look like this:
Get-ADUser -filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} `
-Properties "DisplayName", "msDS-UserPasswordExpiryTimeComputed" |
Select-Object -Property "Displayname", @{
Name="ExpiryDate";
Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}
} |
Sort-Object -property ExpiryDate > result.txt
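One caveat for this report: msDS-UserPasswordExpiryTimeComputed is a FILETIME with two sentinel values, 0 when the user must change the password at next logon (pwdLastSet is 0) and Int64.MaxValue when the password never expires, and [datetime]::FromFileTime() throws on the latter. The filter above excludes PasswordNeverExpires accounts, but the 0 case still sorts to the year 1601. The following is an added example, not code from this thread: it decodes the value into a state before sorting, flags expired and soon-to-expire passwords, and keeps the sentinels at the end of the list. The warning window is an assumed parameter.

```powershell
# Added example (not from the thread). Decodes the computed password expiry and sorts safely.
function ConvertFrom-PasswordExpiry {
    param([Parameter(Mandatory)][int64]$FileTime, [int]$WarnDays = 14)
    $state = switch ($FileTime) {
        0                   { 'MustChangeAtNextLogon'; break }
        ([int64]::MaxValue) { 'NeverExpires'; break }
        default             { 'Expires' }
    }
    $expiry = if ($state -eq 'Expires') { [datetime]::FromFileTime($FileTime) } else { $null }
    $now = Get-Date
    [pscustomobject]@{
        State       = $state
        ExpiryDate  = $expiry
        Expired     = [bool]($expiry -and $expiry -lt $now)
        ExpiresSoon = [bool]($expiry -and $expiry -ge $now -and $expiry -lt $now.AddDays($WarnDays))
    }
}

function Get-PasswordExpiryReport {
    param([int]$WarnDays = 14)
    Get-ADUser -Filter "Enabled -eq 'True'" -Properties DisplayName, 'msDS-UserPasswordExpiryTimeComputed' |
        ForEach-Object {
            $info = ConvertFrom-PasswordExpiry -FileTime $_.'msDS-UserPasswordExpiryTimeComputed' -WarnDays $WarnDays
            [pscustomobject]@{
                DisplayName    = $_.DisplayName
                SamAccountName = $_.SamAccountName
                State          = $info.State
                ExpiryDate     = $info.ExpiryDate
                Expired        = $info.Expired
                ExpiresSoon    = $info.ExpiresSoon
            }
        } |
        # Real dates first (oldest expiry at the top); sentinel states with no date sort last
        Sort-Object @{ Expression = { $null -eq $_.ExpiryDate } }, ExpiryDate
}

# Offline checks with constructed values (no domain needed)
ConvertFrom-PasswordExpiry -FileTime 0                                   # MustChangeAtNextLogon
ConvertFrom-PasswordExpiry -FileTime ([int64]::MaxValue)                 # NeverExpires, no exception
ConvertFrom-PasswordExpiry -FileTime (Get-Date).AddDays(3).ToFileTime()  # Expires, ExpiresSoon = True
```

Against a domain, Get-PasswordExpiryReport | Export-Csv result.csv -NoTypeInformation replaces the "> result.txt" redirection with a sortable file.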
I need to use PowerShell to list users that are enabled, have never logged on or have not logged on in 60 days.
The below is what I've come up with having never used PowerShell previously, however clearly there is something wrong in my understanding as it just spouts out a bunch of different error messages.
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate | where { ($_.LastLogonDate.AddDays(60) -lt $(Get-Date)) -or ( -not $_.LastLogonDate-like "*")) } | Select-Object SamAccountName | Format-Table
try this
Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate | where { (-not ($_.LastLogonDate -like "*")) -or ($_.LastLogonDate.AddDays(60) -lt (Get-Date)) } | Select-Object SamAccountName | Format-Table
your brackets weren't correct, more specifically this bracket is extra
( -not $_.LastLogonDate-like "*")) // extra closing bracket
Taking my comment and making it an answer:
Get-ADUser -Filter { Enabled -eq $True } -Properties LastLogonDate |
#Tests whether LastLogonDate is older than 60 days or if it's $Null
Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-60) -or
-not $_.LastLogonDate } |
Select-Object -Property SamAccountName |
Format-Table