I've been tasked with finding service accounts (in our shop, that's user accounts starting with 'svc-' in the username) that have expiring passwords. Normally service accounts should not have expiring passwords, so I'm trying to find service accounts incorrectly created so they can be fixed.
I've been using Search-ADAccount and I'm having parameter issues. If I use this:
Search-ADAccount -PasswordNeverExpires | Where {$_.SamAccountName -like 'SVC-*'}
then I get long lists of results, none of which have expiring passwords. But if I'm including the -PasswordNeverExpires parameter, then I'm filtering out any accounts which do have expiring passwords, no?
I've also tried this:
Search-ADAccount | Where {$_.SamAccountName -like 'SVC-*' -and $_.PasswordNeverExpires -like 'FALSE' }
but I only get an error: "Parameter set cannot be resolved using the specified named parameters." That sounds like Search-ADAccount requires certain parameters, but I don't see in the help files which parameters are required.
It's counter-intuitive (to me) that Search-ADAccount has a parameter which can search for one Boolean condition (TRUE) but not the other.
Get-ADUser doesn't seem to have any password configuration info.
Yes, Trondh. That's it. I first looked at Get-ADUser, but the help files didn't mention anything about the PasswordNeverExpires parameter, and piping a single result into Get-Member didn't reveal any relevant property to search against.
In sum, this is the one-liner that worked:
Get-ADUser -filter {PasswordNeverExpires -eq $False} | Where {$_.SamAccountName -like 'SVC-*'}
Thanks again.
I would just use get-aduser (need to clean up the filter param, I just banged this together in my head):
$adusers = Get-ADUser -Filter * -Properties * | where {$_.PasswordNeverExpires -eq $false}
did you try $_.PasswordNeverExpires -eq $false?
Related
Our application allows the customer to authenticate to their own domain via Ldap but we keep a cached copy of those logons and accounts in "myserver" ADSI. Due to limitations with another part of our application I have a need to delete several thousand of those cached accounts from myserver ADSI
Keep in mind that this is NOT FOR MY DOMAIN but for the customer's domain. And no, I'm not trying to delete accounts in THEIR domain, just our cached copies in ADSI.
The following line of code does NOT throw an error but it also does NOT delete the acct (neither does piping it to "remove-aduser"
Get-ADObject -Server "myserver:3890" -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory" -filter {name -eq "testuser"} | remove-adobject
Side note: I can query this tree of the default naming context just fine
Get-ADObject -Server "myserver:3890" -filter 'objectclass -like "*"' -SearchBase "CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentDirectory"
or I can use -ldapfilter switch to get pertinent info about a specific account.
It's a weird situation since I'm NOT dealing with accounts in my own domain. Many other variations on this theme throw errors referencing my own domain, partitions, etc. I've worked through all of those I think. The above examples SHOULD work in my opinion.
Final note: I CAN delete the user in the ADSIEDIT gui but as mentioned, they have given me a list of thousands of accts that need removing. There's gotta be a way?!
I figured it out (I’m feeding it a list of $users)
Get-ADObject -Server “myserver:3890” -SearchBase “CN=fqdn.customer.org,CN=Authentication Sources,O=Enterprise,CN=DifferentdirectoryDirectory” -Filter * | Where-Object {$_.name -eq “$user”} | Remove-ADObject -confirm:$false
Trying to make a PS script that finds and deletes expired accounts in specific OUs
I've created this script, and it gets the users that is expired in the 4 OUs, so far so good, but I cant get my head around how to make it delete the users.
$OUs=
"OU=1,OU=Users,DC=Test,DC=local",
"OU=2,OU=Users,DC=Test,DC=local",
"OU=3,OU=Users,DC=Test,DC=local",
"OU=4,OU=Users,DC=Test,DC=local"
Foreach($OU in $OUs){
Search-ADAccount -AccountExpired -Searchbase $OU | Select-Object Name
}
Anybody that got a solution for this? :)
This works on my machine
Foreach($OU in $OUs){
Search-ADAccount -AccountExpired -Searchbase $OU | Remove-ADObject -Confirm:$false
}
I'm trying to retrieve only enabled users in the AD. When I run this code line it returns the error. I tried using a filter as well to filter only enabled users for the requested info but it returns ALL users from every domain instead of just the single id.
Get-ADUser : A positional parameter cannot be found that accepts argument 'enabled -eq 'true''.
This is my code that is throwing the error.
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter '*' | Get-ADUser Where "enabled -eq 'true'" | Get-ADUser -Properties ('Mail')
This one returns ALL users from every domain
Get-ADGroupMember -Identity 'Animal Shop A' | Get-ADUser -Filter "enabled -eq'true'" | Get-ADUser -Properties ('Mail')
Is my syntax wrong on both of them? If I just want to return values from say "Animal shop A" and then "Animal Shop B"
.. or a little bit shorter this way:
Get-ADUser -Filter 'enabled -eq $true' -Properties mail |
Select-Object -Property Name,samaccountname,mail
Besides this I would recommend to use a -SearchBase. That's less stressful for the AD. ;-)
Get-ADUser -Filter * -Properties mail | Where { $_.Enabled -eq $True} | Select Name,samaccountname,mail
That will get all enabled users in your target domain that are enabled and display the name, username, and mail properties
Important to know for both commands:
You must work with an elevated powershell process.
Otherwise the result may not be complete.
get-aduser -filter 'enabled -eq "true"' -ResultSetSize $Null
simply try below commands in powershell as administrator permission.
As a guide, the first part will filter users, second part filtered enabled users and last part will give you export of results.
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like “false”} | Export-Csv -Path C:\eport.csv -Encoding ascii -NoTypeInformation
hope to be useful for you.
I have the following PowerShell command which I run to show me all the numbers that have been assigned to users. However, I'd like to narrow it down to show me ONLY accounts which have been disabled BUT still have an number assigned, I've tried a few wildcards within 'enabled' but then it fails to run.
Get-ADUser -Properties "msRTCSIP-Line",mail,l,c,Enabled,CanonicalName -LDAPFilter "(msRTCSIP-Line=tel:+44*)" |
Select Name,CanonicalName,mail,l,c,Enabled,"msRTCSIP-Line" |
ft -AutoSize
The enabled/disabled status is encoded in the userAccountControl attribute. Try an LDAP filter like this:
(&
(objectclass=user)
(objectcategory=user)
(useraccountcontrol:1.2.840.113556.1.4.803:=2)
(msRTCSIP-Line=tel:*)
)
or collapsed:
(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)(msRTCSIP-Line=tel:*))
I think the best way is to get all disabled accounts then pipe it to your code :
Search-ADAccount -AccountDisabled -UsersOnly | %{
Get-ADUser $_ -Properties "msRTCSIP-Line",mail,l,c,Enabled,CanonicalName -LDAPFilter "(msRTCSIP-Line=tel:+44*)" |
Select Name,CanonicalName,mail,l,c,Enabled,"msRTCSIP-Line"
}
I have setup my script to disable inactive user in my Win 2003 AD server using Quest's AD tool GET-QADUSER, and now I am going to migrate AD to Win 2008 R2. Since there is Active Directory module and Quest's tool is no longer free to download (is that?), I am going to migrate to GET-ADUSER.
I am converting from:
Foreach ($ou in $searchBase) {
#$inactUsr += #(Get-QADUser -SearchRoot $ou -Enabled -PasswordNeverExpires:$false -NotLoggedOnFor $inactiveDays -CreatedBefore $creationCutoff -SizeLimit $sizeLimit | Select-Object Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Sort-Object Name)
}
to:
$inactUsr += #(Get-ADUser -SearchRoot $ou -Filter 'enabled -eq $true -and PasswordNeverExpires -eq $False' -Properties Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Select Name,SamAccountName,#{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,passwordneverexpires,canonicalName | Sort Name)
I am almost there and leave only -NotLogonFor (which select user that not logon for certain days) and -CreatedBefore (which give a grace period for newly created ID). I want to select ID NotLogon for 30 days and DO NOT want ID created less than 30 days.
Appreciate if anyone can let me know whether there is a built-in properties or any manual method to achieve that.
Edited:
I have the CreatedBefore solved by:
$inactUsrdraft += #(Get-ADUser -SearchBase $ou -Filter 'enabled -eq $true -and PasswordNeverExpires -eq $False -and whenCreated -le $CreationCutOff' -Properties Name,SamAccountName,LastLogonTimeStamp,Description,passwordneverexpires,canonicalName | Select Name,SamAccountName,#{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}},Description,passwordneverexpires,canonicalName | Sort Name)
:)
Now I need only need to filter ID not logon more than 30 days.
Any help is appreciated.
How about:
$LastLogonCutoff = (Get-Date).Date.AddDays(-30)
That's midnight 30 days ago. If you want it to the second, use (Get-Date).AddDays(-30).
Followed by changing the -Filter to include:
`-and (LastLogonTimeStamp -lt $LastLogonCutoff)`
Also beware that the LastLogonTimeStamp property is not very accurate. Laptop logins off-network that use saved credentials won't trigger, I believe. If you don't have "Wait for network" enabled, clients might never actually update this value, IIRC.