PowerShell Active Directory One-Liners
Recently I blogged about some scripts I left behind in my previous employment for managing AD - really a lot of them were just quick one-liners. Not that that is necessarily a bad thing; one of the best things for me about PowerShell is the way you can get great information with very little effort. Of course I am using my good friend the Quest AD cmdlets.
I thought I’d share a few of them:
Find Expired Users:
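On the theme of cleaning out AD, find user accounts which have expired. The filter matches accounts where pwdLastSet is 0, which is the value AD stores when the password must be changed at next logon.
Get-QADUser -SearchRoot 'domain.local/resources/users' -SizeLimit 0 -LdapFilter '(pwdlastset=0)' | ft name,passwordlastset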
Find Users Not Logged in Since X Days:
On the same theme, supply X ‘how many days to go back’ and find users who haven’t logged in during that time. (OK I cheated on the one line a bit on this one)
$now = Get-Date; $daysSinceLastLogon = X; Get-QADUser -SizeLimit 0 -SearchRoot 'domain.local/resources/users' | where {$_.lastlogontimestamp.value -and (($now-$_.lastlogontimestamp.value).days -gt $daysSinceLastLogon)} | ft name,lastlogontimestamp
Note: X needs to be more than 14 days to allow for the lastlogontimestamp attribute to have replicated.
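The same stale-logon search can be pushed to the domain controller as an LDAP filter instead of pulling every user and filtering client-side. This is an added example, not part of the original post: the function name New-StaleLogonFilter, the 90-day value and the option to include accounts that have never logged on are assumptions made for illustration.

```powershell
# Added example (not from the original post). New-StaleLogonFilter is a
# hypothetical helper name; the search root is the one used on this page.
function New-StaleLogonFilter {
    param(
        [Parameter(Mandatory = $true)][int]$Days,
        [switch]$IncludeNeverLoggedOn,
        [datetime]$Now = (Get-Date)
    )

    # Enforce the rule from the note above: lastLogonTimestamp is only
    # replicated lazily, so a window of 14 days or less flags active users.
    if ($Days -le 14) {
        throw "Days must be greater than 14 to allow lastLogonTimestamp to replicate."
    }

    # lastLogonTimestamp is stored as a Windows FILETIME
    # (100-nanosecond intervals since 1601-01-01 UTC).
    $cutoff = $Now.AddDays(-$Days).ToFileTimeUtc()
    $stale  = '(lastLogonTimestamp<={0})' -f $cutoff

    if ($IncludeNeverLoggedOn) {
        # Accounts that have never logged on have no value at all, so a
        # comparison alone would miss them; match "attribute absent" too.
        $stale = '(|{0}(!(lastLogonTimestamp=*)))' -f $stale
    }

    # Restrict to user objects so computer accounts are not returned.
    '(&(objectCategory=person)(objectClass=user){0})' -f $stale
}

$filter = New-StaleLogonFilter -Days 90 -IncludeNeverLoggedOn

Get-QADUser -SearchRoot 'domain.local/resources/users' -SizeLimit 0 `
        -LdapFilter $filter -IncludedProperties lastLogonTimestamp |
    Sort-Object lastLogonTimestamp |
    Format-Table Name, lastLogonTimestamp, AccountIsDisabled -AutoSize
```

Accounts with an empty lastLogonTimestamp sort first; review those separately, since newly provisioned accounts look the same as abandoned ones.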
Find Users Whose Password is set to Not Expire:
Keep tabs on those naughty administrators who think they can exempt themselves from the corporate password policy - you know who you are!
Get-QADUser -SizeLimit 0 -SearchRoot 'domain.local/resources/users' -PasswordNeverExpires $True | ft name
How Many Users in Active Directory?
Need to keep track of an expanding user population? Need to figure out how many CALs you need? Easy.
Get-QADUser -DontUseDefaultIncludedProperties -SearchRoot 'domain.local/resources/users' -SizeLimit 0 | Measure-Object
Enjoy!