{"id":17701,"date":"2010-07-20T00:01:00","date_gmt":"2010-07-20T00:01:00","guid":{"rendered":"https:\/\/blogs.technet.microsoft.com\/heyscriptingguy\/2010\/07\/20\/hey-scripting-guy-how-can-i-use-windows-powershell-to-identify-inactive-user-accounts-in-active-directory-domain-services\/"},"modified":"2023-05-15T13:56:21","modified_gmt":"2023-05-15T20:56:21","slug":"hey-scripting-guy-how-can-i-use-windows-powershell-to-identify-inactive-user-accounts-in-active-directory-domain-services","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/scripting\/hey-scripting-guy-how-can-i-use-windows-powershell-to-identify-inactive-user-accounts-in-active-directory-domain-services\/","title":{"rendered":"Hey, Scripting Guy! How Can I Use Windows PowerShell to Identify Inactive User Accounts in Active Directory Domain Services?"},"content":{"rendered":"<p><img decoding=\"async\" title=\"Hey, Scripting Guy! Question\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/q-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Question\" width=\"34\" height=\"34\" align=\"left\" border=\"0\" \/> Hey, Scripting Guy! I need to use Windows PowerShell to identify inactive user accounts in Active Directory Domain Services (AD DS). I used to have a VBScript script that I would use, but I would like to be able to use Windows PowerShell 2.0 and the new Active Directory cmdlets that come with Windows Server 2008 R2. Is this something that can easily be accomplished?\n&#8212; GJ<\/p>\n<p><img decoding=\"async\" title=\"Hey, Scripting Guy! Answer\" src=\"https:\/\/devblogs.microsoft.com\/wp-content\/uploads\/sites\/29\/2019\/02\/a-for-powertip.jpg\" alt=\"Hey, Scripting Guy! Answer\" width=\"34\" height=\"34\" align=\"left\" border=\"0\" \/> Hello GJ,\nMicrosoft Scripting Guy Ed Wilson here. I believe the weather person made a mistake. In fact, I am nearly positive. 
The weather forecast for the entire week is exactly the same as yesterday\u2019s weather forecast\u2014hot, humid, and a chance of afternoon thundershowers. <a href=\"http:\/\/en.wikipedia.org\/wiki\/Dude\">Dude<\/a>, Craig and I could never get away with posting the same Hey, Scripting Guy! Blog post for seven days in a row. Where is the weather guesser\u2019s manager? Where is the person in charge of quality control? Who monitors the incoming email for the department of redundancy department? They never make a mistake like this when the weather is mild and sunny with low <a href=\"http:\/\/en.wikipedia.org\/wiki\/Humidity\">humidity<\/a>\u2014it is not fair!\nGJ, luckily we have air conditioning, and because it is too hot and humid to be outside in my woodworking shop, I decided to come in and check the email sent to <a href=\"mailto:scripter@microsoft.com\">scripter@microsoft.com<\/a>.<\/p>\n<p>By using the Active Directory cmdlets that come with Windows Server 2008 R2, it is easy to query for information about user accounts. The <strong>Get-ADUser<\/strong> Windows PowerShell cmdlet is fairly intuitive and actually quite fun to use.\nThe first thing you will need to do is to import the <strong>ActiveDirectory<\/strong> module into the current Windows PowerShell session. To quickly obtain a listing of all the users in Active Directory, supply a wildcard character to the <strong>-Filter<\/strong> parameter of the <strong>Get-ADUser<\/strong> cmdlet.<\/p>\n<p>If you wish to change the base of the search operations, use the <strong>SearchBase<\/strong> parameter. The <strong>SearchBase<\/strong> parameter accepts an LDAP style of naming. 
The following command changes the search base to the <strong>hsg_TestOU<\/strong> organizational unit:<\/p>\n<pre><code>\r\nGet-ADUser -Filter * -SearchBase \"ou=hsg_TestOU,dc=nwtraders,dc=com\"\r\n<\/code><\/pre>\n<p>When using the <strong>Get-ADUser<\/strong> cmdlet, only a certain subset of user properties is displayed (10 properties, to be exact). These properties will be displayed when you <a href=\"http:\/\/www.microsoft.com\/technet\/scriptcenter\/topics\/winpsh\/manual\/pipe.mspx\">pipe<\/a> the results to <strong>Format-List<\/strong> and use a wildcard character and the <strong>-Force<\/strong> parameter as shown here:<\/p>\n<pre><code>\r\nPS C:\\&gt; Get-ADUser -Identity bob | format-list -Property * -Force\r\nDistinguishedName : CN=bob,OU=HSG_TestOU,DC=NWTraders,DC=Com\r\nEnabled : True\r\nGivenName : bob\r\nName : bob\r\nObjectClass : user\r\nObjectGUID : 5cae3acf-f194-4e07-a466-789f9ad5c84a\r\nSamAccountName : bob\r\nSID : S-1-5-21-3746122405-834892460-3960030898-3601\r\nSurname :\r\nUserPrincipalName : bob@NWTraders.Com\r\nPropertyNames : {DistinguishedName, Enabled, GivenName, Name...}\r\nPropertyCount : 10\r\nPS C:\\&gt;\r\n<\/code><\/pre>\n<p>Anyone who knows very much about Active Directory Domain Services (AD DS) knows there are certainly more than 10 properties associated with a user object. Does this mean we need to use the <strong>Get-ADObject<\/strong> cmdlet? If I try to display a property that is not returned by the <strong>Get-ADUser<\/strong> cmdlet, such as the <strong>whenCreated<\/strong> property, an error is not returned, but neither is the value of the property. This is shown here:<\/p>\n<pre><code>PS C:\\&gt; Get-ADUser -Identity bob | Format-List -Property name, whenCreated\r\nname : bob\r\nwhencreated :\r\n<\/code><\/pre>\n<p>I used the <strong>whenCreated<\/strong> property for the user object because I know that it has a value. 
But suppose I was looking for users that had never logged on to the system? Suppose I used a query such as the one shown here, and I was going to base a delete operation upon the results. The results could be disastrous, because the property comes back blank for every account when it has not been requested.<\/p>\n<pre><code>\r\nPS C:\\&gt; Get-ADUser -Filter * | Format-Table -Property name, LastLogonDate\r\nname LastLogonDate\r\n---- -------------\r\nAdministrator\r\nGuest\r\nkrbtgt\r\ntestuser2\r\ned\r\nSystemMailbox{1f05a927-a261-4eb4-8360-8...\r\nSystemMailbox{e0dc1c29-89c3-4034-b678-e...\r\nFederatedEmail.4c1f4d8b-8179-4148-93bf-...\r\nHSG_Test\r\nHSG_TestChild\r\n&lt;results truncated&gt;\r\n<\/code><\/pre>\n<p>To retrieve a property that is not a member of the default 10 properties, you must select it by using the <strong>-Properties<\/strong> parameter. <strong>Get-ADUser<\/strong> does not automatically return all properties and their associated values for performance reasons on large networks; there is no reason to return a large dataset when a small dataset will perfectly suffice. To display the name and the <strong>whenCreated<\/strong> date for the user named \u201cbob,\u201d the following command can be used:<\/p>\n<pre><code>\r\nPS C:\\&gt; Get-ADUser -Identity bob -Properties whencreated | Format-List -Property name, whencreated\r\nname : bob\r\nwhencreated : 6\/11\/2010 8:19:52 AM\r\nPS C:\\&gt;\r\n<\/code><\/pre>\n<p>To retrieve all of the properties associated with a user object, use the wildcard character \u201c*\u201d for the <strong>Properties<\/strong> parameter value. You would use a command similar to the one shown here:<\/p>\n<pre><code>\r\nGet-ADUser -Identity bob -Properties *\r\n<\/code><\/pre>\n<p>To produce a listing of all the users and their last logon date, you can use a command similar to the one shown here. 
This is a single command that might wrap the line, depending on your screen resolution:<\/p>\n<pre><code>\r\nGet-ADUser -Filter * -Properties \"LastLogonDate\" |\r\n    Sort-Object -Property LastLogonDate -Descending |\r\n    Format-Table -Property Name, LastLogonDate -AutoSize\r\n<\/code><\/pre>\n<p>GJ, that is all there is to using Active Directory cmdlets to work with user objects. Active Directory Week will continue tomorrow when we will talk about working with computer objects.<\/p>\n<p><strong>Ed Wilson and Craig Liebendorfer, Scripting Guys<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Hey, Scripting Guy! I need to use Windows PowerShell to identify inactive user accounts in Active Directory Domain Services (AD DS). I used to have a VBScript script that I would use, but I would like to be able to use Windows PowerShell 2.0 and the new Active Directory cmdlets that come with Windows Server [&hellip;]<\/p>\n","protected":false},"author":595,"featured_media":87096,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[7,3,20,45],"class_list":["post-17701","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-scripting","tag-active-directory","tag-scripting-guy","tag-user-accounts","tag-windows-powershell"],"acf":[],"blog_post_summary":"<p>Hey, Scripting Guy! I need to use Windows PowerShell to identify inactive user accounts in Active Directory Domain Services (AD DS). 
I used to have a VBScript script that I would use, but I would like to be able to use Windows PowerShell 2.0 and the new Active Directory cmdlets that come with Windows Server [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17701","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/users\/595"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/comments?post=17701"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/posts\/17701\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media\/87096"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/media?parent=17701"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/categories?post=17701"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/scripting\/wp-json\/wp\/v2\/tags?post=17701"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}