Search-ADAccount

Get AD user, computer, or service accounts.

Syntax
       Search-ADAccount SearchSwitch
          [-AuthType {Negotiate | Basic}] [-ComputersOnly] [-Credential PSCredential]
             [-ResultPageSize int] [-ResultSetSize int] [-SearchBase string]
                [-SearchScope {Base | OneLevel | Subtree}] [-Server string]
                   [-UsersOnly] [CommonParameters]

SearchSwitch:
   -AccountDisabled
   -AccountExpired
   -AccountExpiring [-DateTime DateTime] [-TimeSpan TimeSpan]
   -AccountInactive [-DateTime DateTime] [-TimeSpan TimeSpan]
   -LockedOut
   -PasswordExpired
   -PasswordNeverExpires

Key
   -AccountDisabled
       Search for accounts that are disabled.

   -AccountExpired
       Search for accounts that are expired.
       The ADAccount AccountExpirationDate property is set to a time in the past.
       The LDAP provider Name is accountExpires

   -AccountExpiring [-DateTime DateTime] [-TimeSpan TimeSpan]
       Search for accounts that are expiring.
       To specify a time period, use the -TimeSpan parameter.
       To specify a specific time, use the -DateTime parameter. 

        Search for accounts that expire in the next 10 days:
          -AccountExpiring -TimeSpan 10

        Search for accounts that expire before June 18, 2015 at 2:00 AM:
          -AccountExpiring -DateTime "6/18/2015 2:00:00 AM"

   -AccountInactive [-DateTime DateTime] [-TimeSpan TimeSpan]
       Search for accounts that have not logged in within a given time period
       or since a specified time.  n.b. This requires the domain to be at
       'Windows Server 2003 Domain' Functional Level.

        Search for accounts that have been inactive for the past 10 days:
          -AccountInactive -TimeSpan 10

        Search for accounts that have been inactive since July 16, 2010 at 12:00 AM.
          -AccountInactive -DateTime "7/16/2010"

   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -ComputersOnly
       Search only for computer accounts.

   -Credential PSCredential
       The user account credentials to use to perform this task.
       The default credentials are those of the currently logged on user unless the
       cmdlet is run from an Active Directory PowerShell provider drive.
       If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

       Type a user name, such as "User64" or "Domain64\User64" or specify a
       PSCredential object such as one generated by Get-Credential 

       If a user name is specified, the cmdlet will prompt for a password.

   -DateTime DateTime
        Specifies a distinct time value for parameters such as -AccountExpiring,
          -AccountInactive, and -PasswordExpiring.

        Time is assumed to be in local time unless otherwise specified.
        When a time value is not specified, the time is assumed to be midnight local time.
        When a date is not specified, the date is assumed to be the current date.
        Examples
          "2:22 PM"
          "2:22:48 PM"
          "4/12/2010"
          "4/12/2010 2:22 PM"
          "Monday, April 12, 2010"
          "Monday, April 12, 2010 2:22:48 PM"
          "Monday, April 12, 2010 2:22 PM"
        Greenwich Mean Time (GMT) /RFC1123 standard:
          "Mon, 12 Apr 2010 21:22:48 GMT"
        Coordinated Universal Time (UTC):
          "2010-04-12T14:22:48.0000000" 

   -LockedOut
       Search for accounts that are locked out.

   -PasswordExpired
       Search for accounts that have an expired password. 

   -PasswordNeverExpires
       Search for accounts that have a password that does not expire.

   -ResultPageSize int
       The number of objects to include in one page for an AD Domain Services query. 
       The default is 256 objects per page. 

   -PassThru switch
       Return the new or modified object.
       By default (i.e. if -PassThru is not specified), this cmdlet
       does not generate any output.

   -ResultSetSize int
       The maximum number of objects to return for an AD Domain Services query.
       The default is $null (receive all objects)
       Ctrl+C will stop a running query and the return of objects.

   -SearchBase string
       An Active Directory path to search under. 

       When a cmdlet is run from an AD provider drive, the default path is
       the current path of the drive.
       Otherwise the default naming context is used (see help for details).

   -SearchScope ADSearchScope
       The scope of an AD search.
       Possible values for this parameter are:
          Base or 0       Search only the current path or object
          OneLevel or 1   Search the immediate children of Base
          Subtree or 2    Search the current path or object and all children

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       a NetBIOS name, or a fully qualified directory server name (with or without port number).

   -TimeSpan TimeSpan
       A time interval.
       This parameter is used to specify a time value for parameters such as AccountExpiring.

       Format:
           [-]D.H:M:S.F
            where:
              D = Days (0 to 10675199)
              H = Hours (0 to 23)
              M = Minutes (0 to 59)
              S = Seconds (0 to 59)
              F = Fractions of a second (0 to 9999999)

        Note: Time values must be between -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807

        Examples:
          Set the time to 2 days
            -TimeSpan "2"
          Set the time span to the previous 2 days
            -TimeSpan "-2"
          Set the time to 4 hours
            -TimeSpan "4:00"

   -UsersOnly
       Search for user accounts only.

Search-ADAccount retrieves one or more user, computer, or service accounts that meet the criteria specified by the parameters. Search criteria include account and password status.

Some parameters, such as -AccountExpiring and -AccountInactive, use a default time that you can modify: -DateTime specifies a distinct time, and -TimeSpan specifies a time range from the current time.

For example, to search for all accounts that expire in 14 days, specify -AccountExpiring and -TimeSpan and set the value of TimeSpan to "14.00:00:00". To search for all accounts that expire before December 31, 2012, set the -DateTime parameter to "12/31/2012".

Examples

Find all users, computers and service accounts that are disabled:

PS C:\> Search-ADAccount -AccountDisabled | Format-Table Name,ObjectClass -A

Find all users that are disabled:

PS C:\> Search-ADAccount -AccountDisabled -UsersOnly | Format-Table Name,ObjectClass -A

Find all accounts where the password has expired:

PS C:\> Search-ADAccount -PasswordExpired | Format-Table Name,ObjectClass -A

Find all accounts that have been inactive for the last 90 days:

PS C:\> Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | Format-Table Name,ObjectClass -A
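
Combine several search switches into one account-hygiene report for a single OU (an added example, not part of the original SS64 page). The OU path, the 90-day threshold and the choice to skip disabled accounts are assumptions to adjust for your domain:

```powershell
#Requires -Modules ActiveDirectory
# Added example, not SS64's code. $SearchBase is a placeholder OU: change it.
$SearchBase   = 'OU=Staff,DC=example,DC=com'
$InactiveDays = 90

# Parameters shared by every query below.
$common = @{ UsersOnly = $true; SearchBase = $SearchBase; SearchScope = 'Subtree' }

# Finding name -> the SearchSwitch (and time window) that produces it.
# New-TimeSpan states the unit explicitly rather than relying on string parsing.
# -AccountInactive is evaluated against the replicated lastLogonTimestamp
# attribute, which AD refreshes only every 9-14 days by default, so keep the
# inactivity window well above that.
$checks = [ordered]@{
    Inactive             = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $InactiveDays) }
    ExpiringIn14Days     = @{ AccountExpiring = $true; TimeSpan = (New-TimeSpan -Days 14) }
    PasswordNeverExpires = @{ PasswordNeverExpires = $true }
    PasswordExpired      = @{ PasswordExpired = $true }
    LockedOut            = @{ LockedOut = $true }
}

$report = foreach ($name in $checks.Keys) {
    $switches = $checks[$name]
    Search-ADAccount @common @switches |
        Where-Object Enabled |          # disabled accounts are already dealt with
        Select-Object @{ Name = 'Finding'; Expression = { $name } },
                      SamAccountName, LastLogonDate, PasswordNeverExpires,
                      AccountExpirationDate, DistinguishedName
}

# One row per finding, grouped so the riskiest categories are easy to scan.
$report | Sort-Object Finding, SamAccountName |
    Format-Table Finding, SamAccountName, LastLogonDate, AccountExpirationDate -AutoSize

# Accounts that hit more than one check deserve attention first,
# e.g. an inactive account whose password never expires.
$report | Group-Object SamAccountName | Where-Object Count -gt 1 |
    Select-Object @{ Name = 'SamAccountName'; Expression = { $_.Name } },
                  @{ Name = 'Findings'; Expression = { $_.Group.Finding -join ', ' } }
```

Swap -UsersOnly for -ComputersOnly in $common to run the same checks against computer accounts.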

“Anything that excites me for any reason, I will photograph; not searching for unusual subject matter, but making the commonplace unusual” ~ Edward Weston

Related PowerShell Cmdlets

Disable-ADAccount - Disable an Active Directory account.
New-ADUser - Create a new AD user.
Unlock-ADAccount - Unlock an Active Directory account.


 
Copyright © 1999-2024 SS64.com
Some rights reserved