Assistance creating idle account script

Question

0.00/5 (No votes)

See more:

, +

Hello All,

I am trying to create a PS Script that will search AD account with the following conditions:

Account is Active/Enabled (account not disabled)
Account is expired 90 days or more
Account password is not set to never expire
or
Account password has expired

I want the result to return the following values:

Name/Display Name
SamAccountName
PasswordExpired
LastLogonDate
Pwdage
PwdLastSet

If there is a way to specify exclude a specific OU that would be wonderful or explicitly search multiple OU's at once.

Thanks for any help in advance.

What I have tried:

Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly -SearchBase "OU=User Accounts,DC=domain,DC=com" |
Where-Object {($_.Enabled -eq $true) -and ($_.PasswordNeverExpires -eq $False)} | Select-object Name, SamAccountName, PasswordExpired, LastLogonDate, Pwdage, PwdLastSet  | export-csv "c:\data\export.csv"

Pwdage & PwdLastSet do not retun values they return "Microsoft.ActiveDirectory.Management.ADPropertyValueCollection"

Posted 7-Aug-18 7:04am

KD209

Updated 30-Aug-18 10:20am

v2

Add a Solution

1 solution

Add a Solution

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Richard Deeming · Accepted Answer · 2018-08-30T10:21:00

Solution 1

Try PasswordLastSet instead of PwdLastSet.

As far as I can see, there isn't a PwdAge property; you'll need to calculate it from the PasswordLastSet property.

Something like this should work:

PowerShell

Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly -SearchBase "OU=User Accounts,DC=domain,DC=com" | 
Get-ADUser -properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, LastLogonDate |
Where-Object {($_.Enabled -eq $true) -and ($_.PasswordNeverExpires -eq $False)} | 
Select-object Name, SamAccountName, PasswordExpired, LastLogonDate, @{ Name = 'PasswordAge';  Expression = { (New-Timespan $_.PasswordLastSet).Days }}, PasswordLastSet  | 
export-csv "c:\data\export.csv"

Active Directory: Get-ADUser Default and Extended Properties[^]

NB: The Get-ADUser call seems to be required to load certain properties.

Posted 30-Aug-18 10:21am

Richard Deeming

Updated 21-Sep-18 13:02pm

v2

Comments

KD209 10-Sep-18 13:18pm

Hi Richard,

Thanks for the assist with this. There is no data returning for the PasswordAge or the PasswordLastSet. Is there any other method of retrieving these specific properties?

Richard Deeming 11-Sep-18 8:11am

Is there any data in that field if you look in Active Directory Users and Computers?

It's normally blank if the password has never been set, or the "User must change password at next logon" option is ticked.

KD209 21-Sep-18 14:10pm

Sorry for the long delay. Yes, there is data established under the PwdAge attribute.

Richard Deeming 21-Sep-18 14:12pm

Is the "User must change password at next logon" option ticked?

KD209 21-Sep-18 14:21pm

That option is not checked for a majority of the users in the output file. All I am trying to do is figure out who has not logged into the system in the last 90 days, and make sure that the accounts that populate are enabled and not set to expire. The password age just helps as a reference as to how long the user may have not been logging in. If you know any other ways to get this outcome I am open.

Richard Deeming 21-Sep-18 14:30pm

Are you running the script from an elevated PS shell? There's a suggestion on ServerFault[^] that you might need to be running as an administrator to read that attribute.

KD209 21-Sep-18 14:37pm

Yes.. I am running the PowerShell ISE Console as my domain admin account which is the only account that has access to read/write to AD.

Richard Deeming 21-Sep-18 14:37pm

Yes, but is it elevated? Did you right-click and select "Run as administrator"? :)

KD209 21-Sep-18 14:40pm

I am running it as "Run as a different user". I will try from a different machine where my regular account inst an admin so it will prompt for credentials when I run it elevated.

KD209 21-Sep-18 16:27pm

Okay, I still get no data even when the script is ran elevated. I also double checked to ensure that the users have data in the PwdAge attribute as well.

Richard Deeming 21-Sep-18 19:00pm

OK, one last try, based on a Google hit from "Experts Exchange":

Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly -SearchBase "OU=User Accounts,DC=domain,DC=com" |
Get-ADUser -properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, LastLogonDate |
Where-Object {($_.Enabled -eq $true) -and ($_.PasswordNeverExpires -eq $False)} |
Select-object Name, SamAccountName, PasswordExpired, LastLogonDate, @{ Name = 'PasswordAge';  Expression = { (New-Timespan $_.PasswordLastSet).Days }}, PasswordLastSet |
export-csv "c:\data\export.csv"

Adding the Get-ADUser call with the extra properties seems to do the trick.

KD209 21-Sep-18 19:06pm

That did the trick!!!!! You are AWESOME! Thanks very much for your time and efforts!

Assistance creating idle account script

1 solution

Solution 1

Add your solution here

Preview 0

Assistance creating idle account script

1 solution

Solution 1

Add your solution here

Preview 0

Existing Members

...or Join us