In a large organization with many employees, groups, and devices, an inactive account can become a security and auditing nightmare. Normally the established company policies take care of de-provisioning an account when it is no longer needed, but an extra check on the part of the administrator is always a proactive step.
Generally, admins use a Get-ADUser filter to find user accounts. There are many ways to query the Active Directory database for user accounts; one of them is Search-ADAccount, which returns details about user accounts, computers and service accounts. We will see several flavors of Search-ADAccount for finding various kinds of inactive users.
To Find Password Expired Accounts
Once the password of an account expires, the account is unusable until the password is changed. Finding such accounts in Active Directory can be an indicator of a stale account. We can use: Search-ADAccount -PasswordExpired -UsersOnly
Here -UsersOnly is a switch that restricts the result to user accounts, leaving out computer accounts and service accounts.
To Find Inactive Accounts
Search-ADAccount alleviates the Get-ADUser filter hassles by providing the -AccountInactive parameter. By passing a TimeSpan (-TimeSpan) or a DateTime (-DateTime) object as the argument, the age used for the query can be specified. The query is based on the AD attribute LastLogonDate, which is a friendly version of LastLogonTimestamp, so Search-ADAccount can easily give you a view of all the stale accounts. For example, to find all accounts that have not been active in 30 days:
Syntax: Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly
To Find Disabled/LockedOut Accounts
Finding disabled accounts is a cinch with Search-ADAccount (locked-out accounts are found the same way with the -LockedOut switch).
Syntax: Search-ADAccount -AccountDisabled -UsersOnly
These commands will only help you identify inactive user accounts; it is still your job to verify whether they are inactive for a valid reason. Somebody might be at a client site or might have gone on sabbatical. In any case, being aware is better than ignorance.
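The following script is an added example, not code from the original post or from Anakage: it runs all four Search-ADAccount flavors discussed above in one sweep, records why each account matched, and writes a single reviewable report. It assumes the ActiveDirectory module (RSAT) is installed and the caller has read access to the domain; the OU path, the output path, the function name Get-StaleAccountReport and the age thresholds are placeholders chosen for the example.

```powershell
# Added example (not from the original post): one audit sweep that runs the
# Search-ADAccount flavours discussed above and writes a reviewable report.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller has
# read access to the domain. OU, output path and thresholds are placeholders.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    [CmdletBinding()]
    param(
        # Days without a logon before an account counts as inactive
        [int]$InactiveDays = 30,
        # Limit the sweep to one OU; $null searches the whole domain
        [string]$SearchBase = $null,
        # Accounts younger than this are flagged separately: a brand-new
        # account has never logged on and would otherwise look "inactive"
        [int]$MinimumAgeDays = 14
    )

    # -UsersOnly on every query, as in the post: no computers or MSAs
    $common = @{ UsersOnly = $true }
    if ($SearchBase) { $common['SearchBase'] = $SearchBase }

    # Each flavour is tagged with the reason it matched, so a reviewer sees
    # why an account is on the list rather than a bare name.
    $findings = @()
    $findings += Search-ADAccount @common -PasswordExpired |
        Select-Object *, @{ n = 'Reason'; e = { 'PasswordExpired' } }
    $findings += Search-ADAccount @common -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) |
        Select-Object *, @{ n = 'Reason'; e = { "NoLogonFor${InactiveDays}Days" } }
    $findings += Search-ADAccount @common -AccountDisabled |
        Select-Object *, @{ n = 'Reason'; e = { 'Disabled' } }
    $findings += Search-ADAccount @common -LockedOut |
        Select-Object *, @{ n = 'Reason'; e = { 'LockedOut' } }

    # Merge per account and pull whenCreated so very new accounts (no
    # LastLogonDate yet) are separated from genuinely stale ones.
    $cutoff = (Get-Date).AddDays(-$MinimumAgeDays)
    $findings |
        Group-Object SamAccountName |
        ForEach-Object {
            $acct = $_.Group[0]
            $user = Get-ADUser -Identity $acct.SamAccountName -Properties whenCreated
            [pscustomobject]@{
                SamAccountName = $acct.SamAccountName
                Enabled        = $acct.Enabled
                LastLogonDate  = $acct.LastLogonDate
                Created        = $user.whenCreated
                NewAccount     = ($user.whenCreated -gt $cutoff)
                Reasons        = ($_.Group.Reason | Sort-Object -Unique) -join ';'
            }
        } |
        Sort-Object LastLogonDate
}

# Usage: produce the list for review; nothing is disabled or deleted here,
# because an account can be stale for a legitimate reason.
Get-StaleAccountReport -InactiveDays 30 -SearchBase 'OU=Staff,DC=example,DC=com' |
    Export-Csv -Path 'C:\Temp\stale-accounts.csv' -NoTypeInformation
```

Two caveats worth keeping in mind when reading the report. LastLogonDate is derived from lastLogonTimestamp, which replicates lazily (by default it is only updated when it is more than about 14 days old), so a user who logged on last week can still show a date up to two weeks in the past; treat the 30-day figure as approximate and do not set the threshold below that replication window. Second, -AccountInactive also matches accounts that have never logged on at all, which is why the NewAccount column compares whenCreated against the cutoff, so that fresh hires are not mistaken for stale accounts.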
With Anakage intelligent training technology it is easier to learn these concepts: it guides you step by step on your own system. The topic discussed above is also part of our “Learning Application” for Windows Active Directory. If you want to evaluate it, let us know by sending a mail to us at firstname.lastname@example.org. You can learn more about our training offering there as well.