Thursday, August 21, 2008

Powershell - Finding Unused AD Accounts

As an admin of an Active Directory domain I like to identify accounts that are either unused or set up to not adhere to the password expiry policy that is pushed out through the domain security policy.

I'm very new to PowerShell and I wanted to see how simple it would be to achieve this. I soon found that using PowerShell and the Quest Active Directory cmdlets the identification of these accounts becomes a piece of cake.

First I wanted to see which properties of the user object I would find most useful, so I ran the command:

get-qaduser administrator | select *

This showed everything I could select from the user account. I figured out what would be most useful to me and came up with the following:

get-qaduser * -sizelimit 0 | select -property name,accountexpires,pass*,accountisdisabled,lastlog*,canonicalname | export-csv -path d:\Passwords.csv

This will output a list of accounts to a csv file complete with the username, account expiry details, whether the account is disabled, the last logon details, password details and (via the canonical name) the OU where the account lives. As you can see, it's really useful stuff.

The output is a csv file which can be opened in Excel.
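Rather than sifting through the spreadsheet by hand, the same Quest cmdlets can do the triage in the pipeline. The script below is an added example and is not part of the original post: it flags accounts that are disabled, that have the "password never expires" flag set (which exempts them from the domain's maximum password age), that have never logged on, or whose replicated last logon is older than a threshold. The 90-day threshold, the output path and the `Findings` column name are assumptions made for this example; the snap-in name and the property names are those exposed by the Quest Get-QADUser cmdlet.

```powershell
# Added example (not from the original post). Assumes the Quest ActiveRoles
# Management Shell is installed; the snap-in is loaded in case the script is
# run from a plain PowerShell console.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# Hypothetical threshold for "unused": no logon recorded in the last 90 days.
$StaleDays = 90
$Cutoff    = (Get-Date).AddDays(-$StaleDays)

Get-QADUser -SizeLimit 0 |
    Select-Object Name, CanonicalName, AccountIsDisabled, PasswordNeverExpires,
                  PasswordLastSet, LastLogonTimestamp, AccountExpires |
    ForEach-Object {
        $reasons = @()

        # Disabled accounts are usually fine, but list them so they can be
        # reviewed for eventual deletion.
        if ($_.AccountIsDisabled) { $reasons += 'Disabled' }

        # DONT_EXPIRE_PASSWD set in userAccountControl: the domain password
        # policy's maximum age is not enforced on this account.
        if ($_.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }

        # LastLogonTimestamp is replicated domain-wide, so one DC gives a
        # usable answer. An empty value means no logon has ever been recorded.
        if (-not $_.LastLogonTimestamp) {
            $reasons += 'NeverLoggedOn'
        }
        elseif ($_.LastLogonTimestamp -lt $Cutoff) {
            $reasons += "NoLogonFor${StaleDays}Days"
        }

        # Emit only the accounts that have at least one finding.
        if ($reasons.Count -gt 0) {
            $_ | Add-Member -MemberType NoteProperty -Name Findings `
                            -Value ($reasons -join ';') -PassThru
        }
    } |
    Export-Csv -Path d:\StaleOrExemptAccounts.csv -NoTypeInformation
```

One caveat when reading the last logon columns: `LastLogon` is stored per domain controller and is not replicated, so the value from a single DC only reflects logons that DC itself handled. `LastLogonTimestamp` is replicated, but by design it is only updated when the stored value is more than about 14 days old, so it can lag the real last logon by up to two weeks. For a domain-wide "unused account" report that lag is acceptable; for a precise answer you have to query `LastLogon` on every DC and take the latest value.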