Filter out users in an OU from get-aduser/Expired AD attrib?

by MohnJadden at 2013-04-30 06:10:15

I’m trying to identify all AD accounts that are expired and have also never logged on, while excluding the Out of Band group (it’s got all the $ime computer accounts).

Here’s what I’ve got:

get-aduser -filter {not (lastlogontimestamp -like "*") -and (enabled -eq $false) -and (distinguishedname -notlike "*out of*")}

This returns no results. If I use enabled -eq $true that also returns nothing. However, if I remove the -and (distinguishedname) part, I get a long list of users.

The only thing is that this lists disabled users, not users who have account expiration dates which have already passed. Let’s say Jane Doe had an expiration date of last week - I want to find Jane Doe, not John Doe, a user who had no expiration date in AD but was disabled.

I tried looking around for an AD attribute that specifies an expired user with no luck - anyone know how I can go about that, and how I should execute the filter to exclude Out of Band?
by ArtB0514 at 2013-04-30 07:49:07
You can do this easier in the Quest tools.
Get-QADUser -Enabled -ExpiredFor <x-days>
If you set <x-days> to 0, it should return all expired users that are still enabled.
by MohnJadden at 2013-04-30 08:06:46
Yeah, I’m trying to keep things to Powershell basic - I’m not sure how well the Powers That Be where I am would take kindly to adjuncts to scripts other than specific code in scripts. Surely there are standard Powershell equivalents to Quest tools, aren’t there?

Plus I’d like to learn all I can for the future. QAD is out there and does make things easier but I’m still very much in a Powershell learning mode.
by dchristian3188 at 2013-04-30 11:48:23
I don’t think DistinguishedName supports the like parameter…

Notice even this fails
Get-ADUser -Filter {DistinguishedName -like "CN*"}

Does this work for you?
Get-ADUser -Filter {(lastlogontimestamp -like "*") -and (enabled -eq $false)} | where {$_.DistinguishedName -notmatch 'out of'}
by DonJ at 2013-04-30 12:32:16
Sometimes you’ll get to the point where -Filter won’t help. The problem is that the parameter is being parsed inside the cmdlet, into an actual LDAP filter, and then sent to AD - so there are limitations on how well it does that. You may need to write an -LDAPFilter instead, so you can get more control and better see the filter limitations.
by MohnJadden at 2013-04-30 12:35:18
Okay, so that looks to work. My one concern is the enabled flag - this is including accounts that are disabled (Service accounts, room accounts, shared mailbox user accounts, etc.) and not expired. Any knowledge of the correct AD attribute to govern expired accounts?
by mjolinor at 2013-04-30 13:12:33
Check the Search-ADAccount cmdlet. It has a switch parameter specifically for finding expired accounts.

Search-ADAccount -AccountExpired -ResultSetSize $null | where {$_.distinguishedname -notmatch 'Out of Band'}
by MohnJadden at 2013-05-01 06:28:41
So the search-adaccount part does show expired accounts. That’s perfect. It also seems to work with the -notmatch part. However, I still need to only include users who have never logged on - and I tried a couple of means of accomplishing this:

First attempt:
search-adaccount -accountexpired -resultsetsize $null -f {not (lastlogontimestamp -like "*")} | where {$_.distinguishedname -notmatch 'Out of Band'}
Error on this: Search-ADAccount : A parameter cannot be found that matches parameter name 'filter'.

So I thought that since search-adaccount may not have that kind of filter option, I decided to pipe the search-adaccount above (which does list all expired accounts successfully) to a CSV and then run get-aduser against it as follows:

get-content Expired.csv | get-aduser -filter {not (lastlogontimestamp -like "*")}
Errors out as follows: Get-ADUser : Error parsing query: 'not (lastlogontimestamp -like "*")' Error Message: 'syntax error' at position: '5'
At line:1 char:37

So is there a way for search-adaccount to use the lastlogontimestamp filter to show users that have never logged on and are expired, or to do so with a csv of all expired users via get-aduser or some other cmdlet?

A bit new to PS, just started forcing myself to use it about a month ago. Anyway, a few months behind, but maybe this will help you:

Search-ADAccount -AccountDisabled -ResultSetSize $null | where {$_.DistinguishedName -match "IT"} | where {$_.LastLogonDate -notmatch "."}

I’m sure there’s a better approach as piping to two Where’s is surely not the most efficient.
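As an added example (not code posted by anyone in this thread), here is one way to put the pieces the thread arrived at together: the expiry test written directly as an -LDAPFilter, as DonJ suggested, "never logged on" expressed as the absence of lastLogonTimestamp, and the OU exclusion done client-side, because DN-syntax attributes cannot be substring-matched in an LDAP filter, which is why dchristian3188's -like test on DistinguishedName fails. The function names, the "OU=Out of Band" name and the optional search base are assumptions for this example; it needs the ActiveDirectory (RSAT) module and read access to the domain.

```powershell
# Added example, not code from the thread. Assumes the ActiveDirectory module is installed
# and that the accounts to skip live in an OU named "Out of Band" (both assumptions).
Import-Module ActiveDirectory

function Get-ExpiredNeverLoggedOnUser {
    param(
        # RDN of the OU to exclude; an assumption for this example.
        [string]$ExcludeOu = 'OU=Out of Band',
        # Optional search root, e.g. 'OU=Users,DC=corp,DC=example' (assumed name).
        [string]$SearchBase
    )

    # accountExpires is a FILETIME (100-ns ticks since 1601-01-01 UTC). The values 0 and
    # 0x7FFFFFFFFFFFFFFF both mean "never expires", so they must be excluded explicitly;
    # a plain "accountExpires <= now" would otherwise sweep in every account with value 0.
    $now   = [DateTime]::UtcNow.ToFileTimeUtc()
    $never = [Int64]::MaxValue

    # Everything in this filter is evaluated on the DC. "Never logged on" is the absence of
    # lastLogonTimestamp, which is what the OP's -Filter was failing to translate.
    $ldap = '(&(objectCategory=person)(objectClass=user)' +
            "(accountExpires<=$now)(!(accountExpires=0))(!(accountExpires=$never))" +
            '(!(lastLogonTimestamp=*)))'

    $params = @{
        LDAPFilter = $ldap
        Properties = 'accountExpires', 'lastLogonTimestamp', 'whenCreated'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        # DN attributes cannot be substring-matched server-side, so exclude the OU here.
        # Match the ",OU=...," component rather than a bare "out of" so that a CN that
        # happens to contain those words is not dropped by accident.
        Where-Object { $_.DistinguishedName -notlike "*,$ExcludeOu,*" } |
        Select-Object SamAccountName, Enabled,
            @{ n = 'Expired'; e = { [DateTime]::FromFileTimeUtc($_.accountExpires) } },
            @{ n = 'Created'; e = { $_.whenCreated } },
            DistinguishedName
}

# Cross-check using the cmdlet mjolinor suggested. Search-ADAccount already returns
# LastLogonDate (derived from lastLogonTimestamp), so no second lookup is needed,
# and -AccountExpired handles the 0 / MaxValue "never expires" sentinels itself.
function Get-ExpiredNeverLoggedOnUserViaSearch {
    param([string]$ExcludeOu = 'OU=Out of Band')
    Search-ADAccount -AccountExpired -UsersOnly -ResultSetSize $null |
        Where-Object { -not $_.LastLogonDate -and $_.DistinguishedName -notlike "*,$ExcludeOu,*" }
}

# Usage: the two functions should return the same SamAccountNames; a difference is
# usually an account whose lastLogonTimestamp has not replicated to the DC you queried.
Get-ExpiredNeverLoggedOnUser | Format-Table -AutoSize
```

Two caveats a practitioner should keep in mind. lastLogonTimestamp is the replicated attribute, but it is only rewritten when the stored value is older than msDS-LogonTimeSyncInterval (14 days by default) minus a random offset, so it tells you "never logged on" reliably but not "last logged on this week"; the per-DC lastLogon attribute is exact but must be read from every DC. And an account that expired before the domain reached the Windows Server 2003 functional level may have logged on without ever receiving a lastLogonTimestamp, so treat the result as a list to review, not as proof that the credential was never used.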