Finding AD accounts that are expired, but still in active state

Hello,

I’m a noob when it comes to Powershell, and I have a big issue with creating a script, that would get Active Directory accounts that have passed their expiration date, but were not put to disabled state automatically.

The main issue is that I don’t know what kind of parameter should I use to get a result of “account expires before today”.

I went through lots of forums and Microsoft support pages, but I was unable to figure out how to do this. This is the code I’ve created but it need it to be more specific, so it shows all the Active accounts that have an Expiry Date before today so I don’t have to update the date every day.

Search-ADAccount -UsersOnly -AccountInactive |Where-Object { $_.Enabled -eq $true}

I have tried to use the Get-Date but I failed to figure out what would be the “before” factor in this.
All help will be really appreciated!

Install-Module AZSBTools -Force -AllowClobber
$UserList = Get-SBADUser 
$EnabledExpiredUsers = $UserList | where { $_.dateexpires -ge [DateTime]'1/1/1700' -and 
                    $_.dateexpires -le (Get-date) -and 
                    $_.useraccountcontrol -notmatch 'Disabled' }
$EnabledExpiredUsers 

[quote quote=167698]

Unfortunatelly, I work on Powershell 4, with no possibility to upgrade it to 5. It's an external client environment, and they do not want to upgrade.
 

As for …

'I'm a noob when it comes to Powershell'
How new?

What training have you tried / searched for?

There are plenty of free training resources to leverage as well as tools provided from MS that will write the base line code for you that you can later tweak as needed.

Examples:

Introduction to Active Directory Administrative Center Enhancements (Level 100) https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/adac/introduction-to-active-directory-administrative-center-enhancements--level-100-

Learning PowerShell with Active Directory Administrative Center (PowerShell History Viewer)

Step-By-Step: Utilizing PowerShell History Viewer in Windows Server 2012 R2

Use Active Directory Administrative Center to Create PowerShell Commands in Windows Server 2012
https://www.petri.com/use-active-directory-administrative-center-create-powershell-commands


You use the PowerShell help files to look at all available properties give you and select and compare from there ir use Get-Member against one object.

So, playing with stuff like…

Clear-Host
# Select only the first user and show all properties. methods, etc.
(Search-ADAccount -UsersOnly -AccountInactive | 
Where-Object { $_.Enabled -eq $true})[0] | 
Get-Member

Clear-Host
# Select All users and only the needed properties
Search-ADAccount -UsersOnly -AccountInactive | 
Where-Object { $_.Enabled -eq $true} | 
Select-Object -Property SamAccountName, Enabled, AccountExpirationDate


Clear-Host
# Select All users and only the needed properties where AccountExpirationDate
Search-ADAccount -UsersOnly -AccountInactive | 
Select-Object -Property SamAccountName, Enabled, AccountExpirationDate | 
Where-Object { $PSItem.Enabled -eq $true -And $PSItem.AccountExpirationDate -lt (Get-Date) }

 

Other resources

See also posts here for other resource suggestions here:

Learning this stuff.
https://www.reddit.com/r/PowerShell/comments/bserj9/learn_powershell/eooduq9/?context=3
https://www.reddit.com/r/PowerShell/comments/bserj9/learn_powershell/eoodxzu/?context=3

Best Practices
https://www.reddit.com/user/get-postanote

Passwords
https://www.reddit.com/r/PowerShell/comments/bv7ywa/whats_the_best_practice_for_passwords_in_ps/epoux2c/?context=3
https://www.reddit.com/r/PowerShell/comments/c5qbjb/how_to_store_password_in_powershell_file/

Practice with PSKoans

PSKoans : 0.50.0
A module designed to provide a crash-course introduction to PowerShell with programming koans.
PowerShell Gallery | PSKoans 0.50.0