Is there a way to get the disabled AD Objects dates?

I’m trying to get all disabled AD objects, filter only the disabled AD objects, and list only the users that have been disabled for more than a year.

Is there any filter other than LastLogonDate?

Sure, here are some examples. These are all AD attributes. You can filter on most of the attributes that make sense to do so, with a few quirks - “EmailAddress” won’t work, but “mail” does, for example.

Get-ADUser -filter {Enabled -eq $False}
Get-ADUser -Filter {PasswordExpired -eq $True}
Get-ADUser -Filter {(PasswordNeverExpires -eq $False) -and (Mail -like '*')}

When an account is disabled, the userAccountControl attribute is set to 514. You can use Get-ADReplicationAttributeMetadata to find out when that attribute was last set:

# Disabled user objects whose userAccountControl is exactly 514
$disabledUsers = Get-ADObject -Filter "ObjectClass -eq 'User' -and userAccountControl -eq '514'"

foreach ($disabledUser in $disabledUsers) {
    # Replication metadata records when each attribute was last written
    Get-ADReplicationAttributeMetadata $disabledUser -Server localhost |
        Where-Object {$_.AttributeName -eq 'UserAccountControl'} |
        Select-Object Object,LastOriginatingChangeTime |
        Where-Object {$_.LastOriginatingChangeTime -lt (Get-Date).AddDays(-365)}
}

That shows the date of the last change, which may or may not be when the account was disabled.
You may have to use one of the optional fields to set a date.

Richard, can you elaborate please? I’m not seeing the flaw in my logic.

If the current value of the attribute is 514 (account disabled) and the LastOriginatingChangeTime property of the attribute shows the date/time of the last change to the attribute, under what circumstances might it not represent the date/time when the account was disabled?

Thanks guys
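
An added example, not part of the original thread: it selects disabled users with the bitwise ACCOUNTDISABLE test rather than the exact value 514, so accounts carrying other userAccountControl flags are included, and reports those whose userAccountControl was last written more than a year ago. It goes beyond the case in the thread; using `localhost` as the server (running on a domain controller) is an assumption carried over from the snippet above, and the output column names are illustrative.

```powershell
# Added example; needs the ActiveDirectory module (RSAT) and read access to a DC.
Import-Module ActiveDirectory

$server = 'localhost'                 # assumption: run on a domain controller
$cutoff = (Get-Date).AddDays(-365)    # "disabled for more than a year"

# LDAP bitwise-AND matching rule (1.2.840.113556.1.4.803): true when the
# ACCOUNTDISABLE bit (0x2) is set, regardless of the other flags in the field.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2))'

$users = Get-ADUser -LDAPFilter $ldapFilter -Server $server `
                    -Properties userAccountControl, whenChanged

$report = foreach ($user in $users) {
    # One metadata entry per attribute; keep only userAccountControl.
    $meta = Get-ADReplicationAttributeMetadata -Object $user -Server $server |
        Where-Object { $_.AttributeName -eq 'userAccountControl' }

    if (-not $meta) { continue }      # no metadata returned for this object

    [pscustomobject]@{
        SamAccountName     = $user.SamAccountName
        UserAccountControl = $user.userAccountControl
        # Last originating write to the attribute. userAccountControl is a
        # bit field, so this is the time of the last change to ANY flag.
        UacLastChanged     = $meta.LastOriginatingChangeTime
        # Number of originating writes to the attribute so far.
        UacVersion         = $meta.Version
        # Last change to any attribute on the object, for comparison.
        ObjectLastChanged  = $user.whenChanged
    }
}

$report |
    Where-Object { $_.UacLastChanged -lt $cutoff } |
    Sort-Object UacLastChanged |
    Format-Table -AutoSize
```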