How-To Search Active Directory Domain Services Password and Account Settings Using Windows PowerShell

The Active Directory Module for Windows PowerShell, which is included with Windows Server 2008 R2, can be used to perform password and account search operations against Active Directory Domain Services (AD DS) objects, including user accounts, computer accounts, and service accounts. What follows is an in-depth look at searching AD DS by using the Active Directory Module for Windows PowerShell. For an overview of the Active Directory Module for Windows PowerShell, please see Introducing the Active Directory Module for Windows PowerShell.

Overview

Search-ADAccount is a cmdlet that is included with the Active Directory Module for Windows PowerShell. Search-ADAccount can be used to search AD DS for user accounts, computer accounts, and service accounts. This cmdlet includes a number of default parameters focused on account and password status, such as:

  • Account disabled
  • Account expired
  • Account expiring
  • Account inactive
  • Account locked
  • Password expired
  • Password never expires

Controlling the Search Scope and Search Base

You can specify the search base and search scope by using the -SearchBase and -SearchScope parameters, respectively.

If you want to limit your search to a particular Organizational Unit, you can use the -SearchBase parameter and specify the distinguished name of the OU. The following command sets the search base to the Toronto OU:

  • Search-ADAccount -PasswordNeverExpires -SearchBase "OU=Toronto,DC=domain,DC=local"

The -SearchScope parameter allows you to control the scope of the search. The scope can be set to Base, OneLevel, or Subtree. Base searches only the path/object named in -SearchBase; OneLevel searches the immediate children of that path/object; Subtree searches the path/object and everything beneath it, including nested containers.

Building on the above example, you can refine the command so that it searches only the Toronto OU itself, and no child OUs, by typing the following command:

  • Search-ADAccount -PasswordNeverExpires -SearchBase "OU=Toronto,DC=domain,DC=local" -SearchScope Base
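As an added example that is not part of the original article, the following script runs the same non-expiring-password search against the Toronto OU at OneLevel and at Subtree scope and then lists the matches that live in child OUs. The OU distinguished name is the article's placeholder and is assumed; substitute your own. Note that a Base scope matches only the object named in -SearchBase, here the OU object itself, so the scope that returns accounts placed directly in the OU without descending into child OUs is OneLevel.

```powershell
Import-Module ActiveDirectory

# Assumed search base (the article's placeholder OU); substitute your own.
$ou = 'OU=Toronto,DC=domain,DC=local'

# OneLevel: only accounts whose parent container is the OU itself.
$direct = @(Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $ou -SearchScope OneLevel)

# Subtree: the OU and every container beneath it.
$all = @(Search-ADAccount -PasswordNeverExpires -UsersOnly -SearchBase $ou -SearchScope Subtree)

# @() around each search turns a "no results" $null into an empty array so .Count is always valid.
"{0} user(s) with non-expiring passwords directly in {1}" -f $direct.Count, $ou
"{0} user(s) with non-expiring passwords anywhere beneath {1}" -f $all.Count, $ou

# Whatever Subtree found that OneLevel did not must sit in a child OU; listing
# these by distinguished name shows which delegated containers carry the risk.
$directDns = @($direct | ForEach-Object { $_.DistinguishedName })
$all | Where-Object { $directDns -notcontains $_.DistinguishedName } |
    Sort-Object DistinguishedName |
    Select-Object SamAccountName, Enabled, DistinguishedName
```

The script uses -notcontains and ForEach-Object rather than the member-enumeration shorthand so that it also runs under the PowerShell 2.0 that ships with Windows Server 2008 R2.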

Controlling the Type of Objects to Return

By default, Search-ADAccount will return user accounts and computer accounts that meet the criteria you specify. However, Search-ADAccount allows you to control whether user objects or computer objects are returned when you search.

For example, to return only user objects that have a password that never expires, you would run the following command:

  • Search-ADAccount -PasswordNeverExpires -UsersOnly

To return only computer objects that have a password that never expires, you would run the following command:

  • Search-ADAccount -PasswordNeverExpires -ComputersOnly

Searching for Disabled Accounts

The -AccountDisabled parameter can be used with Search-ADAccount to search for disabled accounts. The figure below shows the results of such a search:

Searching for Expired Accounts

The -AccountExpired parameter can be used with Search-ADAccount to search for expired accounts. The figure below shows the results of such a search:

Searching for Locked Out Accounts

The -LockedOut parameter can be used with Search-ADAccount to search for locked out accounts. The following command can be run to search for all user accounts that are locked out:

  • Search-ADAccount -LockedOut

Searching for Accounts that have an Expired Password

The -PasswordExpired parameter can be used with Search-ADAccount to search for accounts that have an expired password. The following command can be run to search for all user accounts that have an expired password:

  • Search-ADAccount -PasswordExpired

Searching for Accounts that have a Non-Expiring Password

The -PasswordNeverExpires parameter can be used with Search-ADAccount to search for accounts that have a non-expiring password. The figure below shows the results of such a search:

Searching for Accounts that will be Expiring

The -AccountExpiring parameter can be used with Search-ADAccount to search for accounts that will be expiring in a given time period or by a specific time.

To specify a given time period, you must include the -TimeSpan parameter. The following command can be run to search for all user accounts that will expire in the next 30 days:

  • Search-ADAccount -AccountExpiring -TimeSpan 30.00:00:00

To specify a specific time, you must include the -DateTime parameter. The figure below shows the results of such a search for all user accounts that will expire on June 28, 2009:

Searching for Accounts that are Inactive

The -AccountInactive parameter can be used with Search-ADAccount to search for accounts that have not logged on within a given time period or since a specified time.

To specify a given time period, you must include the -TimeSpan parameter. The figure below shows the results of such a search for all user accounts that have not logged on within the past 90 days:

To specify a specific time, you must include the -DateTime parameter. The following command will search for all user accounts that have not logged on since May 01, 2009:

  • Search-ADAccount -AccountInactive -DateTime "5/01/2009 12:00:00 AM"
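As an added example that is not part of the original article, the following script combines the status searches described in the sections above (locked out, password expired, password never expires, account expired, account expiring within a -TimeSpan, and inactive since a -DateTime) into a single user-account audit report. The search base, the 90-day and 30-day thresholds and the output file name are assumptions; adjust them for your domain.

```powershell
Import-Module ActiveDirectory

# Assumed values: adjust the search base, thresholds and output path for your domain.
$searchBase    = 'DC=domain,DC=local'
$inactiveDays  = 90
$expiringDays  = 30
$inactiveSince = (Get-Date).AddDays(-$inactiveDays)
$outFile       = 'ADAccountAudit.csv'

# Each entry pairs a report label with the Search-ADAccount parameters that produce it.
$checks = @(
    @{ Finding = 'Locked out';             Params = @{ LockedOut = $true } },
    @{ Finding = 'Password expired';       Params = @{ PasswordExpired = $true } },
    @{ Finding = 'Password never expires'; Params = @{ PasswordNeverExpires = $true } },
    @{ Finding = 'Account expired';        Params = @{ AccountExpired = $true } },
    @{ Finding = "Expires within $expiringDays days"
       Params  = @{ AccountExpiring = $true; TimeSpan = New-TimeSpan -Days $expiringDays } },
    @{ Finding = "No logon since $($inactiveSince.ToShortDateString())"
       Params  = @{ AccountInactive = $true; DateTime = $inactiveSince } }
)

$report = foreach ($check in $checks) {
    $params  = $check.Params
    $finding = $check.Finding
    # Splat the parameter set onto Search-ADAccount; -UsersOnly keeps computer
    # accounts out so that the findings describe people, not machines.
    Search-ADAccount -UsersOnly -SearchBase $searchBase -SearchScope Subtree @params |
        Select-Object @{ Name = 'Finding'; Expression = { $finding } },
                      SamAccountName, Enabled, LastLogonDate,
                      AccountExpirationDate, PasswordNeverExpires, DistinguishedName
}

# Summary count per finding, then full detail to CSV for follow-up.
$report | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize
$report | Sort-Object Finding, SamAccountName |
    Export-Csv -Path $outFile -NoTypeInformation

# Stale but still enabled accounts are the ones to act on first: a disabled
# account that has not logged on is expected, an enabled one is not.
$report | Where-Object { $_.Finding -like 'No logon since*' -and $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName
```

Two caveats when reading the output. LastLogonDate is derived from the lastLogonTimestamp attribute, which is only rewritten when the stored value is more than about 14 days old (the default msDS-LogonTimeSyncInterval), so the inactivity finding is accurate to roughly two weeks rather than to the day. The locked-out finding is a point-in-time snapshot: lockouts clear automatically once the domain's lockout duration elapses, so run the check close to the time you intend to investigate.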

Wrapping Up

The Active Directory Module for Windows PowerShell includes a powerful means to search Active Directory Domain Services password and account settings. Search-ADAccount includes a number of built-in parameters which are extremely useful when searching for password and account settings.
