The Active Directory Module for Windows PowerShell, which is included with Windows Server 2008 R2, can be used to perform password and account search operations against Active Directory Domain Services (AD DS) objects, including user accounts, computer accounts, and service accounts. What follows is an in-depth look at searching AD DS by using the Active Directory Module for Windows PowerShell. For an overview of the Active Directory Module for Windows PowerShell, please see Introducing the Active Directory Module for Windows PowerShell.
Search-ADAccount is a cmdlet that is included with the Active Directory Module for Windows PowerShell. Search-ADAccount can be used to search AD DS for user accounts, computer accounts, and service accounts. This cmdlet includes a number of default parameters focused on account and password status, which are described below.
You can specify the search base and search scope by using the -SearchBase and -SearchScope parameters, respectively.
If you want to limit your search to a particular Organizational Unit, you can use the -SearchBase parameter and specify the distinguished name of the OU. The following command sets the search base to the Toronto OU:
The -SearchScope parameter allows you to control the scope of the search. The scope can be set to Base, OneLevel, or SubTree. Base searches the current path/object; OneLevel searches the immediate children of the path/object; SubTree searches the current path/object and its children.
Adding to the above example, you can refine the command so that it only searches the Toronto OU and no child OUs by typing the following command:
By default, Search-ADAccount will return user accounts and computer accounts that meet the criteria you specify. However, Search-ADAccount allows you to control whether user objects or computer objects are returned when you search.
For example, to return only user objects that have a password that never expires, you would run the following command:
To return only computer objects that have a password that never expires, you would run the following command:
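Combining the scope and object-type parameters described above, as an added example that is not part of the original article; the domain components of the Toronto OU's distinguished name are assumed:

```powershell
Import-Module ActiveDirectory

# Assumed placeholder DN: the Toronto OU is taken to live in contoso.com.
$torontoOU = 'OU=Toronto,DC=contoso,DC=com'

# Users directly under the Toronto OU whose password never expires.
# -SearchScope OneLevel excludes child OUs; SubTree (the default) includes them.
$users = @(Search-ADAccount -PasswordNeverExpires -UsersOnly `
    -SearchBase $torontoOU -SearchScope OneLevel |
    Select-Object SamAccountName, Enabled, DistinguishedName)

# Computer accounts anywhere in the Toronto subtree with a non-expiring password.
# Domain-joined machines rotate their password automatically, so a hit here is
# unusual and worth reviewing.
$computers = @(Search-ADAccount -PasswordNeverExpires -ComputersOnly `
    -SearchBase $torontoOU -SearchScope SubTree |
    Select-Object Name, Enabled, LastLogonDate)

"{0} user(s) and {1} computer(s) under Toronto have a non-expiring password" -f `
    $users.Count, $computers.Count
$users     | Format-Table -AutoSize
$computers | Format-Table -AutoSize
```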
The -AccountDisabled parameter can be used with Search-ADAccount to search for disabled accounts. The figure below shows the results of such a search:
The -AccountExpired parameter can be used with Search-ADAccount to search for expired accounts. The figure below shows the results of such a search:
The -LockedOut parameter can be used with Search-ADAccount to search for locked out accounts. The following command can be run to search for all user accounts that are locked out:
The -PasswordExpired parameter can be used with Search-ADAccount to search for accounts that have an expired password. The following command can be run to search for all user accounts that have an expired password:
The -PasswordNeverExpires parameter can be used with Search-ADAccount to search for accounts that have a non-expiring password. The figure below shows the results of such a search:
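The five account-status switches above can be run as one audit pass and collected into a single report. This is an added example, not code from the original article; the hashtable-splatting layout and the CSV output path are my own choices.

```powershell
Import-Module ActiveDirectory

# One Search-ADAccount status switch per finding, held as splatting tables.
$checks = @{
    Disabled             = @{ AccountDisabled      = $true }
    Expired              = @{ AccountExpired       = $true }
    LockedOut            = @{ LockedOut            = $true }
    PasswordExpired      = @{ PasswordExpired      = $true }
    PasswordNeverExpires = @{ PasswordNeverExpires = $true }
}

# Run each check against user objects only and tag every hit with its finding.
$report = foreach ($finding in $checks.Keys) {
    $params = $checks[$finding]
    Search-ADAccount @params -UsersOnly | ForEach-Object {
        New-Object PSObject -Property @{
            Finding           = $finding
            SamAccountName    = $_.SamAccountName
            Enabled           = $_.Enabled
            LastLogonDate     = $_.LastLogonDate
            DistinguishedName = $_.DistinguishedName
        }
    }
}

# Summary count per finding.
$report | Group-Object Finding | Select-Object Name, Count | Format-Table -AutoSize

# Enabled accounts with a non-expiring password are the ones to review first,
# since they never age out under the domain password policy.
$report | Where-Object { $_.Finding -eq 'PasswordNeverExpires' -and $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName |
    Format-Table -AutoSize

# Full report for offline review; the path is an assumed location.
$reportPath = Join-Path $env:TEMP 'ADAccountStatus.csv'
$report | Select-Object Finding, SamAccountName, Enabled, LastLogonDate, DistinguishedName |
    Export-Csv -Path $reportPath -NoTypeInformation
"Report written to $reportPath"
```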
The -AccountExpiring parameter can be used with Search-ADAccount to search for accounts that will be expiring in a given time period or by a specific time.
To specify a given time period, you must include the -TimeSpan parameter. The following command can be run to search for all user accounts that will expire in the next 30 days:
To specify a specific time, you must include the -DateTime parameter. The figure below shows the results of such a search for all user accounts that will expire on June 28, 2009:
The -AccountInactive parameter can be used with Search-ADAccount to search for accounts that have not logged on within a given time period or since a specified time.
To specify a given time period, you must include the -TimeSpan parameter. The figure below shows the results of such a search for all user accounts that have not logged on within the past 90 days:
To specify a specific time, you must include the -DateTime parameter. The following command will search for all user accounts that have not logged on since May 01, 2009:
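The four time-based searches above (-AccountExpiring and -AccountInactive, each with -TimeSpan and with -DateTime), written out as an added example that is not from the original article; the dates are the ones the article uses.

```powershell
Import-Module ActiveDirectory

# User accounts whose expiration date falls within the next 30 days.
$expiringSoon = Search-ADAccount -AccountExpiring -TimeSpan (New-TimeSpan -Days 30) -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# User accounts that expire by a fixed date (the article's June 28, 2009 example).
$expiringByDate = Search-ADAccount -AccountExpiring -DateTime (Get-Date '2009-06-28') -UsersOnly |
    Select-Object SamAccountName, AccountExpirationDate

# Enabled user accounts with no logon in the past 90 days.
# LastLogonDate is derived from lastLogonTimestamp, which replicates only when
# it is more than about 9 to 14 days stale, so the cut-off is approximate.
$inactive = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate, DistinguishedName

# User accounts not logged on since a fixed date (the article's May 01, 2009 example).
$inactiveSince = Search-ADAccount -AccountInactive -DateTime (Get-Date '2009-05-01') -UsersOnly |
    Select-Object SamAccountName, LastLogonDate

"Expiring in 30 days: {0}" -f @($expiringSoon).Count
"Expiring by 2009-06-28: {0}" -f @($expiringByDate).Count
"Enabled but inactive 90+ days: {0}" -f @($inactive).Count
"Not logged on since 2009-05-01: {0}" -f @($inactiveSince).Count

$inactive | Sort-Object LastLogonDate | Format-Table -AutoSize
```

Enabled-but-inactive accounts are the usual candidates for disabling, since an unused enabled account keeps a valid credential alive with nobody watching it.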
The Active Directory Module for Windows PowerShell includes a powerful means to search Active Directory Domain Services password and account settings. Search-ADAccount includes a number of built-in parameters which are extremely useful when searching for password and account settings.
John Policelli (Microsoft MVP for Directory Services, MCTS, MCSA, ITSM, iNet+, Network+, and A+) is a solutions-focused IT consultant with over a decade of combined success in architecture, security, strategic planning, and disaster recovery planning. John has designed and implemented dozens of complex directory service, e-Messaging, web, networking, and security enterprise solutions.
John has spent the past nine years focused on Identity and Access Management and providing thought leadership for some of the largest installations of Active Directory in Canada. He has been involved as an author, technical reviewer, and subject matter expert for over 50 training, exam writing, press, and whitepaper projects related to Windows Server 2008 Identity and Access Management, networking, and collaboration.
John was awarded the Microsoft Most Valuable Professional designation in the Directory Services technical expertise in 2008 and 2009. John’s MVP profile can be read here.
John is the co-author of MCITP Self-Paced Training Kit (Exam 70-647): Windows Server Enterprise Administration. His latest book Active Directory Domain Services 2008 How-To has been selected as Microsoft Subnet's June, 2009, book giveaway.
To enter to win a copy of the book-of-the-month book giveaway, visit the Microsoft Subnet home page.
Read a free chapter from Active Directory Domain Services 2008 How-To hosted by Microsoft Subnet.