There are several ways to collect information from Active Directory. Starting with Windows Server 2003, Microsoft provided Domain Services (DS) command-line tools such as DSMod, DSGet, DSQuery and so on to collect objects and information from Active Directory.
Fortunately, the time and effort needed to gather information from Active Directory has been dramatically reduced with the introduction of Active Directory PowerShell cmdlets in Windows Server 2008 and later editions.
While Active Directory PowerShell cmdlets are not exactly new at this point, there are a few essential Active Directory PowerShell commands, explained below, that you might want to use to streamline your daily operational needs.
In our latest PowerShell tutorial for learning PowerShell commands and scripting, we’ll look at some of the most useful Active Directory commands for PowerShell.
1. Disabled Computer Accounts Count and List from Active Directory
In case you need to get a list of disabled computer accounts from Active Directory, you can use the Get-ADComputer PowerShell cmdlet. The Get-ADComputer cmdlet has a -Filter switch you can use to specify a particular computer object property. For example, to get the disabled computer accounts from Active Directory, you will specify “Enabled -eq $false” as shown in the following command:
$CompsDisabledCount=(Get-ADComputer -Filter {(enabled -eq $false)} -ResultPageSize 2000 -resultSetSize 500 -Server Serverwatch.com).count
$CompsDisabledCount
In the above PowerShell commands example, the output is stored in the $CompsDisabledCount variable. If you wish to collect the list of disabled computer accounts from an Active Directory domain, use this command:
$DisabledCompsList = ".\CompsDisabledList.CSV"
Get-ADComputer -Filter {(enabled -eq $false)} -Server ServerWatch.com -Properties Name, SamAccountName, DistinguishedName, OperatingSystem | Select-Object Name, SamAccountName, DistinguishedName, OperatingSystem | Export-CSV "$DisabledCompsList" -NoTypeInformation
The PowerShell command above collects the disabled computer name, SamAccountName, full path of the computer, and operating system, and then stores the output in a CSV file named CompsDisabledList.CSV.
2. Disabled User Accounts Count and List from Active Directory
Use these PowerShell commands to get the disabled users count and a list of these users. Change the domain name to your own and then run these commands in a PowerShell window:
To get the disabled users count:
$UsersDisabledCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -AccountDisabled -UsersOnly).Count
$UsersDisabledCount
To get a list of disabled users and store the output in a CSV file:
$UsersDisabledListCSV = ".\DisabledUsersList.CSV"
Search-ADAccount -Server Serverwatch.com -AccountDisabled -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersDisabledListCSV" -NoTypeInformation
Note that in the above commands, we are using the “Search-ADAccount” PowerShell cmdlet. Search-ADAccount is a powerful Active Directory cmdlet that also supports collecting “expired user accounts,” “password never expires user accounts,” “account locked out user accounts,” and “inactive user accounts” information from Active Directory. All you need to do is specify the parameter name with the Search-ADAccount cmdlet as listed in the table below:
Item | Parameter
Accounts Expired User Accounts | -AccountExpired
Password Never Expires | -PasswordNeverExpires
Locked Out User Accounts | -LockedOut
Stale User Accounts | -AccountInactive
3. Collect the count and list of expired user accounts:
To collect the count:
$UsersExpiredCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -AccountExpired -UsersOnly).Count
$UsersExpiredCount
To collect the complete list with a PowerShell command, use:
$UserExpiredList = ".\UsersExpired.CSV"
Search-ADAccount -Server Serverwatch.com -AccountExpired -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UserExpiredList" -NoTypeInformation
4. Collect the count and list of user accounts whose password never expires:
To collect the count:
$UsersPassNeverExpireCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -PasswordNeverExpires -UsersOnly).Count
$UsersPassNeverExpireCount
To collect the complete list:
$UserNeverExpireList = ".\UserNeverExpireList.CSV"
Search-ADAccount -Server Serverwatch.com -PasswordNeverExpires -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UserNeverExpireList" -NoTypeInformation
5. Collect the count and list of locked-out user accounts:
To collect the count:
$UsersAccountLockOutCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -LockedOut -UsersOnly).Count
$UsersAccountLockOutCount
To collect the complete list:
$UserAccountLockOutCSV = ".\UserAccountLockOut.CSV"
Search-ADAccount -Server Serverwatch.com -LockedOut -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UserAccountLockOutCSV" -NoTypeInformation
6. Collect the count and list of stale user accounts:
To collect the count:
$UsersInactiveAccountCount=(Search-ADAccount -Server Serverwatch.com -ResultPageSize 2000 -resultSetSize 500 -AccountInactive -UsersOnly).Count
$UsersInactiveAccountCount
To collect the complete list with a PowerShell command, use:
$UsersInactiveListFile = ".\UsersInactiveList.CSV"
Search-ADAccount -Server Serverwatch.com -AccountInactive -UsersOnly | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "$UsersInactiveListFile" -NoTypeInformation
Adding the Power of a ForEach Loop
The above commands are designed to collect the computer and user information from a single Active Directory domain. We’ve used “Serverwatch.com” as the target domain in these examples.
If you need to run the above commands for multiple domains in an Active Directory forest, you will need to use a PowerShell ForEach loop in a script. For example, to collect a list of disabled computers from all domains in an Active Directory forest, execute the following PowerShell commands in a PowerShell window:
$DomainList = ".DomainList.TXT"
$DisabledCompsList = .CompsDisabledList.CSV
ForEach ($DomainName in Get-Content "$DomainList")
{
Get-ADComputer -Filter {(enabled -eq $false)} -Server $DomainName -Properties Name, SamAccountName, DistinguishedName, OperatingSystem | Select-Object Name, SamAccountName, DistinguishedName, OperatingSystem, @{Name='Active Directory Domain';Expression={$DomainName}} | Export-CSV "$DisabledCompsList" -NoTypeInformation
}
In the list of PowerShell commands above, DomainList.TXT contains the list of domains that the ForEach loop processes to collect the list of disabled computer accounts from each domain. The output for each domain is stored in a single CSV file named CompsDisabledList.CSV.
Similarly, if you wish to execute the other PowerShell commands explained in this article for multiple domains, use the above code as a template.
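The following script is an added example that is not part of the original article; it combines the Search-ADAccount checks from the table above (sections 3 to 6) with the ForEach pattern in one run. It assumes the ActiveDirectory module is installed, that the caller can read every domain, that the domain list can be taken from (Get-ADForest).Domains instead of a DomainList.TXT file, and a 90-day window for -AccountInactive (the article's commands pass no -TimeSpan).

```powershell
# Added example (not from the original article). Runs the four Search-ADAccount
# checks from the table against every domain in the forest, appends one row per
# account (tagged with its domain) to one CSV per check, and builds a count table.
# Assumptions: ActiveDirectory module present, read access to every domain, and a
# 90-day inactivity window (adjust to your own policy).
Import-Module ActiveDirectory

$OutputFolder = ".\ADAccountReports"
New-Item -ItemType Directory -Path $OutputFolder -Force | Out-Null
# Start clean so -Append below does not pile onto a previous run's files.
Remove-Item -Path (Join-Path $OutputFolder "*.CSV") -ErrorAction SilentlyContinue

# Domain list taken from the forest instead of a DomainList.TXT file.
$DomainList = (Get-ADForest).Domains

# Check name -> the Search-ADAccount parameters (splatted below) that select it.
$Checks = [ordered]@{
    'AccountExpired'       = @{ AccountExpired       = $true }
    'PasswordNeverExpires' = @{ PasswordNeverExpires = $true }
    'LockedOut'            = @{ LockedOut            = $true }
    'AccountInactive'      = @{ AccountInactive      = $true; TimeSpan = (New-TimeSpan -Days 90) }
}

$Summary = foreach ($DomainName in $DomainList) {
    foreach ($CheckName in $Checks.Keys) {
        $Params = $Checks[$CheckName]
        # No -ResultSetSize here: capping the result set would also cap the count.
        $Accounts = @(Search-ADAccount -Server $DomainName -UsersOnly -ResultPageSize 2000 @Params)
        $Accounts |
            Select-Object Name, SamAccountName, DistinguishedName, LastLogonDate,
                @{ Name = 'Active Directory Domain'; Expression = { $DomainName } } |
            Export-Csv -Path (Join-Path $OutputFolder "$CheckName.CSV") -NoTypeInformation -Append
        # One summary row per domain and check; this is the "count" view.
        [pscustomobject]@{ Domain = $DomainName; Check = $CheckName; Count = $Accounts.Count }
    }
}

$Summary | Format-Table -AutoSize
$Summary | Export-Csv -Path (Join-Path $OutputFolder "Summary.CSV") -NoTypeInformation
```

Review the PasswordNeverExpires and AccountInactive CSVs first: accounts that appear in both are the usual candidates for cleanup or for a password-policy exception review.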
The Active Directory PowerShell commands examples detailed in this article are supported on Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2 and Windows Server 2016.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at nirmal_sharma@mvps.org.