Hello All,
You may have seen my previous article, where we saw how to find empty groups in Active Directory using PowerShell. Continuing in the same vein, we will now see how to find expired accounts in Active Directory using PowerShell.
We all know, people join organizations and leave organizations at regular intervals. And we as System Administrators have to create and manage their user accounts in Active Directory.
As a best practice, we set an expiration date on each user account that is created. But do we delete those accounts once they are no longer in use? It's hard to tell, as it depends on the company's policies and procedures. Therefore, today we will see how to find the expired accounts in the domain, so that you can do the same in your organization.
We will be using the Search-ADAccount cmdlet to perform this activity. You can run Get-Help Search-ADAccount to get more information and use cases for the cmdlet.
Now type the following in a PowerShell session.
Import-Module ActiveDirectory
Search-ADAccount -AccountExpired | select Name, samAccountName, ObjectClass, AccountExpirationDate, lastLogonDate | Export-Csv c:\ExpiredAccounts.csv -NoTypeInformation
Let us see what we did here.
First, we used the Search-ADAccount cmdlet with its AccountExpired parameter, which searches for all the expired accounts in the domain.
Next, we select the Name, samAccountName and ObjectClass of the account, the account expiration date and the last logon time. The ObjectClass can be a user or a computer.
After that, we export the result to a CSV file with the help of the Export-Csv cmdlet.
If you want only the user accounts, add the UsersOnly parameter to the Search-ADAccount cmdlet.
Similarly, we can use the ComputersOnly parameter to list only computer accounts.
If you are working with user accounts only, you can find out which properties are available to export with the help of the Get-Member cmdlet. See below for example.
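The following is an added example, not part of the original article: it combines UsersOnly, Get-Member and Export-Csv into a small review report that also shows whether each expired user is still enabled and how long ago it expired. The output path, the variable names and the 90-day review threshold are assumptions to adapt to your own policy.

```powershell
# Added example (not from the original article).
Import-Module ActiveDirectory

# Assumptions: report location and review threshold; adjust to your environment.
$reportPath    = Join-Path $env:TEMP 'ExpiredUsers.csv'
$reviewAfter   = 90          # days past expiry before an account is flagged for cleanup review
$now           = Get-Date

# Expired user accounts only (computer accounts are excluded by -UsersOnly).
$expired = Search-ADAccount -AccountExpired -UsersOnly

if (-not $expired) {
    Write-Output 'No expired user accounts found.'
    return
}

# List the properties that can be selected and exported.
$expired | Get-Member -MemberType Property | Select-Object -ExpandProperty Name

# Build the report. Expiration does not disable an account: Enabled usually
# stays True, so moving the expiration date forward makes the account usable again.
# LastLogonDate comes from the replicated lastLogonTimestamp attribute and can lag.
$report = $expired |
    Select-Object Name, SamAccountName, Enabled, AccountExpirationDate, LastLogonDate,
        @{ Name = 'DaysSinceExpiry'
           Expression = { [math]::Floor(($now - $_.AccountExpirationDate).TotalDays) } } |
    Select-Object *,
        @{ Name = 'ReviewForCleanup'
           Expression = { $_.Enabled -and $_.DaysSinceExpiry -ge $reviewAfter } } |
    Sort-Object DaysSinceExpiry -Descending

$report | Export-Csv -Path $reportPath -NoTypeInformation
$report | Format-Table Name, SamAccountName, Enabled, DaysSinceExpiry, ReviewForCleanup -AutoSize
```

Rows with ReviewForCleanup set to True are accounts that expired long ago but are still enabled objects in the directory, which makes them the first candidates to disable or delete under your account lifecycle policy.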
Feel free to test the various options available at your disposal and leave a comment below so that others can find them useful.
I hope this was informative and thank you for reading!
5 Comments
Thanks for sharing this script; it's really helpful. A few days ago, I also thought to give it a try in my circumstance, but due to not much technical expertise, I moved to an automated solution and I found http://www.lepide.com/active-directory-self-service/ for Active Directory self service, which helps to manage AD accounts more easily.
Thanks for the script. 🙂 For general reports like locked, disabled users you can also use a freeware called AD Inspector: http://www.firstattribute.com/en/software/free-tools/firstware-ad-inspector/
Thanks Thomas for the useful tool! I am sure readers will benefit from it.
Hi Adil Arif,
I am from Bangalore. Do you teach Exchange Server and VMware on weekends? Please let me know about it.
Hi Jitendra,
At this moment, I am not. But I will be soon planning to start some classes. Will keep you posted.