Synopsis
Description
Parameters
-AccountDisabled
Specifies a search for accounts that are disabled. An account is disabled when the ADAccount Enabled property is set to false.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AccountExpired
Specifies a search for accounts that are expired. An account is expired when the ADAccount AccountExpirationDate property is set to a time in the past. The Lightweight Directory Access Protocol (LDAP) display name (ldapDisplayName) for the AccountExpirationDate property is accountExpires.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AccountExpiring
Indicates that this cmdlet searches for accounts that are expiring in a given time period or by a specified time. To specify a time period, use the AccountExpiring parameter with the TimeSpan parameter. To specify a specific time, use the AccountExpiring parameter with the DateTime parameter.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AccountInactive
Indicates that this cmdlet searches for accounts that have not logged in within a given time period or since a specified time. To specify a time period, use the TimeSpan parameter. To specify a specific time, use the DateTime parameter. Note that this attribute is only used when the domain is in Windows Server 2003 Domain Functional Level or higher, so this parameter will only work in that mode.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-AuthType
Specifies the authentication method to use. The acceptable values for this parameter are:
Negotiate or 0
Basic or 1
The default authentication method is Negotiate.
A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.
Type: ADAuthType
Accepted values: Negotiate, Basic
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ComputersOnly
Indicates that this cmdlet searches only computer accounts.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Credential
Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory module for Windows PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
If the acting credentials do not have directory-level permission to perform the task, Active Directory module for Windows PowerShell returns a terminating error.
Specifies the credentials for the security context under which the task is performed. If this security context doesn't have directory level permissions to perform the task, then an error is returned by the directory. If running under the context of an Active Directory module for Windows PowerShell provider drive, the credentials information associated with the drive is used as the default value; otherwise, the currently logged on user security context is used.
Type: PSCredential
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-DateTime
Specifies a distinct time value for Search-ADAccount parameters such as AccountExpiring, AccountInactive, and PasswordExpiring.
Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to midnight local time. If you do not specify a date, the date is assumed to be the current date. The following examples show commonly-used syntax to specify a DateTime object.
"3/16/2020" "Monday, March 16, 2020" "2:22:45 PM" "Monday, March 16, 2020 2:22:45 PM"
These examples specify the same date and the time without the seconds.
"3/16/20202:22 PM" "Monday, March 16, 2020 2:22 PM" "2:22 PM"
The following example shows how to specify a date and time by using the RFC1123 standard. This example defines time by using Greenwich Mean Time (GMT).
"Mon, 17 Apr 2020 21:22:48 GMT"
The following example shows how to specify a value as Coordinated Universal Time (UTC). This example represents Monday, March 16, 2020at 2:22:58 PM UTC.
"2020-03-16T14:22:58.0000000"
The following example shows how to set the AccountExpiring parameter to a DateTime value of January 18, 2020 at 2:00:00 AM.
-AccountExpiring -DateTime "1/18/2020 2:00:00 AM"
Type: DateTime
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-LockedOut
Indicates that this cmdlet searches for accounts that are locked out.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-PasswordExpired
Indicates that this cmdlet searches for accounts that have an expired password.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-PasswordNeverExpires
Indicates that this cmdlet searches for accounts that have a password that does not expire.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ResultPageSize
Specifies the number of objects to include in one page for an Active Directory Domain Services query.
The default is 256 objects per page.
Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-ResultSetSize
Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $Null (null value). You can use Ctrl+C to stop the query and return of objects. The default is $Null.
The following example shows how to set this parameter so that you receive all of the returned objects:
-ResultSetSize $Null
Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SearchBase
Specifies an Active Directory path to search.
When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Active Directory provider drive against an Active Directory Domain Services (AD DS) target, the default value of this parameter is the default naming context of the target domain.
When you run a cmdlet outside of an Active Directory provider drive against an Active Directory Lightweight Directory Services (AD LDS) target, the default value is the default naming context of the target AD LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory service agent object nTDSDSA for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.
The following example shows how to set this parameter to search under an organizational unit.
-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com"
When the value of the SearchBase parameter is set to an empty string and you are connected to a global catalog port, all partitions are searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a global catalog port, an error is generated.
Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-SearchScope
Specifies the scope of an Active Directory search. The acceptable values for this parameter are:
-- Base or 0 -- OneLevel or 1 -- Subtree or 2
A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.
Type: ADSearchScope
Accepted values: Base, OneLevel, Subtree
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-Server
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory snapshot instance.
Specify the Active Directory Domain Services instance in one of the following ways:
Domain name values:
Fully qualified domain name
NetBIOS name
Directory server values:
Fully qualified directory server name
NetBIOS name
Fully qualified directory server name and port
The default value for this parameter is determined by one of the following methods in the order that they are listed:
By using the Server value from objects passed through the pipeline
By using the server information associated with the Active Directory Domain ServicesWindows PowerShell provider drive, when the cmdlet runs in that drive
By using the domain of the computer running Windows PowerShell
Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-TimeSpan
Specifies a time interval. This parameter is used to specify a time value for Search-ADAccount parameters such as AccountExpiring. Specify the time interval in the following format:
[-]D.H:M:S.F
Copy
where:
-- D = Days (0 to 10675199)
-- H = Hours (0 to 23) -- M = Minutes (0 to 59) -- S = Seconds (0 to 59) -- F= Fractions of a second (0 to 9999999)
Note: Time values must be between the following values: -10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.
The following examples show how to set this parameter.
Set the time to 2 days
Copy
-TimeSpan "2"
Set the time span to the previous 2 days
-TimeSpan "-2"
Set the time to 2 hours
Copy
-TimeSpan "2:00"
For example, to search for all accounts that are expiring in 10 days, specify the AccountExpiring and TimeSpan parameters as follows.
-AccountExpiring -TimeSpan "10"
Type: TimeSpan
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
-UsersOnly
Indicates that this cmdlet searches for user accounts only.
Type: SwitchParameter
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
Syntax
Search-ADAccount [-AccountDisabled] [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-UsersOnly] [<CommonParameters>]
Search-ADAccount [-AccountExpired] [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-UsersOnly] [<CommonParameters>]
Search-ADAccount [-AccountExpiring] [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-DateTime <DateTime>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-TimeSpan <TimeSpan>] [-UsersOnly] [<CommonParameters>]
Search-ADAccount [-AccountInactive] [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-DateTime <DateTime>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-TimeSpan <TimeSpan>] [-UsersOnly] [<CommonParameters>]
Search-ADAccount [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-LockedOut] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-UsersOnly] [<CommonParameters>]
Search-ADAccount [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-PasswordExpired] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-UsersOnly] [<CommonParameters>]
Search-ADAccount [-AuthType <ADAuthType>] [-ComputersOnly] [-Credential <PSCredential>] [-PasswordNeverExpires] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [-UsersOnly] [<CommonParameters>]
C:\PS>Search-ADAccount -AccountDisabled | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
dsdfsd user
dsdfsd_54399 user
Amypl-LPTOP computer
kishoren-DSKTOP computer
C:\PS>Search-ADAccount -AccountDisabled -UsersOnly | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
dsdfsd user
dsdfsd_51399 user
C:\PS>Search- ADAccount -AccountExpired | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Kamal Kumara user
Hamasa Raja user
Rajesh Gowda user
C:\PS>Search- ADAccount -AccountExpiring -TimeSpan 6.00:00:00 | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Julie Chawala user
Kishore Kumar user
Raj Kumar user
C:\PS>Search- ADAccount -AccountInactive -TimeSpan 90.00:00:00 | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
TOSSolution-RODC1 computer
Guest user
dsdfsd user
dsdfsd_54399 user
Amala Kahana user
Kamlash Raj user
C:\PS>Search- ADAccount -PasswordExpired | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Ash dev user
Samba Shiva user
Vijay Kommi user
C:\PS>Search- ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
Tone Jose user
Bill Gates user
Karthik Sri user
C:\PS>Search- ADAccount -LockedOut | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Latish kumar user
C:\PS>Search- ADAccount -AccountDisabled -ComputersOnly | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Latishk-PC1 computer
C:\PS>Search- ADAccount -AccountExpiring -DateTime “3/18/2020” | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
NuthanBB user
C:\PS>Search- AdAccount -AccountDisabled -SearchBase “DC=AppNC” -Server “TOSSolution-SRV1:60000”
Enabled : False
Name : KumarGovind
UserPrincipalName :
PasswordNeverExpires :
LockedOut : False
ObjectGUID : 8den89u7-6e40-42a7-b32c-63d336de296d
ObjectClass : user
SID : S-1-823478283-936115905-2231798853-1260534229-4171027843-767619944
PasswordExpired : False
LastLogonDate :
DistinguishedName : CN=KumarGovind,OU=AccountDeptOU,DC=AppNC
AccountExpirationDate :
Get-Command Search-ADAccount
. Clear-ADAccountExpiration
. Disable-ADAccount
. Enable-ADAccount
. Get-ADAccountResultantPasswordReplicationPolicy
. Set-ADAccountControl
. Set-ADAccountExpiration
. Set-ADAccountPassword
. Unlock-ADAccount