Finding AD User Account Status

At some point, particularly if you ever have to deal with auditors, you may be asked to generate a report with account status for given AD users. For this example, let us assume we were given a CSV containing the LastName and FirstName of user accounts and we need to find if each account is expired,disabled, when the password was last set, if the password is expired, and the date of the last logon.

This sounds like quite a bit of information to gather, but thankfully the Quest AD cmdlets make this quite easy. First, you’ll need to get the Quest AD tools (also known as the ActiveRoles Management Shell for Active Directory) from There are both 32 and 64 bit versions. Also note that the PDF of the Administrator’s Guide is a separate download.

For information on how to use the Quest cmdlets to get user accounts, type:

Get-Help Get-QADUser –detailed

Once installed, you can run a one line command such as this:

Import-Csv accounts.csv | ForEach-Object {Get-QADUser –firstname $_.firstname –lastname $_.lastname} | select lastname, firstname, accountisexpired, accountisdisabled, passwordlastset, passwordstatus, lastlogontimestamp | sort-object lastname | export-csv accounts.csv

Breaking this down a piece at a time, here is what we are doing:

Import-Csv accounts.csv

First, we import the CSV file, which contains the firstname and lastname of the accounts to be checked. Then we pipe that to:

ForEach-Object {Get-QADUser –firstname $_.firstname –lastname $_.lastname}

This command starts with a ForEach-Object, which simply means, do the following for every object that we imported from CSV. The second portion of the command calls the quest cmdlet Get-QADUser. We tell the cmdlet which account(s) to retrieve from AD by specifying the first name and last name with the –firstname and –lastname parameters. So, if we wanted the Daniel Lange account, we could type:

Get-QADUser –firstname Daniel –lastname Lange

In our example, we’re using a ForEach loop to get each account from the CSV file. In a ForEach loop, we use $_ to represent the individual object. In this case, $_ is an object from the CSV file with the two properties of firstname and lastname. To specify a specific property, we use:


So, putting it together, we are taking the CSV in from the pipeline and, for each object in that CSV, we are getting the AD accounts that match the firstname and lastname fields in the CSV. From there, we pipe it to:

select lastname, firstname, accountisexpired, accountisdisabled, passwordlastset, passwordstatus, lastlogontimestamp

This cmdlet takes what is passed to it and returns only the properties specified. To see what properties are available, we can get an AD account and pass it to the get-member cmdlet like so:

Get-QADUser –firstname Daniel –lastname Lange | Get-Member

You will see that there properties to see if the account is expired, if it is disabled, when the password was last set, the password status, and the last log on time. For this example, we are using the lastlogontimestamp. The reason for this is that LastLogon is domain controller specific and is not a replicated value. However, if your AD schema has been updated to 2003, the lastlogontimestamp is available as a replicated property. Note, however, that it is not real-time and is only replicated every 9-14 days.

So, we take the selected subset of properties and pass it on the pipeline to:

sort-object lastname

This cmdlet sorts the objects passed to it by a property value. In this case, we are sorting by lastname, which we then pipe to:

export-csv accounts.csv

This exports the sorted account information to a csv named accounts.csv

The pipeline is an amazing tool, and I love when I have the opportunity to perform tasks in a single line of code within the shell.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s