Active Directory

Interact with AD through PowerShell (the ActiveDirectory module). It’s fun!

Get Domain Admins

Get-ADGroupMember "Domain Admins" | select name,distinguishedName

List disabled accounts

Search-ADAccount -AccountDisabled

Sorted by last logon date

Search-ADAccount -AccountDisabled -UsersOnly | Sort-Object lastlogondate

Disabled users

Get-ADUser -Filter {Enabled -eq $false -and ObjectClass -eq "user"} -Properties Modified | Sort-Object Modified

Another list of domain admins (disabled members only, looked up via the group's well-known RID 512)

# Get-ADUser cannot take -Filter together with a piped -Identity (different parameter sets), so filter on Enabled afterwards
Get-ADGroup -Identity S-1-5-21-DOMAIN-512 | Get-ADGroupMember | Get-ADUser -Properties * | Where-Object { -not $_.Enabled }

List users who haven’t logged in in over 90 days

$Date = (Get-Date).AddDays(-90)

# Only list enabled users
Get-ADUser -Filter {((Enabled -eq $true) -and (LastLogonDate -lt $Date))} -Properties LastLogonDate | select samaccountname, Name, LastLogonDate | Sort-Object LastLogonDate

List Domain Admins sorted by last logon date

Get-ADGroup "Domain Admins" | Get-ADGroupMember | Get-ADUser -Properties LastLogonDate | Select Name,SamAccountName,LastLogonDate,Enabled | Sort LastLogonDate

This one does -Recursive (follows nested groups), though I don’t know if it’s necessary.

Get-ADGroupMember -Identity "Domain Admins" -Recursive | foreach {Get-ADUser -Identity $_.distinguishedname -Properties displayname, samaccountname, lastlogondate | select displayname, samaccountname, lastlogondate, Enabled} | sort LastLogonDate

List users who have not logged in within 30 days and disable accounts

# Note: [timespan]30d is 30 ticks, not 30 days (the "d" suffix means decimal); build the span explicitly. -WhatIf previews without disabling anything.
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 30) -UsersOnly | Set-ADUser -Enabled $false -WhatIf

Password expiration

# The attribute is DisplayName (no space); msDS-UserPasswordExpiryTimeComputed is a FILETIME value
Get-ADUser -Filter {Enabled -eq $True -and PasswordNeverExpires -eq $False} -Properties DisplayName, "msDS-UserPasswordExpiryTimeComputed" -SearchBase "CN=joshua nelson, CN=Users,DC=intelgd,DC=com" | Select-Object -Property DisplayName,@{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}
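Added example (not one of the original notes): the stale-logon and password-expiry checks above combined into one audit function for a privileged group. It handles the two cases the one-liners miss, a null LastLogonDate (never logged on) and an expiry value that FromFileTime cannot convert. Group name, stale threshold and the function name are my own choices.

```powershell
# Assumes the ActiveDirectory module is loaded and the caller can read the attributes.
function Get-PrivilegedAccountAudit {
    [CmdletBinding()]
    param(
        [string]$GroupName = 'Domain Admins',   # assumed default
        [int]$StaleDays = 90                    # matches the 90-day check in the notes
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # -Recursive follows nested groups; the objectClass filter drops nested groups
    # and computers so only user accounts reach Get-ADUser.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties LastLogonDate, PasswordNeverExpires, PasswordLastSet,
                               'msDS-UserPasswordExpiryTimeComputed' |
        ForEach-Object {
            # msDS-UserPasswordExpiryTimeComputed is a FILETIME: 0 means "must change
            # at next logon" and Int64.MaxValue means "never expires". FromFileTime
            # throws on the latter, so guard before converting.
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            $expiry = $null
            if ($raw -and $raw -gt 0 -and $raw -lt [long]::MaxValue) {
                $expiry = [datetime]::FromFileTime($raw)
            }

            # LastLogonDate is $null for accounts that never logged on; treat as stale.
            $stale = ($null -eq $_.LastLogonDate) -or ($_.LastLogonDate -lt $cutoff)

            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                Enabled              = $_.Enabled
                LastLogonDate        = $_.LastLogonDate
                StaleLogon           = $stale
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordLastSet      = $_.PasswordLastSet
                PasswordExpiry       = $expiry
                PasswordExpired      = ($null -ne $expiry -and $expiry -lt (Get-Date))
            }
        } |
        Sort-Object LastLogonDate
}

# Usage: review enabled, stale privileged accounts before deciding what to disable.
Get-PrivilegedAccountAudit -GroupName 'Domain Admins' -StaleDays 90 |
    Where-Object { $_.Enabled -and $_.StaleLogon } |
    Format-Table -AutoSize
```

Pipe the result into Export-Csv to keep a record of what was reviewed, and pair any disabling step with -WhatIf first as in the 30-day one-liner above.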