Search-ADAccount
Gets Active Directory user, computer, or service accounts.
Syntax
Search-ADAccount
[-AccountDisabled]
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-UsersOnly]
[<CommonParameters>]
Search-ADAccount
[-AccountExpired]
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-UsersOnly]
[<CommonParameters>]
Search-ADAccount
[-AccountExpiring]
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-DateTime <DateTime>]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-TimeSpan <TimeSpan>]
[-UsersOnly]
[<CommonParameters>]
Search-ADAccount
[-AccountInactive]
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-DateTime <DateTime>]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-TimeSpan <TimeSpan>]
[-UsersOnly]
[<CommonParameters>]
Search-ADAccount
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-LockedOut]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-UsersOnly]
[<CommonParameters>]
Search-ADAccount
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-PasswordExpired]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-UsersOnly]
[<CommonParameters>]
Search-ADAccount
[-AuthType <ADAuthType>]
[-ComputersOnly]
[-Credential <PSCredential>]
[-PasswordNeverExpires]
[-ResultPageSize <Int32>]
[-ResultSetSize <Int32>]
[-SearchBase <String>]
[-SearchScope <ADSearchScope>]
[-Server <String>]
[-UsersOnly]
[<CommonParameters>]
Description
The Search-ADAccount cmdlet retrieves one or more user, computer, or service accounts that meet the criteria specified by the parameters. Search criteria include account and password status. For example, you can search for all accounts that have expired by specifying the AccountExpired parameter. Similarly, you can search for all accounts with an expired password by specifying the PasswordExpired parameter. You can limit the search to user accounts by specifying the UsersOnly parameter. Similarly, when you specify the ComputersOnly parameter, the cmdlet only retrieves computer accounts.
Some search parameters, such as AccountExpiring and AccountInactive, use a default time that you can change by specifying the DateTime or TimeSpan parameter. The DateTime parameter specifies a distinct time. The TimeSpan parameter specifies a time range from the current time. For example, to search for all accounts that expire in 10 days, specify the AccountExpiring and TimeSpan parameters and set the value of TimeSpan to "10.00:00:00". To search for all accounts that expire before December 31, 2012, set the DateTime parameter to "12/31/2012".
Examples
-------------------------- EXAMPLE 1 --------------------------
C:\PS>Search-ADAccount -AccountDisabled | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
krbtgt user
krbtgt_51399 user
AmyAl-LPTOP computer
DeepakAn-DSKTOP computer
Description
Returns all users, computers and service accounts that are disabled.
-------------------------- EXAMPLE 2 --------------------------
C:\PS>Search-ADAccount -AccountDisabled -UsersOnly | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
krbtgt user
krbtgt_51399 user
Description
Returns all users that are disabled.
-------------------------- EXAMPLE 3 --------------------------
C:\PS>Search-ADAccount -AccountExpired | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Greg Chapman user
Claus Hansen user
Tomasz Bochenek user
Description
Returns all users, computers and service accounts that are expired.
-------------------------- EXAMPLE 4 --------------------------
C:\PS>Search-ADAccount -AccountExpiring -TimeSpan 6.00:00:00 | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Iulian Calinov user
John Campbell user
Garth Fort user
Description
Returns all users, computers and service accounts that will expire in the next 6 days.
-------------------------- EXAMPLE 5 --------------------------
C:\PS>Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
FABRIKAM-RODC1 computer
Guest user
krbtgt user
krbtgt_51399 user
Almudena Benito user
Aaron Con user
Adina Hagege user
Aaron Nicholls user
Aaron M. Painter user
Jeff Phillips user
Flemming Pedersen user
Description
Returns all accounts that have been inactive for the last 90 days.
-------------------------- EXAMPLE 6 --------------------------
C:\PS>Search-ADAccount -PasswordExpired | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Stan Orme user
Danni Ortman user
Matej Potokar user
Description
Returns all accounts where the password has expired.
-------------------------- EXAMPLE 7 --------------------------
C:\PS>Search-ADAccount -PasswordNeverExpires | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Guest user
Toni Poe user
Anders Riis user
Fabien Hernoux user
Description
Returns all accounts with a password that will never expire.
-------------------------- EXAMPLE 8 --------------------------
C:\PS>Search-ADAccount -LockedOut | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Toni Poe user
Description
Returns all accounts that have been locked out.
-------------------------- EXAMPLE 9 --------------------------
C:\PS>Search-ADAccount -AccountDisabled -ComputersOnly | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
TPOE-PC1 computer
Description
Returns all disabled computer accounts.
-------------------------- EXAMPLE 10 --------------------------
C:\PS>Search-ADAccount -AccountExpiring -DateTime "3/18/2009" | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
Anders Riis user
Description
Returns all accounts which expire on the 18th of March, 2009.
-------------------------- EXAMPLE 11 --------------------------
C:\PS>Search-AdAccount -AccountDisabled -SearchBase "DC=AppNC" -Server "FABRIKAM-SRV1:60000"
Enabled : False
Name : SanjayPatel
UserPrincipalName :
PasswordNeverExpires :
LockedOut : False
ObjectGUID : d671de28-6e40-42a7-b32c-63d336de296d
ObjectClass : user
SID : S-1-510474493-936115905-2231798853-1260534229-4171027843-767619944
PasswordExpired : False
LastLogonDate :
DistinguishedName : CN=SanjayPatel,OU=AccountDeptOU,DC=AppNC
AccountExpirationDate :
Description
Returns all users, computers and service accounts that are disabled in the LDS instance: "FABRIKAM-SRV1:60000".
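The examples above each query one condition. For an account-hygiene review it is usually more useful to see which enabled user accounts match several conditions at once. The following is an added example, not part of the original cmdlet documentation; it assumes the ActiveDirectory module is installed, and the function name Get-AccountHygieneReport and its parameters are hypothetical.

```powershell
# Added example: merges several Search-ADAccount result sets into one report.
# Assumes the ActiveDirectory module; Get-AccountHygieneReport is a hypothetical name.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    param(
        [int]$InactiveDays = 90,   # threshold passed to -AccountInactive
        [int]$ExpiringDays = 10,   # look-ahead window passed to -AccountExpiring
        [string]$SearchBase        # optional; when omitted the cmdlet default applies
    )

    # Parameters shared by every query.
    $common = @{ UsersOnly = $true }
    if ($SearchBase) { $common.SearchBase = $SearchBase }

    # One Search-ADAccount call per parameter set; the key becomes the finding name.
    $queries = [ordered]@{
        Inactive             = @{ AccountInactive = $true; TimeSpan = (New-TimeSpan -Days $InactiveDays) }
        PasswordNeverExpires = @{ PasswordNeverExpires = $true }
        PasswordExpired      = @{ PasswordExpired = $true }
        LockedOut            = @{ LockedOut = $true }
        Expiring             = @{ AccountExpiring = $true; TimeSpan = (New-TimeSpan -Days $ExpiringDays) }
    }

    $report = @{}
    foreach ($finding in $queries.Keys) {
        $criteria = $queries[$finding]
        foreach ($account in Search-ADAccount @common @criteria) {
            # Disabled accounts such as Guest and krbtgt also match (see Example 5);
            # keep only accounts that can still be used to log on.
            if (-not $account.Enabled) { continue }
            $dn = $account.DistinguishedName
            if (-not $report.ContainsKey($dn)) {
                $report[$dn] = [pscustomobject]@{
                    Name              = $account.Name
                    LastLogonDate     = $account.LastLogonDate   # empty if no logon is recorded
                    Findings          = @()
                    DistinguishedName = $dn
                }
            }
            $report[$dn].Findings += $finding
        }
    }
    # Accounts that match the most conditions are listed first.
    $report.Values | Sort-Object { $_.Findings.Count } -Descending
}

Get-AccountHygieneReport -InactiveDays 90 | Format-Table Name, LastLogonDate, Findings -AutoSize
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default can lag the real last logon by up to about two weeks, so treat the inactivity threshold as approximate.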
Parameters
-AccountDisabled
Returns account objects that are disabled.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AccountExpired
Returns account objects that are expired.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AccountExpiring
Returns account objects that will expire in the specified TimeSpan.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AccountInactive
Returns all accounts that have been inactive in the specified TimeSpan.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-AuthType
The type of authentication to use when running the cmdlet. Allowed values are Negotiate and Basic.
Type: | ADAuthType |
Accepted values: | Negotiate, Basic |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ComputersOnly
Limits the search only to computer objects.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Credential
PSCredential object representing the credentials of the user to use to run the cmdlet.
Type: | PSCredential |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-DateTime
Enter a DateTime object, such as one that the Get-Date cmdlet returns, or a string that can be converted to a date and time, such as "April 19, 2012 15:00", "12/31", or "3am". DateTime objects, and strings that are converted to DateTime objects, are automatically adjusted to be compatible with the date and time formats selected for the local computer in Region and Language in Control Panel.
Type: | DateTime |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-LockedOut
Returns all account objects that have been locked out.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PasswordExpired
Returns all account objects that have an expired password.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-PasswordNeverExpires
Returns all account objects whose password never expires.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | True |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResultPageSize
Specifies the number of objects to include in one page for an Active Directory Domain Services query.
The default is 256 objects per page.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-ResultSetSize
Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $Null (null value). You can use Ctrl+C to stop the query and return of objects.
Type: | Int32 |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SearchBase
Specifies an Active Directory path to search under.
When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.
When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.
When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error will be thrown.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-SearchScope
Specifies the scope of an Active Directory search. The acceptable values for this parameter are:
- Base or 0
- OneLevel or 1
- Subtree or 2
A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.
Type: | ADSearchScope |
Accepted values: | Base, OneLevel, Subtree |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-Server
Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Domain Services, Active Directory Domain Services or Active Directory Snapshot instance.
Domain name values:
- Fully qualified domain name (FQDN)
- NetBIOS name
Directory server values:
- Fully qualified directory server name
- NetBIOS name
- Fully qualified directory server name and port
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
- By using Server value from objects passed through the pipeline.
- By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
- By using the domain of the computer running PowerShell.
Type: | String |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-TimeSpan
Enter a timespan object, such as one that the New-TimeSpan cmdlet returns or a string that can be converted to a timespan object, such as "30:00:00".
Type: | TimeSpan |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
-UsersOnly
Limits the search to only user objects.
Type: | SwitchParameter |
Position: | Named |
Default value: | None |
Required: | False |
Accept pipeline input: | False |
Accept wildcard characters: | False |
Inputs
None
Outputs
Returns one or more account objects that meet the conditions set by the parameters.