Administrators frequently need to check the account status of Active Directory (AD) objects to maintain security and ensure compliance. Using the Get-ADUser and Get-ADComputer cmdlets in Windows PowerShell, you can efficiently identify whether AD user and computer accounts are enabled or disabled. While PowerShell offers a robust command-line interface for this task, you can also use ADManager Plus to report on AD user account status or computer account status with just a few clicks.
The following table compares the methods for checking AD account status in PowerShell and ADManager Plus.
To get AD users' account status using PowerShell, open Windows PowerShell as an administrator and run the following command:

For users' status:

```powershell
Get-ADUser -Filter * -Properties Enabled | Select-Object Name, Enabled
```
To get AD computers' account status using PowerShell, run the following command:

```powershell
Get-ADComputer -Filter * -Properties Enabled | Select-Object Name, Enabled
```
To export the account status to a CSV file, run the following script:

```powershell
Get-ADUser -Filter * -Properties Enabled, LockedOut, PasswordExpired, AccountExpirationDate, LastLogonDate |
    Select-Object Name, SamAccountName, Enabled, LockedOut, PasswordExpired, AccountExpirationDate, LastLogonDate |
    Export-Csv -Path "C:\Reports\AD_User_Account_Status.csv" -NoTypeInformation
```
To get AD users or computers based on their status, use any of the multiple status-based reports in ADManager Plus.
For example, to get a report on the disabled users in AD:
When using PowerShell to check AD account status, you will primarily use the Get-ADUser or Get-ADComputer cmdlets along with the -Filter parameter for finding accounts based on their status attributes. The following are some common properties to check.
| Property | Description |
|---|---|
| Enabled | Indicates whether the account is enabled (True) or disabled (False). |
| LockedOut | Shows whether the account is currently locked out because of failed logon attempts. |
| AccountExpirationDate | Shows the date on which the account expires. |
To check the status of a specific user, use the -Identity parameter and request the relevant properties.

```powershell
Get-ADUser -Identity 'John' -Properties Enabled, LockedOut, AccountExpirationDate | Select-Object Name, Enabled, LockedOut, AccountExpirationDate
```
You can find all active user accounts by setting the Enabled filter to $true.

```powershell
Get-ADUser -Filter 'Enabled -eq $true' | Select-Object Name, SamAccountName
```
This is a common PowerShell command to generate a list of all user accounts that are currently disabled.

```powershell
Get-ADUser -Filter 'Enabled -eq $false' | Select-Object Name, SamAccountName
```
The following command retrieves all computer accounts that are currently disabled.

```powershell
# Get all disabled computer accounts
Get-ADComputer -Filter 'Enabled -eq $false' | Select-Object Name
```
The Search-ADAccount cmdlet is the most efficient way to find all accounts that are currently locked out because of incorrect password attempts.

```powershell
Search-ADAccount -LockedOut -UsersOnly | Select-Object Name, SamAccountName, LastLogonDate
```
This command retrieves all user accounts whose AccountExpirationDate has passed, which is useful for cleaning up temporary or contractor accounts.

```powershell
Search-ADAccount -AccountExpired -UsersOnly | Select-Object Name, SamAccountName, AccountExpirationDate
```
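The lockout and expiry commands above each cover one status category. The following script, added here as an example and not part of the original page, runs every Search-ADAccount status category in one sweep and writes a single consolidated CSV, so a reviewer sees disabled, locked-out, expired, password-expired and inactive accounts side by side. The report path and the 90-day inactivity threshold are assumptions.

```powershell
# Added example, not from the original page: a single sweep that runs every
# Search-ADAccount status category and writes one consolidated CSV. Assumed:
# the ActiveDirectory module is installed, the report path is writable, and
# 90 days is the inactivity threshold you care about.
Import-Module ActiveDirectory

$ReportPath  = "C:\Reports\AD_Account_Status_Sweep.csv"   # assumed output location
$InactiveFor = New-TimeSpan -Days 90                        # assumed threshold

# Each entry pairs a status label with the Search-ADAccount switches that find it.
# -UsersOnly / -ComputersOnly are deliberately omitted so both object types are
# swept; add one of them to a Params table to narrow a category.
$Categories = @(
    @{ Status = 'Disabled';        Params = @{ AccountDisabled = $true } }
    @{ Status = 'LockedOut';       Params = @{ LockedOut       = $true } }
    @{ Status = 'AccountExpired';  Params = @{ AccountExpired  = $true } }
    @{ Status = 'PasswordExpired'; Params = @{ PasswordExpired = $true } }
    @{ Status = 'Inactive';        Params = @{ AccountInactive = $true; TimeSpan = $InactiveFor } }
)

$Report = foreach ($c in $Categories) {
    $p = $c.Params                      # splat the switch set for this category
    Search-ADAccount @p |
        Select-Object @{ Name = 'Status'; Expression = { $c.Status } },
                      @{ Name = 'Type';   Expression = { $_.ObjectClass } },
                      SamAccountName, Name, Enabled, LockedOut, PasswordExpired,
                      AccountExpirationDate, LastLogonDate, DistinguishedName
}

$Report | Sort-Object SamAccountName, Status |
    Export-Csv -Path $ReportPath -NoTypeInformation

# On-screen summary: how many rows each category produced
$Report | Group-Object Status | Select-Object Name, Count
```

An account that matches several categories (for example, disabled and inactive) appears once per category; this is intentional so that each category in the CSV is complete on its own. Note that -AccountInactive also returns accounts that have never logged on, which is usually what a review wants to see.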
This script is useful when you need to check the status of a specific list of users provided by HR or an audit team.

```powershell
Import-Csv -Path "C:\Reports\users.csv" | ForEach-Object {
    $user = Get-ADUser -Identity $_.username -Properties Enabled, LockedOut, AccountExpirationDate -ErrorAction SilentlyContinue
    if ($user) {
        [PSCustomObject]@{
            SamAccountName        = $user.SamAccountName
            Enabled               = $user.Enabled
            LockedOut             = $user.LockedOut
            AccountExpirationDate = $user.AccountExpirationDate
        }
    } else {
        [PSCustomObject]@{
            SamAccountName = $_.username
            Status         = "User Not Found"
        }
    }
}
```
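The script above emits two different object shapes (found and not found), which makes the exported CSV awkward to filter. The following version, added here as an example and not code from the original page, looks up the same kind of HR or audit list but returns one fixed set of columns for every name, derives a single Status value per account, rejects names containing characters that are illegal in a sAMAccountName before they reach the filter, and optionally scopes the lookup to an OU. The function name, the CSV column name `username`, the output paths and the example OU are assumptions.

```powershell
# Added example, not from the original page: look up a list of accounts supplied by
# HR or an audit team and emit one row per name with the same columns every time,
# plus a derived Status value. Assumed: the ActiveDirectory module is installed and
# users.csv has a 'username' column containing sAMAccountNames.
Import-Module ActiveDirectory

function Get-AccountStatusRow {
    param(
        [Parameter(Mandatory)] [string] $SamAccountName,
        [string] $SearchBase   # optional OU, e.g. "OU=Staff,DC=example,DC=com" (assumed)
    )

    # One row shape for every outcome, so the CSV columns never vary.
    $row = [ordered]@{
        SamAccountName        = $SamAccountName
        Status                = $null
        Enabled               = $null
        LockedOut             = $null
        PasswordExpired       = $null
        AccountExpirationDate = $null
        LastLogonDate         = $null
    }

    # Reject characters that are illegal in a sAMAccountName (plus the single quote,
    # which would break the quoted filter) before interpolating into the AD filter.
    if ($SamAccountName -notmatch '^[^''"\\/\[\]:;|=,+*?<>]+$') {
        $row.Status = 'InvalidName'
        return [PSCustomObject]$row
    }

    $query = @{
        Filter     = "SamAccountName -eq '$SamAccountName'"
        Properties = 'Enabled', 'LockedOut', 'PasswordExpired', 'AccountExpirationDate', 'LastLogonDate'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    # -Filter simply returns nothing for a name that does not exist, so the
    # -ErrorAction handling a bare -Identity lookup needs is not required here.
    $u = Get-ADUser @query
    if (-not $u) {
        $row.Status = 'NotFound'
        return [PSCustomObject]$row
    }

    $row.Enabled               = $u.Enabled
    $row.LockedOut             = $u.LockedOut
    $row.PasswordExpired       = $u.PasswordExpired
    $row.AccountExpirationDate = $u.AccountExpirationDate
    $row.LastLogonDate         = $u.LastLogonDate

    # First matching condition wins: a disabled account is reported as Disabled
    # even if it is also locked out or expired.
    $row.Status = if (-not $u.Enabled) { 'Disabled' }
                  elseif ($u.LockedOut) { 'LockedOut' }
                  elseif ($u.AccountExpirationDate -and $u.AccountExpirationDate -lt (Get-Date)) { 'AccountExpired' }
                  elseif ($u.PasswordExpired) { 'PasswordExpired' }
                  else { 'Active' }

    [PSCustomObject]$row
}

$rows = Import-Csv -Path "C:\Reports\users.csv" |
        ForEach-Object { Get-AccountStatusRow -SamAccountName $_.username.Trim() }

$rows | Export-Csv -Path "C:\Reports\AD_Requested_Users_Status.csv" -NoTypeInformation
$rows | Group-Object Status | Select-Object Name, Count    # per-status summary on screen
```

Because every row carries the same columns, the CSV can be filtered on Status directly (for example, `Where-Object Status -eq 'NotFound'` to send the unmatched names back to whoever supplied the list). To restrict the lookup to one OU, pass `-SearchBase` to the function inside the ForEach-Object block.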
While PowerShell is powerful, it has limitations for routine reporting:
ADManager Plus is a comprehensive AD reporting solution that overcomes the limitations of PowerShell and helps admins efficiently report on and manage users and computers based on their account status.
The primary PowerShell command to check user account status is Get-ADUser. You can use its -Filter parameter with the Enabled attribute to find enabled and disabled users. For specific requirements such as locked-out accounts or expired passwords, Search-ADAccount is often more efficient.
You can use the Import-Csv cmdlet to read a list of usernames from a CSV file and then loop through them using a ForEach-Object loop, running Get-ADUser for each of them.
You can use the -SearchBase parameter of the Get-ADUser cmdlet to limit your search to a specific OU.