How to get Active Directory accounts' status using PowerShell
This article compares the process of fetching Active Directory (AD) user and computer accounts' status using PowerShell and ADManager Plus, a unified AD, Office 365 and Exchange Server management and reporting solution.
To get the account status of users and computers, the Get-ADUser and Get-ADComputer cmdlets have to be used. To limit the scope of the command to specific OUs or domains, the filters must be used, which makes using these cmdlets a complex task. ADManager Plus on the other hand, offers predefined reports to get status of AD users and computers. You can also set the scope for these reports with just point and click actions.
Steps to get the status of AD user and computers status using PowerShell.
- Ensure you have the necessary permissions to perform this action, and also to execute PowerShell scripts.
- Create the script using the Get-ADUser or Get-ADComputer cmdlet, as per your need and execute it in the PowerShell window.
A sample PowerShell script to get AD accounts' status
Click to copy entire script
For users' status:
Get-ADUser -Filter* | Select Name, Enabled
- For computers' status:
Get-ADComputer -Filter* | Select Name, Enabled
These scripts will list the names and status of all the users and computers in the domain. If you wish to export the report in a specific format, the script has to be modified, by adding the required format and the location to store the exported file.
To get AD users or computers reports based on their status, use any of the multiple status-based reports. For example, to get the disabled users or computers,
- Select the Disabled Users report from User Reports section in the Reports tab. (For disabled computers, select the Disabled Computers report from Computer Reports in Reports tab.)
- Select the domains from which you wish to get all the accounts and click Generate. Click the Export as option and select the format to export the report.
» Start 30-day Free Trial
Unlike PowerShell cmdlets, ADManager Plus offers purpose-built reports to fetch enabled, disabled, and locked out and expired users, and computers for every type of AD object. For each object type, it offers an enable / disable option. Also, right from the reports, you can enable, disable, or delete the accounts; move, modify their attributes and more, using the reports' built-in management options.
Limitations of using PowerShell to get AD accounts' status
- You will not be able to generate all the account status reports using PowerShell if you do not have enough privileges in the AD domains from which you wish to generate this report. With ADManager Plus, users privileges in native AD doesn't to be elevated to enable user AD accounts.
- To export the report in a specific format using PowerShell, the script has to be modified. With ADManager Plus though, there is a built-in Export as option which allows you to export the report in CSV, PDF, HTML, or CSV format at just the click of a mouse button.
- If you wish to search the generated AD reports for any specific user account or data, the PowerShell script doesn't offer any option. Nor does it offer any means to manage the accounts from the report. ADManager Plus on the other hand offers a built-in search and on-the-fly management actions in all its reports to locate any computer easily and move, enable/disable, delete, or reset the desired accounts or modify their attributes, right from the reports.
- You must know how to run the scripts from the PowerShell window. ADManager Plus is purely GUI-based, allowing you to perform all management and reporting actions with just mouse clicks from its web-based console.
- Just a misplaced hyphen, or a misspelt LDAP attribute name could cause errors. ADManager Plus lets you perform all the desired management and reporting operations with purely mouse-clicks based actions.