How to Get a List of Expired User Accounts and Expiration Date in AD Using PowerShell
Jul 20, 2017
How to Get a List of Expired User Accounts with PowerShell
One of the most important tasks that an Active Directory administrator performs is ensuring that expired user accounts are reported in a timely manner and that action is taken to immediately remove or disable them. Note that user accounts for which you set an expiration date are only created temporarily. For example, you might have created several user accounts to allow vendors to log on to the Active Directory. Similarly, you might have created user accounts for contractors. If you wish to see what accounts have expired, execute the following PowerShell command:
Search-ADAccount -Server $ThisDomain -Credential $Creds -AccountExpired -UsersOnly -ResultPageSize 2000 -resultSetSize $null| Select-Object Name, SamAccountName, DistinguishedName
Note the use of the Search-ADAccount PowerShell cmdlet again but with a different switch this time. The switch that we use is AccountExpired. As the name suggests, the AccountExpired switch helps you to collect user accounts that have expired.
How to Get Account Expiration Date Using PowerShell
To get AD account expiration date for all enabled users in your Active Directory you can use Get-ADUser cmdlet with an -AccountExpirationDate property. Run the following script in PowerShell ISE on your Windows Server:
Get-ADUser -Filter 'enabled -eq $true' -Properties AccountExpirationDate | Select sAMAccountName, distinguishedName, AccountExpirationDate
You will get and expiration date and time for a complete list of your AD users.
If you need a summary for a specific group you need to modify the script by adding -SearchBase parameter. You can pipe data to .csv file (e.g. to import it to Excel or open in text editor) by adding |export-csv <Path> –NoTypeInformation
Assuming we need to export list of account expiry dates for “IT” organizational unit of enterprise.com domain, expression we will execute on DC will be following:
Get-ADUser -Filter 'enabled -eq $true' -Searchbase "OU=IT,DC=enterprise,DC=com" -Properties AccountExpirationDate | Select SAMAccountName, distinguishedName, AccountExpirationDate |export-csv C:TempExpiryDate.csv -NoTypeInformation
Summing up, with minimal Microsoft Powershell scripting skills Search-ADAccount, combined with Get-ADUser can help you to solve many ad-hoc AD cleanup and analysis tasks.
Need more PowerShell scripts for Active Directory? Find all the top wanted PowerShell commands for Active Directory in one blog post.
Handpicked related content:
- How to quickly find expired accounts in Active Directory without PowerShell
- How to get notified of an expired password in Active Directory with PowerShell
- How to get a list of users with password never expires
- How to remind users to change their passwords before they expire
- How to export group policy settings into an actionable report
Track Expired Accounts and Reduce Risk with Netwrix Auditor
Identify orphaned and expired accounts in AD instantly
Learn MoreShare on
Learn More
About the author
Nirmal Sharma
Nirmal is an MCSEx3, MCITP, and he was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in PowerShell Scripting, Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, and System Center products.