How to generate and export an account expired users report using PowerShell
The following is a comparison between getting a list of all users whose accounts have expired with Windows PowerShell and ADManager Plus.
Windows PowerShell
Steps to obtain Account Expired Users report using PowerShell:
- Identify the domain from which you want to retrieve the report.
- Identify the LDAP attributes you need to fetch the report.
- Identify the primary DC to retrieve the report.
- Compile the script.
- The script should contain functions that identify expired accounts by conditions such as: the Account Expiration Date LDAP value is not null, and the Account Expiration Date LDAP value is less than or equal to the current date.
- Execute it in Windows PowerShell.
- To obtain the report in a different format, modify the script according to the needs of the user.
Sample Windows PowerShell script to get a list of expired AD users
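$OutFile = 'C:\Scripts\AccountExpiredUsers.csv' # your output file
# Keep users whose expiration date is set and earlier than the current time, then append "Name,Enabled" for each to the output file
Get-ADUser -Filter * -Properties Name, Enabled, AccountExpirationDate, LastLogonDate | Where-Object { $null -ne $_.AccountExpirationDate -and $_.AccountExpirationDate -lt (Get-Date) } |
    ForEach-Object { Add-Content -Path $OutFile -Value "$($_.Name),$($_.Enabled)" }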
ADManager Plus
To obtain the report,
- Navigate to Reports > User Reports > Account expired users.
- Select a domain and OU. Click Generate.
- Select Export as to export the report in any of the preferred formats (CSV, PDF, HTML, CSVDE and XLSX).
The following are the limitations of obtaining reports on account expired users using native tools like Windows PowerShell:
- The script can be run only from computers that have the Active Directory Domain Services role.
- For accurate data, the DC and the machine on which the script is executed must be in the same time zone; otherwise, additional filters have to be employed.
- Difficult to change date formats.
- Difficult to apply different time zones on the date results.
- Complexity in obtaining the report in different formats.
- Applying more filters, like OU or 'User name starts with', will increase the LDAP query complexity.
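What the additional filtering named in this list looks like when written out, as an added example that is not part of the original page or of any vendor script: the comparison is done in UTC on the raw accountExpires attribute, the query is scoped to one OU and one DC, and the date format and display time zone are parameters. The function name, the server, the OU and the default values are hypothetical placeholders.

```powershell
# Added example. Get-ExpiredAdUserReport and all sample values are placeholders.
Import-Module ActiveDirectory

function Get-ExpiredAdUserReport {
    param(
        [Parameter(Mandatory)] [string] $Server,      # DC to query (placeholder: dc01.example.com)
        [Parameter(Mandatory)] [string] $SearchBase,  # OU scope (placeholder: OU=Staff,DC=example,DC=com)
        [string] $NamePrefix = '',                    # optional 'User name starts with' filter
        [string] $TimeZoneId = 'UTC',                 # Windows time zone id used for display only
        [string] $DateFormat = 'yyyy-MM-dd HH:mm'
    )

    # accountExpires is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    # 0 and 9223372036854775807 both mean "never expires"; the range below excludes both.
    # Comparing against UTC "now" removes any dependency on the local machine's time zone.
    $nowFileTime = [DateTime]::UtcNow.ToFileTimeUtc()
    $filter = "(&(objectCategory=person)(objectClass=user)" +
              "(accountExpires>=1)(accountExpires<=$nowFileTime)"

    if ($NamePrefix) {
        # Escape LDAP filter metacharacters so the prefix cannot alter the query.
        $safe = [regex]::Replace($NamePrefix, '[\\*()\x00]',
                    { param($m) '\{0:x2}' -f [int][char]$m.Value })
        $filter += "(sAMAccountName=$safe*)"
    }
    $filter += ')'

    $tz = [TimeZoneInfo]::FindSystemTimeZoneById($TimeZoneId)

    Get-ADUser -Server $Server -SearchBase $SearchBase -LDAPFilter $filter `
               -Properties accountExpires, LastLogonDate |
        ForEach-Object {
            $expiredUtc = [DateTime]::FromFileTimeUtc($_.accountExpires)
            [pscustomobject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                Enabled        = $_.Enabled
                ExpiredOn      = [TimeZoneInfo]::ConvertTimeFromUtc($expiredUtc, $tz).ToString($DateFormat)
                LastLogonDate  = $_.LastLogonDate
            }
        }
}

# Export-Csv quotes each field, so names that contain commas stay in one column.
Get-ExpiredAdUserReport -Server 'dc01.example.com' -SearchBase 'OU=Staff,DC=example,DC=com' |
    Export-Csv -Path 'C:\Scripts\AccountExpiredUsers.csv' -NoTypeInformation -Encoding UTF8
```

Accounts that are expired but still show Enabled as True are the rows worth reviewing first, since expiry blocks logon without disabling the account object.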
ADMP offers a preconfigured report to find the list of account expired users across multiple domains or from a specific OU at the click of a button. You can learn more about this report here.