Search-AdmAccount
Gets a user or computer object.
Search-AdmAccount -AccountDisabled [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-UsersOnly] [<CommonParameters>]
Search-AdmAccount -AccountExpired [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-UsersOnly] [<CommonParameters>]
Search-AdmAccount -AccountExpiring [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-DateTime <DateTime>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-TimeSpan <TimeSpan>] [-UsersOnly] [<CommonParameters>]
Search-AdmAccount -AccountInactive [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-DateTime <DateTime>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-TimeSpan <TimeSpan>] [-UsersOnly] [<CommonParameters>]
Search-AdmAccount -LockedOut [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-UsersOnly] [<CommonParameters>]
Search-AdmAccount -PasswordExpired [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-UsersOnly] [<CommonParameters>]
Search-AdmAccount -PasswordNeverExpires [-AdaxesService <string>] [-ComputersOnly] [-Credential <PSCredential>] [-ResultPageSize <int>] [-ResultSetSize <int>] [-SearchBase <string>] [-SearchScope <ADSearchScope>] [-Server <string>] [-UsersOnly] [<CommonParameters>]
Description
The Search-AdmAccount cmdlet retrieves one or more users or computers that meet the criteria specified by the parameters. Search criteria include account and password status. For example, you can search for all accounts that have expired by specifying the AccountExpired parameter. Similarly, you can search for all accounts with an expired password by specifying the PasswordExpired parameter. You can limit the search to user accounts by specifying the UsersOnly parameter. Similarly, when you specify the ComputersOnly parameter, the cmdlet only retrieves computer accounts.
Some search parameters, such as AccountExpiring and AccountInactive, use a default time that you can change by specifying the DateTime or TimeSpan parameter. The DateTime parameter specifies a distinct time. The TimeSpan parameter specifies a time range from the current time. For example, to search for all accounts that expire in 10 days, specify the AccountExpiring and TimeSpan parameters and set the value of TimeSpan to 10.00:00:00. To search for all accounts that expire before December 31, 2012, set the DateTime parameter to 12/31/2012.
Examples
Example 1 – Get all users, computers, and service accounts that are disabled
Search-AdmAccount -AccountDisabled | FT Name,ObjectClass -A
Name ObjectClass
----- ----------
Guest user
krbtgt user
krbtgt_51399 user
AmyAl-LPTOP computer
DeepakAn-DSKTOP computer
This command returns all users, computers, and service accounts that are disabled.
Example 2 – Get all users that are disabled
Search-AdmAccount -AccountDisabled -UsersOnly | FT Name,ObjectClass -A
Name ObjectClass
----- ----------
Guest user
krbtgt user
krbtgt_51399 user
This command returns all users that are disabled.
Example 3 – Get all users, computers, and service accounts that are expired
Search-AdmAccount -AccountExpired | FT Name,ObjectClass -A
Name ObjectClass
----- ----------
Evan Narvaez user
Patti Fuller user
David Chew user
This command returns all users, computers, and service accounts that are expired.
Example 4 – Get all users, computers, and service accounts that will expire in the specified time
Search-AdmAccount -AccountExpiring -TimeSpan 6.00:00:00 | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
David Chew user
Evan Narvaez user
Patti Fuller user
This command returns all users, computers, and service accounts that will expire in the next 6 days.
Example 5 – Get all accounts that have expired passwords
Search-AdmAccount -PasswordExpired | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
David Chew user
Evan Narvaez user
Patti Fuller user
This command returns all accounts whose password has expired.
Example 6 – Get all accounts that are locked out
Search-AdmAccount -LockedOut | FT Name,ObjectClass -A
Name ObjectClass
---- -----------
David Chew user
This command returns all accounts that are locked out.
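Example (added here, not part of the Adaxes documentation) – Combine several searches into one account-hygiene report. The script uses only the parameters documented on this page and the Name, ObjectClass, Enabled and AccountExpirationDate properties that the page mentions. The module name Adaxes, the 90-day and 14-day thresholds and the output file name are assumptions.

```powershell
# Added example, not from the Adaxes documentation.
# Assumptions: the module is importable as 'Adaxes'; the search base and the
# 90-day / 14-day thresholds are placeholders to adjust for your directory.
Import-Module Adaxes

$common = @{
    SearchBase  = 'ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com'  # sample DN from this page
    SearchScope = 'Subtree'
    UsersOnly   = $true
}

# Finding label -> parameters for one Search-AdmAccount parameter set.
$checks = [ordered]@{
    PasswordNeverExpires = @{ PasswordNeverExpires = $true }
    Inactive90Days       = @{ AccountInactive = $true; TimeSpan = '90.00:00:00' }
    Expired              = @{ AccountExpired = $true }
    ExpiringIn14Days     = @{ AccountExpiring = $true; TimeSpan = '14.00:00:00' }
    LockedOut            = @{ LockedOut = $true }
}

$findings = foreach ($check in $checks.GetEnumerator()) {
    $criteria = $check.Value
    Search-AdmAccount @common @criteria |
        Where-Object { $_.Enabled } |   # skip accounts that are already disabled
        ForEach-Object {
            [pscustomobject]@{
                Finding               = $check.Key
                Name                  = $_.Name
                ObjectClass           = $_.ObjectClass
                AccountExpirationDate = $_.AccountExpirationDate
            }
        }
}

# Accounts matched by several checks are listed first.
$findings |
    Group-Object Name |
    Sort-Object Count -Descending |
    Select-Object Name, Count, @{ n = 'Findings'; e = { $_.Group.Finding -join ', ' } } |
    Export-Csv -Path .\account-hygiene.csv -NoTypeInformation
```

Each status switch belongs to its own parameter set, so the script issues one query per check and merges the results afterwards.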
Parameters
-AccountDisabled
Specifies a search for accounts that are disabled. An account is disabled when the Enabled property is set to $false.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-AccountExpired
Specifies a search for accounts that are expired. An account is expired when the AccountExpirationDate property is set to a time in the past. The schema name of the property is accountExpires.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-AccountExpiring
Specifies a search for accounts that are expiring in a given time period or by a specified time. To specify a time period, use the AccountExpiring parameter with the TimeSpan parameter. To specify a specific time, use the AccountExpiring parameter with the DateTime parameter.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-AccountInactive
Specifies a search for accounts that have not logged in within a given time period or since a specified time. To specify a time period, use the TimeSpan parameter. To specify a specific time, use the DateTime parameter. The parameter only works when the domain is in Windows Server 2003 Domain Functional Level.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-AdaxesService
Specifies the DNS name of an Adaxes service that will be used to execute this cmdlet. If this parameter is not specified, and the cmdlet is running from an Adaxes Active Directory provider drive, the value for this parameter can be determined from the current path. For example, if the current path is Adaxes:/example.com, the Adaxes service on example.com will be used. If the parameter is not specified and the service DNS name can't be determined from the current path, the cmdlet will access Active Directory directly. To perform an operation in a Microsoft Entra managed domain, you must specify this parameter.
- Type: string
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-ComputersOnly
Specifies a search for computer accounts only.
- Type: SwitchParameter
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-Credential
Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Adaxes Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default one.
To specify this parameter, you can type a user name, such as User1 or Domain01\User01, or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.
You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.
If the acting credentials do not have permission to perform the task, the cmdlet returns a terminating error.
- Type: PSCredential
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-DateTime
Specifies a distinct time value for Search-AdmAccount parameters such as AccountExpiring, AccountInactive, and PasswordExpiring.
Time is assumed to be local time unless otherwise specified. When a time value is not specified, the time is assumed to be midnight local time. If you do not specify a date, the date is assumed to be the current date.
The following examples show commonly used syntax to specify a DateTime object.
- "4/17/2006"
- "Monday, April 17, 2006"
- "2:22:45 PM"
- "Monday, April 17, 2006 2:22:45 PM"
The following examples specify the same date and the time without the seconds.
- "4/17/2006 2:22 PM"
- "Monday, April 17, 2006 2:22 PM"
- "2:22 PM"
The following example shows how to specify a date and time by using the RFC1123 standard. This example specifies time by using Greenwich Mean Time (GMT).
"Mon, 17 Apr 2006 21:22:48 GMT"
The following example shows how to specify a value as Coordinated Universal Time (UTC). This example represents Monday, April 17, 2006 at 2:22:48 PM UTC.
"2000-04-17T14:22:48.0000000"
The following example shows how to set the AccountExpiring parameter to a DateTime value of June 18, 2012 at 2:00:00 AM.
-AccountExpiring -DateTime "6/18/2012 2:00:00 AM"
- Type: DateTime
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-LockedOut
Specifies a search for accounts that are locked out.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-PasswordExpired
Specifies a search for accounts that have expired passwords.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-PasswordNeverExpires
Specifies a search for accounts that have passwords that do not expire.
- Type: SwitchParameter
- Position: Named
- Required: True
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-ResultPageSize
Specifies the number of objects to include in one page of this query.
The default is 256 objects per page.
- Type: int
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-ResultSetSize
Specifies the maximum number of objects to return for a query. If you want to receive all the objects, set this parameter to $null (null value). The default is $null.
- Type: int
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-SearchBase
Specifies a directory path to search under.
When you run a cmdlet from an Adaxes Active Directory provider drive, the default value of this parameter is the current path of the drive.
When you run a cmdlet outside of an Adaxes Active Directory provider drive, the default value of this parameter is the default naming context of the target domain.
The following example shows how to set this parameter to search under an OU.
-SearchBase "ou=mfg,dc=noam,dc=corp,dc=contoso,dc=com"
When the value of the SearchBase parameter is set to an empty string and you are connected to a global catalog port, all partitions will be searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a global catalog port, an error will be thrown.
- Type: string
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-SearchScope
Specifies the scope of the search.
Possible values for this parameter are:
- Base or 0
- OneLevel or 1
- Subtree or 2
A Base query searches only the current path or object. A OneLevel query searches the immediate children of that path or object. A Subtree query searches the current path or object and all children of that path or object.
- Type: ADSearchScope
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-Server
Specifies the directory to connect to by providing one of the following values for a corresponding domain name or directory server. Specify the AD DS instance or the Microsoft Entra domain name in one of the following ways:
Domain name values:
- Fully qualified domain name
- NetBIOS name
Directory server values:
- Fully qualified directory server name
- NetBIOS name
- Fully qualified directory server name and port
The default value for the Server parameter is determined by one of the following methods in the order that they are listed:
- By using the Server value from objects passed through the pipeline.
- By using the server information associated with the Adaxes Active Directory PowerShell provider drive, when running under that drive.
- By using the domain of the computer running PowerShell.
- Type: string
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-TimeSpan
Specifies a time interval. This parameter is used to specify a time value for Search-AdmAccount parameters such as AccountExpiring.
Specify the time interval in the following format.
[-]D.H:M:S.F
where:
- D = Days (0 to 10675199)
- H = Hours (0 to 23)
- M = Minutes (0 to 59)
- S = Seconds (0 to 59)
- F = Fractions of a second (0 to 9999999)
Time values must be between the following values:
-10675199:02:48:05.4775808 and 10675199:02:48:05.4775807.
The following examples show how to set this parameter.
Set the time to 2 days
-TimeSpan "2.00:00:00"
Set the time span to the previous 2 days
-TimeSpan "-2.00:00:00"
Set the time to 4 hours
-TimeSpan "4:00"
For example, to search for all accounts that are expiring in 10 days, specify the AccountExpiring and TimeSpan parameters as follows.
-AccountExpiring -TimeSpan "10.00:00:00"
- Type: TimeSpan
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
-UsersOnly
Specifies a search for user accounts only.
- Type: SwitchParameter
- Position: Named
- Required: False
- Default Value: None
- Accept pipeline input: False
- Accept wildcard characters: False
Inputs
None
Outputs
Softerra.Adaxes.PowerShellModule.Directory.ADAccount
Returns one or more account objects that meet the conditions set by the parameters.