Powershell script to find user accounts disabled in last 7 days.

syam posted this 5 weeks ago


Hello Everyone!
I was trying to find the user accounts disabled in the last 7 days using a PowerShell script.

But to my surprise, none of the scripts are written to query the IsDisabled attribute of the user property. Instead, they look for WhenChanged, but this is not a correct method as it just assumes that the last change was disabling the user account.


Could someone give me a lead here please? Is such a script not possible, to fetch user accounts that were disabled in the last 7 days? If it is possible, could you please share it?


Any help is much appreciated!!
Regards, Syam, Bangalore.

gzusagnt007 posted this 5 weeks ago

Hi Syam,
I am looking now at 'ADSI Edit' on my DC and I do not see an attribute named "IsDisabled". There is an attribute named "Enabled" and this can be set to either True or False. Run these and let us know if they help:
$FormatEnumerationLimit=-1
Search-ADAccount -AccountDisabled -UsersOnly | More
Search-ADAccount -AccountDisabled -UsersOnly | ft -Property Name,Enabled,DistinguishedName -AutoSize
Search-ADAccount -AccountDisabled -UsersOnly | fl 
Search-ADAccount -AccountDisabled -UsersOnly | fl > $home\Documents\disabled.txt
Brian J. Talbot
brianjtalbot@xxxxxxxxxxxxxxxx



Atula posted this 5 weeks ago

Can you please try the command below; hope this helps.
Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' -Properties whenChanged | Where-Object {$_.whenChanged -gt (Get-Date).AddDays(-30)} | Select-Object Name, whenChanged
-Atul



kool posted this 5 weeks ago

This script will find disabled accounts, but it assumes that the change to UAC was the last change. The only way to do this reliably is to look at replication metadata. You could start with this script to get a list of all disabled accounts and then for each fetch the replication metadata. I don’t believe there is any PowerShell for reading replication metadata, so you’d have to use repadmin /showobjmeta and parse the text output.

Change auditing is one of the real pain points for AD. Folks that need comprehensive auditing spend lots of money for add-on systems to collect, store, and query change audit information.

Eric


froosh posted this 5 weeks ago

Something like this should do it:

$Since = (Get-Date).AddDays(-7)
$DomainController = Get-ADDomainController
$PotentialTargets = Get-ADUser -Filter {Enabled -eq $false -and whenChanged -ge $Since}
$DisabledWithin7Days = $PotentialTargets | Where-Object -FilterScript {(Get-ADReplicationAttributeMetadata -Server $DomainController -Object $PSItem -Properties userAccountControl).LastOriginatingChangeTime -ge $Since}

Result is $DisabledWithin7Days

Regards,
Robin Frousheger | Technical Lead, Microsoft Systems | University Services
Level 3, 11 Barry St, Carlton, 3053, VIC


syam posted this 5 weeks ago

Hello All,
Thank you so much for putting in the effort to give me an answer. I have tried the script Atul shared and I am getting output too. Then my doubt was: even though the UAC filter useraccountcontrol:1.2.840.113556.1.4.803:=2 is for disabled accounts, how much chance is there that any other attribute of a disabled account can change? Is there an attribute that keeps updating even for a disabled user account? Please let me know.
Once again many thanks to you all :)
Syam.


chriss3 posted this 5 weeks ago

Disabling an account does not enforce any restrictions on what kind of attributes can be updated or not, so no matter if the account is disabled or not, attributes can still be updated. Robin gave you a very nice solution that determines when the “userAccountControl” attribute was last changed through the replication metadata; I would say this is the closest you can narrow it down without involving reading security logs from each DC in the given domain. The “userAccountControl” attribute is a bit mask that is used for other things as well, so the last time the attribute was updated doesn’t have to be a disable/enable.
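Putting Robin's replication-metadata approach and chriss3's caveat together, the following is an added example (not code posted in this thread): it wraps the metadata check in a function and, optionally, corroborates each hit against Security event 4725 ("A user account was disabled") collected from every DC, which is the one record that distinguishes a disable from any other userAccountControl bit flip. It assumes the RSAT ActiveDirectory module, rights to read replication metadata, and (for -Corroborate) read access to the Security log on each DC with the "Audit User Account Management" subcategory enabled; the function name, parameter names and the 7-day default are this example's own choices.

```powershell
# Added example, not from the thread. Finds currently disabled users whose
# userAccountControl attribute was last written inside the window, using
# replication metadata rather than whenChanged as the decision, and optionally
# matches each hit to a 4725 event so the UAC write is confirmed to be a disable.
#Requires -Modules ActiveDirectory

function Get-RecentlyDisabledUser {
    [CmdletBinding()]
    param(
        [int]$Days = 7,          # window size; 7 matches the original question
        [switch]$Corroborate     # also query Security event 4725 on every DC
    )

    $since = (Get-Date).AddDays(-$Days)
    $dc    = [string](Get-ADDomainController).HostName

    # Pre-filter only: an account disabled inside the window necessarily has
    # whenChanged inside the window too. whenChanged is never the verdict here.
    $candidates = Get-ADUser -Server $dc `
        -Filter { Enabled -eq $false -and whenChanged -ge $since } `
        -Properties userAccountControl, whenChanged

    # 4725 is written only on the DC that processed the disable, so every DC is
    # asked once; results are keyed by the target account name (lower-cased).
    $disabledBy = @{}
    if ($Corroborate) {
        foreach ($server in (Get-ADDomainController -Filter *).HostName) {
            $events = Get-WinEvent -ComputerName $server -ErrorAction SilentlyContinue `
                -FilterHashtable @{ LogName = 'Security'; Id = 4725; StartTime = $since }
            foreach ($e in $events) {
                # Parse the event XML rather than relying on positional Properties.
                $data   = ([xml]$e.ToXml()).Event.EventData.Data
                $target = ($data | Where-Object Name -eq 'TargetUserName').'#text'
                $actor  = ($data | Where-Object Name -eq 'SubjectUserName').'#text'
                $disabledBy[$target.ToLower()] = "disabled by $actor on $server at $($e.TimeCreated)"
            }
        }
    }

    foreach ($user in $candidates) {
        $meta = Get-ADReplicationAttributeMetadata -Server $dc `
            -Object $user.DistinguishedName -Properties userAccountControl

        # The real test: when did userAccountControl last change (originating write).
        if ($meta.LastOriginatingChangeTime -lt $since) { continue }

        # Metadata alone cannot prove that write was the disable; UAC is a bit mask
        # shared with flags such as DONT_EXPIRE_PASSWORD. Only the 4725 event can.
        $evidence = if ($Corroborate) {
            $hit = $disabledBy[$user.SamAccountName.ToLower()]
            if ($hit) { $hit } else { 'no 4725 found in window (other UAC bit changed?)' }
        } else { 'not checked' }

        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            UacLastChanged = $meta.LastOriginatingChangeTime
            UacChangedOn   = $meta.LastOriginatingChangeDirectoryServerIdentity
            UacVersion     = $meta.Version
            UacValue       = '0x{0:X}' -f $user.userAccountControl
            Event4725      = $evidence
        }
    }
}

# Usage: accounts with a UAC write in the last 7 days, corroborated against 4725.
Get-RecentlyDisabledUser -Days 7 -Corroborate | Format-Table -AutoSize
```

Rows whose Event4725 column reads "no 4725 found" are exactly the false positives chriss3 describes: a disabled account whose most recent userAccountControl write was some other flag. Without -Corroborate the function is equivalent to Robin's one-liner and inherits that ambiguity; with it, each hit carries the DC, actor and timestamp of the actual disable.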

