Use PowerShell to Easily Find Obsolete Accounts
One of the great new capabilities in ActiveRoles AD cmdlets version 1.4 is the ability to define the criteria by which you identify obsolete or inactive accounts. You define the criteria once as an "inactive accounts policy" (Set-QADInactiveAccountsPolicy). The Get-QADUser cmdlet then applies that policy when called with -Inactive, listing the accounts that match it, so you can disable or delete them, or, if you own ActiveRoles Server, run your deprovisioning policy against them.
Set-QADInactiveAccountsPolicy
Set the current user preference on what accounts to consider inactive by default.
Syntax
Set-QADInactiveAccountsPolicy [-AccountExpiredPeriod <Int32>] [-PasswordNotChangedPeriod <Int32>] [-AccountNotLoggedOnPeriod <Int32>]
Parameters
AccountExpiredPeriod
Use this parameter to specify the number of days after which an expired account is considered inactive by default. Thus, an account is considered inactive if the account remains in the expired state for more days than specified by this parameter.
AccountNotLoggedOnPeriod
Use this parameter to specify the period, in days, that an account is not used to log on, after which the account is considered inactive by default. Thus, an account is considered inactive if no successful logons to that account occur for more days than specified by this parameter.
PasswordNotChangedPeriod
Use this parameter to specify the password age, in days, after which an account is considered inactive by default. Thus, an account is considered inactive if the password of the account remains unchanged for more days than specified by this parameter.
Detailed Description
Use this cmdlet to specify the default conditions that must be met for a user or computer account to be considered inactive. The inactivity conditions are specific to the current user, and have an effect on the cmdlets that support the Inactive parameter (such as Get-QADUser or Get-QADComputer). If no account-inactivity related parameters other than Inactive are supplied, then the Inactive parameter retrieves the accounts that meet the conditions defined by this cmdlet. To view the inactivity conditions that are currently in effect, use the Get-QADInactiveAccountsPolicy cmdlet.
Get-QADInactiveAccountsPolicy
View the current user preference on what accounts to consider inactive by default.
Syntax
Get-QADInactiveAccountsPolicy
Detailed Description
Use this cmdlet to examine the settings that were specified by using Set-QADInactiveAccountsPolicy, and are in effect for the current user session. These settings specify the default conditions that must be met for a user or computer account to be considered inactive. The inactivity conditions are specific to the current user, and have an effect on the cmdlets that support the Inactive parameter (such as Get-QADUser or Get-QADComputer). If no account-inactivity related parameters other than Inactive are supplied, then the Inactive parameter retrieves the accounts that meet the conditions defined by the AccountExpiredPeriod, AccountNotLoggedOnPeriod, and PasswordNotChangedPeriod settings that you can examine using this cmdlet. For details regarding each of these settings, see the corresponding parameter description for the Set-QADInactiveAccountsPolicy cmdlet.
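The two cmdlets above are only half of the workflow; what an administrator actually runs is define the policy, confirm it, list the matches, review, and only then disable. The following is an added example that walks through the whole procedure (it is not code from the original post or from Quest). The thresholds, OU path, CSV path and the "svc-" naming convention for service accounts are assumptions; property names such as LastLogonTimestamp, PasswordLastSet and AccountIsDisabled are the ones the QAD user objects expose, and -WhatIf on Disable-QADUser is assumed to be supported as on other QAD modification cmdlets.

```powershell
# Added example: end-to-end obsolete user account sweep with the Quest ActiveRoles AD cmdlets.
# Assumptions: thresholds, OU path, CSV path and the "svc-" service account prefix are made up for illustration.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

# 1. Define what "inactive" means for this session. The policy is a per-user preference,
#    so set it explicitly in every script rather than relying on whatever was set last.
Set-QADInactiveAccountsPolicy -AccountExpiredPeriod 30 -PasswordNotChangedPeriod 90 -AccountNotLoggedOnPeriod 90

# 2. Print the thresholds actually in effect before acting on them.
Get-QADInactiveAccountsPolicy

# 3. List user accounts under a search root that meet the policy.
#    -SizeLimit 0 removes the default result cap; -IncludedProperties pulls the attributes
#    we want to show reviewers so they can see *why* an account was flagged.
$searchRoot = 'OU=Staff,DC=example,DC=com'   # assumed OU
$inactive = Get-QADUser -SearchRoot $searchRoot -Inactive -SizeLimit 0 `
    -IncludedProperties lastLogonTimestamp, pwdLastSet

# 4. Exclude accounts that legitimately never log on interactively (service accounts here,
#    identified by an assumed naming convention). Disabling one of these is an outage, not a cleanup.
$candidates = $inactive | Where-Object { $_.SamAccountName -notlike 'svc-*' }

# 5. Write a review file. Every row carries the evidence behind the "inactive" verdict.
$candidates |
    Select-Object SamAccountName, DN, LastLogonTimestamp, PasswordLastSet, AccountExpires, AccountIsDisabled |
    Export-Csv -Path 'C:\Temp\inactive-users.csv' -NoTypeInformation   # assumed path

# 6. Disable first, delete later. Disabling is reversible; deleting loses the SID, group
#    memberships and ACL references. -WhatIf makes this a dry run; drop it to apply.
$candidates |
    Where-Object { -not $_.AccountIsDisabled } |
    Disable-QADUser -WhatIf

# 7. Only accounts that have already sat disabled through a quarantine period are removed,
#    and only with an interactive confirmation. Uncomment when the quarantine has elapsed.
# $candidates |
#     Where-Object { $_.AccountIsDisabled } |
#     Remove-QADObject -Confirm
```

Two points worth keeping in mind when adapting this: -Inactive is an OR of the three policy conditions, so an account whose password is simply older than PasswordNotChangedPeriod is flagged even if it logged on yesterday (which is why the review CSV includes all three attributes), and lastLogonTimestamp is only updated on the domain controller when the previous value is more than about 14 days old, so a freshly active account can show a stale value for up to two weeks.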
Hi Bob, this is useful and seems that it would make the process easier to identify these accounts. I am having a similar issue with the housekeeping of computer accounts. The only "active" flag seems to be the pwdlastset field; however, this flag is not always set, particularly by remote users, and so using this as a delete trigger is not reliable.
As of yet I have yet to come across a reliable method for deleting obsolete computer accounts without it getting me into trouble! Of course we have RMAD which is a good safety net, but I’d rather delete the right one in the first instance.
Any ideas?
Try Get-QADComputer -Inactive
I don't think that will do the job, as it must use the pwdlastset AD attribute and this seems not to be set for devices that use VPN. So some devices could show as not active in AD, but actually are; they have just not set the attribute due to connecting in a certain way.
In addition to interactive logons we also provide detection options for objects that may be doing non-interactive logons; such as VPNs.
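The thread above turns on a real problem: a computer account's pwdLastSet only moves when the machine itself rotates its password against a domain controller, so a single attribute is a weak delete trigger. The following is an added example, not code from the post or its commenters, that corroborates two independent attributes (lastLogonTimestamp, which the DC updates on any successful authentication by the computer, and pwdLastSet) before classifying a computer as stale, and routes ambiguous cases to manual review instead of deletion. The OU path, the 90-day threshold and the report path are assumptions. It cannot see logons that never reach a domain controller at all (a laptop that only ever authenticates with cached credentials), so "stale" here still means "review and disable", not "delete".

```powershell
# Added example: classify computer accounts using two signals rather than pwdLastSet alone.
# Assumptions: OU path, threshold and report path are illustrative.
Add-PSSnapin Quest.ActiveRoles.ADManagement -ErrorAction SilentlyContinue

$staleDays = 90                                  # assumed threshold
$cutoff    = (Get-Date).AddDays(-$staleDays)
$searchRoot = 'OU=Workstations,DC=example,DC=com'  # assumed OU

$computers = Get-QADComputer -SearchRoot $searchRoot -SizeLimit 0 `
    -IncludedProperties lastLogonTimestamp, pwdLastSet, operatingSystem

$report = foreach ($c in $computers) {
    $lastLogon = $c.LastLogonTimestamp   # replicated; updated at most every ~14 days on any DC authentication
    $pwdSet    = $c.PasswordLastSet      # machine password rotation, only when the host can reach a DC

    # A recent value on EITHER attribute is proof of life. Both old means the host has not
    # touched a DC in any way for $staleDays days. A missing lastLogonTimestamp is typical of
    # prestaged or never-joined objects and is sent to review rather than auto-classified.
    $verdict =
        if (($lastLogon -and $lastLogon -gt $cutoff) -or ($pwdSet -and $pwdSet -gt $cutoff)) { 'active' }
        elseif (-not $lastLogon)                                                             { 'review' }
        else                                                                                 { 'stale' }

    [PSCustomObject]@{
        Name              = $c.Name
        DN                = $c.DN
        OperatingSystem   = $c.OperatingSystem
        LastLogonTimestamp = $lastLogon
        PasswordLastSet   = $pwdSet
        Disabled          = $c.AccountIsDisabled
        Verdict           = $verdict
    }
}

# Hand reviewers the evidence, grouped by verdict, before anything is changed.
$report | Sort-Object Verdict, Name |
    Export-Csv -Path 'C:\Temp\computer-review.csv' -NoTypeInformation   # assumed path

$report | Group-Object Verdict | Select-Object Name, Count

# Stale hosts are disabled (reversible), never deleted here. -WhatIf makes this a dry run.
$report | Where-Object { $_.Verdict -eq 'stale' -and -not $_.Disabled } | ForEach-Object {
    Disable-QADComputer -Identity $_.DN -WhatIf
}
```

If you also run Get-QADComputer -Inactive with the same thresholds, comparing its output against the 'stale' rows of this report shows exactly which machines the policy flags on one attribute alone; those are the VPN-style cases the comment describes and the ones to check by hand.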