Reputation: 13
How to get the number of enabled and non expired accounts members of an AD group
I need to get the number of accounts that are enabled and non expired of an AD group. I'm able to get the enabled accounts but I'm having problems with those that are expired.
I've been reading about how to do that and I found many solutions that are basically the same:
Get-ADGroupMember -Identity $DisName |get-aduser|Where{$_.Enabled -eq $true -and $_.AccountExpires -ne 0}
That's not working. I've checked for the value of the Property AccountExpires of an expired account and is not equal to 0. I've also compared this value among different Expiration Dates such as: Expired, expiring today, expiring tomorrow and Never Expires, to try to find something relevant among the values, but I didn't find anything.
This is my code:
$DisName = 'CN=demo1group,OU=groups,OU=demo1,OU=res10000,OU=Customer,DC=cloud,DC=local'
$lic = (Get-ADGroupMember -Identity $DisName |get-aduser|Where{$_.Enabled -eq $true -and $_.AccountExpires -ne 0}).count
I've tried to force to expire an account but I always get the same value for $lic
Upvotes: 1
Views: 2757
Answers (2)
Reputation: 146
AccountExpires value is always a FileTime value of 9223372036854775807 UNLESS you modify a user to expire at which point the AccountExpires value changes to 0 for never expire (this changed to 0 for all AD users in my lab)
I manually set an expired date of 9th January 2019 on my lab and get:
AccountExpirationDate : 10/01/2019 00:00:00
accountExpires : 131915520000000000
so you may be better off setting a variable $currentdate = Get-Date and then doing a comparison operator against the AccountExpirationDate parameter instead?
Here's some sample code that validates it in my lab:
$currrentdate = (Get-Date).ToFileTime()
Get-ADGroupMember -Identity <groupname> | get-aduser -Properties * | where {$_.Enabled -eq $true -and $_.AccountExpirationDate -ne $null -and $_.AccountExpires -lt $currrentdate} | Select-Object -Property UserPrincipalName,AccountExpirationDate,AccountExpires
Upvotes: 1
Reputation: 23355
You might need to do this:
Get-ADGroupMember -Identity $DisName | Get-ADUser -Properties Enabled,AccountExpires | Where { $_.Enabled -eq $true -and $_.AccountExpires -ne 0 }
Get-ADUser only returns a limited set of properties by default, but you can use -Properties to return a specific list of additional properties, or use -Properties * to return all properties.
Upvotes: 0
Related Questions
- Get count of members of an active directory group?
- Powershell to show AD group with disabled account - count?
- Powershell: count members of a AD group
- How to retrieve only enabled users from the Active Directory
- Trying to find enabled or disabled Users in AD with Powershell
- List of active directory group members that are not disabled
- Find inactive users on an active directory group?
- Get-ADGroupMembers with User account Enabled status
- Pull Ad groups and count the users inside each group
- Powershell, how to check group memberships for AD users