Reputation: 1
Some of our users are set up with an expiration date. If all goes accordingly, when that date comes, their account expires and that kicks off a process in which a .txt file with some of their attributes is created and saved in a specified location. This is the happy path.
On occasion, we have to disable a user manually before the expiration date arrives. When we disable them manually, the process is not initiated and no .txt file is created/saved.
My problem right now is that I have a fair number of disabled users that I have to go back and audit. I'm going to have to manually create the .txt files for any users that did not expire automatically, if that makes sense. I'm wondering if there's a way to report on this in AD so that I can tell which users were disabled manually.
I feel like this could be possible with LDAP queries, but I'm not sure. I'm relatively new to using AD and I'm not familiar enough with attributes to know if the method of disabling is logged.
As an example, I had a user today that I had to disable manually. However, the accountExpires attribute is still set to 12/1/2021. I think I may be able to use the whenChanged attribute to do this. If whenChanged doesn't match the timestamp for accountExpires, then that would be a clue they were disabled manually. However, I'll have to test this and see if automatic expiration affects whenChanged.
Edit: simplified, my questions are:
Upvotes: 0
Views: 1126
Reputation: 4610
Whenever you create any user in AD (group), by default the user is set to never expire. You can pull the users that have had the expiration date set manually.
The AccountExpires value is always a FileTime value of 132789024000000000 UNLESS you modify a user to expire, at which point the AccountExpires value changes to 0 for never expire.
PowerShell command for disabled users with their expiry date:
Get-ADGroupMember -Identity TestGroup | get-aduser -Properties * | where {$_.Enabled -eq $false} | Select-Object -Property UserPrincipalName,AccountExpirationDate,AccountExpires | Export-CSV 'C:\test.csv'
In the above screenshot, Ipsita and Kartik have been set manually to expire, so their value is 132789024000000000, whereas Ansuman has been set as a never-expire user, so its value is 0.
So here is your final PowerShell command for users that are set to expire manually:
Get-ADGroupMember -Identity TestGroup | get-aduser -Properties * | where {$_.Enabled -eq $false -and $_.AccountExpirationDate -ne $null} | Select-Object -Property UserPrincipalName,AccountExpirationDate,AccountExpires | Export-CSV 'C:\test.csv'
whenChanged and expiration date are two different attributes. whenChanged only displays the timestamp of the changed properties of an object in AD, whether that is the expiration date or any other attribute of that particular object.
Upvotes: 1
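The following script is an added example and is not code from the question or the answer above. It combines the answer's filter (disabled members of a group that have an expiration date set) with the comparison the asker proposes (accountExpires versus whenChanged), and decodes accountExpires from its FILETIME form so the CSV is readable. It assumes the ActiveDirectory module is installed, that the group name `TestGroup` from the thread exists, and that the output path is a placeholder to be replaced. The `Classification` column is a heuristic and is labelled as such in the code: whenChanged records the last write to any attribute, so it is only a proxy for when an account was disabled, exactly the uncertainty the asker raises.

```powershell
# Added example (not from the question or answer). Assumes the ActiveDirectory
# module is available and that the group 'TestGroup' from the thread exists.
Import-Module ActiveDirectory

function Convert-AccountExpires {
    param([Int64]$Value)
    # 0 and Int64.MaxValue both mean "never expires"; anything else is a FILETIME.
    if ($Value -eq 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    return [DateTime]::FromFileTime($Value)
}

function Get-DisabledUserExpiryReport {
    param([Parameter(Mandatory)][string]$GroupName)

    Get-ADGroupMember -Identity $GroupName |
        Where-Object { $_.objectClass -eq 'user' } |
        Get-ADUser -Properties accountExpires, whenChanged |
        Where-Object { -not $_.Enabled } |
        ForEach-Object {
            $expires = Convert-AccountExpires -Value $_.accountExpires

            # Heuristic (assumption): an expiry date later than the last write to the
            # object suggests the account was disabled by hand before it could expire.
            # whenChanged moves on any attribute write, so treat this as a hint only.
            $classification =
                if ($null -eq $expires)              { 'NoExpirySet' }
                elseif ($expires -gt $_.whenChanged) { 'LikelyManualDisable' }
                else                                 { 'LikelyExpired' }

            [PSCustomObject]@{
                UserPrincipalName = $_.UserPrincipalName
                AccountExpires    = $expires
                WhenChanged       = $_.whenChanged
                Classification    = $classification
            }
        }
}

# Usage: write the full report to CSV and show the accounts that still need a .txt file.
$report = Get-DisabledUserExpiryReport -GroupName 'TestGroup'
$report | Export-Csv -Path 'C:\path\to\report.csv' -NoTypeInformation   # placeholder path
$report | Where-Object Classification -eq 'LikelyManualDisable' | Format-Table -AutoSize
```

Review the `LikelyManualDisable` rows by hand before creating the missing .txt files: any unrelated attribute edit after the expiry date (a group change, a description update) will move whenChanged and shift an account between classes.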