Expired Users Greater than 30 Days

I'm trying to create a script that will show me all of the AD accounts that have been expired for more than 30 days. So, I did this:

Import-Module ActiveDirectory
$then = (Get-Date).AddDays(-30)
Get-ADUser -Properties Name,Title,SAMAccountName,accountExpires,AccountExpirationDate,homeDirectory -Filter {accountExpires -lt $then}

Doing this pulls up 56 users, however some of these users were expired and reinstated, so I need to filter on the 'accountexpires' property to see only those accounts currently expired:

Import-Module ActiveDirectory
$then = (Get-Date).AddDays(-30)
Get-ADUser -Properties Name,Title,SAMAccountName,accountExpires,AccountExpirationDate,homeDirectory -Filter {accountExpires -lt $then -AND accountExpires -ne "0"}

Doing this pulls up 36 users, which is exactly correct. Now I want to exclude those users that are expired due to military leave. There are only 2 users in this list that match that criteria so it should show me 34 accounts. However, when I run the following script it only returns 3:

Import-Module ActiveDirectory
$then = (Get-Date).AddDays(-30)
Get-ADUser -Properties Name,Title,SAMAccountName,accountExpires,AccountExpirationDate,homeDirectory -Filter {accountExpires -lt $then -AND accountExpires -ne "0" -AND description -ne "Inactive Military Leave"}

So, what am I doing wrong?

Your help is appreciated! Thanks!

July 9th, 2015 8:59am

accountexpires is of type Int64 so no need to wrap 0 in quotes. Then on the description, I would use -like instead of -ne, as when using -eq or -ne on a string, it must be an exact match, so try

description -like "*Military*"

or you could try using -match

description -match "*Military*"

July 9th, 2015 9:59am

Thank you for replying, Clayman2.

When I try 'description -like "*Military*"' it returns only the 2 accounts I am trying to exclude.

I want to exclude users that are out on military leave so that their accounts are not accidentally deleted.

Thanks!

July 9th, 2015 11:10am

Hi,

In that case, you can use -notlike instead.

July 9th, 2015 11:56am

Thank you for the response, Mike.

Using -notlike returns the same results as using 'description -ne "Inactive Military Leave"'. It only displays 3 accounts.

July 9th, 2015 12:16pm

Wild guess:

From the 36 accounts, 2 have description "Inactive Military Leave", 3 have something else as description, and the remaining 31 have description not set?

Try this filter:

{accountExpires -lt $then -AND accountExpires -ne "0" -AND (description -ne "Inactive Military Leave" -OR description -notlike "*")}


July 9th, 2015 1:49pm

Yes! That does exactly what I need. Thank you!
July 9th, 2015 2:31pm

  • Edited by Leif-Arne Helland Thursday, July 09, 2015 5:57 PM
  • Marked as answer by PSOSSA Thursday, July 09, 2015 6:28 PM
July 9th, 2015 5:45pm
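
The case diagnosed in this thread (accounts with no description dropping out of a description -ne filter), as an added example that is not part of the original posts: the exclusion is done client-side, where an unset description is handled explicitly, so a cleanup job neither misses stale accounts nor touches the excluded ones. Select-StaleExpiredUser is a hypothetical helper name and the sample objects are constructed stand-ins for Get-ADUser output.

```powershell
# Added example; Select-StaleExpiredUser is a hypothetical helper, not an AD cmdlet.
function Select-StaleExpiredUser {
    param(
        [Parameter(ValueFromPipeline = $true)] $User,
        [datetime] $Cutoff = (Get-Date).AddDays(-30),
        [string]   $ExcludeDescription = 'Inactive Military Leave'
    )
    begin {
        # accountExpires is a FILETIME stored as Int64.
        # 0 and Int64.MaxValue both mean "never expires".
        $never = @([Int64]0, [Int64]::MaxValue)
        $cutoffFileTime = $Cutoff.ToFileTimeUtc()
    }
    process {
        $raw = [Int64]($User.accountExpires)
        if ($never -contains $raw)    { return }  # reinstated / never expires
        if ($raw -ge $cutoffFileTime) { return }  # not expired longer than the window
        # Client-side comparison: a $null description is simply "not equal" to the
        # exclusion text, so accounts with no description are kept.
        if ($User.Description -eq $ExcludeDescription) { return }
        $User
    }
}

# Constructed sample objects covering each case discussed in the thread.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'expired.nodesc'
        accountExpires = $now.AddDays(-90).ToFileTimeUtc(); Description = $null }
    [pscustomobject]@{ SamAccountName = 'expired.other'
        accountExpires = $now.AddDays(-60).ToFileTimeUtc(); Description = 'Contractor' }
    [pscustomobject]@{ SamAccountName = 'expired.military'
        accountExpires = $now.AddDays(-45).ToFileTimeUtc(); Description = 'Inactive Military Leave' }
    [pscustomobject]@{ SamAccountName = 'expired.recent'
        accountExpires = $now.AddDays(-10).ToFileTimeUtc(); Description = $null }
    [pscustomobject]@{ SamAccountName = 'reinstated'
        accountExpires = [Int64]0; Description = $null }
)

$sample | Select-StaleExpiredUser | Select-Object SamAccountName, Description

# Against a directory (requires the ActiveDirectory module), keep the date test
# server-side and do only the description exclusion client-side:
# $then = (Get-Date).AddDays(-30)
# Get-ADUser -Filter {accountExpires -lt $then -and accountExpires -ne 0} `
#     -Properties accountExpires, Description, AccountExpirationDate |
#     Select-StaleExpiredUser
```

With the sample data only expired.nodesc and expired.other pass through; the military-leave, recently expired and reinstated accounts are dropped.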
