Need help finding accounts that expire 90 days from date created

  • Question

  • Hi, I am trying to find all temp accounts in AD that expire 90 days after the account was created.  Here is what I have so far. I am not sure how to calculate that. I am not receiving any output.

    $expireDate = (Get-ADUser -filter * -Properties accountExpires).accountExpires
    $accountExpireDate = ([System.DateTime]::FromFileTime($expireDate)).AddDays(-90).Date

    Get-ADUser -Filter {whenCreated -ge $accountExpireDate} -Properties whenCreated | select name | export-csv 'c:\temp\all_temp_users.csv'
    Friday, April 24, 2015 8:05 PM

Answers

  • OK. I read your question again and I think I understand what you are asking now.

    Try it this way:


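    $DaysSinceCreation = 90
    
    # The LDAP filter skips accounts that never expire (accountExpires is 0 or 9223372036854775807).
    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -properties accountExpires,whenCreated | foreach-object {
      # accountExpires is stored as a file time value; convert it to a DateTime.
      $accountExpires = [DateTime]::FromFileTime($_.accountExpires)
      # Output the account only if it expires exactly $DaysSinceCreation whole days after creation.
      if ( ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation ) {
        new-object PSObject -property @{
          "distinguishedName" = $_.DistinguishedName
          "whenCreated"       = $_.whenCreated
          "accountExpires"    = $accountExpires
        }
      }
    }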
    


    -- Bill Stewart [Bill_Stewart]


    • Edited by Bill_Stewart (Moderator) Monday, April 27, 2015 10:01 PM: Deleted unneeded line
    • Marked as answer by glacket Tuesday, April 28, 2015 1:49 PM
    Monday, April 27, 2015 9:57 PM
    Moderator
  • Here is a small modification that checks for a range of days:


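    # The LDAP filter skips accounts that never expire (accountExpires is 0 or 9223372036854775807).
    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -properties accountExpires,whenCreated | foreach-object {
      # accountExpires is stored as a file time value; convert it to a DateTime.
      $accountExpires = [DateTime]::FromFileTime($_.accountExpires)
      # Whole days between account creation and expiration.
      $span = ($accountExpires - $_.whenCreated).Days
      if ( ($span -ge 85) -and ($span -le 96) ) {
        new-object PSObject -property @{
          "distinguishedName" = $_.DistinguishedName
          "whenCreated"       = $_.whenCreated
          "accountExpires"    = $accountExpires
        }
      }
    }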
    


    -- Bill Stewart [Bill_Stewart]

    • Marked as answer by glacket Tuesday, April 28, 2015 2:35 PM
    Tuesday, April 28, 2015 2:16 PM
    Moderator

All replies

  • Hi,

    Use Search-ADAccount instead:

    http://ss64.com/ps/search-adaccount.html

    It has an -AccountExpiring parameter you can use.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)

    Friday, April 24, 2015 8:15 PM
  • Hi,

    Use Search-ADAccount instead:

    http://ss64.com/ps/search-adaccount.html

    It has an -AccountExpiring parameter you can use.


    Don't retire TechNet! - (Don't give up yet - 13,225+ strong and growing)


    That's a good idea, I forgot about the Search-ADAccount command. So it looks like I would use the -TimeSpan parameter. How would I tell the script to find accounts that expire 90 days after they were created? Would I add 90 to the date created, convert the date to human language, then have the script check if it equals 90 days?
    Friday, April 24, 2015 8:46 PM
  • I did not really get anywhere with Search-ADAccount, so I used Get-ADUser again and rewrote the script. Here is what I have so far. I am not sure how to finish it.

    Get-ADUser -Filter * -SearchBase "OU=Contractors & Consultants,OU=Special Accounts,OU=Users,OU=Home Office,OU=Domain,DC=domain,DC=com" -Properties whenCreated,AccountExpirationDate | Where-Object {$_.whenCreated -le ((Get-Date).AddDays(-90)).Date} |

    Monday, April 27, 2015 8:56 PM
  • OK. I read your question again and I think I understand what you are asking now.

    Try it this way:


    $DaysSinceCreation = 90
    
    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -properties accountExpires,whenCreated | foreach-object {
      $accountExpires = [DateTime]::FromFileTime($_.accountExpires)
      if ( ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation ) {
        new-object PSObject -property @{
          "distinguishedName" = $_.DistinguishedName
          "whenCreated"       = $_.whenCreated
          "accountExpires"    = $accountExpires
        }
      }
    }
    


    -- Bill Stewart [Bill_Stewart]


    That seems to work, but I also get an error: Cannot find an overload for "op_Subtraction" and the argument count: "2". OK, so to get the output it looks like you're adding 90 days to the date created, and if that number equals accountExpires then show output, is that correct? Thanks for the reply.

    • Edited by glacket Tuesday, April 28, 2015 12:01 PM
    Tuesday, April 28, 2015 12:01 PM
  • Is it because of a null value for account expires? I thought this line only pulls AD accounts with expiration dates?

    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))"

    • Edited by glacket Tuesday, April 28, 2015 12:07 PM
    Tuesday, April 28, 2015 12:07 PM
  • Correct; the LDAP filter returns only accounts that have an expiration date set.

    I can't reproduce the error. Please copy and paste the exact error message you're getting.


    -- Bill Stewart [Bill_Stewart]

    Tuesday, April 28, 2015 12:33 PM
    Moderator
  • Correct; the LDAP filter returns only accounts that have an expiration date set.

    I can't reproduce the error. Please copy and paste the exact error message you're getting.


    -- Bill Stewart [Bill_Stewart]

    Here is the full error;

    Cannot find an overload for "op_Subtraction" and the argument count: "2".
    At C:\Scripts\Find all temp contractor accounts\New Text Document.ps1:7 char:26
    +   if ( ($accountExpires - <<<<  $_.whenCreated).Days -eq $DaysSinceCreation ) {
        + CategoryInfo          : NotSpecified: (:) [], MethodException
        + FullyQualifiedErrorId : MethodCountCouldNotFindBest

    Tuesday, April 28, 2015 12:37 PM
  • I can't reproduce it; sorry. I would suggest loading the script in the ISE and using the debugger to examine the data types of the $accountExpires variable and the whenCreated property of the user object ($_.whenCreated). They should both be DateTime objects, which support the subtraction operator (-) and return a TimeSpan object.

    -- Bill Stewart [Bill_Stewart]

    Tuesday, April 28, 2015 12:42 PM
    Moderator
  • I found the issue. It's interesting. Two of the users it pulled do not have a whenCreated date. This is only on my workstation. When I run it from a test server, all the whenCreated dates are reported. I did have another question I did not realize until now. What if the expiration date is not exactly 90 days out? Is it possible to change the $DaysSinceCreation variable to a range of 85-95 instead of 90?
    Tuesday, April 28, 2015 1:24 PM
  • I was able to achieve the proper output by adding an additional $DaysSinceCreation variable, though it's not very efficient.
    Tuesday, April 28, 2015 1:39 PM
  • OK. I read your question again and I think I understand what you are asking now.

    Try it this way:


    $DaysSinceCreation = 90
    
    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -properties accountExpires,whenCreated | foreach-object {
      $accountExpires = [DateTime]::FromFileTime($_.accountExpires)
      if ( ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation ) {
        new-object PSObject -property @{
          "distinguishedName" = $_.DistinguishedName
          "whenCreated"       = $_.whenCreated
          "accountExpires"    = $accountExpires
        }
      }
    }
    


    -- Bill Stewart [Bill_Stewart]


    Here is what I modified to expand the range of the $DaysSinceCreation value. It appears to work but is kind of sloppy. It's not a big deal, but is there a way to make this cleaner? I tried a range variable and did not have any luck. Again, thanks for all your help!

    $DaysSinceCreation = 85
    $DaysSinceCreation1 = 86
    $DaysSinceCreation2 = 87
    $DaysSinceCreation3 = 88
    $DaysSinceCreation4 = 89
    $DaysSinceCreation5 = 90
    $DaysSinceCreation6 = 91
    $DaysSinceCreation7 = 92
    $DaysSinceCreation8 = 93
    $DaysSinceCreation9 = 94
    $DaysSinceCreation10 = 95
    $DaysSinceCreation11 = 96
    
    
    
    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -properties accountExpires,whenCreated | foreach-object {
      $accountExpires = [DateTime]::FromFileTime($_.accountExpires)
      if ( ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation1 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation2 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation3 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation4 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation5 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation6 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation7 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation8 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation9 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation10 -or ($accountExpires - $_.whenCreated).Days -eq $DaysSinceCreation11) {
        new-object PSObject -property @{
          "SamAccountName" = $_.SamAccountName
          "whenCreated"       = $_.whenCreated
          "accountExpires"    = $accountExpires
        }
      }
    }

    Tuesday, April 28, 2015 1:58 PM
  • Here is a small modification that checks for a range of days:


    get-aduser -ldapfilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -properties accountExpires,whenCreated | foreach-object {
      $accountExpires = [DateTime]::FromFileTime($_.accountExpires)
      $span = ($accountExpires - $_.whenCreated).Days
      if ( ($span -ge 85) -and ($span -le 96) ) {
        new-object PSObject -property @{
          "distinguishedName" = $_.DistinguishedName
          "whenCreated"       = $_.whenCreated
          "accountExpires"    = $accountExpires
        }
      }
    }
    


    -- Bill Stewart [Bill_Stewart]

    You are the man. It looks a lot cleaner than my sloppy mess. Thanks!
    Tuesday, April 28, 2015 2:35 PM
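
The range check from the accepted answer, wrapped so that a user object returned without whenCreated (the cause of the op_Subtraction error in this thread) is reported instead of throwing. This is an added example, not code from any poster: the function name Select-ExpiryWindowAccount, its parameters, the LifetimeDays property and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example (not from the thread); function and parameter names are hypothetical.
function Select-ExpiryWindowAccount {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)] $User,
        [int]$MinDays = 85,
        [int]$MaxDays = 96
    )
    begin { $never = 0, [Int64]::MaxValue }   # accountExpires values meaning "never expires"
    process {
        $raw = $User.accountExpires
        if ($null -eq $raw -or $never -contains [Int64]$raw) { return }
        # A missing whenCreated is what made the DateTime subtraction fail in the thread;
        # warn and skip so the audit run completes and the gap is visible.
        if ($User.whenCreated -isnot [DateTime]) {
            Write-Warning "Skipping '$($User.SamAccountName)': whenCreated is missing"
            return
        }
        $expires = [DateTime]::FromFileTime([Int64]$raw)
        $span = ($expires - $User.whenCreated).Days
        if ($span -ge $MinDays -and $span -le $MaxDays) {
            New-Object PSObject -Property @{
                SamAccountName = $User.SamAccountName
                whenCreated    = $User.whenCreated
                accountExpires = $expires
                LifetimeDays   = $span
            }
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output, so the block runs offline.
$created = Get-Date '2015-01-05 09:00'
$sample = @(
    New-Object PSObject -Property @{ SamAccountName = 'temp01';  whenCreated = $created; accountExpires = $created.AddDays(90).ToFileTime() }
    New-Object PSObject -Property @{ SamAccountName = 'temp02';  whenCreated = $null;    accountExpires = $created.AddDays(90).ToFileTime() }
    New-Object PSObject -Property @{ SamAccountName = 'perm01';  whenCreated = $created; accountExpires = [Int64]::MaxValue }
    New-Object PSObject -Property @{ SamAccountName = 'staff01'; whenCreated = $created; accountExpires = $created.AddDays(365).ToFileTime() }
)
$sample | Select-ExpiryWindowAccount | Select-Object SamAccountName, LifetimeDays

# Against a directory, feed it the same query used in the thread:
# Get-ADUser -LDAPFilter "(&(!(accountExpires=0))(!(accountExpires=9223372036854775807)))" -Properties accountExpires,whenCreated |
#   Select-ExpiryWindowAccount | Export-Csv 'c:\temp\all_temp_users.csv' -NoTypeInformation
```

Accounts that trigger the warning are worth reviewing by hand, since their lifetime cannot be computed from the returned data.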