Using Search-ADAccount to find and move expired accounts that have been expired for a year


  • I am trying to clean up accounts in AD. It seems, in our environment, accounts get expired but never disabled. I would like to figure out how to find accounts that have been expired for a year or more and then move those into a different OU so I can disable them.

    I have researched this but can't seem to figure out the "accounts expired for a year or more" part. My company wants to give consultants a year before we disable their accounts permanently, if that makes sense. 

    I am not sure if I should be using the -AccountExpired, -AccountExpires or some other parameter.

    I have the below so far so I can see the results before working on the moving part, but this fails so I haven't been able to work on that part yet.

    search-ADAccount -AccountExpired -DateTime "(get-date).AddDays(-365)" -UsersOnly | fl name


    Search-ADAccount : Cannot bind parameter 'DateTime'. Cannot convert value "(get-date).AddDays(-365)" to type 
    "System.DateTime". Error: "String was not recognized as a valid DateTime."

    Any help I can get is appreciated, thank you!

    ____________ Kyle

    Wednesday, February 8, 2017 5:07 PM

All replies

  • It's probably that the cmdlet interprets everything in quotes as a literal string. To verify, assign the get-date result to a variable, then use the variable in your datetime parameter. I think it's merely a syntax issue.
    Wednesday, February 8, 2017 5:28 PM
  • Thanks, that makes sense. I tried it but get an error still.

    This is the script that I tried.

    search-ADAccount -AccountExpired -DateTime $date -UsersOnly | fl name

    If I break down each part it works. So if I run the (Get-Date).AddDays(-365) as a single command it gives me the correct info. If I run the command without the $date variable I get success.

    search-ADAccount -AccountExpired -UsersOnly | fl name

    As soon as I combine them I get this:

    Search-ADAccount : Parameter set cannot be resolved using the specified named parameters.
    At line:3 char:1
    + search-ADAccount -AccountExpired -DateTime $date -UsersOnly | fl name
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        + CategoryInfo          : InvalidArgument: (:) [Search-ADAccount], ParameterBindingException
        + FullyQualifiedErrorId : AmbiguousParameterSet,Microsoft.ActiveDirectory.Management.Commands.SearchADAccount

    ____________ Kyle

    Wednesday, February 8, 2017 8:20 PM
  • I used an LDAP Filter instead and got the results I am after. Now I can work on moving these accounts or disabling them.


    Import-Module ActiveDirectory
    $date = (Get-Date).AddDays(-365).ToFileTime()
    $ldapfilter = "(&(!userAccountControl:1.2.840.113556.1.4.803:=2)(accountexpires<=$date)(!accountexpires=0))"
    Get-ADUser -ldapfilter $ldapfilter | fl name

    ____________ Kyle

    Wednesday, February 8, 2017 8:52 PM
  • Try the command below:

    Note: you need to have the PS AD module installed on your machine.

    # Move-ADObject binds the piped account to -Identity; $_ is only defined inside a script block, so it is not passed explicitly
    Search-ADAccount -AccountExpired | where {$_.AccountExpirationDate -lt (Get-Date).AddYears(-1) -and $_.ObjectClass -eq "user"} | Move-ADObject -TargetPath "OU=Disabled,DC=int,DC=asurion,DC=com"

    Kindly mark this as answer if helpful.

    • Proposed as answer by SachinWaghmare Thursday, February 9, 2017 10:56 AM
    Thursday, February 9, 2017 10:56 AM
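The LDAP query from the earlier post combined with the move step from the last reply, as an added example that is not from either poster: it treats accountExpires as a FILETIME, excludes both "never expires" encodings (0 and Int64.MaxValue), writes a CSV snapshot of the matches before changing anything, and supports -WhatIf so the move can be previewed. The function name, OU DN and CSV path are placeholders; it assumes the ActiveDirectory module is installed and the caller has rights to move and disable the matched users.

```powershell
function Invoke-ExpiredAccountCleanup {
    # Added example (hypothetical function name). Finds enabled users whose
    # accountExpires is at least $ExpiredForDays in the past, snapshots them
    # to CSV (the original DN is needed to undo a move), then moves and
    # disables each one. Honours -WhatIf / -Confirm via ShouldProcess.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # placeholder, e.g. 'OU=Disabled,DC=example,DC=com'
        [Parameter(Mandatory)] [string] $TargetOU,
        [int]    $ExpiredForDays = 365,
        [string] $SnapshotPath = "$env:TEMP\expired-accounts-$(Get-Date -Format yyyyMMdd).csv"
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # accountExpires is a FILETIME (100 ns ticks since 1601-01-01), so the
    # cutoff must be converted the same way. 0 and Int64.MaxValue both mean
    # "never expires" and must be excluded explicitly; bit 2 (0x2) of
    # userAccountControl set means the account is already disabled.
    $cutoff = (Get-Date).AddDays(-$ExpiredForDays).ToFileTime()
    $never  = [Int64]::MaxValue
    $ldap   = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(accountExpires<=$cutoff)(!(accountExpires=0))(!(accountExpires=$never)))"

    $stale = @(Get-ADUser -LDAPFilter $ldap -Properties AccountExpirationDate)
    if ($stale.Count -eq 0) { Write-Verbose 'No accounts matched.'; return }

    # Snapshot before touching anything so the move can be reversed.
    $stale | Select-Object SamAccountName, AccountExpirationDate, DistinguishedName |
        Export-Csv -Path $SnapshotPath -NoTypeInformation
    Write-Verbose "Snapshot of $($stale.Count) account(s) written to $SnapshotPath"

    foreach ($user in $stale) {
        $action = "Move to $TargetOU and disable (expired $($user.AccountExpirationDate))"
        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, $action)) {
            # Address the object by GUID: its DN changes once it is moved.
            Move-ADObject     -Identity $user.ObjectGUID -TargetPath $TargetOU
            Disable-ADAccount -Identity $user.ObjectGUID
        }
    }
    return $stale
}

# Preview first, then run for real:
# Invoke-ExpiredAccountCleanup -TargetOU 'OU=Disabled,DC=example,DC=com' -WhatIf
# Invoke-ExpiredAccountCleanup -TargetOU 'OU=Disabled,DC=example,DC=com' -Verbose
```

On Search-ADAccount, -DateTime only pairs with -AccountExpiring and -AccountInactive, which is why combining it with -AccountExpired produced the "parameter set cannot be resolved" error in the thread; filtering on accountExpires directly sidesteps that.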