How could I clean up stale user accounts without Quest?

I use Powershell, in some form, on a daily basis. Primarily I use the Powershell CLI for quick queries against WMI, getting data from SQL,  Data from Exchange and Active Directory. Active directory is the most interesting because I nearly always end up using commands that are only available using the Quest Active Directory CMDlets.

I was on a customer’s domain controller and noticed that they had a lot of service accounts created under the users CN in AD.  By service accounts, I mean that they were user objects that were named things like FTPsrv and that the ftp service runs on an FTP server using that user account. Because of the names being used, it was obvious that at least a few were not being used.

I’ll keep using the FTPsrv user as the example here, but basically from the PS CLI I just typed:

(get-qaduser ftpsrv).lastlogon and checked the last logon date to see if this account was being used.

Then, to see the same for all of these service accounts:

foreach($usr in get-qaduser |where{$ -like “*srv*){




I disabled the unused accounts and made a note in the description to delete by a certain date if there were no problems. I can search on that note later and delete the accounts.

This all seems simple but it occurs to me that it’s worth pointing out WHY I use the Quest AD cmdlet.

Without the Quest cmdlets, from AD users and computers MMC you can make a query that returns users, but you are limited to the preset options for numbers of days and the results won’t display the last logon date so that seems to be a place to start but not a useful place to actually get data. So we’re back to powershell to get our data.

There is a really good reason to use the Quest AD cmdlet.  That reason is that by default it’s pretty difficult to use PS to get useful AD information.  The first problem  is that you actually need to find domain controllers and search them individually, the next is that you need to convert time to a readable format.Finally you end up with a last logon date and time from each domain controller that will need to be compared.

$Username = “FTPsrv”
[DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().DomainControllers | ForEach-Object {
$Server = $_.Name
$SearchRoot = [ADSI]”LDAP://$Server”
$Searcher = New-Object DirectoryServices.DirectorySearcher($SearchRoot,”(sAMAccountName=$Username)”)
$Searcher.FindOne() | Select-Object `
@{n=’Name’;e={ $_.Properties[“name”][0] }},
@{n=’Last Logon’;e={ (Get-Date “01/01/1601”).AddTicks($_.Properties[“lastlogon”][0]) }},
@{n=’Domain Controller’;e={ $Server }}}

This gets us a table with the entries from each domain controller.


Leave a comment

Filed under Active Directry, Powershell

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s