Mar 26 2019 02:13 PM
I am not very good at Powershell (yet) and I was tasked with finding all the service accounts in our Active Directory. Once I have a list I need to find the last time it was used to logon and clear out the old accounts. I can't figure out how to gather the accounts. I have tried the Get-ADServiceAccounts with different settings but can't get it to find the accounts. It seems like it should be easy but....
Any help would be appreciated!
Mar 27 2019 04:53 AM - edited Mar 27 2019 04:58 AM
What have you tried?
This should get you started:
Get-ADServiceAccount -Filter * -SearchScope Subtree
This will grab all the service accounts in your domain.
Your AD domain's distinguished name can be obtained from:
(Get-ADDomain).DistinguishedName
Mar 27 2019 06:52 AM
Thanks for the reply - where would the distinguished name fit into the command? Let's say my distinguished name is DC=Contoso, DC=Com
Mar 27 2019 07:20 AM
The distinguished name can be used in the cmdlet like so:
Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName
The -SearchBase parameter accepts a distinguished name syntax, e.g. "CN=blah, OU=blah, dc=domain, dc=domain". This provides a means of targeting your search at a known starting point instead of the entire directory.
Use the -SearchScope parameter to specify how deep the search should go; Base, OneLevel, Subtree
Ex: Get-ADServiceAccount -Filter * -SearchScope Base
Ex: Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Base
Ex: Get-ADServiceAccount -Filter * -SearchScope Subtree
Ex: Get-ADServiceAccount -Filter * -SearchBase (Get-ADDomain).DistinguishedName -SearchScope Subtree
Note the results.
Review the documentation here:
https://docs.microsoft.com/en-us/powershell/module/addsadministration/get-addomain?view=win10-ps
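An added example (not code from anyone in this thread) that puts the whole task together: enumerate the accounts, pull their last logon, and list the stale ones. It goes a step beyond the replies above because Get-ADServiceAccount only returns managed and group managed service accounts; many environments also run services under ordinary user accounts, and the second query assumes those can be recognised by a servicePrincipalName being set. The 90-day threshold and the output file name are constructed values; the script assumes the RSAT ActiveDirectory module and read access to the domain.

```powershell
# Added example: inventory service-type accounts and flag the ones not used recently.
# Assumptions: ActiveDirectory module installed (RSAT); run as an account that can read the domain.
Import-Module ActiveDirectory

$StaleDays  = 90                              # constructed threshold; align with your own policy
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$SearchBase = (Get-ADDomain).DistinguishedName  # domain root, as suggested in the thread

$props = 'LastLogonDate', 'Enabled', 'PasswordLastSet', 'DistinguishedName'

# 1. Managed / group managed service accounts. -Filter is mandatory on this cmdlet.
#    LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only
#    rewritten when the stored value is older than roughly 9-14 days, so it is coarse but
#    consistent no matter which domain controller answers the query.
$msa = Get-ADServiceAccount -Filter * -SearchBase $SearchBase -SearchScope Subtree -Properties $props |
    Select-Object Name, ObjectClass, Enabled, LastLogonDate, PasswordLastSet, DistinguishedName

# 2. Ordinary user objects acting as service accounts (assumption: anything carrying an SPN).
$spnUsers = Get-ADUser -Filter 'ServicePrincipalName -like "*"' -SearchBase $SearchBase -SearchScope Subtree -Properties $props |
    Select-Object Name, ObjectClass, Enabled, LastLogonDate, PasswordLastSet, DistinguishedName

$all = @($msa) + @($spnUsers)

# Candidates for review: never logged on at all, or last logon before the cutoff.
$stale = $all | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff }

$all   | Sort-Object LastLogonDate | Format-Table Name, ObjectClass, Enabled, LastLogonDate -AutoSize
$stale | Export-Csv -Path .\stale-service-accounts.csv -NoTypeInformation   # constructed file name

"Found $($all.Count) service-type accounts; $($stale.Count) with no recorded logon in the last $StaleDays days."
```

Two practical notes. The lastLogonTimestamp granularity means an account can show as "stale" for up to two weeks after it was genuinely used, so the CSV is a review list, not a deletion list; disabling the flagged accounts first and deleting only after a waiting period avoids breaking a service that authenticates rarely. If you need exact last-use times, the non-replicated lastLogon attribute has to be queried on every domain controller and the newest value taken.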