PowerShell: How to use Get-ADUser to list all recently created accounts (and recently changed accounts)

PowerShell

For the next couple of posts I’ll be looking into AD security and auditing. In this article we’ll look at how to use Get-ADUser to list all recently created accounts.

With the increasing number of cyber attacks, security is at the top of most IT departments agenda. There are many checks you can perform to make sure AD is safe and secure, and that only valid or approved modifications have been made to user accounts. I’ll look at AD auditing in a future post, but this will be a handy snippet of PowerShell to help you identify recently created AD accounts, and a bonus bit of code to identify recently modified accounts!

As a quick recap, to view the available options with Get-ADUser type:

help Get-ADUser

help get-aduser

Next we want to find out the full list of properties Get-ADUser can give us so we can identify the specific property to search for. Pick a user at random and type:

Get-ADUser -identity username -property *

get-aduser -identity username -property star whenCreated whenChanged

 

Looking through the  properties you can see the very last two, whenChanged and whenCreated. These are the two properties we’ll be working with




Now we need to do some date manipulation to feed into the Get-ADUser cmdlet so that we can list only accounts created within xx days. To do this we’ll use the variable $DateCutOff, along with the Get-Date cmdlet and AddDays. Type:

$DateCutOff=(Get-Date).AddDays(-30)

This will take today’s date and effectively add -30 days to it.

datecutoff-equals-get-date-adddays-minus30

So you can see today is 22nd July, but the $DateCutOff variable is 22nd June. Now we can use this along with the Where-Object cmdlet on the whenCreated property.

Type:

Get-ADUser -Filter * -Property whenCreated | Where {$_.whenCreated -gt $datecutoff} | FT Name, whenCreated -Autosize

 

get-aduser-filter-star-property-whencreated-pipe-where-whencreated-greaterthan-datecutoff-ft-name-whencreate-autosize

So above you can see two test accounts have been created in the last 30 days.

Now if we change the whenCreated property for the whenChanged property, we can see all accounts that have been modified in the last 30 days.

Type:

Get-ADUser -Filter * -Property whenChanged | Where {$_.whenChanged -gt $datecutoff} | FT Name, whenChanged -Autosize

get-aduser-filter-star-property-whenchanged-pipe-where-whenchanged-greaterthan-datecutoff-ft-name-whenchanged-autosize

Here you can see all the accounts that have been modified in the last 30 days.

Resources

Get-ADUser http://technet.microsoft.com/en-us/library/ee617241.aspx

Get-Date  https://technet.microsoft.com/en-us/library/ee692801.aspx https://blogs.technet.microsoft.com/heyscriptingguy/2015/01/21/adding-and-subtracting-dates-with-powershell/

Where-Object http://technet.microsoft.com/en-us/library/ee177028.aspx

Format-Table https://msdn.microsoft.com/en-us/powershell/reference/5.1/microsoft.powershell.utility/format-table

What the heck is $_ https://technet.microsoft.com/en-us/library/ee677578.aspx

Related Get-ADUser Posts:

1. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1

2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 2

3. PowerShell: Get-ADUser to retrieve password last set and expiry information

4. PowerShell: How to add all users in an OU to a Security Group using Get-ADUser and Add-ADGroupMember

5. PowerShell: Get-ADUser to retrieve disabled user accounts

 

If you found this post useful, please share!

    Related Posts

    Leave a Reply

    Your email address will not be published. Required fields are marked *