Discovering Stale User Accounts with PowerShell

Back in December I wrote a post on “Discovering Stale Computer Accounts with PowerShell”. Today I received an email from one of my readers (thanks, Matt, for writing!) who was trying to adjust the script to query for stale user accounts. The script that I created in the previous entry is a good starting point, but it requires some modifications to work properly for user accounts.

The biggest change in the script is that the DirectorySearcher filter has to be modified to look for user accounts. Simply changing the filter from “computer” to “user” doesn’t quite work, as for some reason ADSI will retrieve the computer accounts as well as the user accounts. We can further limit the search by adding the ObjectCategory in addition to the ObjectClass.

This particular example will query on the last password change date.
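
The following sketch shows the filter change described above. It is an added example, not the script from the original post. The 90-day threshold, the `person` category value, the function name `Get-StaleUserFilter` and the selected output properties are assumptions made for illustration.

```powershell
# Added example: find user accounts whose password has not changed in $StaleDays days.
# Assumption: 90 days is the staleness threshold; adjust to your password policy.
param([int]$StaleDays = 90)

function Get-StaleUserFilter {
    param([Parameter(Mandatory)][datetime]$Cutoff)
    # pwdLastSet is stored as a 64-bit Windows FILETIME, so compare against that form.
    $fileTime = $Cutoff.ToFileTimeUtc()
    # objectClass=user alone also matches computer accounts; adding
    # objectCategory=person restricts the result to real user objects.
    "(&(objectCategory=person)(objectClass=user)(pwdLastSet<=$fileTime))"
}

$cutoff   = (Get-Date).AddDays(-$StaleDays)
$searcher = New-Object System.DirectoryServices.DirectorySearcher   # defaults to the current domain
$searcher.Filter      = Get-StaleUserFilter -Cutoff $cutoff
$searcher.SearchScope = 'Subtree'
$searcher.PageSize    = 1000    # enable paging so large domains are not cut off at the server limit
$searcher.PropertiesToLoad.AddRange([string[]]@('samaccountname', 'pwdlastset', 'distinguishedname'))

$results = $searcher.FindAll()
try {
    foreach ($entry in $results) {
        $raw = [int64]$entry.Properties['pwdlastset'][0]
        [pscustomobject]@{
            SamAccountName    = [string]$entry.Properties['samaccountname'][0]
            # pwdLastSet = 0 means the password was never set or must change at next logon.
            PasswordLastSet   = if ($raw -eq 0) { $null } else { [datetime]::FromFileTimeUtc($raw) }
            DistinguishedName = [string]$entry.Properties['distinguishedname'][0]
        }
    }
}
finally {
    $results.Dispose()   # FindAll() holds unmanaged resources until disposed
}
```

Accounts with a `PasswordLastSet` of `$null` match the filter because their stored value is 0, so review them separately from accounts with an old but real change date.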