Active Directory: How to Find Expired User Accounts

As part of security management best practices, Active Directory administrators have to find expired user accounts so they can remove or disable them before an attacker has time to take them over. User accounts for vendors or contractors are often needed only temporarily, but even if the IT team sets an expiration date, a malicious actor can reset that date with a single Active Directory PowerShell cmdlet and then use the account as a backdoor into IT systems such as Windows Server and Microsoft Active Directory. Therefore, it is critical to know about every expired user account in your Active Directory and to delete those that are no longer needed, minimizing risk and making your IT environment more secure.

1. Open the PowerShell ISE → Run the following cmdlet, paying close attention to the properties used:

# $ThisDomain and $Creds must be set before the cmdlet runs, for example:
$ThisDomain = "corp.example.com"   # placeholder; replace with your domain's DNS name
$Creds = Get-Credential             # account with read access to the domain
Search-ADAccount -Server $ThisDomain -Credential $Creds -AccountExpired -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object Name, SamAccountName, DistinguishedName, AccountExpirationDate

2. Review the accounts listed in the PowerShell output:

https://img.netwrix.com/howtos/get_list_of_expired_ad_accounts_powershell.png
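The two steps above only list expired accounts. The following script is an added example, not part of the original Netwrix article: it builds the same report, adds whether each expired account is still enabled and how long ago it expired, writes it to CSV, and optionally disables accounts that have been expired longer than a grace period. It assumes the ActiveDirectory RSAT module is installed, that the caller has rights to read and modify the accounts, and that the domain name in $Domain is a placeholder to be replaced.

```powershell
# Added example (not from the original page): report expired AD user accounts and,
# with -Disable, disable those that have been expired longer than $GraceDays.
param(
    [string]$Domain     = "corp.example.com",          # placeholder; replace with your domain
    [int]$GraceDays     = 30,                           # how long an expired account may linger
    [string]$ReportPath = "$env:TEMP\expired-users.csv",
    [switch]$Disable                                    # without this switch the script only reports
)

Import-Module ActiveDirectory

$now    = Get-Date
$cutoff = $now.AddDays(-$GraceDays)

# -AccountExpired returns only accounts whose expiration date has already passed.
# Each hit is re-read with Get-ADUser so the report can include Enabled and LastLogonDate.
$expired = Search-ADAccount -Server $Domain -AccountExpired -UsersOnly -ResultPageSize 2000 -ResultSetSize $null |
    ForEach-Object {
        Get-ADUser -Server $Domain -Identity $_.DistinguishedName `
            -Properties AccountExpirationDate, Enabled, LastLogonDate, Description
    } |
    Select-Object Name, SamAccountName, DistinguishedName, Enabled, AccountExpirationDate,
        LastLogonDate, Description,
        @{ Name = 'DaysExpired'; Expression = { [int](($now - $_.AccountExpirationDate).TotalDays) } }

$expired | Sort-Object DaysExpired -Descending | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} expired user account(s) written to {1}" -f @($expired).Count, $ReportPath)

# Expired accounts that are still enabled are the risk: anyone who can reset the
# expiration date brings them straight back to life, so disable them explicitly.
$stale = $expired | Where-Object { $_.Enabled -and $_.AccountExpirationDate -lt $cutoff }
foreach ($u in $stale) {
    if ($Disable) {
        Disable-ADAccount -Server $Domain -Identity $u.DistinguishedName -Confirm:$false
        Write-Host "Disabled $($u.SamAccountName) (expired $($u.DaysExpired) days ago)"
    } else {
        Write-Host "Would disable $($u.SamAccountName) (expired $($u.DaysExpired) days ago); rerun with -Disable"
    }
}
```

Run it once without -Disable to review the CSV, then again with -Disable once the list has been checked against current vendor and contractor needs.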

Credits

Originally posted at: https://www.netwrix.com/how_to_find_expired_accounts.html