“We need a list of all disabled users.”
“How many users are locked out right now?”
“Do we have any inactive computer accounts?”
These questions, and questions like them, come up in almost every environment that uses Active Directory. They aren't always easy to answer, though, because Active Directory has no real built-in reporting mechanism. If you're looking for a do-it-yourself solution, there are two approaches you can take: the console, and PowerShell.
Let's start with the console. All recent versions of the Active Directory Users and Computers console provide custom querying through the Saved Queries node. Unfortunately, the console doesn't actually produce a report, per se. What you get is a list of the accounts that match your criteria. You can add columns to that list, just as you can in any list in the console, and you can use the Export List action to save it to a tab- or comma-delimited file. If that's all you need, this is probably the easiest way to create reports; you could, for example, import the CSV file into Excel to clean it up and make it prettier. The queries you create are saved with the console, so you can run them again later to generate the same kind of list a bit more quickly.
Another approach is to use PowerShell, along with the Microsoft ActiveDirectory module that ships with Windows Server 2008 R2 (and with the Remote Server Administration Tools, or RSAT, for Windows 7). This time, let's say you want to find all computer accounts that have never changed their password. Remember that computer accounts, just like user accounts, have a password. Domain-joined computers change that password themselves on a regular basis (every 30 days by default), so a computer account whose password has never been set is one that has probably never logged onto the domain. If the computer account isn't fairly recent, it can probably be deleted, or at least examined to find out why it isn't in use. You can schedule PowerShell commands to run on a regular basis using Scheduled Tasks: schedule PowerShell.exe and use its -Command parameter to specify whatever command you come up with (or -File to run a saved script). Be sure the task runs under a user account that has permission to query this information, and no more than that: reading these attributes only requires read access to the directory, so a dedicated low-privilege account is a better choice than a domain administrator.
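The following is an added example of the computer-account query described above; it is not one of the scripts from the article or video referenced on this page. It assumes the ActiveDirectory module is installed, and the function name, the 30-day threshold, the output path and the scheduled-task name and service account in the comment are all placeholders chosen for illustration. A computer account that has never set its password has a pwdLastSet attribute of 0, which is what the LDAP filter looks for.

```powershell
# Added example: list computer accounts that have never set their password
# and are old enough that the account is unlikely to still be pending a join.
Import-Module ActiveDirectory

function Get-NeverUsedComputer {
    [CmdletBinding()]
    param(
        # Ignore accounts younger than this; they may simply not have joined yet.
        [int]$MinAgeDays = 30,
        # Defaults to the whole domain; narrow it to an OU for a focused report.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $cutoff = (Get-Date).AddDays(-$MinAgeDays)

    # pwdLastSet=0 means the password has never been set by the computer itself.
    Get-ADComputer -LDAPFilter '(pwdLastSet=0)' -SearchBase $SearchBase `
        -Properties whenCreated, PasswordLastSet, OperatingSystem, Enabled |
        Where-Object { $_.whenCreated -lt $cutoff } |
        Select-Object Name, Enabled, OperatingSystem, whenCreated, PasswordLastSet, DistinguishedName
}

# Produce the report as a CSV that can be opened in Excel (output path is a placeholder).
Get-NeverUsedComputer -MinAgeDays 30 |
    Sort-Object whenCreated |
    Export-Csv -Path 'C:\Reports\NeverUsedComputers.csv' -NoTypeInformation

# To run this weekly, save it as C:\Scripts\Get-NeverUsedComputer.ps1 and register a
# scheduled task that launches PowerShell.exe with -File. The task name and the
# service account below are placeholders; use a read-only account, not a domain admin.
# schtasks /Create /TN "AD-NeverUsedComputers" /SC WEEKLY /RU CORP\svc_adreport /RP * ^
#   /TR "powershell.exe -NoProfile -ExecutionPolicy RemoteSigned -File C:\Scripts\Get-NeverUsedComputer.ps1"
```

Review the resulting list before deleting anything: a pre-staged account for a machine that is about to be imaged will show up here too, which is why the age threshold exists. Disabling the account first and deleting it after a waiting period is a safer cleanup sequence than deleting outright.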
You can learn more and see the actual PowerShell scripts in my article The Guide to Creating Active Directory Auditing Scripts or you can watch me build a simple auditing report in my video How to Build Active Directory Reports Using Queries & Scripts.