Retrieving accounts with administrative privileges that have not logged on for 30 days in AD

连国 530 Reputation points
2023-11-22T04:28:42.44+00:00

Hello engineer,

I want to retrieve from the AD domain the accounts with administrator privileges (special privileges, different from those of ordinary AD accounts) that have not logged on for more than 30 days.

How do I do this?

Active Directory
Windows Server PowerShell

1 answer

  1. Rich Matheisen 45,671 Reputation points
    2023-11-22T16:29:02.96+00:00

    First, understand that there are two AD properties that hold a "logon date". One is accurate, the other may be several days behind because it's replicated infrequently.

    https://social.technet.microsoft.com/wiki/contents/articles/22461.understanding-the-ad-account-attributes-lastlogon-lastlogontimestamp-and-lastlogondate.aspx

    Second, I think you're attempting to find privileged users (i.e., users that are members of privileged groups). Those users would have a property named "adminCount" with a non-zero value. You should be able to get that list using Get-ADUser with a LDAPFilter parameter:

    Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=Person)(adminCount=1))"
    

    Keep in mind that you may encounter users that are NO LONGER members of a privileged group that still have an adminCount property value set to 1. I don't know if MS ever fixed that problem in the AD, but it was common years ago. You can safely set to adminCount to zero if the user is truly no longer a member of any privileged group.

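As an added example (not part of the answer above or any Microsoft sample), here is one way to combine the two points in PowerShell: take the adminCount=1 set, then resolve each account's true last logon by reading the non-replicated lastLogon value on every domain controller, and report the accounts whose newest value is older than 30 days. It assumes the RSAT ActiveDirectory module and read access to user objects on each DC; the direct group list is included so a reviewer can spot stale adminCount entries that no longer belong to any privileged group.

```powershell
# Added example, not the answerer's code. Assumes the RSAT ActiveDirectory module
# and permission to read user objects on every domain controller.
Import-Module ActiveDirectory

$Threshold = (Get-Date).AddDays(-30)
$DCs = (Get-ADDomainController -Filter *).HostName

# Step 1: candidate set - users flagged by AdminSDHolder (adminCount=1).
$Privileged = Get-ADUser -LDAPFilter "(&(objectClass=user)(objectCategory=person)(adminCount=1))" `
    -Properties LastLogonDate, Enabled, MemberOf

foreach ($User in $Privileged) {
    # Step 2: lastLogon is NOT replicated, so ask each DC and keep the newest value.
    # LastLogonDate (derived from lastLogonTimestamp) is replicated but can lag by
    # up to about 14 days with the default msDS-LogonTimeSyncInterval.
    $Newest = 0
    foreach ($DC in $DCs) {
        try {
            $ll = (Get-ADUser -Identity $User.DistinguishedName -Server $DC -Properties lastLogon).lastLogon
            if ($ll -gt $Newest) { $Newest = $ll }
        } catch {
            Write-Warning "Could not query $DC for $($User.SamAccountName): $_"
        }
    }
    # A value of 0 means no DC has ever recorded an interactive/network logon.
    $LastLogon = if ($Newest -gt 0) { [DateTime]::FromFileTime($Newest) } else { $null }

    # Step 3: report accounts that are stale by the accurate value (or never logged on).
    if ($null -eq $LastLogon -or $LastLogon -lt $Threshold) {
        [PSCustomObject]@{
            SamAccountName = $User.SamAccountName
            Enabled        = $User.Enabled
            LastLogon      = $LastLogon            # newest non-replicated value across DCs
            LastLogonDate  = $User.LastLogonDate   # replicated, possibly days behind
            # Direct memberships only; an empty list alongside adminCount=1 is a
            # sign of the stale-adminCount condition described in the answer.
            DirectGroups   = ($User.MemberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';'
        }
    }
}
```

Pipe the output to Export-Csv for a review list; disabled accounts are kept in the report on purpose, since they often still carry privileged group membership.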