Find objects in Active Directory Part 2

In part one I walked through how to find common objects such as users and computers. In part 2, I will go over the custom search options and common queries.

Read other parts in this article series:

Find objects in Active Directory Part 1

The custom search lets you search within an object type for very specific details, such as City, State, Zip or address: essentially any field that exists on the object. Common Queries is a quick and easy way to find disabled accounts, non-expiring passwords and accounts that have not been logged into for a certain amount of time.

Example 1: Find all the users whose City is Springfield

With the Find window open, select Custom Search -> Field -> “User” and then “City”.

The screenshot above shows all the different fields of the User object that you can select and use in your search.

In the Condition field select “Starts with” and in the Value field enter “spr”.

This shows every user whose city starts with “spr”. You could also set the condition to “Is (exactly)” and enter the complete city name in the Value field.

You can verify your results by opening one of the search results and going to the Address tab.

Example 2: Find all disabled accounts using Common Queries

Select “Common Queries” from the Find drop-down menu.
Check the box for disabled accounts and click the “Find Now” button.

My search found 15 accounts that were disabled.

Example 3: Find accounts with non-expiring passwords using Common Queries

Check the box that says “Non expiring passwords” and click the “Find Now” button.

My search returned 8 accounts where the password was set to never expire. I would recommend running this search in your AD environment and identifying any accounts that are set to never expire. Your users should not be set up with non-expiring passwords; generally that is only used for service accounts.

Example 4: Find accounts that have not logged in for 30 days

Select “30 days” from the “Days since last logon” drop-down and click “Find Now”.

You can see from the drop-down that you can select 30, 60, 90, 120 or 180 days. I would recommend searching for accounts that have not logged in for 90 days or more and verifying that the accounts are still valid. You may be surprised how many accounts are sitting out there which have not been logged into.

My search returned two accounts that have not been logged into for 30 days.
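The same four searches (city, disabled accounts, non-expiring passwords, stale logons) can be run from PowerShell with the ActiveDirectory module from RSAT, which makes them easy to schedule as a recurring hygiene check. This is an added example, not code from the original article; the search base DN is an assumed placeholder you must replace with your own domain or OU.

```powershell
# Added example (not from the original article): the four Find-dialog queries
# expressed as LDAP filters against the ActiveDirectory PowerShell module.
Import-Module ActiveDirectory

# Assumed placeholder; replace with the DN of your domain or OU.
$SearchBase = 'DC=example,DC=local'

# Example 1: City starts with "spr". The "City" field in the dialog is the
# LDAP attribute "l" (lowercase L) on the user object.
$byCity = Get-ADUser -LDAPFilter '(l=spr*)' -SearchBase $SearchBase -Properties City |
    Select-Object SamAccountName, Name, City

# Example 2: disabled accounts. Bit 2 (ACCOUNTDISABLE) of userAccountControl,
# tested with the LDAP_MATCHING_RULE_BIT_AND rule OID 1.2.840.113556.1.4.803.
$disabled = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' `
    -SearchBase $SearchBase | Select-Object SamAccountName, Name

# Example 3: "Password never expires". Bit 65536 (DONT_EXPIRE_PASSWORD) of
# userAccountControl. Anything here that is not a service account needs review.
$neverExpires = Get-ADUser -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=65536)' `
    -SearchBase $SearchBase -Properties Description |
    Select-Object SamAccountName, Name, Description

# Example 4: no logon for 30 days. The dialog's "Days since last logon" reads
# lastLogonTimestamp, which is replicated domain-wide but only refreshed when
# the stored value is roughly 14 days old, so treat the result as approximate.
# This version also excludes already-disabled accounts, which the dialog does not.
$cutoff = (Get-Date).AddDays(-30).ToFileTimeUtc()
$stale = Get-ADUser -SearchBase $SearchBase -Properties lastLogonTimestamp `
    -LDAPFilter "(&(lastLogonTimestamp<=$cutoff)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))" |
    Select-Object SamAccountName, Name,
        @{ n = 'LastLogon'; e = { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } }

# Summarise counts, then list the stale accounts for follow-up.
"Users in cities starting with 'spr': $($byCity.Count)"
"Disabled accounts:                   $($disabled.Count)"
"Password never expires:              $($neverExpires.Count)"
"No logon in 30 days (enabled only):  $($stale.Count)"
$stale | Sort-Object LastLogon | Format-Table -AutoSize
```

Accounts that have never logged on have no lastLogonTimestamp at all and so do not match the Example 4 filter; check for them separately with `(!(lastLogonTimestamp=*))` if you want them included.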
