Query Active Directory for User Accounts Created in Last 90 Days Using PowerShell



Tracking recently created Active Directory accounts is critical for security audits, compliance checks, and troubleshooting permission issues. When new employees join or service accounts get created, administrators need visibility into these changes. The 90-day window is particularly important as it covers standard probation periods and helps identify stale test accounts.

While you could use the AD Users and Computers GUI, PowerShell provides more flexibility and automation capabilities. The ActiveDirectory module offers powerful cmdlets specifically designed for this purpose:

Import-Module ActiveDirectory

$90DaysAgo = (Get-Date).AddDays(-90)
Get-ADUser -Filter {whenCreated -ge $90DaysAgo} -Properties whenCreated | 
    Select-Object Name,SamAccountName,whenCreated |
    Sort-Object whenCreated -Descending |
    Export-Csv -Path "C:\Reports\NewUsersLast90Days.csv" -NoTypeInformation

The key components of this solution:

  • -Filter {whenCreated -ge $90DaysAgo} - The date comparison filter
  • -Properties whenCreated - Includes the creation timestamp
  • Sort-Object - Orders results by newest first
  • Export-Csv - Creates an audit-ready report

For more targeted searches, you can combine filters:

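# Enabled accounts created in the window, narrowed to the IT department
# (the trailing backtick continues the command onto the next line)
Get-ADUser -Filter {whenCreated -ge $90DaysAgo -and Enabled -eq $true} `
    -Properties whenCreated,Department |
    Where-Object {$_.Department -eq "IT"}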

To automate this process, create a scheduled task that runs this script weekly. The CSV output can be emailed or saved to a shared location:

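# Build an HTML table that includes the creation timestamp
$Body = Get-ADUser -Filter {whenCreated -ge $90DaysAgo} -Properties whenCreated |
    Select-Object Name,SamAccountName,whenCreated |
    ConvertTo-Html |
    Out-String

# Uses the server in $PSEmailServer unless -SmtpServer is supplied
Send-MailMessage -From "admonitor@domain.com" -To "admin@domain.com" `
    -Subject "Weekly AD Account Audit" -Body $Body -BodyAsHtml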

For environments without PowerShell 3.0+, you can use the older Quest cmdlets:

Get-QADUser -CreatedAfter (Get-Date).AddDays(-90) | 
    Select-Object Name,SamAccountName,WhenCreated

When auditing Active Directory (AD) environments, administrators frequently need to identify recently created user accounts. This is crucial for security compliance, onboarding verification, or troubleshooting permission issues.

The most efficient approach uses PowerShell with the ActiveDirectory module. Here's a production-ready script:


# Import required module
Import-Module ActiveDirectory

# Calculate date 90 days ago
$CutoffDate = (Get-Date).AddDays(-90)

# Query AD with filters
Get-ADUser -Filter {whenCreated -ge $CutoffDate} -Properties whenCreated,Name,SamAccountName |
    Select-Object Name,SamAccountName,whenCreated |
    Sort-Object whenCreated -Descending |
    Export-Csv -Path "C:\Reports\NewADAccounts.csv" -NoTypeInformation

For environments without PowerShell access, use this LDAP filter:


(&(objectCategory=person)(objectClass=user)(whenCreated>=20230601000000.0Z))

Note: Replace the timestamp with your 90-day threshold in generalized time format.
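
The threshold in that filter can be generated rather than typed by hand. The following is an added example, not code from the original page: it builds the generalized-time value for an N-day window and runs the same filter through ADSI, which works on hosts where the ActiveDirectory module is not installed. The function names New-CreatedSinceLdapFilter and Get-RecentlyCreatedUser are hypothetical, and the OU in the usage line is the placeholder used elsewhere on this page.

```powershell
# Added example (hypothetical helper names).
function New-CreatedSinceLdapFilter {
    param(
        [int]$Days = 90,
        [datetime]$Now = (Get-Date)
    )
    # whenCreated is compared in UTC generalized time: yyyyMMddHHmmss.0Z
    $stamp = $Now.AddDays(-$Days).ToUniversalTime().ToString(
        'yyyyMMddHHmmss', [cultureinfo]::InvariantCulture)
    '(&(objectCategory=person)(objectClass=user)(whenCreated>={0}.0Z))' -f $stamp
}

function Get-RecentlyCreatedUser {
    param(
        [int]$Days = 90,
        [string]$SearchRoot   # optional distinguished name of an OU to search under
    )
    $searcher = [adsisearcher](New-CreatedSinceLdapFilter -Days $Days)
    if ($SearchRoot) { $searcher.SearchRoot = [adsi]"LDAP://$SearchRoot" }
    $searcher.PageSize = 1000   # page results instead of stopping at the server's size limit
    $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'samaccountname', 'whencreated'))

    $results = $searcher.FindAll()
    try {
        foreach ($r in $results) {
            [pscustomobject]@{
                Name           = [string]$r.Properties['name'][0]
                SamAccountName = [string]$r.Properties['samaccountname'][0]
                WhenCreated    = $r.Properties['whencreated'][0]   # returned as a UTC DateTime
            }
        }
    }
    finally {
        $results.Dispose()   # FindAll() holds unmanaged resources until disposed
    }
}

# Usage: print the filter for any LDAP tool, then run the query against one OU
New-CreatedSinceLdapFilter -Days 90
Get-RecentlyCreatedUser -Days 90 -SearchRoot 'OU=Departments,DC=domain,DC=com' |
    Sort-Object WhenCreated -Descending
```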

To refine results, consider these additional parameters:


# Filter enabled accounts only
Get-ADUser -Filter {whenCreated -ge $CutoffDate -and Enabled -eq $true}

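# Limit the search to a specific OU
# (Search-ADAccount has no creation-date parameter, so use Get-ADUser with -SearchBase)
Get-ADUser -Filter {whenCreated -ge $CutoffDate} -SearchBase "OU=Departments,DC=domain,DC=com" -Properties whenCreated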

For continuous monitoring, create a scheduled task with this script:


Import-Module ActiveDirectory

$LogFile = "C:\Monitor\ADAccountAudit.log"

# The AD filter cannot evaluate method calls, so compute the cutoff first
$Since = (Get-Date).AddDays(-1)
$NewAccounts = Get-ADUser -Filter {whenCreated -ge $Since} -Properties whenCreated

if ($NewAccounts) {
    Add-Content -Path $LogFile -Value "$(Get-Date): New accounts detected"
    $NewAccounts | Export-Clixml -Path "C:\Monitor\DailyAccounts_$(Get-Date -Format yyyyMMdd).xml"
}

If queries return no results:

  • Verify your account has proper read permissions
  • Check if the domain controller replicates changes
  • Confirm time synchronization across servers