0 votes


I try to change the script from Report 'Inactive users' to get only users which are located under an specific "Admin" OU.

I can't use "Look in" because we manage 20 small Domains and I can only pick one Admin OU at a time.
So I try to change the filter part, add $filterAdminOU = "(ou:dn:=Admin)" -> didn't work.
I can't find the failure :(

# Build search filter
$threshold = (Get-Date).AddDays(- $days)
$thresholdInt64 = $threshold.ToFileTime()
$thresholdGeneralizedTime = [Softerra.Adaxes.Utils.Transform]::ToGeneralizedTime($threshold.ToUniversalTime())

$filterUsers = "(sAMAccountType=805306368)" # all user objects
$filterAdminOU = "(ou:dn:=Admin)"
$filterCreatedBefore = "(whenCreated<=$thresholdGeneralizedTime)"

$filterNoLastLogonTimestamp = "(!(lastLogonTimestamp=*))"
$filterLoggedOnBeforeTimestamp = "(lastLogonTimestamp<=$thresholdInt64)"

# The report is based on the lastLogonTimestamp attribute, which is replicated across all DCs.
# The lastLogon attribute is not replicated but contains the exact time when a 
# user logged on the DC Adaxes is connected to. Using the attribute in search filter makes
# report results more accurate.
$filterNoLastLogon = "(!(lastLogon=*))"
$filterLoggedOnBefore = "(lastLogon<=$thresholdInt64)"

$filterPasswordChangedBefore = "(pwdLastSet<=$thresholdInt64)"

$filter = "(&" +
    $filterUsers + $filterCreatedBefore + $filterAdminOU +
    "(|" + $filterNoLastLogonTimestamp + $filterLoggedOnBeforeTimestamp + ")" +
    "(|" + $filterNoLastLogon + $filterLoggedOnBefore + ")" +
    $filterPasswordChangedBefore + ")"


by (510 points)

Ok, I found "Support for Extensible Match Search Filters are limited, Microsoft's Active Directory for instance does not support this (reference)."

Can I filter the search result like in Powershell | where { $_.CanonicalName -like "*/Admin/*" }


1 Answer

0 votes
by (262k points)
selected by
Best answer

Hello Helmut,

To achieve what you need, we recommend using a Business Unit as the report scope. For information on how to create Business Units, have a look at the following tutorial: https://www.adaxes.com/tutorials_Active ... tively.htm. The Business Unit should contain the users located in the Admin OUs in all the domains.

Related questions

0 votes
1 answer

I have to do a weekly Inactiviy Report for Accounts that have not logged in for 30 days or more. 1 of the reports is for Internal users BUT there is an Account ... Adaxes and working on the product, and i need to get all my reporting done through Adaxes

asked Nov 14, 2022 by dtorannini (80 points)
0 votes
1 answer

Dear Adaxes Support, I'm trying to check the uniqueness of the Initials-proberty. My script works well so far. Import-Module Adaxes $value = $Context.GetModifiedPropertyValue("initials"); if ( ... Have you a idea how I can do this in the right way? Thanks :-)

asked Aug 13, 2013 by Napoleon (700 points)
0 votes
1 answer

Hello dear ADAXES community, what i wanted to do is, to have a custom report which does the following: get every group in a specific OU (the OU comes from an adaxes custom ... Add($Group.name) } } is this possible in such a way? thank you for your help

asked Sep 23, 2020 by m_st (200 points)
0 votes
1 answer

We manage employee user accounts in our on-premise Active Directory and synchronize them to Azure Active Directory using Azure AD Connect. We'd like to be able to generate ... if this is possible so we can easily identify user accounts that are truly inactive.

asked May 9 by RickWaukCo (320 points)
0 votes
1 answer

Hello, The report named Inactive users allowed to log in shows the Active Directory sign-in (Last-Logon-Timestamp) and Azure AD sign-in (Last Logon) but only for Active Directory ... updated by an Azure logic App. But we'd love to have this natively in Adaxes.

asked Dec 13, 2022 by Gavin.Raymen (40 points)
3,225 questions
2,925 answers
534,169 users