Find Inactive users in Active Directory using PowerShell Script

This post explains how to find inactive users in Active Directory using a PowerShell script.

Active Directory Reporting

InfraSOS

At the beginning of our article titled Find Inactive users in AD, please take a look at InfraSOS: the solution you need to secure, analyze and report on Active Directory and Office 365 users, delivered as a SaaS AD reporting solution.

InfraSOS Active Directory AD benefits

  • Audit Active Directory users. 
  • Audit Office365 users. 
  • SaaS platform.
  • Active Directory Management.
  • Active Directory Health Check.
  • Office365 Management.
  • Azure AD monitoring. 
  • Overview of your Active Directory domain / forests.
  • Decrease replications of users.
  • Improve the speed of AD user logons.
  • DNS monitor.
  • AD user reporting tools.

How are Inactive User Accounts Identified?

A major risk for organizations that deal with large amounts of data is a security breach, and inactive users in Active Directory can be the cause of major security issues.

It is therefore pertinent that these organizations make the effort to run regular checks on their Active Directory. Once inactive users are found, those accounts should be disabled.

One of the most common and effective ways of discovering inactive users is through the use of the LastLogonTimeStamp Attribute.

The LastLogonTimeStamp Attribute

This is an attribute found on user accounts. It helps us identify inactive user accounts and computers.

Although LastLogonTimeStamp is updated by several logon types, we are concerned with the Interactive logon, which records when someone logs on at a console.
Here is how to locate the LastLogonTimeStamp attribute for a user in Active Directory:
  1. Open a user account.
  2. Click on the Attribute Editor tab.
  3. Scroll down to the LastLogonTimeStamp field.

Whenever a user logs on to Active Directory, you can use the LastLogonDate and LastLogonTimeStamp attributes to query every domain controller and work out the date of the last logon. This can be used as a means of identifying inactive users.

Why Inactive User Accounts in Active Directory should be Identified

As mentioned earlier, there are several reasons why inactive user accounts should be identified and eliminated. Some of the reasons are listed below:

  • Security reasons: This comes first because it is the most important. An account that has been dormant or unused for some time is a perfect entry point for a security breach. Constant checking and control are therefore important.
  • Data integrity: Active Directory is essentially a centralized database that holds critical information. The data in the directory has to be accurate and up to date to avoid errors in the other systems connected to or working with it.
  • Licensing and cost implications: If several inactive accounts in Active Directory are synchronized with software that is licensed on a per-user basis, the organization will be paying for licenses for users who are not using them.
  • Proper management: An Active Directory that is disorganized and littered with irrelevant information is harder to manage. It is therefore in an organization’s interest to ensure that old users’ information is removed from Active Directory.

Using PowerShell Script to Find Inactive User Accounts in Active Directory

Different users have different reasons for wanting to find inactive users, whether it is managing the Active Directory database or reducing security risk; either way, the operation has to be carried out.
You have various options for performing this task. You could navigate through hundreds of names in the directory to find out which are active and which are not.

The downside of this option is that it is cumbersome for organizations with a large number of users. Thankfully, other options are available, one of which is the use of PowerShell scripts. While this option is fast and time saving, it has some technicalities and requires expertise to use.

Installing the Active Directory Module

We will need the following modules and components installed on our server before we can use PowerShell to check for inactive users.

Executing the code snippet Install-Module -Name ActiveDirectory in the PowerShell console on our server should fetch the package from a content delivery network such as the PowerShell Gallery and install it on our server or workstation.

However, before installing the AD module, we must install a prerequisite package called Remote Server Administration Tools (RSAT).

RSAT enables IT server administrators to remotely manage roles and features on a Windows Server. These tools include managing a domain controller with the Active Directory Domain Services (AD DS) role installed.

We can install this through the GUI method, but for this article, we will be using a PowerShell script to install RSAT on our server.

# import module ServerManager
Import-Module ServerManager

# install RSAT
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature

Next, we will be importing the Active Directory Module.

# import ActiveDirectory Module
Import-Module ActiveDirectory

Finding Inactive Active Directory User Accounts using PowerShell

There are several ways to use PowerShell to get inactive Active Directory users, and these are covered below.
First, we will use the method of checking the LastLogonTimeStamp attribute.

Find inactive users for the past 30 days and export to csv

This checks for Active Directory users who have been inactive for the past 30 days and exports the result to a CSV:

# set the number of days of inactivity
$NumberOfDays = 30

# set the cutoff date for the number of days entered
$TimeRange = (Get-Date).AddDays(-$NumberOfDays)

# find users whose last logon is older than the cutoff; request only the attribute we need instead of -Properties *
Get-ADUser -Filter { LastLogonTimeStamp -lt $TimeRange } -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation

Find inactive users for the past 60 days and export to csv

This checks for Active Directory users who have been inactive for the past 60 days and exports the result to a CSV:

# set the number of days of inactivity
$NumberOfDays = 60

# set the cutoff date for the number of days entered
$TimeRange = (Get-Date).AddDays(-$NumberOfDays)

# find users whose last logon is older than the cutoff
Get-ADUser -Filter { LastLogonTimeStamp -lt $TimeRange } -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation

Find inactive users for the past 90 days and export to csv

This checks for Active Directory users who have been inactive for the past 90 days and exports the result to a CSV:

# set the number of days of inactivity
$NumberOfDays = 90

# set the cutoff date for the number of days entered
$TimeRange = (Get-Date).AddDays(-$NumberOfDays)

# find users whose last logon is older than the cutoff
Get-ADUser -Filter { LastLogonTimeStamp -lt $TimeRange } -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation
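As an added example that is not part of the original article, the script below generalizes the three snippets above: it takes the number of days as a parameter, converts the raw lastLogonTimestamp value itself, and also lists enabled accounts that have never logged on, which a plain -lt filter skips because the attribute is empty. It assumes the ActiveDirectory module is loaded and can reach a domain controller; the output file name is a placeholder.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is loaded and the session can query a domain controller.
param(
    [int]$NumberOfDays = 90,
    [string]$OutFile = 'InactiveActiveDirectoryUsers.csv'   # placeholder path
)

# lastLogonTimestamp is only rewritten when the stored value is older than the
# msDS-LogonTimeSyncInterval (14 days by default), so keep the window well above that.
$Cutoff = (Get-Date).AddDays(-$NumberOfDays)

# Ask for just the attributes needed instead of -Properties *.
$Users = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated

$Report = foreach ($u in $Users) {
    # Accounts created inside the window have not had a chance to log on yet.
    if ($u.whenCreated -gt $Cutoff) { continue }

    # lastLogonTimestamp is a Windows FILETIME stored as Int64; it is empty for
    # accounts that have never logged on, so convert only when present.
    $LastLogon = $null
    if ($u.lastLogonTimestamp) {
        $LastLogon = [DateTime]::FromFileTime($u.lastLogonTimestamp)
    }

    if ($null -eq $LastLogon) {
        $Reason = 'Never logged on'
    } elseif ($LastLogon -lt $Cutoff) {
        $Reason = "No logon for more than $NumberOfDays days"
    } else {
        continue   # active within the window
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        Name           = $u.Name
        LastLogon      = if ($LastLogon) { $LastLogon.ToString('yyyy-MM-dd') } else { 'Never' }
        WhenCreated    = $u.whenCreated.ToString('yyyy-MM-dd')
        Reason         = $Reason
    }
}

$Report | Sort-Object LastLogon | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
'{0} inactive user(s) written to {1}' -f @($Report).Count, $OutFile
```

Run it as a .ps1 file, for example with -NumberOfDays 60, and review the Reason column before acting on any account.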

Find inactive users using the Enabled Attribute

Next, this PowerShell snippet checks for inactive Active Directory users by selecting users whose Enabled attribute has the value False (boolean):

Get-ADUser -Filter * -Properties Enabled | Where-Object { $_.Enabled -eq $false } | Format-Table Name, Enabled -AutoSize

Find inactive users using the Search-ADAccount

Finally, in this section we use a PowerShell cmdlet to search for Active Directory users, computers and service accounts that are inactive.

Search-ADAccount -AccountInactive

Search for inactive user accounts only:

Search-ADAccount -AccountInactive -UsersOnly

Search for user accounts only that have been inactive for 60 days (-TimeSpan expects a TimeSpan value, so the days are written as days.hours:minutes:seconds; a bare 60 would be read as 60 ticks):

Search-ADAccount -AccountInactive -TimeSpan 60.00:00:00 -UsersOnly

Search for user accounts only that have been inactive for 60 days and export the result to a CSV:

Search-ADAccount -AccountInactive -TimeSpan 60.00:00:00 -UsersOnly | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation
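As an added example that is not part of the original article, this script takes the Search-ADAccount approach above one step further toward the disabling that the article recommends: it finds enabled users inactive for the given number of days, skips accounts newer than the window, and only disables anything when -Commit is passed, writing a CSV log either way. It assumes the ActiveDirectory module is loaded and that the account running it may modify the users it reports; the -Commit switch and log file name are this example's own.

```powershell
# Added example, not from the original article. Assumes the ActiveDirectory
# module is loaded and the account running it may modify the users it reports.
param(
    [int]$Days = 60,
    [switch]$Commit,                                    # preview only unless given
    [string]$LogFile = 'DisabledInactiveUsers.csv'      # placeholder path
)

# -TimeSpan expects a TimeSpan; a bare integer such as 60 is read as 60 ticks,
# so build the span explicitly.
$Span   = New-TimeSpan -Days $Days
$Cutoff = (Get-Date).Subtract($Span)

$Stale = Search-ADAccount -AccountInactive -TimeSpan $Span -UsersOnly |
    Where-Object { $_.Enabled } |
    ForEach-Object { Get-ADUser -Identity $_.DistinguishedName -Properties whenCreated, LastLogonDate }

$Results = foreach ($u in $Stale) {
    # Skip accounts younger than the window; they simply have not logged on yet.
    if ($u.whenCreated -gt $Cutoff) { continue }

    $Stamp = 'Disabled {0:yyyy-MM-dd} after {1} days without logon' -f (Get-Date), $Days
    if ($Commit) {
        Set-ADUser -Identity $u -Description $Stamp   # leave a trail on the object itself
        Disable-ADAccount -Identity $u
    }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = $u.LastLogonDate
        Action         = if ($Commit) { 'Disabled' } else { 'Would disable (preview)' }
    }
}

$Results | Export-Csv -Path $LogFile -NoTypeInformation
$Results | Format-Table -AutoSize
```

Run it once without -Commit, check the preview CSV for service or shared accounts that should be excluded, and only then re-run with -Commit.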

Thank you for reading about how to Find Inactive users in Active Directory using PowerShell Script. Let’s summarize.

Find Inactive users in Active Directory using PowerShell Script Conclusion

A PowerShell script is one way to help find inactive users in Active Directory. Specifically, the Get-ADUser and Search-ADAccount cmdlets from the Active Directory module give you the data you will require. Please remember that complex tools like PowerShell require a certain level of expertise, and there is still a need to check lengthy reports. Make sure you have a look at Active Directory Reporting.

In this article, we discussed how to use PowerShell to find inactive users in Active Directory, and we also discussed the Active Directory user attribute that is used to determine whether a user is inactive. Finally, we created several scripts that show how to get inactive Active Directory users.
Esemuede Okougbo

My background is in Cloud Operations, Office 365, Exchange Online, Security & Compliance, Active Directory and Dynamics 365 F&O. I'm a PowerShell Developer and ATTUNE Evangelist. Certified Cyber Security Professional (CSFPC).
