Find Inactive users in Active Directory using PowerShell Script. This post is directed at explaining how to find inactive users in Active Directory using PowerShell Script.
Active Directory Reporting
InfraSOS
At the beginning of our article titled Find Inactive users in AD, please take a look at InfraSOS, a solution you need to secure, analyze and report on Active Directory and Office 365 users using our SaaS AD reporting solution.
It is therefore pertinent that organizations take the effort to ensure that regular checks are carried out on their Active Directory. Once inactive users are found in Active Directory, these accounts should be disabled.
One of the most common and effective ways of discovering inactive users is through the use of the LastLogonTimeStamp Attribute.
The LastLogonTimeStamp Attribute
This is an attribute found on user accounts. It helps us identify inactive user accounts and their computers.
The LastLogonTimeStamp is updated by several logon types; here we are concerned with the Interactive logon, which records when someone logs on at a console.
Let's look at how to locate the LastLogonTimeStamp attribute for a user in Active Directory:
Open a user account
Click on the Attribute Editor Tab
Scroll down to the LastLogonTimeStamp field.
Whenever a user has logged on to the Active Directory domain, you can use the LastLogonDate and LastLogonTimeStamp attributes to check every domain controller and work out the date of the last logon. This can be used as a means to identify inactive users.
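The per-domain-controller check described above, as an added example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) is loaded and the caller can query every domain controller; lastLogon is not replicated, so each DC keeps its own copy, while lastLogonTimestamp is replicated but only refreshed when the stored value is up to 14 days old.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory module
# (RSAT) is loaded and that the account running it can read every domain controller.
# lastLogon is NOT replicated, so each DC holds its own value; lastLogonTimestamp
# IS replicated but is only refreshed when the stored value is up to 14 days old.
# Querying every DC and taking the newest lastLogon gives the true last logon.
param(
    [Parameter(Mandatory)] [string]$SamAccountName   # user to inspect
)
Import-Module ActiveDirectory

$dcs    = Get-ADDomainController -Filter *
$newest = [DateTime]::MinValue
$results = foreach ($dc in $dcs) {
    try {
        $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon, lastLogonTimestamp -ErrorAction Stop
    } catch {
        Write-Warning "Could not query $($dc.HostName): $_"
        continue
    }
    # Both attributes are Int64 FileTime values; 0 / $null means "never logged on here".
    $ll  = if ($u.lastLogon)          { [DateTime]::FromFileTime($u.lastLogon) }          else { $null }
    $llt = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    if ($ll -and $ll -gt $newest) { $newest = $ll }
    [PSCustomObject]@{
        DomainController   = $dc.HostName
        lastLogon          = $ll
        lastLogonTimestamp = $llt
    }
}
$results | Format-Table -AutoSize
if ($newest -eq [DateTime]::MinValue) {
    Write-Output "$SamAccountName has no recorded logon on any domain controller."
} else {
    Write-Output "True last logon for $SamAccountName across all DCs: $newest"
}
```

Comparing the per-DC lastLogon column with the replicated lastLogonTimestamp column shows how far the replicated value can lag, which matters when the inactivity window is short.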
Why Inactive User Accounts in Active Directory should be Identified
As mentioned earlier, there are several reasons why inactive user accounts should be identified and eliminated. Some of the reasons are listed below:
Security reasons: This is the foremost reason because it is the most important. An account that has been dormant or unused for some time is a perfect entry point for a security breach, so constant checking and control are important.
Data Integrity: Active Directory is essentially a centralized database holding critical information. The data in the directory has to be accurate and up to date to avoid errors in other systems connected to or working with it.
Licensing and Cost implication: If there are several inactive accounts in Active Directory that are synchronized with software licensed on a per-user basis, the organization will be paying for licenses for users who are not using them.
Proper management: An Active Directory that is unorganized and littered with irrelevant information is harder to manage. It is therefore in an organization's interest to ensure that old users' information is removed from Active Directory.
Using PowerShell Script to Find Inactive User Accounts in Active Directory
Different users have different reasons for wanting to find inactive users, whether managing the Active Directory database space or reducing security risk; either way, this operation has to be carried out.
You have various options when it comes to performing this task. You could navigate through hundreds of names in the directory to find out which of them are active and which are not.
The downside of this option is that it is cumbersome for organizations with a large number of users. Thankfully, other options are available. One of them is the use of PowerShell scripts. While this option is fast and time saving, it has some technicalities to it and requires expertise to use.
We will need the following modules and components installed on our server before we are able to use PowerShell to check for inactive users.
Remote Server Administration Tools (RSAT) for Windows.
Executing the code snippet Install-Module -Name ActiveDirectory in the PowerShell console on our server should fetch the package from a content delivery network such as the PowerShell Gallery and install it on our server or workstation.
However, before installing the AD module, we must install a prerequisite package called Remote Server Administration Tools (RSAT).
Finding Inactive Active Directory User Accounts using PowerShell
There are several ways to use PowerShell to get inactive Active Directory users, and these are covered below.
First, we will be using the method of checking the LastLogonTimeStamp Attribute.
Find inactive users for the past 30 days and export to csv
This checks for inactive Active Directory users within 30 days and exports the result to a CSV:
# set the date (the number of days)
$NumberOfDays = 30
# set the timeframe reaching back the number of days entered
$TimeRange = (Get-Date).AddDays(-$NumberOfDays)
# checks for inactive users within the 30-day timeframe and exports them to CSV
# note: accounts that have never logged on have no LastLogonTimeStamp and are not returned by this filter
Get-ADUser -Filter { LastLogonTimeStamp -lt $TimeRange } -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation
Find inactive users for the past 60 days and export to csv
This checks for inactive Active Directory users within 60 days and exports the result to a CSV:
# set the date (the number of days)
$NumberOfDays = 60
# set the timeframe reaching back the number of days entered
$TimeRange = (Get-Date).AddDays(-$NumberOfDays)
# checks for inactive users within the 60-day timeframe and exports them to CSV
Get-ADUser -Filter { LastLogonTimeStamp -lt $TimeRange } -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation
Find inactive users for the past 90 days and export to csv
This checks for inactive Active Directory users within 90 days and exports the result to a CSV:
# set the date (the number of days)
$NumberOfDays = 90
# set the timeframe reaching back the number of days entered
$TimeRange = (Get-Date).AddDays(-$NumberOfDays)
# checks for inactive users within the 90-day timeframe and exports them to CSV
Get-ADUser -Filter { LastLogonTimeStamp -lt $TimeRange } -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv InactiveActiveDirectoryUsers.csv -NoTypeInformation
Find inactive users using the Enabled Attribute
Next, this PowerShell snippet checks for inactive Active Directory users by referencing users whose Enabled attribute has a value of False (boolean):
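As an added example that is not part of the original post, the following script combines the Enabled check from this section with the LastLogonTimeStamp query from the previous sections and cross-checks the count against Search-ADAccount, which the conclusion mentions. It assumes the ActiveDirectory module (RSAT) is loaded and the caller has read access to the domain; the parameter names and output file name are the example's own.

```powershell
# Added example, not the post's own code. Assumes the ActiveDirectory module
# (RSAT) is loaded and the caller has read access to the domain.
# Produces one CSV of accounts that are either still enabled but have not logged
# on within $NumberOfDays, enabled but never logged on, or already disabled.
param(
    [int]$NumberOfDays = 90,
    [string]$OutFile   = "InactiveActiveDirectoryUsers.csv"
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$NumberOfDays)

# 1) Enabled accounts whose replicated LastLogonTimeStamp is older than the cutoff.
#    The AD module converts the DateTime to the attribute's FileTime form for us.
$stale = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -lt $cutoff } `
                    -Properties LastLogonDate, whenCreated |
         Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated,
                       @{ n = 'Reason'; e = { "No logon in $NumberOfDays days" } }

# 2) Enabled accounts with no LastLogonTimeStamp at all (never logged on) that were
#    created before the cutoff; a brand-new account with no logon yet is not inactive.
$never = Get-ADUser -Filter { Enabled -eq $true -and LastLogonTimeStamp -notlike "*" -and whenCreated -lt $cutoff } `
                    -Properties LastLogonDate, whenCreated |
         Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated,
                       @{ n = 'Reason'; e = { 'Never logged on' } }

# 3) Accounts already disabled (Enabled attribute is $false), as in the section above.
$disabled = Get-ADUser -Filter { Enabled -eq $false } -Properties LastLogonDate, whenCreated |
            Select-Object SamAccountName, Enabled, LastLogonDate, whenCreated,
                          @{ n = 'Reason'; e = { 'Account disabled' } }

# Cross-check: Search-ADAccount applies the same inactivity window server-side.
$viaSearch = Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($NumberOfDays)) -UsersOnly
Write-Output ("Search-ADAccount reports {0} inactive users; attribute queries found {1} stale, {2} never-logged-on, {3} disabled." -f `
    @($viaSearch).Count, @($stale).Count, @($never).Count, @($disabled).Count)

@($stale) + @($never) + @($disabled) | Sort-Object SamAccountName | Export-Csv -Path $OutFile -NoTypeInformation
```

The Reason column lets the reviewer of the report treat the three groups differently: stale and never-logged-on accounts are candidates for disabling, while already-disabled accounts are candidates for removal.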
Find Inactive users in Active Directory using PowerShell Script Conclusion
PowerShell scripts are one way to find inactive users in Active Directory. Specifically, the Get-ADUser and Search-ADAccount cmdlets from the Active Directory module give you the data you will require. Please remember that complex tools like PowerShell require a certain level of expertise, and there is still a need to check lengthy reports. Make sure you have a look at Active Directory Reporting.
In this article, we discussed how to use PowerShell to find inactive users in Active Directory, and we also discussed the Active Directory user attribute that is used to determine whether a user is inactive.
Finally, we created several scripts that show how to get inactive Active Directory users.
My background is in Cloud Operations, Office 365, Exchange Online, Security & Compliance, Active Directory and Dynamics 365 F&O. I'm a PowerShell Developer and ATTUNE Evangelist. Certified Cyber Security Professional (CSFPC).