Find Inactive Users in Active Directory with PowerShell
Active Directory is a tool that every IT Pro has to use when working with Windows. But sometimes it can be very difficult to manage users and computers when a company has hundreds of users.
You must have someone in IT check at least once every month to identify inactive or disabled users that must be deleted or have their access removed.
We know that this often can't happen, and most of the time the cleanup of Active Directory is cancelled in favor of other tasks.
Leaving inactive users in Active Directory degrades the security of your environment and makes Active Directory more difficult to manage.
Today I will explain how you can use PowerShell to find inactive users in Active Directory in a few minutes.
Just a note: every time I publish an article with PowerShell commands, they will be added to Useful PowerShell Commands, which you can use every day.
How can you use PowerShell to find inactive users in Active Directory? You have a lot of options, but today we will use the command Search-ADAccount.
With Search-ADAccount
Before we start, let's explain what the command can do. With this command we can search for Active Directory users, computers or service accounts.
By combining some parameters we can create a small script to find users that have been inactive for more than x days.
- Of course, the first step is to open PowerShell, or PowerShell ISE for more functionality.
- We know that we can use Search-ADAccount, but we must use at least one parameter to run the command.
- If you open https://technet.microsoft.com/en-us/library/ee617247.aspx you will find all the parameters that you can use with Search-ADAccount.
- I found the parameter that can help us with this report.
- Type the following command and press Enter
- Search-ADAccount -AccountInactive
- This seems interesting because we get all the Active Directory objects (users, computers and service accounts) which are inactive.
- But it can't help me, because I need only the inactive users and in a better format.
- So let's use the parameter -UsersOnly and type
- Search-ADAccount -AccountInactive -UsersOnly
- This is what I want, because I get a report only for users.
- But wait a second. Since when have these users been inactive? To be sure, it's better to specify the number of days that these users have been inactive.
- Let's look for users inactive for more than 60 days. Based on your company policy you can change the number of days.
- But how can we use this filter?
- Search-ADAccount has the parameter -TimeSpan that you can use to specify the number of days.
- So let's type and run the command below. The report will be the same, but only with users inactive for more than 60 days. The value is written in d.hh:mm:ss form so that it is read as 60 days.
- Search-ADAccount -AccountInactive -TimeSpan 60.00:00:00 -UsersOnly
- Now you can export this report to Excel, or use Select for a better format, like the command below, and then export to Excel
- Search-ADAccount -AccountInactive -TimeSpan 60.00:00:00 -UsersOnly | Select Name,LastLogonDate
That's it. Now you can use this report, or export it to Excel, and find the users in Active Directory to delete them.
Maybe you need some research to find the commands that cover your requirements, but remember that you will do it only once. Now you have a small script that you can use once a month or every 3 months to identify inactive users in a minute.
I hope this article helps you and that you learn from it.
Have a nice weekend!
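The steps above can be combined into one reusable script. This is an added example, not code from the original article; the output path, the DaysInactive column and the parameter names $Days and $OutFile are assumptions made for illustration.

```powershell
# Added example: report user accounts inactive for more than $Days days.
# Requires the ActiveDirectory module (RSAT). Names and paths are illustrative.
param(
    [int]$Days = 60,                             # change to match company policy
    [string]$OutFile = ".\inactive-users.csv"    # hypothetical output path
)

Import-Module ActiveDirectory

# Build the TimeSpan explicitly so the value is always read as days.
$span = New-TimeSpan -Days $Days

$report = Search-ADAccount -AccountInactive -TimeSpan $span -UsersOnly |
    Select-Object Name, SamAccountName, Enabled, LastLogonDate,
        @{ Name = 'DaysInactive'; Expression = {
            if ($_.LastLogonDate) {
                [int]((Get-Date) - $_.LastLogonDate).TotalDays
            } else {
                $null    # no logon has been recorded for this account
            }
        } },
        DistinguishedName |
    Sort-Object LastLogonDate

# Enabled accounts still grant access, so show them on screen first.
$report | Where-Object Enabled |
    Format-Table Name, LastLogonDate, DaysInactive -AutoSize

# The CSV opens directly in Excel.
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("{0} inactive users written to {1}" -f @($report).Count, $OutFile)
```

LastLogonDate comes from the replicated lastLogonTimestamp attribute, which Active Directory only refreshes every 9 to 14 days by default, so treat dates close to the threshold as approximate.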