The LastLogon and LastLogonTimeStamp attributes can help you to decide if an Active Directory user account or computer account is active or inactive.
Powershell to find inactive accounts Active Directory for 90 days or longer.
[stextbox id=’grey’]Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90 | ?{$_.enabled -eq $True} | Get-ADUser -Properties Name, EmailAddress, Department, Description, lastLogonTimestamp | Select Name, EmailAddress, Department, Description,@{n=’lastLogonTimestamp’;e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv D:\temp\testfunytest.csv[/stextbox]
Another Powershell script to find inactive accounts for 90 days or longer.
[stextbox id=’grey’]import-module activedirectory
$domain = “example.com”
$DaysInactive = 90
$time = (Get-Date).Adddays(-($DaysInactive))
# Get all AD User with lastLogonTimestamp less than our time and set to enable
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
select-object Name,@{Name=”Stamp”; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} |
export-csv OLD_User.csv -notypeinformation[/stextbox]
In Order to Disable a User account, use this to see what accounts you are going to be disabling:
[stextbox id=’grey’]Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly |
Where-Object {$_.lastlogondate -ne $null} |
Format-Table Name,SamAccountName,LastLogonDate -AutoSize[/stextbox]
The below powershell lists all the disabled Active Directory users:
[stextbox id=’grey’]Search-ADAccount –AccountDisabled -UsersOnly[/stextbox]
Search-ADAccount and list the selected properties of all disabled Active Directory users:
[stextbox id=’grey’]Import-Module ActiveDirectory
Search-ADAccount –AccountDisabled -UsersOnly
Select -Property Name,DistinguishedName[/stextbox]
Find Disabled Active Directory Users from specific OU:
[stextbox id=’grey’]Import-Module ActiveDirectory
Search-ADAccount -SearchBase “OU=TestOU,DC=TestDomain,DC=Local” –AccountDisabled -UsersOnly
Select -Property Name,DistinguishedName[/stextbox]
In Order to Export Disabled Active Directory Users to CSV using Powershell user below cmdlet:
[stextbox id=’grey’]Import-Module ActiveDirectory
Search-ADAccount –AccountDisabled -UsersOnly |
Select -Property Name,DistinguishedName |
Export-CSV “C:\\DisabledADUsers.csv” -NoTypeInformation -Encoding UTF8[/stextbox]
You can check the below cmdlets which will export data in the following order – Givenname, Surname, SamAccountname, PrimarySMTPAddress
[stextbox id=’grey’]Get-QADUser -sizelimit 0 | where {$_.accountisdisabled -eq $true} | select givenname,sn,SamAccountName,PrimarySMTPAddress | Export-Csv -Encoding utf8 c:tempdisabled_users.csv[/stextbox]
In Order to Move Disabled Active Directory Users and Computers to New OU
Let’s assume you have two OU’s in Active Directory; DisabledUserAccounts and DisabledComputerAccounts.
[stextbox id=’grey’]Get-ADUser -Filter ‘Enabled -eq $False’ | ForEach {Move-ADObject -Identity “$_” -TargetPath “OU=DisabledUserAccounts,DC=domain,DC=com”} #Substitute your domain for “DC=domain,DC=com”
Get-ADComputer -Filter ‘Enabled -eq $False’ | ForEach {Move-ADObject -Identity “$_” -TargetPath “OU=DisabledComputerAccounts,DC=domain,DC=com”} #Substitute your domain for “DC=domain,DC=com”[/stextbox]
By following above steps you can easily find and remove Active Directory inactive user and computer accounts or you can move them to different OU by using Powershell.
