The LastLogon and LastLogonTimeStamp attributes can help you to decide if an Active Directory user account or computer account is active or inactive.
Powershell to find inactive accounts Active Directory for 90 days or longer.
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90 | ?{$_.enabled -eq $True} | Get-ADUser -Properties Name, EmailAddress, Department, Description, lastLogonTimestamp | Select Name, EmailAddress, Department, Description,@{n='lastLogonTimestamp';e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv D:\temp\testfunytest.csv
Another Powershell script to find inactive accounts for 90 days or longer.
import-module activedirectory
$domain = "example.com"
$DaysInactive = 90
$time = (Get-Date).Adddays(-($DaysInactive))
# Get all AD User with lastLogonTimestamp less than our time and set to enable
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} |
export-csv OLD_User.csv -notypeinformation
In Order to Disable a User account
Use this to see what accounts you are going to be disabling:
Search-ADAccount -AccountInactive -TimeSpan 90 -UsersOnly |
Where-Object {$_.lastlogondate -ne $null} |
Format-Table Name,SamAccountName,LastLogonDate -AutoSize
The below powershell lists all the disabled Active Directory users:
Search-ADAccount –AccountDisabled -UsersOnly
Search-ADAccount and list the selected properties of all disabled Active Directory users:
Import-Module ActiveDirectory
Search-ADAccount –AccountDisabled -UsersOnly
Select -Property Name,DistinguishedName
Find Disabled Active Directory Users from specific OU:
Import-Module ActiveDirectory
Search-ADAccount -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" –AccountDisabled -UsersOnly
Select -Property Name,DistinguishedName
In Order to Export Disabled Active Directory Users to CSV using Powershell user below cmdlet:
Import-Module ActiveDirectory
Search-ADAccount –AccountDisabled -UsersOnly |
Select -Property Name,DistinguishedName |
Export-CSV "C:\\DisabledADUsers.csv" -NoTypeInformation -Encoding UTF8
You can check the below cmdlets which will export data in the following order – Givenname, Surname, SamAccountname, PrimarySMTPAddress
Get-QADUser -sizelimit 0 | where {$_.accountisdisabled -eq $true} | select givenname,sn,SamAccountName,PrimarySMTPAddress | Export-Csv -Encoding utf8 c:tempdisabled_users.csv
In Order to Move Disabled Active Directory Users and Computers to New OU
Let’s assume you have two OU’s in Active Directory; DisabledUserAccounts and DisabledComputerAccounts.
Get-ADUser -Filter ‘Enabled -eq $False’ | ForEach {Move-ADObject -Identity "$_" -TargetPath "OU=DisabledUserAccounts,DC=domain,DC=com"}#Substitute your domain for “DC=domain,DC=com”
Get-ADComputer -Filter ‘Enabled -eq $False’ | ForEach {Move-ADObject -Identity "$_" -TargetPath "OU=DisabledComputerAccounts,DC=domain,DC=com"}#Substitute your domain for “DC=domain,DC=com”
By following above steps you can easily find and remove Active Directory inactive user and computer accounts or you can move them to different OU by using Powershell.
