Finding old, inactive users and computers in on-premise Active Directory using Powershell

One of the questions I get asked frequently is “How can I work out how many of my users or computers are inactive or old?”

Well, there are a number of ways to do this, but I’ve found that the easiest and certainly the quickest has been to use PowerShell.

Now, I'll say right at the outset that all I'm doing here is showing you the quickest way I've found to get a list of inactive or disabled users, nothing more.

I know there is much, much more that we can do with it, and get really clever with the scripting. I know, I’ve done it, but for the most part, the people who ask me literally want a list of users, nothing more.

So that’s all I’m going to do.

What am I looking for?
Active Directory stores a whole lot more information than you expect inside the objects for users and computers. A couple of these attributes are useful in determining how long an account has been dormant or inactive.

These might include ‘lastLogonTimeStamp’, or looking at ‘userAccountControl’ to see what the account's status is. There's a load more you can look at too, but you don't need to. You can get the basic details you need from a single cmdlet.

So, how do I get this information out using PowerShell?

NOTE: The following assumes that you are in PowerShell, have added the Active Directory modules and have relevant AD Permissions.

There are a number of solutions for this; most of them use the Get-ADUser or Get-ADObject cmdlets. There are many articles around on how to do this, but for the most part it is much easier to use the ‘Search-ADAccount’ cmdlet.

Search-ADAccount can be used with a number of switches, but the most common ones are:

-PasswordExpired
-PasswordNeverExpires
-AccountDisabled
-AccountExpired
-AccountInactive

Today, we’ll briefly look at -AccountInactive and -AccountDisabled

Disabled Accounts
We all disable accounts regularly, but remembering which ones we disabled is often a challenge. We can address this simply by using the -AccountDisabled switch.

#Return all ADAccounts which are disabled
Search-ADAccount -AccountDisabled

This will simply list all the current AD accounts (users and computers) which are disabled.

You can filter this to just users or computers using one of the two parameters below:

-UsersOnly
-ComputersOnly

You may want to export this data to a CSV file that you can use later. This can easily be done using Export-Csv.

#Use Search-ADAccount to export a list of all the users which are disabled
Search-ADAccount -AccountDisabled -UsersOnly | Export-Csv "c:\export.csv"

Inactive Accounts
Much as with disabled accounts, it is straightforward to identify those accounts which are inactive using -AccountInactive.

#Return all AD Accounts which are inactive
Search-ADAccount -AccountInactive

You can also filter them using the -UsersOnly / -ComputersOnly parameters.

Filtering Inactive Accounts after a certain time
With the -AccountInactive switch you can also quickly find those users that have been inactive for a period of time, such as 90 days, using the -TimeSpan parameter. This check is based on lastLogonTimeStamp, which by default is only replicated between domain controllers every 9 to 14 days, so treat the result as approximate.

#Return accounts with no logon in the last 30 days (d.hh:mm:ss form; a bare integer is not read as days)
Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00

Again, you can export this to a CSV or similar using Export-Csv as above.
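
Putting the two switches together, here is an added example (not code from the original post) that reports enabled users with no logon for 90 days and skips accounts created too recently to have been used yet. It assumes the ActiveDirectory module is loaded and the caller can read the domain; the output path is a placeholder.

```powershell
# Added example, not code from the original post: report enabled user accounts with no
# logon recorded for 90 days, skipping accounts created so recently that they could not
# have logged on yet. Assumes the ActiveDirectory module is loaded and the caller can
# read the domain; the output path is a placeholder.
$days       = 90
$cutoff     = (Get-Date).AddDays(-$days)
$outputPath = 'C:\reports\stale-users.csv'   # placeholder path

# -TimeSpan needs a [TimeSpan]; a bare integer such as 90 is not read as days.
$stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $days) -UsersOnly |
    Where-Object { $_.Enabled }   # disabled accounts are already covered by -AccountDisabled

$report = foreach ($acct in $stale) {
    # Search-ADAccount returns a trimmed object; fetch the attributes the report needs.
    $u = Get-ADUser -Identity $acct.DistinguishedName -Properties lastLogonTimestamp, whenCreated, pwdLastSet
    if ($u.whenCreated -gt $cutoff) { continue }   # new account that has simply not been used yet

    # lastLogonTimestamp and pwdLastSet are FILETIME values (0 or missing means never set).
    # lastLogonTimestamp is only replicated every 9 to 14 days by default, so this value
    # can trail the real last logon by up to two weeks.
    $lastLogon   = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $pwdLastSet  = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        LastLogon         = $lastLogon
        PasswordLastSet   = $pwdLastSet
        Created           = $u.whenCreated
    }
}

$report | Sort-Object LastLogon | Export-Csv -Path $outputPath -NoTypeInformation
'{0} enabled user account(s) inactive for more than {1} days written to {2}' -f @($report).Count, $days, $outputPath
```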

What’s next
There's a lot more you can do with these disabled or inactive accounts, and we've barely touched on the cmdlet itself.

This may not be the best way for you, but if you just need a really quick overview of your disabled or inactive accounts, then this is probably the quickest and easiest way to get it.

Active Directory Advanced Mode

As a domain or enterprise administrator, you’d like to think that opening Active Directory users and computers (ADUC) will give you all the access you could ever need.

Well, you'd be wrong. Some of the features you may need are hidden away in ‘Advanced Features’.

These include:

  • Access to the ‘object’, ‘security’ and ‘Attribute Editor’ tabs
  • The revealing of some hidden containers (including Lost and Found and System)

Enabling ‘Advanced Features’
The Advanced Features option is easy to find, as it's a check box under ‘View’.

Do I need it?
The answer here is possibly, but once you've used it, you'll want it on everywhere you look. The features I use the most in Active Directory are the Attribute Editor and the Object tab.

Here’s why:

Object Tab
The Object tab is great for looking at when a user was created/modified, or for using the ‘Protect object from accidental deletion’ check box.

Attribute Editor
As someone who works with Active Directory every day, I use the Attribute Editor more than most. Firstly, it's great for finding out what attributes are really called, and what's really in them.

I also use it extensively to store data that I need in Active Directory, but I don’t want to put in a field that anyone can see.

Working with Active Directory in Powershell – Finding and exporting user information

Most of us work primarily with Active Directory Users and Computers, and for the most part this works fine. Sometimes, though, it's easier to do the things we need to do with PowerShell.

In this post, I'll cover the basics of using PowerShell with Active Directory to get user information.

Connecting to Active Directory
If you are working on a server with an Active Directory role (a domain controller, for example) you will already have all the tools you need. You can open the Active Directory Module for PowerShell from the Start menu.

Or you can open PowerShell and import the Active Directory module (the module name has no space):

Import-Module ActiveDirectory

If you are working on a machine which is not a Server with an AD role, you will need to be on a machine which is a member of the domain you want to query and has the ‘Remote Server Administration Tools’ or ‘RSAT’ installed.

For more information on installing RSAT, see this post on TechNet

Once you have RSAT installed, ensure you have the Active Directory Module for PowerShell installed.

Testing the Connection to Active Directory.
Once you have PowerShell open, you can check that you can communicate with Active Directory using the command

Get-ADDomain

This will simply connect to Active Directory and output some basic details about the domain.

The Get-ADUser Cmdlet
The only cmdlet we'll use here is ‘Get-ADUser’.

As with every PowerShell cmdlet, you can use Get-Help to get detailed information on the parameters you can use.

Get-Help Get-ADUser

You can also use -Examples to get some sample code.

Get-Help Get-ADUser -Examples

Finding Users
Firstly, we can use the Get-ADUser cmdlet to retrieve all the users in the Domain:

Get-ADUser -Filter *

This will retrieve every user in Active Directory and output them as a list.

However, this isn’t very useful, as it most likely won’t contain the attributes you need.

By default, only a small set of attributes are retrieved. You can specify the attributes to be retrieved using:

-Properties *

This will add every property for a user, but you can then use ‘select’ to display only the attributes you want.

| select <attributeName>, <attributeName2>
Get-ADUser -Filter * -Properties * | select sAMAccountName, givenName, surname

You can select as many attributes as you want, but if you add more than four, the output will change from a tabular format to one line per attribute.

Exporting the retrieved information
You're probably querying Active Directory in order to do something with the information, and for that you may want the data exported into a usable format. You can export to a CSV file by adding

| Export-Csv "C:\pathtoexportto\filename.csv" -NoTypeInformation
Get-ADUser -Filter * | select sAMAccountName, givenName, surname | Export-Csv "C:\pathtoexportto\filename.csv" -NoTypeInformation


Filtering which OU’s to query
So far we have only queried the full domain. To choose where the base of the query should be, you can add the -SearchBase parameter:

-SearchBase "OU=nameofou,DC=domain,DC=local"
Get-ADUser -Filter * -SearchBase "OU=Staff,OU=Users,OU=Salamander-Sims,DC=salamandertest,DC=co,DC=uk" | select sAMAccountName


Find a specific user
If you want to select a specific user, you can use the -Identity parameter followed by the account name.

Get-ADUser -Identity myusername


Adding filters based on attributes

You can also filter users on their attributes with the -Filter parameter:

Get-ADUser -Filter {givenName -eq "Ben"}
Get-ADUser -Filter {(givenName -eq "John") -and (sn -eq "Smith")}

You can also use the -like operator when filtering. Here we query every user that has an email address:

Get-ADUser -Filter {mail -like "*"}
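
As an added example (not code from the original post), the following ties the attribute filtering above to the userAccountControl attribute mentioned at the start: it combines -SearchBase, a -Filter built from a variable, a specific -Properties list, and decodes the status bits so that disabled, password-not-required and delegation-trusted accounts are visible at a glance. It assumes the ActiveDirectory module is loaded; the OU path and mail domain are placeholders.

```powershell
# Added example, not code from the original post. Assumes the ActiveDirectory module is
# loaded; $searchBase and $mailDomain are placeholders to change for your own domain.
$searchBase = 'OU=Staff,DC=example,DC=local'
$mailDomain = 'example.com'

# Bits carried in userAccountControl (values from the AD schema documentation).
$uacFlags = [ordered]@{
    ACCOUNTDISABLE         = 0x0002
    PASSWD_NOTREQD         = 0x0020
    DONT_EXPIRE_PASSWORD   = 0x10000
    TRUSTED_FOR_DELEGATION = 0x80000
}

function ConvertFrom-UserAccountControl {
    param([int]$Value)
    # Return the names of every flag bit that is set, joined with ';'
    ($uacFlags.GetEnumerator() |
        Where-Object { ($Value -band $_.Value) -ne 0 } |
        ForEach-Object { $_.Name }) -join ';'
}

# -Filter accepts a string; a PowerShell variable inside a double-quoted string is
# expanded before the query is sent, so single-quote the value inside the filter.
$users = Get-ADUser -SearchBase $searchBase `
    -Filter "(mail -like '*@$mailDomain') -and (enabled -eq 'True')" `
    -Properties mail, userAccountControl, whenChanged   # ask only for what is needed

$users |
    Select-Object sAMAccountName, mail, whenChanged,
        @{ Name = 'UAC';      Expression = { $_.userAccountControl } },
        @{ Name = 'UACFlags'; Expression = { ConvertFrom-UserAccountControl $_.userAccountControl } } |
    Sort-Object sAMAccountName |
    Format-Table -AutoSize
```

Because the filter already requires enabled accounts, ACCOUNTDISABLE should never appear in the output; the other flags are the ones worth reviewing in a periodic account audit.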