Finding old, inactive users and computers in on-premise Active Directory using Powershell

One of the questions I get asked frequently is “How can I work out how many of my users or computers are inactive or old?”

Well, there are a number of ways to do this, but I’ve found that the easiest and certainly the quickest has been to use PowerShell.

Now, I'll say right at the outset that all I'm doing here is showing you the quickest way I've found to get a list of inactive or disabled users, nothing more.

I know there is much, much more that we can do with it, and get really clever with the scripting. I know, I’ve done it, but for the most part, the people who ask me literally want a list of users, nothing more.

So that’s all I’m going to do.

What am I looking for?
Active Directory stores a whole lot more information than you might expect inside the objects for users and computers. A couple of these attributes are useful in determining how long an account has been dormant or inactive.

These include ‘lastLogonTimeStamp’, or ‘userAccountControl’ to see what the account’s status is. There’s a load more you can look at too, but you don’t need to. You can get the basic details you need from a single cmdlet.

So, how do I get this information out using PowerShell?

NOTE: The following assumes that you are in PowerShell, have imported the Active Directory module and have the relevant AD permissions.

There are a number of solutions for this, most of them using the Get-ADUser or Get-ADObject cmdlets. There are many articles around on how to do this, but for the most part it is much easier to use the ‘Search-ADAccount’ cmdlet.

Search-ADAccount can be used with a number of switches, but the most common ones are:

-PasswordExpired
-PasswordNeverExpires
-AccountDisabled
-AccountExpired
-AccountInactive

Today, we’ll briefly look at -AccountInactive and -AccountDisabled.

Disabled Accounts
We all disable accounts regularly, but remembering which accounts we disabled can often be a memory challenge. We can address this simply by using the -AccountDisabled switch.

#Return all ADAccounts which are disabled
Search-ADAccount -AccountDisabled

This will quite simply list all the current AD accounts (users and computers) which are disabled.

You can filter this to just Users or Computers using one of the 2 parameters below:

-UsersOnly
-ComputersOnly

You may want to export this data to a CSV file that you can use later. This can easily be done by piping the output to Export-Csv.

#Use Search-ADAccount to export a list of all the users which are disabled
Search-ADAccount -AccountDisabled -UsersOnly | Export-Csv "c:\export.csv"

Inactive Accounts
Much like the disabled accounts, it is straightforward to identify those accounts which are inactive using -AccountInactive.

#Return all AD Accounts which are inactive
Search-ADAccount -AccountInactive

You can also filter them using the -UsersOnly / -ComputersOnly parameters.

Filtering Inactive Accounts after a certain time
With the -AccountInactive switch you can also quickly find those users that have been inactive for a period of time, such as 90 days, by using the -TimeSpan parameter.

Search-ADAccount -AccountInactive -TimeSpan 30

Again, you can export this to a CSV or similar using Export-Csv as above.
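Putting the disabled-account export and the -TimeSpan filter together, here is an added example (not from the original post) that lists user accounts which are still enabled but have shown no logon for a chosen number of days, flags the ones that have never logged on at all, and writes the result to a CSV. It assumes the ActiveDirectory module is installed and the caller has read rights; the function name, the -Days/-SearchBase/-OutFile parameters and the file path are my own choices.

```powershell
# Added example: report enabled users that look inactive and export them to CSV.
# Assumes the ActiveDirectory module is available and the caller can read AD.
# Caveat: -AccountInactive is based on lastLogonTimestamp, which domain
# controllers update only every 9-14 days by default, so the cut-off is approximate.
function Get-StaleEnabledUser {
    [CmdletBinding()]
    param(
        [int]$Days = 90,                         # inactivity threshold in days
        [string]$SearchBase,                     # optional OU to limit the search
        [string]$OutFile = "c:\stale-users-$(Get-Date -Format yyyyMMdd).csv"
    )
    Import-Module ActiveDirectory -ErrorAction Stop

    # Pass an explicit TimeSpan so the unit (days) is unambiguous.
    $params = @{
        AccountInactive = $true
        UsersOnly       = $true
        TimeSpan        = New-TimeSpan -Days $Days
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $stale = Search-ADAccount @params |
        Where-Object { $_.Enabled } |            # already-disabled accounts are covered by -AccountDisabled
        Select-Object SamAccountName, Name, Enabled, LastLogonDate,
                      @{ n = 'NeverLoggedOn'; e = { -not $_.LastLogonDate } },
                      DistinguishedName |
        Sort-Object LastLogonDate

    $stale | Export-Csv -Path $OutFile -NoTypeInformation
    Write-Verbose "Wrote $($stale.Count) enabled users inactive for $Days+ days to $OutFile"
    $stale
}

# Example call (constructed OU path):
# Get-StaleEnabledUser -Days 90 -SearchBase 'OU=Staff,DC=example,DC=com' -Verbose
```

Swap -UsersOnly for -ComputersOnly in the splat to produce the same report for computer accounts.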

What’s next
There’s a lot more you can do with these disabled or inactive accounts, and we’ve barely touched on the cmdlet itself.

This may not be the best way for you, but if you just need a really quick overview of your disabled or inactive accounts, then this is probably the quickest and easiest way to get it.