Windows OS Hub
  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2022
    • Windows Server 2019
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Active Directory Domain Services (AD DS)
    • Group Policies
  • Windows Clients
    • Windows 11
    • Windows 10
    • Windows 8
    • Windows 7
    • Windows XP
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
    • KVM
  • PowerShell
  • Exchange
  • Cloud
    • Azure
    • Microsoft 365
    • Office 365
  • Linux
    • CentOS
    • RHEL
    • Ubuntu

 Windows OS Hub / Active Directory / How to Find Inactive Computers and Users in Active Directory with PowerShell?

January 29, 2021 Active DirectoryPowerShell

How to Find Inactive Computers and Users in Active Directory with PowerShell?

Quite an often task of an Active Directory administrator is to make a list of disabled or inactive user and/or computer accounts. You can use both saved LDAP queries in the ADUC console and PowerShell cmdlets to get a list of inactive objects in an Active Directory domain. In this article, we’ll show you how to use PowerShell to find inactive user and computer accounts.

The Active Directory administrator needs to periodically disable and remove unused computers and user accounts. This will reduce the size of the AD database (ntds.dit file), and also reduce the risk of an attacker or ex-employees using old accounts to access the domain.

Contents:
  • How to Find Inactive (Old) Computers in Active Directory Domain?
  • Find Inactive User Accounts in Active Directory
  • Using Search-ADAccount to Find Inactive AD Objects

In order to use all the PowerShell cmdlets discussed below, at least PowerShell version 3.0 and the Remote Server Administration Toolkit (RSAT) must be installed on the computer. Enable the Active Directory Module for Windows PowerShell from RSAT (Control Panel -> Programs-> Turn Windows Features on and off-> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools).

RSAT Win 10 - enable Active Directory Module for Windows PowerShell

Specifics of installing the RSAT feature in the latest Windows 10 builds.

This PowerShell module can also be enabled using this command:

Add-WindowsFeature RSAT-AD-PowerShell

Start the PowerShell console and import Active Directory for PowerShell module:

Import-Module ActiveDirectory

How to Find Inactive (Old) Computers in Active Directory Domain?

You can use the Get-ADComputer cmdlet to find inactive computer objects in a domain. The LastLogonTimeStamp attribute can be used as search criteria. Note that this attribute cannot be used to retrieve real-time information about the last time a computer logged on to the domain. However, due to the fact that this attribute is replicated between DCs every 9-14 days, you can get information about the last computer logon time from any domain controller (unlike the LastLogonDate attribute, which is updated only on the DC through which the computer logged in).

You can check the current value of the LastLogonTimeStamp attribute in the computer properties in the ADUC console on the Attributes Editor tab.

LastLogonTimeStamp attribute in active directory account properties

Use the following commands to find all computers in a specific OU that have not been logged on for more than 180 days:

$LastLogonDate= (Get-Date).AddDays(-180)
Get-ADComputer -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate }  -SearchBase ‘OU=Computers,OU=Mun,DC=woshub,dc=com’| Sort LastLogonTimeStamp| FT Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} -AutoSize | Export-CSV c:\ps\inactive_computers.csv

get-adcomputer: search for inactive computers by lastlogontimestamp attribute

This command will generate a CSV file with a list of inactive computers that have not been registered on the domain for more than six months.

You can disable the found computer accounts:

Get-ADComputer -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate }  -SearchBase ‘OU=Computers,OU=Mun,dc=woshub,dc=com’| Disable-ADAccount

Move these computer objects to a separate OU:

Get-ADComputer ... | Move-ADObject -TargetPath “OU=Disabled Computers,DC=woshub,DC=com”

Or delete inactive computers:

Get-ADComputer ... | Remove-ADComputer

Find Inactive User Accounts in Active Directory

You can also use the lastLogonTimeStamp attribute to find inactive user accounts. To build a list of inactive users, you need to use this attribute, and not lastLogon (the lastLogon attribute is not replicated between domain controllers).

The following script allow to select enabled user accounts that have not logged into the domain for more than six months (180 days) using the Get-ADUser cmdlet:

$LastLogonDate= (Get-Date).AddDays(-180)
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate }  -SearchBase ‘OU=Users,OU=Mun,dc=woshub,dc=com’| ?{$_.Enabled –eq $True} |  Sort LastLogonTimeStamp| FT Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} -AutoSize | Export-CSV c:\ps\inactive_users.csv

list inactive ad users with powershell

You can disable inactive users :

Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate }  -SearchBase ‘OU=Users,OU=Mun,dc=woshub,dc=com’| Disable-ADAccount

If you need to remove inactive user accounts from AD, use the pipeline with Remove-ADUser.

Using Search-ADAccount to Find Inactive AD Objects

You can use the Get-ADUser, Get-ADComputer, or Get-ADObject cmdlets to find inactive objects in AD. However, creating the correct filter for these commands can be tricky. The ActiveDirectory PowerShell module has a more convenient cmdlet for performing these tasks –  Search-ADAccount. This cmdlet is used to find objects of any type (both users and computers). Let’s look at examples of using the Search-ADAccount cmdlet for typical tasks of searching for disabled, inactive, and locked objects in AD.

Here is the list of the most important keys of Search-ADAccount cmdlet:

Search-ADAccount KeyDescription
-AccountDisabledSearch of disabled accounts
-AccountExpiredSearch of expired accounts
-AccountExpiring [-DateTime DateTime] [-TimeSpan TimeSpan]Search of the accounts to be expired in a certain period of time (-TimeSpan) or on a specific date (-DateTime)
-AccountInactive [-DateTime DateTime] [-TimeSpan TimeSpan]Search of the accounts not logged in since a certain date (-DateTime) or during a certain period of time (-TimeSpan)
-LockedOutSearch of the accounts locked by the domain password policy
-PasswordExpiredSearch of the accounts with the expired passwords
-PasswordNeverExpiresAccounts with the PasswordNeverExpires attribute set (UserAccountControl attribute)
Note. By default, the Search-ADAccount cmdlet searches for both user and computer accounts at the same time. To search only users or computers, you need to use one of the following keys: ComputersOnly or UsersOnly.

For example, let’s display the list of disabled user accounts in domain:

Search-ADAccount -UsersOnly –AccountDisabled

You can limit the search scope to a specific Active Directory container (OU):

Search-ADAccount -UsersOnly –AccountDisabled –searchbase "OU=Admins,OU=Accounts,DC=woshub,DC=com"

list disabled account in AD using Search-ADAccount

The same data can be presented in a more convenient table form using this command:

Search-ADAccount -UsersOnly -AccountDisabled -searchbase "OU=Admins,OU=Accounts,DC=woshub,DC=com"|ft -AutoSize

If you need to get the list of the disabled users containing certain user attributes and present it as a graphic table to be sorted, run the following:

Search-ADAccount -UsersOnly AccountDisabled |sort LastLogonDate | Select Name,LastLogonDate,DistinguishedName |out-gridview -title "Disabled Users"

Search-ADAccount out-gridview

The list of locked user accounts:

Search-ADAccount -UsersOnly –LockedOut

The list of user accounts that have been inactive in the last 60 days:

$timespan = New-Timespan –Days 60
Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | ?{$_.Enabled –eq $True}

To count these user accounts:

Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | ?{$_.Enabled –eq $True} | Measure

The list of computers not registered in the domain network for the last 90 days:

Search-ADAccount -AccountInactive –ComputersOnly -TimeSpan 90

Or since a certain date:

Search-ADAccount -AccountInactive -ComputersOnly -DateTime ‘1/1/2021’|Select Name,LastLogonDate| ft

Search-ADAccount list Inactive computers in domain

To export the object list to a CSV, use this command:

Search-ADAccount -AccountDisabled -UsersOnly| Export-Csv "c:\ps\disabled_users.csv"

1 comment
3
Facebook Twitter Google + Pinterest
previous post
Throttling Network File Transfer Speed on Windows
next post
Using TSADMIN.msc and TSCONFIG.msc Snap-Ins on Windows Server 2016 RDS Host

Related Reading

Configuring Event Viewer Log Size on Windows

May 24, 2023

How to Detect Who Changed the File/Folder NTFS...

May 24, 2023

Enable Single Sign-On (SSO) Authentication on RDS Windows...

May 23, 2023

Allow Non-admin Users RDP Access to Windows Server

May 22, 2023

How to Create, Change, and Remove Local Users...

May 17, 2023

Categories

  • Active Directory
  • Group Policies
  • Exchange Server
  • Microsoft 365
  • Azure
  • Windows 11
  • Windows 10
  • Windows Server 2022
  • Windows Server 2019
  • Windows Server 2016
  • PowerShell
  • VMWare
  • Hyper-V
  • Linux
  • MS Office

Recent Posts

  • Configuring Event Viewer Log Size on Windows

    May 24, 2023
  • How to Detect Who Changed the File/Folder NTFS Permissions on Windows?

    May 24, 2023
  • Enable Single Sign-On (SSO) Authentication on RDS Windows Server

    May 23, 2023
  • Allow Non-admin Users RDP Access to Windows Server

    May 22, 2023
  • How to Create, Change, and Remove Local Users or Groups with PowerShell?

    May 17, 2023
  • Fix: BSOD Error 0x0000007B (INACCESSABLE_BOOT_DEVICE) on Windows

    May 16, 2023
  • View Success and Failed Local Logon Attempts on Windows

    May 2, 2023
  • Fix: “Something Went Wrong” Error When Installing Teams

    May 2, 2023
  • Querying Windows Event Logs with PowerShell

    May 2, 2023
  • Configure Windows LAPS (Local Administrator Passwords Solution) in AD

    April 25, 2023

Follow us

  • Facebook
  • Twitter
  • RSS
Popular Posts
  • Configure Google Chrome Settings with Group Policy
  • Get-ADUser: Find Active Directory User Info with PowerShell
  • How to Find the Source of Account Lockouts in Active Directory?
  • Get-ADComputer: Find Computer Properties in Active Directory with PowerShell
  • How to Disable or Enable USB Drives in Windows using Group Policy?
  • Configuring Proxy Settings on Windows Using Group Policy Preferences
  • Deploy PowerShell Active Directory Module without Installing RSAT
Footer Logo

@2014 - 2023 - Windows OS Hub. All about operating systems for sysadmins


Back To Top