PowerShell to Find Inactive AD User and Computer Accounts

In this post we look at how to find disabled and inactive Active Directory user and computer accounts and move them to a different OU.

The LastLogon and LastLogonTimestamp attributes help you decide whether an Active Directory user or computer account is active or inactive.

PowerShell to find Active Directory accounts that have been inactive for 90 days or longer:

# Enabled users with no logon in the last 90 days (TimeSpan is D.HH:MM:SS),
# with lastLogonTimestamp converted from file time to a readable date
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 |
    Where-Object { $_.Enabled -eq $true } |
    Get-ADUser -Properties Name, EmailAddress, Department, Description, lastLogonTimestamp |
    Select-Object Name, EmailAddress, Department, Description,
        @{ n = 'lastLogonTimestamp'; e = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } |
    Export-Csv D:\temp\testfunytest.csv -NoTypeInformation

Another PowerShell script that finds accounts inactive for 90 days or longer:

Import-Module ActiveDirectory
$DaysInactive = 90
$time = (Get-Date).AddDays(-$DaysInactive)
# Get all enabled AD users whose lastLogonTimestamp is older than the cutoff
Get-ADUser -Filter { LastLogonTimeStamp -lt $time -and Enabled -eq $true } -Properties LastLogonTimeStamp |
    Select-Object Name, @{ Name = "Stamp"; Expression = { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } |
    Export-Csv OLD_User.csv -NoTypeInformation
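The two scripts above only look at users and silently drop accounts that have never logged on (their lastLogonTimestamp is empty, so FromFileTime returns 1601). The following is an added example, not code from the original post, that reports stale users and computers in one pass, treats never-logged-on accounts as stale only if they were also created before the cutoff, and records how far behind each account is. It assumes the RSAT ActiveDirectory module and a domain-joined session; the output path is a placeholder. Note that lastLogonTimestamp is replicated but only refreshed when it is older than msDS-LogonTimeSyncInterval (14 days by default), so it can lag the real last logon by up to that amount, while LastLogon is exact but held per domain controller and not replicated.

```powershell
# Added example (not from the original post): report enabled users and computers with no
# authentication in $DaysInactive days. Assumes the ActiveDirectory module; $OutFile is a placeholder.
Import-Module ActiveDirectory

$DaysInactive = 90
$Cutoff       = (Get-Date).AddDays(-$DaysInactive)
$OutFile      = "C:\Temp\InactiveAccounts.csv"   # placeholder path

# lastLogonTimestamp is replicated but may lag real activity by up to msDS-LogonTimeSyncInterval
# (14 days by default). Accounts that never logged on have no value at all, so whenCreated is
# used as their last activity instead.
$Props = 'lastLogonTimestamp', 'whenCreated', 'Enabled', 'Description'

function Get-StaleAccount {
    param(
        [ValidateSet('User', 'Computer')][string]$Type,
        [datetime]$Before,
        [string]$SearchBase    # optional: restrict the search to one OU
    )
    $params = @{ Filter = 'Enabled -eq $true'; Properties = $Props }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    $objects = if ($Type -eq 'User') { Get-ADUser @params } else { Get-ADComputer @params }

    foreach ($obj in $objects) {
        $lastLogon = if ($obj.lastLogonTimestamp) {
            [DateTime]::FromFileTime($obj.lastLogonTimestamp)
        } else { $null }

        # A never-logged-on account is stale only if it was also created before the cutoff;
        # otherwise a freshly provisioned account would be flagged on day one.
        $reference = if ($lastLogon) { $lastLogon } else { $obj.whenCreated }
        if ($reference -lt $Before) {
            [pscustomobject]@{
                Type               = $Type
                Name               = $obj.Name
                SamAccountName     = $obj.SamAccountName
                DistinguishedName  = $obj.DistinguishedName
                LastLogonTimestamp = $lastLogon
                WhenCreated        = $obj.whenCreated
                NeverLoggedOn      = (-not $lastLogon)
                DaysInactive       = [int]((Get-Date) - $reference).TotalDays
            }
        }
    }
}

$report = @(Get-StaleAccount -Type User -Before $Cutoff) +
          @(Get-StaleAccount -Type Computer -Before $Cutoff)

$report | Sort-Object DaysInactive -Descending |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

"{0} stale users and {1} stale computers written to {2}" -f `
    @($report | Where-Object Type -eq 'User').Count,
    @($report | Where-Object Type -eq 'Computer').Count,
    $OutFile
```

Review the CSV before acting on it: the NeverLoggedOn column separates service or template accounts that were created and forgotten from accounts that were once used and then abandoned, and those two groups usually need different owners to sign off.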

Before Disabling User Accounts

Use this to see which accounts you are going to disable:

# Enabled or disabled users inactive for 90 days, skipping accounts that never logged on
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
    Where-Object { $_.LastLogonDate -ne $null } |
    Format-Table Name, SamAccountName, LastLogonDate -AutoSize

The PowerShell below lists all disabled Active Directory users:

Search-ADAccount -AccountDisabled -UsersOnly

Search-ADAccount listing selected properties of all disabled Active Directory users:

Import-Module ActiveDirectory
Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object -Property Name, DistinguishedName

Find disabled Active Directory users in a specific OU:

Import-Module ActiveDirectory
Search-ADAccount -SearchBase "OU=TestOU,DC=TestDomain,DC=Local" -AccountDisabled -UsersOnly |
    Select-Object -Property Name, DistinguishedName

To export disabled Active Directory users to CSV with PowerShell, use the cmdlets below:

Import-Module ActiveDirectory
Search-ADAccount -AccountDisabled -UsersOnly |
    Select-Object -Property Name, DistinguishedName |
    Export-Csv "C:\DisabledADUsers.csv" -NoTypeInformation -Encoding UTF8

The cmdlet below (Get-QADUser from the Quest ActiveRoles Management Shell, not the Microsoft ActiveDirectory module) exports disabled users with the columns in the following order: GivenName, Surname, SamAccountName, PrimarySMTPAddress.

# -SizeLimit 0 removes the default result cap so every disabled user is returned
Get-QADUser -SizeLimit 0 |
    Where-Object { $_.AccountIsDisabled -eq $true } |
    Select-Object givenName, sn, SamAccountName, PrimarySMTPAddress |
    Export-Csv -Encoding UTF8 c:\temp\disabled_users.csv

Moving Disabled Active Directory Users and Computers to a New OU

Let's assume you have two OUs in Active Directory: DisabledUserAccounts and DisabledComputerAccounts.

# Substitute your domain for "DC=domain,DC=com"
Get-ADUser -Filter 'Enabled -eq $False' |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=DisabledUserAccounts,DC=domain,DC=com" }

# Substitute your domain for "DC=domain,DC=com"
Get-ADComputer -Filter 'Enabled -eq $False' |
    ForEach-Object { Move-ADObject -Identity $_.DistinguishedName -TargetPath "OU=DisabledComputerAccounts,DC=domain,DC=com" }
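The two one-liners above move every disabled account in the domain, which includes built-in accounts that are disabled by design (krbtgt, Guest, DefaultAccount) and anything already sitting in the target OU. The following added example, not code from the original post, ties the find, disable and move steps together with those safeguards: it only touches enabled accounts with a known last logon, skips an exclusion list of SamAccountNames, skips objects already under the target OU, stamps the description with the date and reason so the change is traceable later, and does nothing unless you drop -WhatIf. It assumes the ActiveDirectory module; the OU paths and domain are placeholders.

```powershell
# Added example (not from the original post): disable stale accounts and move them to a
# quarantine OU, with built-in accounts excluded and -WhatIf support. OU paths are placeholders.
Import-Module ActiveDirectory

function Invoke-StaleAccountQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('User', 'Computer')][string]$Type,
        [int]$DaysInactive = 90,
        [Parameter(Mandatory)][string]$TargetOU,   # e.g. "OU=DisabledUserAccounts,DC=domain,DC=com"
        # Built-in accounts that are disabled or sensitive by design and must not be touched
        [string[]]$ExcludeSam = @('krbtgt', 'Guest', 'DefaultAccount', 'Administrator')
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $stamp  = "Disabled {0:yyyy-MM-dd} by stale-account cleanup (no logon since {1:yyyy-MM-dd})"

    # Search-ADAccount evaluates lastLogonTimestamp server-side; -DateTime sets the cutoff
    $common = @{ AccountInactive = $true; DateTime = $cutoff }
    $stale = if ($Type -eq 'User') { Search-ADAccount @common -UsersOnly }
             else                  { Search-ADAccount @common -ComputersOnly }

    # Only enabled accounts with a recorded logon: never-logged-on accounts need a separate
    # review (see the reporting step), and already-disabled ones are left as they are
    $stale = $stale | Where-Object { $_.Enabled -and $_.LastLogonDate }

    foreach ($acct in $stale) {
        $sam = $acct.SamAccountName.TrimEnd('$')   # computer names carry a trailing '$'
        if ($ExcludeSam -contains $sam) {
            Write-Verbose "Skipping excluded account $sam"
            continue
        }
        # Skip objects that already live in the quarantine OU
        if ($acct.DistinguishedName -like "*,$TargetOU") { continue }

        $done = $PSCmdlet.ShouldProcess($acct.DistinguishedName, "Disable and move to $TargetOU")
        if ($done) {
            Disable-ADAccount -Identity $acct.DistinguishedName
            # Record when and why the account was disabled; Set-ADObject works for both users and computers
            Set-ADObject -Identity $acct.DistinguishedName `
                -Replace @{ description = ($stamp -f (Get-Date), $acct.LastLogonDate) }
            Move-ADObject -Identity $acct.DistinguishedName -TargetPath $TargetOU
        }
        [pscustomobject]@{
            Type          = $Type
            Name          = $acct.Name
            LastLogonDate = $acct.LastLogonDate
            Changed       = $done
        }
    }
}

# Preview first: -WhatIf prints each planned action and changes nothing. Remove it to apply.
Invoke-StaleAccountQuarantine -Type User     -TargetOU "OU=DisabledUserAccounts,DC=domain,DC=com"     -WhatIf
Invoke-StaleAccountQuarantine -Type Computer -TargetOU "OU=DisabledComputerAccounts,DC=domain,DC=com" -WhatIf
```

Disabling before moving matters: a stale account that is merely moved stays usable, whereas a disabled account in a dedicated OU can be given a tighter GPO and a deletion date. The description stamp is what lets you answer "why is my account disabled?" tickets months later without digging through logs.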

By following the steps above you can find inactive Active Directory user and computer accounts with PowerShell and either remove them or move them to a different OU.