How to Find and Delete Inactive User Accounts in Windows Active Directory

Finding and Deleting Obsolete User Accounts

Stale user accounts in Active Directory are a significant security risk, since an attacker or a former employee could use them to wreak havoc in your Windows environment. Beyond the security risk, these inactive accounts also consume database space that could be reclaimed. They should be cleaned up regularly.
Microsoft and other security researchers advocate this practice for the following reasons:
  1. Newly provisioned user accounts tend to be given the same password, on the understanding that the user will be forced to change it at next logon. If the account was never used, it can very well be compromised and used as an attack vector.
  2. Administrators also tend to add new accounts to the necessary groups while provisioning them. So, if the account is compromised, attackers gain the access permissions granted by that group membership.
  3. Since these stale accounts are not actively tracked, administrators will not know if and when an account is abused, leaving the network at high risk of attack.
Now that the reasons are out of the way, how do you find and remove such stale user accounts? Luckily, administrators can use PowerShell scripts to find user accounts that have never logged on.

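Script 1:

    Import-Module ActiveDirectory
    # Users whose lastLogon is 0 or unset. lastLogon is not replicated,
    # so the result reflects only the domain controller that answers the query.
    Get-ADUser -LDAPFilter "(&(&(objectCategory=person)(objectClass=user)(!(isCriticalSystemObject=TRUE)))(|(lastLogon=0)(!(lastLogon=*))))"

Script 2:

    Import-Module ActiveDirectory
    # Users with no lastLogonTimestamp (the replicated logon attribute), excluding critical system objects.
    Get-ADUser -Filter {-not (lastLogonTimestamp -like "*") -and -not (isCriticalSystemObject -eq $true)}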

Regular monitoring and cleanup of inactive and stale user accounts are necessary for the safety of the environment. You should carry out regular checks to look for any stale user accounts, and then disable and remove those accounts from Active Directory.
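
One way to chain the find, review and disable steps described above, shown as an added example rather than code from the original article. The 30-day grace period and the report path are assumptions; the per-DC check is there because lastLogon is stored separately on each domain controller.

```powershell
Import-Module ActiveDirectory

$GraceDays  = 30                        # assumption: leave recently created accounts alone
$ReportPath = '.\never-logged-on.csv'   # assumption: where the review report is written
$Cutoff     = (Get-Date).AddDays(-$GraceDays)

# Candidates: Script 2's filter, narrowed to enabled accounts older than the grace period.
$candidates = Get-ADUser -Filter {-not (lastLogonTimestamp -like "*") -and -not (isCriticalSystemObject -eq $true)} -Properties whenCreated, memberOf |
    Where-Object { $_.Enabled -and $_.whenCreated -lt $Cutoff }

# lastLogon is kept per domain controller, so confirm "never logged on" against every DC.
$dcs = (Get-ADDomainController -Filter *).HostName

$stale = @(foreach ($user in $candidates) {
    $seen = $false
    foreach ($dc in $dcs) {
        try {
            $u = Get-ADUser -Identity $user.DistinguishedName -Server $dc -Properties lastLogon -ErrorAction Stop
            if ($u.lastLogon -gt 0) { $seen = $true; break }
        } catch {
            # A DC that cannot be queried means the account is unverified: skip it.
            $seen = $true; break
        }
    }
    if (-not $seen) {
        [pscustomobject]@{
            SamAccountName    = $user.SamAccountName
            DistinguishedName = $user.DistinguishedName
            WhenCreated       = $user.whenCreated
            GroupCount        = @($user.memberOf).Count   # group memberships an attacker would inherit
        }
    }
})

# Write the list out for review before anything is changed.
$stale | Export-Csv -Path $ReportPath -NoTypeInformation

# Dry run: -WhatIf reports which accounts would be disabled without modifying them.
$stale | ForEach-Object { Disable-ADUser -Identity $_.DistinguishedName -WhatIf }
```

Once the report has been reviewed, drop -WhatIf to disable the accounts; removal with Remove-ADUser can follow after whatever retention period your process requires.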
