Failing to keep track of inactive users in your Active Directory environment poses a security risk, in addition to the space the accounts take up in the directory database. Compliance audits such as SOX require administrators to track down and disable inactive users. These inactive accounts must be managed to ensure that security is maintained around their use.
There are three commonly used methods for finding inactive user accounts and removing them. They are as follows:
Method 1: PowerShell
You can use the lastLogonTimeStamp attribute to find inactive user accounts. The following script selects enabled user accounts that have not logged into the domain for more than six months (180 days) using the Get-ADUser cmdlet.
$LastLogonDate = (Get-Date).AddDays(-180)
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU=Users,OU=Mun,dc=woshub,dc=com' |
    Where-Object {$_.Enabled -eq $True} |
    Sort-Object LastLogonTimeStamp |
    # Select-Object (not Format-Table) so that Export-Csv receives data objects rather than formatting records
    Select-Object Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} |
    Export-Csv C:\ps\inactive_users.csv -NoTypeInformation
This command writes a CSV file containing the list of inactive users. If you want to disable the inactive users, use the following command:
$LastLogonDate = (Get-Date).AddDays(-180)
# Append -WhatIf to Disable-ADAccount to preview which accounts would be disabled
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU=Users,OU=Mun,dc=woshub,dc=com' | Disable-ADAccount
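As an added example (not from the original article), the script below wraps the same lastLogonTimeStamp approach in a function that also catches accounts which have never logged on (the attribute is absent, so the one-line filter above silently skips them), reports before it acts, and supports -WhatIf for the disable step. The OU path and the 180-day threshold are assumed placeholders; the ActiveDirectory module must be available.

```powershell
# Added example, not the article's own code. Reports enabled user accounts that are
# inactive and, with -Disable, disables them after -WhatIf/-Confirm processing.
Import-Module ActiveDirectory

function Get-InactiveADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 180,
        [string]$SearchBase = 'OU=Users,DC=example,DC=com',   # placeholder, replace with your OU
        [switch]$Disable
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # Only enabled accounts are of interest; lastLogonTimestamp is replicated to all DCs,
    # but only every 9-14 days, so treat it as a coarse indicator, not an exact last logon.
    $users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
        -Properties lastLogonTimestamp, whenCreated, Description

    foreach ($u in $users) {
        if ($u.lastLogonTimestamp) {
            $lastLogon = [DateTime]::FromFileTime($u.lastLogonTimestamp)
            $reason    = 'stale logon'
        } else {
            # Never logged on: judge by creation date so freshly created accounts are not flagged
            $lastLogon = $u.whenCreated
            $reason    = 'never logged on'
        }
        if ($lastLogon -ge $cutoff) { continue }

        if ($Disable -and $PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $u
            # Record why the account was disabled so the change is traceable in audits
            Set-ADUser -Identity $u -Description ('Disabled as inactive on {0:yyyy-MM-dd}; was: {1}' -f (Get-Date), $u.Description)
        }

        [PSCustomObject]@{
            SamAccountName    = $u.SamAccountName
            LastLogon         = $lastLogon
            Reason            = $reason
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Report first, review the CSV, then run the disable step as a dry run before committing
Get-InactiveADUser -Days 180 | Export-Csv C:\ps\inactive_users.csv -NoTypeInformation
# Get-InactiveADUser -Days 180 -Disable -WhatIf
```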
Method 2: Using common queries
1. Open Active Directory Users and Computer.
2. Click the "Find Objects" button.
3. In the "Find Common Queries" window, select "Common Queries" from the Find: drop-down and "Entire Directory" from the In: drop-down. Check the box "Disabled accounts".
Once you have selected the above settings and clicked "Find Now", you will have a list of all the disabled accounts.
Method 3: Saved Queries
The saved queries in ADUC can be used to create simple LDAP search filters.
1. Open "Active Directory Users and Computers"
2. Right click on "Saved Queries" and select "New Query".
3. Give the query a name then click the "Define Query" button.
4. In the "Find Common Queries" box, check the "Disabled accounts" box and click "OK".
5. The query string box should now be populated with the LDAP syntax. Click "OK".
6. Click on the "Disabled Users" query under "Saved Queries". You should now see all the disabled accounts.
Follow any of the above three methods to quickly find disabled accounts in your Active Directory environment.