How to Track Down Inactive Users in Active Directory

Failing to keep track of inactive users in your Active Directory environment poses a potential security risk, in addition to the space the accounts take up in the directory database. Compliance regulations such as SOX require administrators to track down and disable inactive users. These inactive accounts must be managed so that security is maintained around their use.

There are three commonly used methods for finding inactive user accounts and removing them. They are as follows:

Method 1: PowerShell

You can use the lastLogonTimeStamp attribute to find inactive user accounts. The following script uses the Get-ADUser cmdlet to select user accounts that have not logged on to the domain for more than six months (180 days).

# Cut-off date: anything last logged on before this is considered inactive
$LastLogonDate = (Get-Date).AddDays(-180)
# Query the OU server-side, keep only enabled accounts, convert the Integer8 timestamp to a date and export.
# Select-Object (not Format-Table) must feed Export-Csv, otherwise the CSV contains formatting objects, not users.
# Note: a server-side -lt filter skips accounts that have no LastLogonTimeStamp at all (never logged on).
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU=Users,OU=Mun,dc=woshub,dc=com' |
    Where-Object { $_.Enabled -eq $True } | Sort-Object LastLogonTimeStamp |
    Select-Object Name, @{N='LastLogonTimeStamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}} |
    Export-Csv -Path C:\ps\inactive_users.csv -NoTypeInformation

This pipeline writes a CSV file listing the inactive users. If you want to disable the inactive users instead, pipe the same query into Disable-ADAccount:

# Requires $LastLogonDate from the previous step; append -WhatIf to Disable-ADAccount to preview first
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU=Users,OU=Mun,dc=woshub,dc=com' | Disable-ADAccount

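
The following script is an added example, not code from the original article: it combines the report and disable steps above into one reusable script, and additionally covers the case the server-side filter above misses, accounts that have never logged on (no LastLogonTimeStamp), which it judges by creation date instead. The ActiveDirectory RSAT module is assumed, and the OU and CSV path are placeholders.

```powershell
# Added example, not from the original article. Reports enabled users that are
# stale and, with -Disable, disables them. Assumes the ActiveDirectory RSAT
# module; the OU and CSV path are placeholders to replace with your own.
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$InactiveDays = 180,
    [string]$SearchBase = 'OU=Users,DC=example,DC=com',   # placeholder OU
    [string]$ReportPath = 'C:\ps\inactive_users.csv',
    [switch]$Disable
)
Import-Module ActiveDirectory
$cutoff = (Get-Date).AddDays(-$InactiveDays)
# Fetch enabled users once and filter client-side, so accounts with no
# LastLogonTimeStamp at all (never logged on) are evaluated too; a server-side
# 'LastLogonTimeStamp -lt $cutoff' filter silently skips them.
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                    -Properties LastLogonTimeStamp, whenCreated
$stale = foreach ($u in $users) {
    if ($u.LastLogonTimeStamp) {
        $lastLogon = [DateTime]::FromFileTime($u.LastLogonTimeStamp)
        $reason    = 'No logon since cutoff'
    } else {
        $lastLogon = $null                 # judged by creation date instead, so a
        $reason    = 'Never logged on'     # brand-new account is not flagged
    }
    # lastLogonTimeStamp replicates only every 9-14 days, so a value slightly
    # older than the cutoff can still belong to an active user: review before disabling.
    $effective = if ($lastLogon) { $lastLogon } else { $u.whenCreated }
    if ($effective -lt $cutoff) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            LastLogon         = $lastLogon
            Created           = $u.whenCreated
            Reason            = $reason
            DistinguishedName = $u.DistinguishedName
        }
    }
}
$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$(@($stale).Count) stale account(s) written to $ReportPath"
if ($Disable) {
    foreach ($acct in $stale) {
        # ShouldProcess makes '-Disable -WhatIf' a dry run and '-Confirm' prompt per account
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, 'Disable-ADAccount')) {
            Disable-ADAccount -Identity $acct.DistinguishedName
        }
    }
}
```

Run it first without -Disable to review the CSV, then with `-Disable -WhatIf` to see exactly which accounts would be changed.
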
Method 2: Using common queries

1. Open Active Directory Users and Computers.
2. Click the "Find Objects" button.
3. In the "Find Common Queries" window, select "Common Queries" from the Find drop-down and "Entire Directory" from the In: drop-down. Check the "Disabled accounts" box.

Once you have selected the above settings and clicked “Find Now” you will have a list of all the disabled accounts.

Method 3: Saved Queries

The saved queries in ADUC can be used to create simple LDAP search filters.

1. Open "Active Directory Users and Computers"
2. Right click on "Saved Queries" and select "New Query".
3. Give the query a name then click the "Define Query" button. 
4. In the "Find Common Queries" box, check the "Disabled accounts" box and click "OK".
5. The query string box should now be populated with the LDAP syntax. Click "OK".
6. Click the new query (named "Disabled Users" in this example) under "Saved Queries". You should now see all the disabled accounts.

Follow any of the above three methods to quickly find inactive and disabled accounts in your Active Directory environment.
