How to find inactive computers and users in AD with Powershell

A frequent task for an Active Directory administrator is to make a list of disabled or inactive computer and / or user accounts. You can use LDAP queries saved in the ADUC console and PowerShell cmdlets to obtain a list of inactive objects in an Active Directory domain. 

In this article, we’ll show you how to use PowerShell to find inactive computer and user accounts.

Read more:

How to Remove Azure AD Connect
Lower the functional level of your domain or forest on Windows Server
Convert synchronized users to users in the Azure AD cloud only
How to hide user from address list (AD Connect)
The best Windows Server courses of 2021

To use all of the PowerShell cmdlets discussed below, at least PowerShell version 3.0 and the Remote Server Administration Toolkit ( RSAT ) must be installed on the computer. 

Enable the Active Directory Module for Windows PowerShell from RSAT (Control Panel -> Programs-> Enable and disable Windows features-> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS tools ).

This PowerShell module can also be enabled using this command:

Add-WindowsFeature RSAT-AD-PowerShell

Launch the PowerShell console and import Active Directory into the PowerShell module:

Import-Module ActiveDirectory

How do I find inactive (old) computers in the Active Directory domain?

You can use the Get-ADComputer cmdlet to find inactive computer objects in a domain. The attribute LastLogonTimeStamp can be used as a search criterion. Note that this attribute cannot be used to retrieve real-time information about the last time that a computer logged on to the domain. However, due to the fact that this attribute is replicated between DCs every 9-14 days, you can obtain information about the last computer login time from any domain controller (as opposed to the attribute LastLogonDate , which is updated only on the DC through which the computer logged in).

You can check the current value of the LastLogonTimeStamp attribute in the computer properties in the ADUC console on the Attribute Editor tab.

Use the following commands to find all computers in a specific OU that have not logged on for more than 180 days:

$LastLogonDate = (Get-Date) .AddDays (-180) Get-ADComputer -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU = Computers, OU = Mun, DC = contoso, dc = com' | Sort LastLogonTimeStamp | FT Name, @ {N = 'lastlogontimestamp'; E = {[DateTime] :: FromFileTime ($_.lastlogontimestamp)}} -AutoSize | Export-CSV c: \ ps \ inactive_computers.csv

This command will generate a CSV file with a list of inactive computers that have not been registered with the domain for more than six months.

You can disable the computer accounts found:

Get-ADComputer -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU = Computers, OU = Mun, dc = contoso, dc = com' | Disable-ADAccount

Move these computer objects to a separate OU:

Get-ADComputer ... | Move-ADObject -TargetPath “OU = Disabled Computers, DC = contoso, DC = com”

Or delete inactive computers:

Get-ADComputer ... | Remove-ADComputer

Find inactive user accounts in Active Directory

You can also use the attribute lastLogonTimeStamp to find inactive user accounts. To build a list of inactive users, you need to use this attribute, not lastLogon (the lastLogon attribute is not replicated between domain controllers).

The following script allows you to select enabled user accounts that have not connected to the domain for more than six months (180 days) using the Get-ADUser cmdlet:

$LastLogonDate = (Get-Date) .AddDays (-180) Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU = Users, OU = Mun, dc = woshub, dc = com' | ? {$_.Enabled –eq $True} | Sort LastLogonTimeStamp | FT Name, @ {N = 'lastlogontimestamp'; E = {[DateTime] :: FromFileTime ($_.lastlogontimestamp)}} -AutoSize | Export-CSV c: \ ps \ inactive_users.csv

You can disable inactive users:

Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate} -SearchBase 'OU = Users, OU = Mun, dc = woshub, dc = com' | Disable-ADAccount

If you need to remove inactive user accounts from AD, use the pipeline with Remove-ADUser.

Using Search-ADAccount to find inactive AD objects

You can use the Get-ADUser, Get-ADComputer or Get-ADObject cmdlets to find inactive objects in AD. However, creating the correct filter for these commands can be tricky. The ActiveDirectory PowerShell module has a more convenient cmdlet for performing these tasks -   Search-ADAccount . This cmdlet is used to find objects of any type (users and computers). Let's look at examples of using the Search-ADAccount cmdlet for typical tasks for searching for disabled, inactive, and blocked objects in AD.

Here is the list of the most important keys for the Search-ADAccount cmdlet:

Search-ADAccount keydescription
-AccountDisabledAccount search disabled
-AccountExpiredSearch for expired accounts
-AccountExpiring [-DateTime DateTime] [-TimeSpan TimeSpan]Search for accounts to be due in a certain period of time (-TimeSpan) or on a specific date (-DateTime)
-AccountInactive [-DateTime DateTime] [-TimeSpan TimeSpan]Search for accounts not logged in since a certain date (-DateTime) or during a certain period of time (-TimeSpan)
-LockedOutSearch for accounts blocked by domain password policy
-PasswordExpiredSearching for Accounts with Expired Passwords
-PasswordNeverExpiresAccounts with the PasswordNeverExpires attribute set (attribute UserAccountControl)

For example, let's display the list of disabled user accounts in the domain:

Search-ADAccount -UsersOnly –AccountDisabled

You can limit the scope of the search to a specific Active Directory container (OU):

Search-ADAccount -UsersOnly –AccountDisabled –searchbase "OU = Admins, OU = Accounts, DC = woshub, DC = com"

The same data can be presented in a more convenient table form using this command:

Search-ADAccount -UsersOnly -AccountDisabled -searchbase "OU = Admins, OU = Accounts, DC = woshub, DC = com" | ft -AutoSize

If you need to obtain the list of users with disabilities containing certain user attributes and present it as a graphical table to be classified, perform the following:

Search-ADAccount -UsersOnly AccountDisabled | sort LastLogonDate | Select Name, LastLogonDate, DistinguishedName | out-gridview -title "Disabled Users"

The list of blocked user accounts:

Search-ADAccount -UsersOnly –LockedOut

The list of user accounts that have been inactive in the last 60 days:

$timespan = New-Timespan –Days 60 Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | ? {$_.Enabled –eq $True}

To count these user accounts:

Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | ? {$_.Enabled –eq $True} | Measure

The list of computers not registered on the domain network in the last 90 days:

Search-ADAccount -AccountInactive –ComputersOnly -TimeSpan 90

Or since a certain date:

Search-ADAccount -AccountInactive -ComputersOnly -DateTime '1/1/2021' | Select Name, LastLogonDate | ft

To export the list of objects to a CSV, use this command:

Search-ADAccount -AccountDisabled -UsersOnly | Export-Csv "c: \ ps \ disabled_users.csv"

Was this article helpful?

To maintain a quality standard for you, we have invested in a great hosting plan, Paid CDN, Website Optimization Plugins, etc ...

Help us to keep the project active! 

Follow the news in real time. Follow our Instagram profile..

Felipe Santos
Felipe Santos is a Cloud and Security Architect, with experience in Windows Server, Cluster, Storages, Backups Veeam and Office 365 environments.



Do you want to upgrade your career? 

Invest in yourself and get ahead! Get that dream job in 2022!