how-to-disable-inactive-user-accounts-using-powershell

Inactive Active Directory (AD) user accounts can pose a security risk to organizations, in situations such as when former employees still have active accounts months after leaving the company because HR failed to inform IT, or accounts might be created for a particular purpose but never deleted after the event. Whatever the reason for the existence of such accounts, Active Directory can quickly get out of control, in turn making your systems harder to audit and less secure.

Active Directory Module for PowerShell

The PowerShell module for Active Directory allows system administrators to query Active Directory and generate reports using the resulting data. The AD module for PowerShell is installed by default on Windows Server 2012 domain controllers, or alternatively you can download the Remote Server Administration Tools (RSAT) for Windows 8.1 and install the module using the command below.

Log in as a local administrator, open a PowerShell prompt, type the code below and press ENTER to install the AD module for PowerShell:

Install-WindowsFeature RSAT-AD-PowerShell

Search Active Directory for Inactive Accounts

The Search-ADAccount cmdlet provides an easy way to query Active Directory for inactive user accounts:

Search-ADAccount –UsersOnly –AccountInactive

clip_image002Figure 1

The above command returns all inactive accounts. To narrow down the results to a specific time range, you can add the –TimeSpanparameter to Search-ADAccount. In the example below, a variable defines the value for the –TimeSpan parameter, using the New-Timespan cmdlet to simplify the input:

$timespan = New-Timespan –Days 90

Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan

Alternatively, you can specify the –DateTime parameter to return accounts that have been inactive since a given date. In the command that follows, accounts not active since May 5th 2014 are returned:

Search-ADAccount –UsersOnly –AccountInactive -DateTime ‘5/20/2014’

To get more user-friendly information about the accounts, pipe the results to the Get-ADUser cmdlet and then choose the columns to display in the output using Select:

Search-ADAccount –UsersOnly –AccountInactive | Get-ADuser -Properties Department,Title | Select Name,Department,Title,DistinguishedName

clip_image004Figure 2

The results can also be sorted by a specified field, in this example by the LastLogOnDate attribute, which is derived from the LastLogonTimestamp and converted into a readable format:

Search-ADAccount –UsersOnly –AccountInactive | Get-ADuser -Properties Department,Title | Sort LastLogOnDate | Select Name,Department,Title,DistinguishedName

It’s worth noting that unlike the LastLogOn attribute, LastLogonTimestamp is synchronized between domain controllers, but can be 9 to 14 days out-of-date, so you should bear this in mind when processing your results.

Another way to simplify the output and count the number of inactive users is to pipe the results to the Measure cmdlet:

Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | Measure

As with any other PowerShell cmdlets, the results can be piped to Out-GridView, or to a comma-delimited file so that the results can be imported into Excel.

Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | Out-GridView

Disable Inactive Accounts

Once you’ve got the set of results you’re looking for, all you need to do is pipe them to the Disable-ADAccount cmdlet as shown here to disable the accounts:

Search-ADAccount –UsersOnly –AccountInactive –TimeSpan $timespan | Disable-ADAccount

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.