Why Find Inactive Accounts?
Inactive accounts are security risks. They could be compromised without anyone noticing. Regular cleanup is essential for security compliance.
The Basic Script
Import-Module ActiveDirectory
$DaysInactive = 90
$InactiveDate = (Get-Date).AddDays(-$DaysInactive)
# LastLogonDate is derived from lastLogonTimestamp, which replicates with a lag of up to about 14 days.
# Accounts that have never logged on have no LastLogonDate and are not matched by this filter.
Get-ADUser -Filter {LastLogonDate -lt $InactiveDate -and Enabled -eq $true} -Properties LastLogonDate, Department, Title |
    Select-Object Name, SamAccountName, Department, Title, LastLogonDate |
    Export-Csv -Path "C:\InactiveUsers.csv" -NoTypeInformation
Write-Host "Report saved to C:\InactiveUsers.csv"
Enhanced Version with Email Report
# Run after the basic script so that $InactiveDate is defined.
$InactiveUsers = Get-ADUser -Filter {LastLogonDate -lt $InactiveDate -and Enabled -eq $true} -Properties LastLogonDate
$Report = $InactiveUsers | ConvertTo-Html -Property Name, SamAccountName, LastLogonDate -PreContent "<h1>Inactive Users Report</h1>"
# smtp.office365.com requires STARTTLS on port 587 and an authenticated sender.
Send-MailMessage -From "reports@company.com" -To "admin@company.com" -Subject "Inactive AD Users - $((Get-Date).ToString('yyyy-MM-dd'))" -Body ($Report | Out-String) -BodyAsHtml -SmtpServer "smtp.office365.com" -Port 587 -UseSsl -Credential (Get-Credential)
Step 3: Disable Inactive Accounts
After reviewing the list, disable accounts:
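# Limit the filter to enabled accounts; append -WhatIf to preview the change first.
Get-ADUser -Filter {LastLogonDate -lt $InactiveDate -and Enabled -eq $true} | Disable-ADAccount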
Best Practices
- Run this monthly as a scheduled task
- Review before disabling (check with managers)
- Move disabled accounts to a special OU
- Delete accounts after 180 days of inactivity
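
The disable command above re-queries AD, so it acts on every match rather than on the accounts a reviewer signed off. The following added example (not code from the original post) disables only rows approved in the exported CSV, re-checks each account first, and moves it to a holding OU. The "Approved" column, the function name and the OU distinguished name are assumptions.

```powershell
# Added example: act only on accounts a reviewer approved in the CSV report.
# Assumptions (not from the original post): an "Approved" column added to the
# CSV during review, and the placeholder quarantine OU name used below.
Import-Module ActiveDirectory

function Disable-ReviewedAccount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$CsvPath      = 'C:\InactiveUsers.csv',
        [string]$QuarantineOU = 'OU=Disabled Users,DC=example,DC=com',  # placeholder DN
        [int]$DaysInactive    = 90
    )

    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $stamp  = Get-Date -Format 'yyyy-MM-dd'

    foreach ($row in Import-Csv -Path $CsvPath) {
        if ($row.Approved -ne 'Yes') { continue }

        # Re-read the account: it may have logged on, been disabled or been deleted since the report ran.
        try {
            $user = Get-ADUser -Identity $row.SamAccountName -Properties LastLogonDate, Description -ErrorAction Stop
        } catch {
            Write-Warning "$($row.SamAccountName): not found, skipping"
            continue
        }
        if (-not $user.Enabled) { continue }
        if ($user.LastLogonDate -ge $cutoff) {
            Write-Warning "$($user.SamAccountName): logged on $($user.LastLogonDate), skipping"
            continue
        }

        if ($PSCmdlet.ShouldProcess($user.SamAccountName, 'Disable and move to quarantine OU')) {
            Disable-ADAccount -Identity $user
            # Record why and when, so the later deletion pass has an audit trail.
            Set-ADUser -Identity $user -Description "Disabled $stamp (inactive $DaysInactive+ days). $($user.Description)"
            Move-ADObject -Identity $user.DistinguishedName -TargetPath $QuarantineOU
        }
    }
}

# Preview first; remove -WhatIf to apply the changes.
Disable-ReviewedAccount -WhatIf
```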
 