How to Find Inactive Users in Active Directory using PowerShell or Netwrix Auditor

Native Solution
Steps

Prerequisite: Before you can run any of the following scripts, you need to import the Active Directory PowerShell module (installed with the AD DS role on domain controllers and with RSAT on workstations) with the following command:

Import-Module ActiveDirectory 

  • Open the Windows PowerShell ISE on your domain controller.
  • To get users inactive for 90 days or longer, run one of the following PowerShell scripts:

With the Search-ADAccount cmdlet:

# -AccountInactive tests LastLogonDate (the replicated lastLogonTimestamp); the Where-Object stage drops accounts that are already disabled.
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 -ResultPageSize 2000 -ResultSetSize $null | Where-Object { $_.Enabled -eq $true } | Select-Object Name, SamAccountName, DistinguishedName | Export-Csv "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

With the Get-ADUser cmdlet:

$date = (Get-Date).AddDays(-90)

# The -lt comparison matches only accounts that have a LastLogonDate; accounts that have never logged on have no value and are not returned by this filter.
Get-ADUser -Filter { LastLogonDate -lt $date } -Properties LastLogonDate | Where-Object { $_.Enabled -eq $true } | Select-Object Name, SamAccountName, DistinguishedName | Export-Csv "C:\Temp\InactiveUsers.CSV" -NoTypeInformation

If necessary, you can generate a report with more user information by dropping the "Select-Object Name, SamAccountName, DistinguishedName" stage from the scripts above. Search-ADAccount then emits its full account object (including LastLogonDate, PasswordExpired, PasswordNeverExpires and LockedOut); for Get-ADUser, also add "-Properties *", because by default it returns only a small set of attributes.

Note that both cmdlets rely on LastLogonDate, which is derived from the replicated lastLogonTimestamp attribute. That attribute is only rewritten when the stored value is more than about 14 days old (the default msDS-LogonTimeSyncInterval), so an account reported as inactive for 90 days may in fact have logged on up to two weeks more recently. Treat the threshold as approximate, and do not switch to the non-replicated lastLogon attribute unless you query every domain controller and take the newest value.

  • Open the CSV file produced by the script in MS Excel and review the list before disabling or removing any account.
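The following script is an added example, not part of the original article and not Netwrix code. It carries the procedure above through end to end with the same cmdlets: it reports enabled users whose last recorded logon is older than the cutoff, adds the accounts that have never logged on (which the plain LastLogonDate filter silently misses) once they are older than the cutoff, writes the CSV, and optionally disables the accounts with a rehearsal mode. The parameter defaults (90 days, the domain root as search scope, C:\Temp\InactiveUsers.csv) are assumptions; change them to fit your environment.

```powershell
# Added example (not from the Netwrix article). Requires the ActiveDirectory
# module and an account that can read users, plus rights to disable them
# when -Disable is used. Defaults below are assumptions for illustration.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [int]$InactiveDays = 90,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,   # assumed: whole domain
    [string]$ReportPath = 'C:\Temp\InactiveUsers.csv',        # assumed output path
    [switch]$Disable
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)
$props  = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'Description'

# 1. Enabled users with a recorded logon older than the cutoff.
#    LastLogonDate comes from the replicated lastLogonTimestamp, which is
#    refreshed only when older than ~14 days, so "90 days" is approximate.
#    The -lt test matches only accounts that actually have a LastLogonDate.
$stale = Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' `
    -SearchBase $SearchBase -Properties $props

# 2. Enabled users that have never logged on. They carry no lastLogonTimestamp
#    at all, so whenCreated is the only age signal; filtering on it avoids
#    flagging accounts that were provisioned yesterday.
$neverUsed = Get-ADUser -Filter 'Enabled -eq $true -and whenCreated -lt $cutoff' `
    -SearchBase $SearchBase -Properties $props |
    Where-Object { -not $_.LastLogonDate }

# 3. Build one report row per account, with the reason it was selected.
$report = @($stale) + @($neverUsed) | ForEach-Object {
    if ($_.LastLogonDate) {
        $reason = 'No logon since ' + $_.LastLogonDate.ToString('yyyy-MM-dd')
    } else {
        $reason = 'Never logged on'
    }
    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        Name              = $_.Name
        DistinguishedName = $_.DistinguishedName
        Created           = $_.whenCreated
        LastLogonDate     = $_.LastLogonDate      # empty for never-used accounts
        PasswordLastSet   = $_.PasswordLastSet
        Description       = $_.Description
        Reason            = $reason
    }
} | Sort-Object LastLogonDate

$report | Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8
Write-Host ('{0} inactive enabled account(s) written to {1}' -f @($report).Count, $ReportPath)

# 4. Optional remediation. Run with -Disable -WhatIf first to rehearse;
#    the description records when and why, so the change is attributable
#    when the account owner asks later. Disabling (rather than deleting)
#    keeps the SID and group memberships recoverable.
if ($Disable) {
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    foreach ($u in $report) {
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, 'Disable inactive account')) {
            Set-ADUser -Identity $u.DistinguishedName `
                -Description "Disabled $stamp - inactive $InactiveDays+ days ($($u.Reason))"
            Disable-ADAccount -Identity $u.DistinguishedName
        }
    }
}
```

Run it once without switches to produce the CSV only, then `.\Find-InactiveUsers.ps1 -Disable -WhatIf` to see exactly which accounts would be touched, and finally with `-Disable` once the list has been reviewed. Scope it with -SearchBase to an OU first if your domain has service accounts that legitimately never interactively log on; those should be excluded or handled separately rather than disabled by this pass.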
Netwrix Auditor for Active Directory
Steps
  1. Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory – State-in-Time" → Select "User Accounts" → Click "View".
  2. Set the "Days Inactive" parameter to the required timeframe (such as 90 days) → Click "View Report".
  3. To save the report, click the "Export" button → Choose a format from the dropdown menu → Click "Save".

Find Inactive Users in Active Directory without Tinkering with PowerShell Scripts

Stale user accounts in an Active Directory domain are a significant security risk: they can be used by an attacker who has obtained the credentials, or by a former employee who still knows the password, and because nobody is using the account legitimately, that misuse is unlikely to be noticed. On top of that, inactive accounts consume directory database space; while that is not an issue in small environments, it can affect overall performance in larger organizations. Most Active Directory management guidelines recommend that IT teams regularly check for inactive users and then either disable or remove them, both for stronger security and for general housekeeping.

While in theory you can find inactive accounts by simply browsing Active Directory Users and Computers, reviewing each and every user manually is cumbersome: you would have to walk through every OU and open each suspicious user's properties (the last logon timestamp is only visible on the Attribute Editor tab) to check when that user last logged in.

Using PowerShell is one way to reduce the work required to find inactive users in Active Directory. Specifically, the Get-ADUser and Search-ADAccount cmdlets from the Active Directory module let you collect the necessary data relatively quickly. However, PowerShell requires a certain level of expertise, and you will still have to sift through lengthy reports.

Or, in just a few clicks, Netwrix Auditor for Active Directory will give you a comprehensive report on inactive user accounts with all the necessary details, such as the AD path, user name, account status and last logon date. To further streamline your AD maintenance, you can subscribe the responsible employees to receive the report automatically on a regular schedule. More broadly, Netwrix Auditor includes Google-like search functionality and supports a large number of systems, so you can track all the important events in your infrastructure from one place, driving efficiency and saving you time on incident investigations.
