
How to Find and Manage Inactive Users in Active Directory?

To find and manage inactive users in Active Directory, you can use PowerShell and the LastLogonTimestamp attribute. This attribute records the last time a user logged on to the domain and, unlike LastLogon, is replicated to every domain controller, so it can be queried from any DC. It is only rewritten when the stored value is more than 9 to 14 days old, so treat it as accurate to within about two weeks, which is fine for a 90-day inactivity threshold. Here are the steps to do this:

  1. Open PowerShell on your domain controller or a computer with the Active Directory PowerShell module installed.
  2. Run the following command to import the Active Directory module:
Import-Module ActiveDirectory
  3. Run the following commands to retrieve a list of user accounts that have not logged on to the domain in the last 90 days:
$inactiveDays = 90
# The -Filter parameter cannot evaluate method calls such as (Get-Date).AddDays(), so compute the cutoff date first
$cutoff = (Get-Date).AddDays(-$inactiveDays)
$inactiveUsers = Get-ADUser -Filter {Enabled -eq $true -and LastLogonTimestamp -lt $cutoff} -Properties Name, SamAccountName, LastLogonTimestamp | Select-Object Name, SamAccountName, @{Name="LastLogon"; Expression={[DateTime]::FromFileTime($_.LastLogonTimestamp)}}
$inactiveUsers | Format-Table -AutoSize

Replace “90” with the number of days of inactivity you want to use. The commands retrieve all enabled user accounts whose LastLogonTimestamp is older than the cutoff, store them in $inactiveUsers, and display the “Name,” “SamAccountName,” and “LastLogon” attributes in a table. Accounts that have never logged on have no LastLogonTimestamp at all and are not matched by this filter; check those separately (for example by their creation date) so they are not overlooked.

  4. Review the list of inactive users and decide whether to disable or delete their accounts.
  5. To disable an inactive user account, run the following command:
Disable-ADAccount -Identity username

Replace “username” with the SamAccountName of the user account you want to disable.

  6. To delete an inactive user account, run the following command:
Remove-ADUser -Identity username -Confirm:$false

Replace “username” with the SamAccountName of the user account you want to delete. Note that -Confirm:$false suppresses the confirmation prompt, and that unlike disabling, deletion cannot be undone unless the Active Directory Recycle Bin is enabled, so the usual practice is to disable first and delete only after a retention period.

Note that disabling or deleting a user account may have an impact on the user’s access to resources and data. It is important to communicate any changes to the affected users and their managers before taking action.
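The following script is an added example, not code from the original article. It extends the article's query so that accounts which have never logged on (no LastLogonTimestamp) are judged by their creation date, writes a review record to CSV, and makes disabling a separate, stamped step that runs as a dry run with -WhatIf. It assumes the RSAT ActiveDirectory module; the CSV path is a placeholder.

```powershell
Import-Module ActiveDirectory

function Get-InactiveADUser {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # LastLogonTimestamp is rewritten only when 9-14 days stale, so it is an approximation.
    Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonTimestamp, whenCreated, Description |
        ForEach-Object {
            $lastLogon = if ($_.LastLogonTimestamp) { [DateTime]::FromFileTime($_.LastLogonTimestamp) } else { $null }
            # Never-logged-on accounts have no timestamp; fall back to the creation date.
            $inactive = if ($lastLogon) { $lastLogon -lt $cutoff } else { $_.whenCreated -lt $cutoff }
            if ($inactive) {
                [PSCustomObject]@{
                    Name           = $_.Name
                    SamAccountName = $_.SamAccountName
                    LastLogon      = $lastLogon        # $null means the account never logged on
                    Created        = $_.whenCreated
                    Description    = $_.Description
                }
            }
        }
}

function Disable-InactiveADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory = $true, ValueFromPipeline = $true)]$User)
    process {
        $stamp = "Disabled for inactivity on $(Get-Date -Format 'yyyy-MM-dd')"
        if ($PSCmdlet.ShouldProcess($User.SamAccountName, 'Disable inactive account')) {
            # Record when and why in Description so the change is auditable and easy to reverse.
            Set-ADUser -Identity $User.SamAccountName -Description $stamp
            Disable-ADAccount -Identity $User.SamAccountName
        }
    }
}

# 1. Report first and keep the CSV as the review record (placeholder path).
$inactive = @(Get-InactiveADUser -InactiveDays 90)
if ($inactive.Count -gt 0) {
    $inactive | Export-Csv -Path 'C:\Reports\InactiveUsers.csv' -NoTypeInformation
}
# 2. Dry run; remove -WhatIf only after the list has been reviewed with the account owners.
$inactive | Disable-InactiveADUser -WhatIf
```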