
How to Manage Inactive User Accounts in Active Directory

  • The article explains how to find and manage inactive user accounts in Active Directory (AD) using PowerShell scripts or graphical tools, and why it is important to do so for security and performance reasons.
  • The article also provides some best practices for managing inactive user accounts in AD, such as defining the criteria, implementing a deprovisioning process, scheduling regular audits and reports, testing and verifying the actions, and documenting and reviewing the policies.
  • The article also answers some frequently asked questions related to managing inactive user accounts in AD, such as how to find inactive computer accounts, how to find inactive user accounts in Azure AD or Office 365, and what are the limitations and caveats of using the lastLogonTimeStamp attribute.

Active Directory (AD) is a directory service that stores information about users, computers, groups, and other objects in a network. AD helps administrators manage network resources and provides authentication and authorization services. However, over time, some user accounts become inactive for various reasons, such as employees leaving the organization, changing roles, or going on a long leave. Inactive user accounts pose a security risk, as they can be exploited by attackers or former employees to gain unauthorized access to the network. Inactive accounts also consume valuable database space that can be reclaimed by deleting them. Therefore, it is important for AD administrators to regularly check for and remove inactive user accounts in AD.

In this article, we will show you how to find and manage inactive user accounts in AD using different methods, such as PowerShell scripts, graphical tools, and best practices. We will also answer some frequently asked questions related to this topic.

How to Find Inactive User Accounts in AD

One of the common ways to identify inactive user accounts in AD is to use the lastLogonTimeStamp attribute. This attribute records the last time a user attempted to make an interactive sign-in to the network. Unlike the lastLogon attribute, which is not replicated between domain controllers (DCs), the lastLogonTimeStamp attribute is replicated every time it is updated, which makes it more convenient to query. However, this attribute is not updated every time a user logs on, but only when the current value is older than 9-14 days (the default replication interval). This means that the lastLogonTimeStamp attribute may not reflect the exact date and time of the last logon, but rather an approximation. Therefore, you should consider this factor when defining your criteria for inactive user accounts.

To find inactive user accounts in AD using the lastLogonTimeStamp attribute, you can use PowerShell cmdlets from the Active Directory module. To use these cmdlets, you need to have PowerShell version 3.0 or higher and the Remote Server Administration Tools (RSAT) installed on your computer. You also need to import the Active Directory module by running this command:

Import-Module ActiveDirectory

Then, you can use the Get-ADUser cmdlet to get user accounts from a specific organizational unit (OU) and filter them by the lastLogonTimeStamp attribute. For example, to get all user accounts from the Users OU that have not logged on for more than 90 days, you can run this command:

$LastLogonDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Users,DC=Contoso,DC=Com" -Properties lastLogonTimeStamp

This command will return the name and the lastLogonTimeStamp value of each inactive user account. You can also sort and format the output by using the Sort-Object and Format-Table cmdlets. For example:

$LastLogonDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Users,DC=Contoso,DC=Com" -Properties lastLogonTimeStamp |
    Sort-Object lastLogonTimeStamp |
    Format-Table Name, @{Name="LastLogonDate"; Expression={[DateTime]::FromFileTime($_.lastLogonTimeStamp)}}

This command will display the name and the last logon date of each inactive user account in a table format.

Alternatively, you can use the Search-ADAccount cmdlet to find inactive user accounts based on different parameters, such as AccountInactive, DateTime, or TimeSpan. For example, to find all inactive user accounts in the domain that have not logged on for more than 90 days, you can run this command:

# -TimeSpan expects a TimeSpan value; a bare integer would be read as ticks, not days
Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00

This command will return the name and other properties of each inactive user account.

You can also export the results of these commands to a CSV file by using the Export-CSV cmdlet. For example:

$LastLogonDate = (Get-Date).AddDays(-90)
# Convert the raw Int64 file time to a date so the CSV column is readable
Get-ADUser -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Users,DC=Contoso,DC=Com" -Properties lastLogonTimeStamp |
    Sort-Object lastLogonTimeStamp |
    Select-Object Name, SamAccountName, @{Name="LastLogonDate"; Expression={[DateTime]::FromFileTime($_.lastLogonTimeStamp)}} |
    Export-Csv C:\Temp\InactiveUsers.csv -NoTypeInformation

This command will save the list of inactive user accounts to a CSV file named InactiveUsers.csv in the C:\Temp folder.
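The one-liners above share two blind spots that matter in practice: an -lt filter on lastLogonTimeStamp silently skips accounts that have never logged on (the attribute is absent, so it matches nothing), and the attribute can be up to 14 days stale. The script below is an added example, not code from the original article; it builds a fuller inventory that converts the file-time values, flags never-logged-on accounts, widens the cutoff to cover the update lag, and exports the result. The OU path, the output path and the 90-day threshold are assumed values.

```powershell
# Added example (not from the original article): inventory of stale user accounts.
# Assumed values: the OU path, the output path and the 90-day threshold.
Import-Module ActiveDirectory

$SearchBase   = "OU=Users,DC=Contoso,DC=Com"   # assumed OU
$InactiveDays = 90                             # assumed policy threshold
$UpdateLag    = 14                             # lastLogonTimeStamp may be up to 14 days stale
$Cutoff       = (Get-Date).AddDays(-($InactiveDays + $UpdateLag))
$ReportPath   = "C:\Temp\InactiveUsers.csv"    # assumed output location

$QueryParams = @{
    Filter     = '*'
    SearchBase = $SearchBase
    Properties = 'lastLogonTimeStamp', 'pwdLastSet', 'whenCreated'
}
$Users = Get-ADUser @QueryParams

$Report = foreach ($u in $Users) {
    # Both attributes are Int64 file times; 0 or a missing value means "never"
    $LastLogon = if ($u.lastLogonTimeStamp) { [DateTime]::FromFileTime($u.lastLogonTimeStamp) } else { $null }
    $PwdSet    = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    # An account that has never logged on is only stale once it is older than the
    # cutoff, so freshly created accounts are not flagged
    $Inactive = if ($LastLogon) { $LastLogon -lt $Cutoff } else { $u.whenCreated -lt $Cutoff }
    if (-not $Inactive) { continue }

    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        Enabled           = $u.Enabled
        LastLogonDate     = $LastLogon
        NeverLoggedOn     = ($null -eq $LastLogon)
        PasswordLastSet   = $PwdSet
        Created           = $u.whenCreated
        DistinguishedName = $u.DistinguishedName
    }
}

$Report | Sort-Object LastLogonDate | Format-Table SamAccountName, Enabled, LastLogonDate, NeverLoggedOn -AutoSize
$Report | Export-Csv -Path $ReportPath -NoTypeInformation
```

The NeverLoggedOn column is worth reviewing separately: such accounts are often provisioned for joiners who never started, and they are exactly the ones a plain -lt filter would leave out of the report.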

How to Manage Inactive User Accounts in AD

After finding inactive user accounts in AD, you need to decide what actions to take on them. Depending on your organization’s policies and requirements, you may want to disable, delete, or move inactive user accounts to a different OU. You can also perform other tasks, such as resetting the password, updating the description, revoking the licenses, or setting the email forwarding for inactive user accounts.

To manage inactive user accounts in AD using PowerShell, you can use various cmdlets from the Active Directory module. For example, to disable all inactive user accounts in the Users OU that have not logged on for more than 90 days, you can run this command:

$LastLogonDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Users,DC=Contoso,DC=Com" | Disable-ADAccount

This command will disable each inactive user account in the Users OU.

To delete all inactive user accounts in the Users OU that have not logged on for more than 90 days, you can run this command:

$LastLogonDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Users,DC=Contoso,DC=Com" | Remove-ADUser -Confirm:$false

This command will delete each inactive user account in the Users OU without prompting for confirmation.

To move all inactive user accounts in the Users OU that have not logged on for more than 90 days to a different OU named InactiveUsers, you can run this command:

$LastLogonDate = (Get-Date).AddDays(-90)
Get-ADUser -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Users,DC=Contoso,DC=Com" | Move-ADObject -TargetPath "OU=InactiveUsers,DC=Contoso,DC=Com"

This command will move each inactive user account in the Users OU to the InactiveUsers OU.

You can also use other cmdlets to manage inactive user accounts in AD, such as Set-ADUser, Set-MsolUser, or Set-Mailbox. For more information on these cmdlets, see their respective help pages.

Best Practices for Managing Inactive User Accounts in AD

Managing inactive user accounts in AD is not a one-time task, but rather an ongoing process that requires regular monitoring and maintenance. Here are some best practices that can help you manage inactive user accounts in AD effectively and securely:

  • Define your criteria for inactive user accounts: You need to determine what constitutes an inactive user account for your organization. For example, you may consider a user account inactive if it has not logged on for more than 90 days, or if it has not changed its password for more than 180 days. You should also consider any legitimate reasons for not logging on or changing passwords, such as vacations, leaves, or service accounts. You should document your criteria and communicate them to your users and managers.
  • Implement a deprovisioning process: You should have a clear and consistent process for deprovisioning user accounts when employees leave the organization or change roles. This process should include disabling or deleting the user account in AD, as well as revoking any licenses, access rights, or permissions in other systems. You should also notify the user’s manager and backup any data or files associated with the user account. You should automate this process as much as possible to avoid human errors or delays.
  • Schedule regular audits and reports: You should run periodic audits and reports to identify and review inactive user accounts in AD. You can use PowerShell scripts or graphical tools to generate these reports and export them to CSV files or email them to yourself or other stakeholders. You should review these reports and take appropriate actions on inactive user accounts based on your criteria and policies.
  • Test and verify your actions: Before taking any actions on inactive user accounts in AD, such as disabling, deleting, or moving them, you should test and verify your actions on a test environment or a small subset of users. This will help you avoid any unintended consequences or errors that may affect your network performance or security. You should also backup your AD database before making any changes and restore it if needed.
  • Document and review your policies: You should document your policies and procedures for managing inactive user accounts in AD and review them regularly. You should also update your policies and procedures as your organization’s needs and requirements change. You should communicate your policies and procedures to your users and managers and ensure they comply with them.
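The following script is an added example, not code from the original article, showing how the best practices above (defined criteria, an exclusion list for service accounts and staff on leave, a test run before acting, and a record of every change) can be combined into one repeatable clean-up that disables stale accounts, annotates them, and moves them to a holding OU rather than deleting them outright. The OU names, the exclusion group name, the log path and the 90-day threshold are assumed values.

```powershell
# Added example (not from the original article): staged clean-up of inactive users.
# Assumed values: both OU paths, the exclusion group name, the log path and the threshold.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$SearchBase     = "OU=Users,DC=Contoso,DC=Com",          # assumed source OU
    [string]$HoldingOU      = "OU=InactiveUsers,DC=Contoso,DC=Com",  # assumed holding OU
    [string]$ExclusionGroup = "AD-Cleanup-Exclusions",               # assumed group name
    [int]   $InactiveDays   = 90,                                    # assumed policy threshold
    [string]$LogPath        = "C:\Temp\InactiveUsers-actions.log"    # assumed log location
)
Import-Module ActiveDirectory

$Cutoff = (Get-Date).AddDays(-$InactiveDays)

# Members of the exclusion group (service accounts, long-leave staff) are never touched
$Excluded = Get-ADGroupMember -Identity $ExclusionGroup -Recursive |
                Select-Object -ExpandProperty DistinguishedName

# Only enabled accounts whose last logon is older than the cutoff are candidates
$QueryParams = @{
    Filter     = { Enabled -eq $true -and lastLogonTimeStamp -lt $Cutoff }
    SearchBase = $SearchBase
    Properties = 'lastLogonTimeStamp', 'description'
}
$Candidates = Get-ADUser @QueryParams

foreach ($u in $Candidates) {
    if ($Excluded -contains $u.DistinguishedName) {
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) SKIP $($u.SamAccountName) (excluded)"
        continue
    }

    $LastLogon = [DateTime]::FromFileTime($u.lastLogonTimeStamp).ToString('yyyy-MM-dd')
    $Note      = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): inactive since $LastLogon"

    # ShouldProcess makes -WhatIf and -Confirm work for the whole action
    if ($PSCmdlet.ShouldProcess($u.SamAccountName, "disable, annotate and move to $HoldingOU")) {
        Disable-ADAccount -Identity $u
        Set-ADUser        -Identity $u -Description $Note
        Move-ADObject     -Identity $u -TargetPath $HoldingOU
        Add-Content -Path $LogPath -Value "$(Get-Date -Format s) DISABLED $($u.SamAccountName) lastLogon=$LastLogon"
    }
}
```

Save it as a script (for instance Invoke-StaleUserCleanup.ps1, an assumed name) and run it first with -WhatIf to see which accounts would be affected; the log file then gives you an audit trail for the "test and verify" and "document and review" steps. Because the accounts are disabled and moved rather than deleted, a mistaken action is reversed by re-enabling and moving the account back, and the description records when and why it was disabled.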

Frequently Asked Questions

Here are some frequently asked questions related to managing inactive user accounts in AD:

Question: How can I find inactive computer accounts in AD?

Answer: You can use the same methods and cmdlets that we discussed for finding inactive user accounts in AD, but with some modifications. For example, to find all inactive computer accounts in the Computers OU that have not logged on for more than 90 days, you can run this command:

$LastLogonDate = (Get-Date).AddDays(-90)
Get-ADComputer -Filter {lastLogonTimeStamp -lt $LastLogonDate} -SearchBase "OU=Computers,DC=Contoso,DC=Com" -Properties lastLogonTimeStamp

This command will return the name and the lastLogonTimeStamp value of each inactive computer account. You can also use the Search-ADAccount cmdlet with the -ComputersOnly parameter to find inactive computer accounts.

Question: How can I find inactive user accounts in Azure AD?

Answer: Azure AD is a cloud-based identity and access management service that integrates with your on-premises AD. To find inactive user accounts in Azure AD, you can use the Azure AD PowerShell module or the Azure portal. For example, to find all inactive user accounts in Azure AD that have not logged on for more than 90 days, you can run this command:

# The AzureAD module's Get-AzureADUser does not return sign-in activity, so the last
# sign-in time is read through Microsoft Graph (Microsoft.Graph.Users module);
# reading signInActivity requires the AuditLog.Read.All permission.
Connect-MgGraph -Scopes "User.Read.All", "AuditLog.Read.All"
$LastLogonDate = (Get-Date).AddDays(-90)
Get-MgUser -All -Property Id, UserPrincipalName, DisplayName, SignInActivity |
    Where-Object { $_.SignInActivity.LastSignInDateTime -lt $LastLogonDate } |
    Select-Object DisplayName, UserPrincipalName, @{Name="LastSignIn"; Expression={$_.SignInActivity.LastSignInDateTime}}

This command will return the name and other properties of each inactive user account in Azure AD. You can also use the Azure portal to view the sign-in activity reports for your users and filter them by date range or status.

Question: How can I find inactive user accounts in Office 365?

Answer: Office 365 is a cloud-based suite of productivity and collaboration applications that integrates with your Azure AD. To find inactive user accounts in Office 365, you can use the Microsoft 365 admin center or the Microsoft 365 PowerShell module. For example, to find all inactive user accounts in Office 365 that have not logged on for more than 90 days, you can run this command:

Connect-MsolService
$LastLogonDate = (Get-Date).AddDays(-90)
# Get-MsolUser exposes no sign-in time; the last password change is used here as a
# proxy for activity, so accounts with long-lived passwords can appear inactive
Get-MsolUser -All | Where-Object {$_.LastPasswordChangeTimestamp -lt $LastLogonDate}

This command will return the name and other properties of each inactive user account in Office 365. You can also use the Microsoft 365 admin center to view the active users report for your organization and filter it by date range or license status.

Disclaimer: This article is for informational purposes only and does not constitute professional advice. You should always consult with your IT department or a qualified expert before making any changes to your AD environment. We are not responsible for any damages or losses that may result from following the instructions or recommendations in this article. Use them at your own risk.

The post How to Manage Inactive User Accounts in Active Directory appeared first on PUPUWEB - Information Resource for Emerging Technology Trends and Cybersecurity.


