Hunting for inactive Active Directory user accounts

Prerequisites

You will need the PowerShell ActiveDirectory module installed. Go to Control Panel, Programs and Features, Turn Windows features on or off, then select and install Remote Server Administration Tools. (For Windows 7, download them from here: https://www.microsoft.com/en-ca/download/details.aspx?id=7887)

Let’s go!

$today = Get-Date
$long_ago = $today.AddMonths(-6)
$list = Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -le $long_ago} -Properties *
$list = $list | where {$_.AccountExpirationDate -eq $null -or $_.AccountExpirationDate -gt $today}
$list | select SAMAccountName, DisplayName, Description, LastLogonDate, Created, AccountExpirationDate,`
PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, CanonicalName | `
Export-Csv -Encoding UTF8 -NoTypeInformation ".\inactive_users_$($today.ToString("yyyy_MM_dd")).csv"

Step-by-step

Get the current date and determine a “cut off” date — 6 months back:

$today = Get-Date
$long_ago = $today.AddMonths(-6)
# Enabled accounts whose last logon is on or before the cut-off date
$list = Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -le $long_ago} -Properties *
# Drop accounts that have already expired
$list = $list | where {$_.AccountExpirationDate -eq $null -or $_.AccountExpirationDate -gt $today}
# Count the accounts that remain
$list | measure
# Export the fields needed for review to a dated CSV file
$list | select SAMAccountName, DisplayName, Description, LastLogonDate, Created, AccountExpirationDate,`
PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, CanonicalName | `
Export-Csv -Encoding UTF8 -NoTypeInformation ".\inactive_users_$($today.ToString("yyyy_MM_dd")).csv"
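
An added example (not from the original post) that extends the hunt to enabled accounts that have never logged on: their LastLogonDate is empty, so the -le comparison in the filter above does not return them. The Reason column and the output file name are assumptions made for this example.

```powershell
# Added example, not the original author's script. Assumes the ActiveDirectory
# module is installed and the caller can read user objects in the domain.
Import-Module ActiveDirectory

$today    = Get-Date
$long_ago = $today.AddMonths(-6)
$props    = 'DisplayName', 'Description', 'LastLogonDate', 'Created',
            'AccountExpirationDate', 'PasswordLastSet', 'PasswordNeverExpires',
            'EmailAddress', 'CanonicalName'

# Pull enabled accounts once and classify them client-side, so accounts with
# no logon timestamp at all are not silently dropped by a date comparison.
$enabled = Get-ADUser -Filter 'Enabled -eq $true' -Properties $props

$report = @(foreach ($u in $enabled) {
    # Skip accounts that have already expired, as the script above does.
    if ($u.AccountExpirationDate -and $u.AccountExpirationDate -le $today) { continue }

    if ($u.LastLogonDate) {
        if ($u.LastLogonDate -gt $long_ago) { continue }   # used recently
        $reason = 'StaleLogon'
    }
    elseif ($u.Created -le $long_ago) {
        $reason = 'NeverLoggedOn'                          # old and never used
    }
    else { continue }                                      # new, not used yet

    [pscustomobject]@{
        SamAccountName        = $u.SamAccountName
        DisplayName           = $u.DisplayName
        Description           = $u.Description
        Reason                = $reason                    # column added by this example
        LastLogonDate         = $u.LastLogonDate
        Created               = $u.Created
        AccountExpirationDate = $u.AccountExpirationDate
        PasswordLastSet       = $u.PasswordLastSet
        PasswordNeverExpires  = $u.PasswordNeverExpires
        EmailAddress          = $u.EmailAddress
        CanonicalName         = $u.CanonicalName
    }
})

# Summary per reason, then a dated CSV for review (file name is a constructed choice).
$report | Group-Object Reason | Select-Object Name, Count
$report | Export-Csv -Encoding UTF8 -NoTypeInformation `
    ".\inactive_users_with_never_logged_on_$($today.ToString('yyyy_MM_dd')).csv"
```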
