Hunting for inactive Active Directory user accounts

Prerequisites

You will need the PowerShell ActiveDirectory module, which ships with the Remote Server Administration Tools (RSAT). On Windows 8/8.1, install RSAT, then go to Control Panel, Programs and Features, Turn Windows features on or off and make sure Remote Server Administration Tools / Active Directory module for Windows PowerShell is ticked. (For Windows 7 download RSAT from here: https://www.microsoft.com/en-ca/download/details.aspx?id=7887.) On Windows 10 (1809 and later) and Windows 11, RSAT is an optional feature instead: Settings, Apps, Optional features, add "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools", or from an elevated PowerShell run Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0. Run the script as an account that can read user objects in the domain; no write permissions are needed for the report itself.

Let’s go!

Import-Module ActiveDirectory
$today = Get-Date
$long_ago = $today.AddMonths(-6)   # cut-off date: no logon in the last 6 months
$list = Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -le $long_ago} -Properties *
$list = $list | where {$_.AccountExpirationDate -eq $null -or $_.AccountExpirationDate -gt $today}
$list | select SAMAccountName, DisplayName, Description, LastLogonDate, Created, AccountExpirationDate,`
PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, CanonicalName | `
Export-Csv -Encoding UTF8 -NoTypeInformation ".\inactive_users_$($today.ToString("yyyy_MM_dd")).csv"

Step-by-step

Get the current date and determine a “cut off” date, 6 months back:

Search Active Directory for all the user accounts that are enabled and haven’t logged on since the “cut off” date. LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only refreshed when it is more than 14 days old (by default), so it can lag the real last logon by up to two weeks; that is fine for a 6-month cut-off. For the matching users retrieve all their properties:

Keep only accounts that have not expired (no expiration date set, or one still in the future):

If you want to check how many user accounts are in your list at this stage:

“Select” the columns (user account properties) that you need and export the results to a CSV file named with today’s date, using UTF8 encoding:
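The steps above as one complete script. This is an added example, not the original post's script; it keeps the same cut-off, expiry check and CSV columns, but adds two things a practitioner usually wants: it only requests the attributes the report needs instead of -Properties *, and it also catches enabled accounts that have never logged on (their LastLogonDate is null, so the "-le" filter silently skips them) by querying for a missing lastLogonTimestamp and an account age older than the cut-off. The two queries are disjoint, so no account is listed twice. It assumes the ActiveDirectory module is installed and that you are running it as a domain account with read access to user objects; the variable names are mine.

```powershell
# Added example: inactive-account report, including never-logged-on accounts.
# Assumes the ActiveDirectory (RSAT) module is installed.
Import-Module ActiveDirectory

$today    = Get-Date
$long_ago = $today.AddMonths(-6)   # cut-off: no logon in the last 6 months

# Only pull the attributes the report needs; -Properties * is slow on a large domain.
$props = 'DisplayName','Description','LastLogonDate','Created','AccountExpirationDate',
         'PasswordLastSet','PasswordExpired','PasswordNeverExpires','EmailAddress','CanonicalName'

# 1) Enabled accounts whose last logon (computed from lastLogonTimestamp) is older
#    than the cut-off. The filter runs on the DC; $long_ago is expanded into it.
$stale = @(Get-ADUser -Filter {Enabled -eq $true -and LastLogonDate -le $long_ago} -Properties $props)

# 2) Enabled accounts that have NEVER logged on: lastLogonTimestamp is not set, so
#    LastLogonDate is $null and query 1 misses them. Only report ones created before
#    the cut-off, otherwise every freshly provisioned account would show up.
$never = @(Get-ADUser -Filter {Enabled -eq $true -and lastLogonTimestamp -notlike "*" -and whenCreated -le $long_ago} -Properties $props)

# Drop accounts that have already expired; keep ones with no expiry or a future expiry.
$list = @(($stale + $never) |
    Where-Object { $_.AccountExpirationDate -eq $null -or $_.AccountExpirationDate -gt $today })

# Quick sanity check of the numbers before exporting.
"Stale logon: $($stale.Count)  Never logged on: $($never.Count)  Reported: $($list.Count)"

$list |
    Select-Object SAMAccountName, DisplayName, Description, LastLogonDate, Created, AccountExpirationDate,
                  PasswordLastSet, PasswordExpired, PasswordNeverExpires, EmailAddress, CanonicalName |
    Sort-Object LastLogonDate |
    Export-Csv -Encoding UTF8 -NoTypeInformation ".\inactive_users_$($today.ToString('yyyy_MM_dd')).csv"
```

Treat the CSV as a review list, not a kill list: a service or shared account can go six months without an interactive logon and still be in use, so check the Description and owner before disabling anything, and disable first rather than delete so the change can be reverted.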

Random rumblings about #InfoSec. The opinions expressed here are my own and not necessarily those of my employer.