Every Active Directory user object carries a lastLogonTimestamp attribute that records, approximately, when the user last logged on to the domain. The ActiveDirectory PowerShell module exposes it as the LastLogonDate property, already converted from the raw file-time value to a DateTime, and it is the attribute to use when looking for inactive users.
Two properties of lastLogonTimestamp matter for this job. It is replicated to every domain controller, so any DC gives the same answer. To limit replication traffic, however, it is only rewritten when the stored value is more than msDS-LogonTimeSyncInterval (14 days by default) old, so it can lag the true last logon by up to two weeks. The non-replicated lastLogon attribute is exact, but it would have to be read from every DC and the highest value taken; for a "no logon in 60 days" report the replicated attribute is accurate enough.
Dormant accounts are a security risk: nobody notices when they are used, their passwords are rarely rotated, and they are a common foothold for an attacker holding old credentials. Administrators should report on inactive accounts on a regular schedule and disable accounts that pass an agreed threshold.
This article shows how to use the Get-ADUser cmdlet with the LastLogonDate property to find users who have not logged on within a given number of days.
List Inactive Users in the Active Directory
Use the Get-ADUser cmdlet to search for one or more users in Active Directory. To find users who have not logged on in the last 60 days, run the following commands.
$inactiveDays = ((Get-Date).AddDays(-60)).Date
Get-ADUser -Filter {LastLogonDate -lt $inactiveDays} -Properties LastLogonDate | Select-Object SamAccountName, LastLogonDate
In the above PowerShell script, the $inactiveDays variable holds the date 60 days before today, with the time part removed by .Date so the cutoff falls on midnight.
Get-ADUser uses the Filter parameter to return only user objects whose LastLogonDate is earlier than that cutoff. LastLogonDate is not returned by default, so it is requested explicitly with -Properties; -Properties * also works but pulls every attribute of every user and is noticeably slower in a large domain. Select-Object then keeps only SamAccountName and LastLogonDate.
Two things this filter does not do: it does not exclude accounts that are already disabled (add Enabled -eq $true to the filter if you only want live accounts), and it does not return users who have never logged on, because their LastLogonDate is null and a null value does not satisfy -lt. Those accounts have to be found separately, for example with -Filter {LastLogonDate -notlike "*"}.
The output of the script is the list of inactive users in Active Directory.
Use the Export-Csv cmdlet to write the list of inactive users to a CSV file. The following commands export all users who have not logged on in the last 60 days.
$inactiveDays = ((Get-Date).AddDays(-60)).Date
Get-ADUser -Filter {LastLogonDate -lt $inactiveDays} -Properties LastLogonDate | Select-Object SamAccountName, LastLogonDate | Export-Csv -Path C:\PowerShell\inactive_Users_ad.csv -NoTypeInformation
Export-Csv does not create the C:\PowerShell folder; create it first or the command fails with a path error.
Cool Tip: How to find out which Active Directory groups I am a member of using PowerShell!
Find Inactive Users in AD with No Logon for 45 Days
Use the Get-ADUser command with the Filter parameter to retrieve the user accounts that show no logon activity for 45 days or more. Only the number of days changes; pick whatever threshold your account lifecycle policy defines.
$inactiveDays = ((Get-Date).AddDays(-45)).Date
Get-ADUser -Filter {LastLogonDate -lt $inactiveDays} -Properties LastLogonDate | Select-Object SamAccountName, LastLogonDate
In the above PowerShell script, the $inactiveDays variable stores the current date minus 45 days.
The Get-ADUser cmdlet uses the Filter parameter to retrieve the user accounts in Active Directory whose LastLogonDate is older than that, i.e. no recorded logon in the last 45 days. Because lastLogonTimestamp can lag the real logon by up to 14 days, a user reported as 45 days inactive may have logged on as recently as 31 days ago; choose the threshold with that slack in mind, or add 14 days to it before acting on the list.
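The 60-day and 45-day sections above run the same filter with a different day count, so one fuller script serves both. The following is an added example written for this article, not code from the original post. It restricts the search to enabled accounts, catches users who have never logged on (which the server-side -lt filter silently drops), ignores accounts created after the cutoff, records the 14-day replication slack, exports the result and dry-runs the disable step. It assumes the RSAT ActiveDirectory module is installed and a domain controller is reachable; the output path C:\PowerShell\inactive_Users_ad.csv is the one used in the article and should be adjusted to your environment.

```powershell
# Added example for this article; not code from the original post.
# Assumes the RSAT ActiveDirectory module and a reachable domain controller.
Import-Module ActiveDirectory

$inactiveDays = 60
$cutoff  = (Get-Date).AddDays(-$inactiveDays).Date
$csvPath = 'C:\PowerShell\inactive_Users_ad.csv'   # path from the article; adjust as needed

# lastLogonTimestamp is only rewritten when the stored value is older than
# msDS-LogonTimeSyncInterval (14 days by default). An account reported as
# $inactiveDays days inactive may therefore have logged on up to 14 days
# more recently than LastLogonDate says. Keep that in mind before disabling.
$replicationSlackDays = 14

# Request only the attributes the report needs; -Properties * is much slower
# in a large domain. Enabled -eq $true drops accounts that are already disabled.
$users = Get-ADUser -Filter { Enabled -eq $true } `
                    -Properties LastLogonDate, whenCreated, PasswordLastSet

$report = foreach ($u in $users) {
    # A brand-new account with no logon yet is new, not dormant: skip it.
    if ($u.whenCreated -gt $cutoff) { continue }

    # Never-logged-on accounts have a null LastLogonDate. The server-side
    # filter "LastLogonDate -lt $cutoff" never matches them, so test for
    # null explicitly here; these are often the riskiest accounts.
    $neverLoggedOn = -not $u.LastLogonDate
    if (-not $neverLoggedOn -and $u.LastLogonDate -ge $cutoff) { continue }

    $daysInactive    = $null
    $minDaysInactive = $null   # lower bound once replication slack is removed
    if (-not $neverLoggedOn) {
        $daysInactive    = [int]((Get-Date) - $u.LastLogonDate).TotalDays
        $minDaysInactive = [Math]::Max(0, $daysInactive - $replicationSlackDays)
    }

    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        LastLogonDate     = $u.LastLogonDate
        NeverLoggedOn     = $neverLoggedOn
        DaysInactive      = $daysInactive
        MinDaysInactive   = $minDaysInactive
        WhenCreated       = $u.whenCreated
        PasswordLastSet   = $u.PasswordLastSet
    }
}

# Export-Csv does not create the folder; make sure it exists first.
New-Item -ItemType Directory -Path (Split-Path $csvPath) -Force | Out-Null
$report | Sort-Object DaysInactive -Descending |
    Export-Csv -Path $csvPath -NoTypeInformation

# Cross-check against the built-in cmdlet, which relies on the same attribute.
# The lists should agree apart from the never-logged-on and newly created accounts.
Search-ADAccount -AccountInactive -TimeSpan ([TimeSpan]::FromDays($inactiveDays)) -UsersOnly |
    Where-Object { $_.Enabled } |
    Select-Object SamAccountName, LastLogonDate

# Dry run of the remediation step: only accounts still past the threshold after
# the replication slack is subtracted. Never-logged-on accounts have a null
# MinDaysInactive and are deliberately left out here for manual review.
# Remove -WhatIf only after the report has been checked; service and shared
# accounts often look inactive but are not.
$report | Where-Object { $_.MinDaysInactive -ge $inactiveDays } |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Run it from an account with permission to read user attributes (any domain user can, by default) and, for the final step, permission to disable accounts. Review the NeverLoggedOn rows separately: a large number of enabled accounts that have never logged on usually points to a provisioning process that creates accounts nobody uses.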
Cool Tip: How to export a list of disabled users from Active Directory in PowerShell!
Conclusion
I hope the above article on finding inactive users in Active Directory with the Get-ADUser cmdlet and the user object's lastLogonTimestamp attribute (exposed by the module as LastLogonDate) is helpful to you.
Computer objects carry the same lastLogonTimestamp attribute, so the same filter with Get-ADComputer finds inactive computers in Active Directory.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.