As best practice to check regularly on stale accounts in the active directory, we want to query to get ad user not logged in for specific days. This will help to find inactive user accounts in the active directory.
PowerShell Get-ADUser cmdlet gets one or more specific users in the active directory. Using Get-ADUser Filter parameter to get specific user accounts based on search criteria.
In this article, I will explain how to get ad users not logged in 90 days or find the users not logged in the last 30 days.
Get AD users not logged in last 90 days
To find the active directory users not logged last 90 days, run the following command
$InactiveDays = 90
$Days = (Get-Date).Adddays(-($InactiveDays))
Get-ADUser -Filter {LastLogonTimeStamp -lt $Days -and enabled -eq $true} -SearchBase 'OU=SALES,DC=SHELLPRO,DC=LOCAL' -Properties LastLogonTimeStamp |
select-object Name,@{Name="Date"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('MM-dd-yyyy')}} | export-csv C:\inactive_Users.csv -notypeinformation
In the above PowerShell script to find inactive user accounts not logged in 90 days,
Get-ADUser filter parameter gets ad users who have not logged in last 90 days. It uses Get-Date AddDays() method and has the status as Enabled.
SearchBase parameter specifies to get ad users from specific OU and pass output to the second command.
The second command, select Name and LastLogonTimeStamp of users and export inactive users to CSV file using Export-CSV cmdlet.
Inactive_Users.csv file contains information about active directory users not logged in the last 90 days.
Cool Tip: How to export the list of disabled users in PowerShell!
Get AD user not logged in last 30 days
If you want to get ad user not logged in last 30 days and export to CSV file, use the Get-ADUser filter parameter to specify conditions as below
$InactiveDays = 30
$Days = (Get-Date).Adddays(-($InactiveDays))
Get-ADUser -Filter {LastLogonTimeStamp -lt $Days -and enabled -eq $true} -Properties LastLogonTimeStamp |
select-object Name,@{Name="Date"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('MM-dd-yyyy')}} | export-csv C:\LastLogOn_Users.csv -notypeinformation
In the above PowerShell script to find the users not logged in 30 days,
$InactiveDays โ variable contains 30
$Days โ variable contains inactive days, in our example, it is 30 days
Using PowerShell Get-ADUser filter parameter, it compares ad user lastlogonTimestamp property less than specified inactive days and user status is enabled in active directory.
It then passes ad user objects to the second command to select Name, LastLogonDate of users and export users not logged in last 30 days to CSV file using Export-Csv cmdlet.
Cool Tip: How to find a disabled aduser in OU in PowerShell!
Conclusion
I hope the above article about get ad users not logged in for 30 days or finding inactive users in the active directory is helpful to you.
You can also find computers not logged in last 30 days in the active directory.
Read more about on get-aduser blog posts where I explained to get-aduser by email, get aduser properties, get-aduser filter from specific ou
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
Thank you
Thank You. good job