
PowerShell: Find Those Inactive Users and Computers

By Don Jones February 9, 2012 6:00 PM
1. Active Directory

One of the most common tasks you’ll perform in Active Directory on a regular basis is finding the users and computers that are no longer active. You may want to disable them, or even remove them, depending upon your organization’s policies.

While it’s not overly difficult to do this in Active Directory Users and Computers, there are some compelling reasons to tackle this task in Windows PowerShell. For one, you’ll be able to schedule this to run as a task, meaning it’s one less thing you have to worry about. Another advantage is that you could have PowerShell disable the accounts (for example) and e-mail you a report – again saving time and effort.

Your first task will be to define what an “inactive user” looks like. In a domain at the Windows Server 2003 functional level or later, you can rely on the lastLogonTimestamp attribute, which is replicated between domain controllers. Keep in mind that it is only rewritten when the stored value is more than about 14 days old (14 days minus a random 0 to 5 days), so on any domain controller it can lag the user’s real last logon by up to two weeks. It tells you that an account is stale, not exactly when it was last used. The other awkward thing about the attribute is that it is stored as a 64-bit FILETIME integer (100-nanosecond intervals since January 1, 1601) rather than a normal date/time value; the Active Directory module hides that by exposing a converted LastLogonDate property alongside it.
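As an added example that is not part of the original article, the block below shows how the raw lastLogonTimestamp FILETIME value relates to the LastLogonDate property the Active Directory module exposes, and how to push the staleness cutoff to the domain controller as a FILETIME so that neither the conversion nor the filtering requires pulling every account. The 90-day policy window, the 14-day slack and the sample raw value are assumptions chosen for illustration.

```powershell
Import-Module ActiveDirectory

# lastLogonTimestamp is a 64-bit FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
# Convert a raw value to a DateTime. The value below is a constructed sample, not read from a directory.
$rawSample = [Int64]129432300000000000
$converted = [DateTime]::FromFileTime($rawSample)
"Raw lastLogonTimestamp $rawSample converts to $converted (local time)"

# The attribute is rewritten only when the stored value is more than about 14 days old
# (14 days minus a random 0-5 days), so build that slack into the cutoff before calling an account stale.
$inactiveDays     = 90    # assumption: the inactivity window your policy uses
$replicationSlack = 14
$cutoff         = (Get-Date).AddDays(-($inactiveDays + $replicationSlack))
$cutoffFileTime = $cutoff.ToFileTime()

# Compare on the domain controller as a FILETIME, so only the matching (still enabled) users come back.
$stale = Get-ADUser -Filter { lastLogonTimestamp -lt $cutoffFileTime -and Enabled -eq $true } `
                    -Properties lastLogonTimestamp, LastLogonDate |
         Select-Object Name, SamAccountName, LastLogonDate,
                       @{ Name = 'LastLogonRaw'; Expression = { $_.lastLogonTimestamp } }

# Accounts that have never logged on (or not since the domain reached the 2003 functional level)
# have no lastLogonTimestamp at all, so -lt never matches them. Ask for the missing attribute
# explicitly, exclude disabled accounts with the LDAP bitwise AND rule on userAccountControl,
# and ignore accounts created inside the window so brand-new users are not flagged.
$never = Get-ADUser -LDAPFilter '(&(!(lastLogonTimestamp=*))(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
                    -Properties whenCreated |
         Where-Object { $_.whenCreated -lt $cutoff } |
         Select-Object Name, SamAccountName, whenCreated

$stale | Format-Table -AutoSize
$never | Format-Table -AutoSize
```

If you only need the stale list and not the raw values, the module’s Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly wraps the same lastLogonTimestamp comparison; the hand-written filter is useful when you want to combine it with other conditions or see the raw attribute next to the converted date.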

Another option might be to look at an attribute such as passwordLastSet. After all, if a user hasn’t set their password in a given amount of time, then they’re very likely inactive. Even if they’re still with the organization, you’ll want to look into why they’ve got an old password!

There are a couple of ways you could go about querying this information. I’ll rely on the Active Directory module that ships with Windows Server 2008 R2; it’s also available for Windows 7 as part of the downloadable Remote Server Administration Tools (RSAT - http://www.microsoft.com/download/en/details.aspx?id=7887). This can natively talk to a Windows Server 2008 R2 domain controller regardless of the domain functional level; it can also talk to Windows Server 2003 and 2008 domain controllers if you’ve installed the Active Directory Management Gateway Service on them, which is a free download from Microsoft (http://www.microsoft.com/download/en/details.aspx?id=2852).

Here’s the first way you might make the query:

PS C:\> Import-Module ActiveDirectory
PS C:\> Get-ADUser -Filter * -Properties PasswordLastSet | Where { $_.PasswordLastSet -lt (Get-Date).AddDays(-365) }

I’ve set that to retrieve all users whose passwords haven’t been set in the last 365 days – certainly worth looking into, even if they’re still with the organization. The problem with this approach is that it queries every single user from Active Directory, then filters through them in your computer’s memory. Not exactly efficient. A better approach would be to have Active Directory just return the users that match your criteria:

PS C:\> $cutoff = (Get-Date).AddDays(-365)

PS C:\> $cutoff

Tuesday, November 30, 2010 8:31:13 AM

PS C:\> Get-ADUser -Filter { passwordLastSet -lt $cutoff } | Select Name

That’s much more efficient, although keep in mind it won’t find any users whose password has never been set, because PasswordLastSet is $null for those users (the underlying pwdLastSet attribute is 0, which is also the value “User must change password at next logon” writes). You can’t put “null” directly into that -Filter parameter, so the simplest approach is to pull over every user and filter locally:

PS C:\> Import-Module ActiveDirectory
PS C:\> Get-ADUser -Filter * -Properties PasswordLastSet | Where { $_.PasswordLastSet -eq $null }

Again, that’s not very efficient, so you’re going to want to run it when your domain controller has some free time. In a test domain of 20,000 users, that took about 5 minutes to run, so it’s not horrible, but I’m sure the domain controller and my PC each had to work pretty hard. Notice that I had to explicitly tell Get-ADUser to retrieve the PasswordLastSet property, because it isn’t in the default property set the Active Directory module returns; without -Properties, $_.PasswordLastSet is $null for every user and the Where filter matches everyone.
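The following is an added example, not code from the article, that turns the steps above into one script you could run from a scheduled task: the server-side password-age query, a server-side version of the never-set-password case, the same check for computer accounts, a CSV report, disabling the matches, and e-mailing the report. The 365-day window, the OU, the report path, the SMTP server and the addresses are assumptions; replace them with your own.

```powershell
Import-Module ActiveDirectory

# Assumptions for illustration: 365-day window, a target OU, a report path and mail settings.
$days       = 365
$cutoff     = (Get-Date).AddDays(-$days)
$searchBase = 'OU=Staff,DC=example,DC=com'                                   # assumed OU
$reportPath = Join-Path $env:TEMP ("stale-accounts-{0:yyyyMMdd}.csv" -f (Get-Date))

# 1. Enabled users whose password is older than the cutoff, filtered on the domain controller.
$stalePassword = Get-ADUser -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
    -SearchBase $searchBase -Properties PasswordLastSet, LastLogonDate

# 2. Users the module reports with PasswordLastSet = $null. That is what it shows when the
#    underlying pwdLastSet attribute is 0, so an LDAP filter on (pwdLastSet=0) returns them
#    server-side instead of pulling every user. The bitwise-AND rule excludes disabled accounts.
$neverSet = Get-ADUser -LDAPFilter '(&(pwdLastSet=0)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' `
    -SearchBase $searchBase -Properties PasswordLastSet, LastLogonDate

# 3. Computer accounts rotate their own password (every 30 days by default), so the same
#    test flags machines that have been off the network for a long time.
$staleComputers = Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
    -SearchBase $searchBase -Properties PasswordLastSet, LastLogonDate

# Build one report with the fields an administrator needs to triage each entry.
$report = @( @($stalePassword) + @($neverSet) + @($staleComputers) |
    Select-Object @{ n = 'Type'; e = { $_.ObjectClass } }, Name, SamAccountName,
                  PasswordLastSet, LastLogonDate, DistinguishedName )

$report | Export-Csv -Path $reportPath -NoTypeInformation

# 4. Disable the matches. -WhatIf only shows what would happen; remove it once the report
#    has been reviewed and you are sure service accounts are not on the list.
foreach ($account in $report) {
    Disable-ADAccount -Identity $account.DistinguishedName -WhatIf
}

# 5. Mail the report. Send-MailMessage ships with PowerShell 2.0; server and addresses are assumed.
Send-MailMessage -SmtpServer 'smtp.example.com' -From 'ad-audit@example.com' -To 'admin@example.com' `
    -Subject ("Stale AD accounts: {0}" -f $report.Count) `
    -Body "Stale user and computer accounts are listed in the attached report." `
    -Attachments $reportPath
```

Two practical caveats: run the scheduled task under an account that has only the rights it needs (disable rights on the target OU, not Domain Admins), and expect service accounts set to “password never expires” to show up in the password-age query. Those need a human look before anything is disabled, which is why the script keeps -WhatIf in place until the report has been reviewed.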

Don Jones is a Senior Partner and Principal Technologist for Concentrated Technology, LLC, an IT consulting and analysis firm. He’s the author of more than 35 books.
