How to Find Inactive User Accounts in Active Directory

Why is it Important to Find and Manage Inactive Users in AD?

Inactive users in Active Directory (AD) can present several security risks. Some of the major ones are:

• Unauthorized access: Inactive user accounts may still have access to certain resources, such as network drives or applications. If these accounts are not disabled or deleted, they can be used to gain unauthorized access to sensitive data.
• Password guessing attacks: Attackers can use inactive user accounts to launch password-guessing attacks. If the passwords for these accounts are weak or have not been changed for a long time, they may be easily guessed or cracked, which can lead to a security breach.
• Privilege escalation: Inactive user accounts that have administrative privileges can be used to escalate privileges and gain access to more sensitive systems and data.
• Malware propagation: Inactive user accounts can be used as a vector for malware propagation. Attackers can compromise an inactive account and use it to spread malware throughout the network.
• Compliance violations: Inactive user accounts can violate compliance requirements, such as the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and others. These regulations require organizations to maintain control over user accounts and ensure that only authorized personnel have access to sensitive data.

For the above reasons, it’s vital that you are able to proactively find and effectively manage inactive Active Directory user accounts.

How to List Inactive User and Computer Accounts using Native Methods

The period after which unused user and computer accounts become inactive varies from organization to organization, but it is usually around 15 to 90 days.

There are two methods to find inactive accounts:

1. Using dsquery
2. Using PowerShell

Method 1: Using dsquery

Run the commands given below in the “Command Prompt” to get a list of inactive user and computer accounts:

Run the command given below in the “Command Prompt” to get a list of inactive user accounts:

dsquery user -inactive 15

Run the command given below in the “Command Prompt” to get a list of inactive computer accounts:

dsquery computer -inactive 15

Method 2: Using PowerShell

Get List of Inactive Computer Accounts

To be able to run the Get-ADComputer Powershell cmdlet on a domain workstation, you will need to download and install the ActiveDirectory PowerShell module.

• Open the PowerShell ISE
• Run the following PowerShell commands, adjusting the value of the $DaysInactive variable as required. The sample script below will search for and collect all computers that have not logged in for the last 30 days:
  
  $DaysInactive = 30
• $time variable converts $DaysInactive to LastLogonTimeStamp property format for the -Filter switch to work
  
  $time = (Get-Date).Adddays(-($DaysInactive))
• Identify inactive computer accounts
  
  Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName, LastLogonDate

Export List of Inactive Computer Accounts to CSV file

To export the list of stale computer accounts to a CSV file, add the Export-CSV PowerShell cmdlet, as shown in this updatedPowerShell script:

• Specify inactivity range value below:
  
  $DaysInactive = 90
• $time variable converts $DaysInactive to LastLogonTimeStamp property format for the -Filter switch to work
  
  $time = (Get-Date).Adddays(-($DaysInactive))
• Identify and collect inactive computer accounts:
  
  Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName, LastLogonDate| Export-CSV “C:\Temp\StaleComps.CSV” –NoTypeInformation
• Open the file created by the script:

Get List of Inactive User Accounts and Export them to CSV

Please run below given commands:

• Specify inactivity range value below:
  
  $DaysInactive = 90
• $time variable converts $DaysInactive to LastLogonTimeStamp property format for the -Filter switch to work
  
  $time = (Get-Date).Adddays(-($DaysInactive))
• This command exports the list of inactive user accounts to StaleUsers.csv file.
  
  Get-ADUser -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, SamAccountName, DistinguishedName, LastLogonDate | Export-CSV "C:\Temp\StaleUsers.csv" -NoTypeInformation

How to Manage Inactive User and Computer Accounts using Native Methods

After listing inactive accounts, you manage them by performing the below given methods (you can choose any method from these):

1. Reset passwords of inactive accounts
2. Disable the Inactive Accounts
3. Move the account to an Organizational unit
4. Delete the inactive accounts

Method 1 – Reset Passwords of Inactive Accounts

Perform the following steps just after listing the inactive accounts.

• Navigate to “Start” → “Administrative Tools” → “Active Directory Users and Computers”.
• Right-click the inactive user and click “Reset Password”

  

• Enter new passwords.
• Click “OK”.

Method 2 – Disable the Inactive Accounts

The inactive accounts must be disabled within 15-60 days to prevent any further security threats, using the commands given below:

• To disable the user accounts, run the following command in “Command Prompt”.
  
  dsquery user -disabled -limit 30
• For disabling inactive computer accounts, run the following command in “Command Prompt”.
  
  dsquery computer -disabled -limit 30

  

  NOTE: Here, 30 days is the inactivity period and you can change it.

Method 3 – Move the account to an Organizational unit

After a few days of disabling the accounts, these should be moved to a stand-alone organizational unit. Right-click the username, select “Move” from the context menu and move the user to a standalone Organizational Unit. You can also drag-and-drop the user and computer account to any Organizational Unit.




Method 4 – Delete the inactive accounts

All the disabled inactive accounts after being moved to an organizational unit must be deleted to make sure that no one can use them at all. Execute the following commands.

• Run the command given below to delete the disabled user accounts
  
  dsquery user -inactive 50 | dsrm–noprompt
• Run the command given below to delete disabled computer accounts:
  
  dsquery computer -inactive 7 | dsrm –noprompt

  

  NOTE: Here, 50 days is the inactivity period and you can change it.

Disadvantages of Using the Native Method

All these steps have to be performed manually, which consumes a lot of time and effort. Also in the absence of an automated system, the steps mentioned above are not performed automatically at scheduled intervals, creating more manual work for IT teams.

This task becomes even more complicated when dealing with hundreds of accounts, as users will need an in-depth understanding of PowerShell cmdlets to extract the required information.

The Lepide Inactive User Reporter Freeware Tool

A more straightforward approach is to use the Lepide Active Directory Inactive User Reporter freeware tool. This solution will give you regular reports on stale accounts, helping you to identify and remove those that could be exploited by hackers or insiders. The steps to download and use this freeware tool are given below:

• Download the Freeware Inactive User Reporter
• Run the inactive-users.exe file and the dialog box shown below will be displayed
• Enter the Domain name, User Name and Password
• Click the button to Enumerate Domain Controllers
• Specify the Inactivity Period (Days)
• If required, check the box to Enable report to be sent via email
• If this option is checked, you will need to click Configure to configure the email settings and then click Save once done
  
  
• Click Scan Now and the report will be generated