How to Disable Inactive User Accounts Using PowerShell


It is essential to regularly review stale and inactive Active Directory (AD) user accounts to maintain security and eliminate any potential threats to your Active Directory environment.

User accounts become inactive in several ways. Former employees may still have active accounts long after leaving the company because nobody informed IT that the account was no longer required. Accounts may also have been created for a particular purpose and never deleted after the event. Whatever the cause, monitoring these accounts and having visibility over any inactive accounts will help to protect company data and mitigate the risk of a data breach.

In this article we will look at two ways to find inactive user accounts and then disable them. The first is the native method using PowerShell, and the second is the Lepide Active Directory Cleaner, which provides a straightforward approach and requires no knowledge of PowerShell scripting.

Using PowerShell

The PowerShell module for Active Directory allows system administrators to run Active Directory queries and use the data output to generate reports.

To find inactive accounts with PowerShell, you need the Remote Server Administration Tools (RSAT) installed, or you can run these commands on the domain controller.

To install the AD module for PowerShell, log in as a local administrator, open a PowerShell prompt, type the command below and press ENTER:

Install-WindowsFeature RSAT-AD-PowerShell

1. How to Find Inactive Accounts in Active Directory

The Search-ADAccount cmdlet provides an easy way to query Active Directory for inactive user accounts:

Search-ADAccount -UsersOnly -AccountInactive

The above command lists all inactive accounts. To narrow down the results to a specific time range, you can add the -TimeSpan parameter to Search-ADAccount. In the example below, a variable defines the value for the -TimeSpan parameter, using the New-TimeSpan cmdlet to simplify the input:

$timespan = New-TimeSpan -Days 90
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan

Alternatively, you can use the –DateTime parameter to return accounts that have been inactive since a given date. In the command that follows, accounts not active since October 1st 2025 are returned:

Search-ADAccount -UsersOnly -AccountInactive -DateTime '10/01/2025'

To get more user-friendly information about the accounts, pipe the results to the Get-ADUser cmdlet and then choose the columns to display in the output using Select:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title | Select Name,Department,Title,DistinguishedName

The results can also be sorted by a specified field, in this example by the LastLogonDate property, which is derived from LastLogonTimestamp and converted into a readable format. Get-ADUser only returns this property when it is requested with -Properties:

Search-ADAccount -UsersOnly -AccountInactive | Get-ADUser -Properties Department,Title,LastLogonDate | Sort LastLogonDate | Select Name,Department,Title,DistinguishedName

It’s worth noting that unlike the LastLogOn attribute, LastLogonTimestamp is synchronized between domain controllers, but can be 9 to 14 days out-of-date, so you should bear this in mind when processing your results.
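
Because of that lag, an account close to the inactivity threshold can be checked against the non-replicated LastLogon value on every domain controller before it is treated as inactive. The function below is an added example, not part of the original article; the function name Get-TrueLastLogon and the sample account name are hypothetical.

```powershell
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory)]
        [string]$SamAccountName
    )

    $latest   = [long]0
    $source   = $null
    $complete = $true

    # lastLogon is not replicated, so every domain controller has to be asked in turn.
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $user = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                        -Properties lastLogon -ErrorAction Stop
        }
        catch {
            # An unreachable DC may hold a newer logon, so flag the result as incomplete.
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            $complete = $false
            continue
        }

        # lastLogon is empty or 0 on a DC that has never authenticated this user.
        if ($user.lastLogon -and $user.lastLogon -gt $latest) {
            $latest = $user.lastLogon
            $source = $dc.HostName
        }
    }

    # Convert the FILETIME value to a readable local date, if any DC recorded a logon.
    $when = $null
    if ($latest -gt 0) { $when = [DateTime]::FromFileTime($latest) }

    [pscustomobject]@{
        SamAccountName   = $SamAccountName
        LastLogon        = $when
        DomainController = $source
        AllDCsAnswered   = $complete
    }
}

# Constructed sample account name
Get-TrueLastLogon -SamAccountName 'jdoe'
```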

Another way to simplify the output and count the number of inactive users is to pipe the results to the Measure-Object cmdlet (alias Measure):

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Measure

As with any other PowerShell cmdlets, the results can be piped to Out-GridView, or to a comma-delimited file so that the results can be imported into Excel.

2. How to Disable Inactive Accounts

Once you’ve got the set of results you’re looking for, all you need to do is pipe them to the Disable-ADAccount cmdlet as shown here to disable the accounts:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan | Disable-ADAccount
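
A more cautious version of the pipeline above, added here as an example and not taken from the original article: it skips accounts that are already disabled, recently created, or in an excluded OU, writes a report, and runs Disable-ADAccount with -WhatIf first. The 90-day window, the OU distinguished name and the report path are assumed values.

```powershell
Import-Module ActiveDirectory

# Assumed values for illustration: adjust the window, excluded OU and report path.
$timespan   = New-TimeSpan -Days 90
$cutoff     = (Get-Date) - $timespan
$excludedOU = 'OU=Service Accounts,DC=example,DC=com'   # constructed sample DN
$reportPath = Join-Path $env:TEMP ("inactive-users-{0:yyyyMMdd}.csv" -f (Get-Date))

$candidates = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $timespan |
    Where-Object { $_.Enabled } |                              # already-disabled accounts need no action
    Get-ADUser -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        $_.DistinguishedName -notlike "*,$excludedOU" -and     # leave the excluded OU alone
        $_.whenCreated -lt $cutoff                             # skip new accounts that have not logged on yet
    }

# Keep a record of what is about to change so the action can be reviewed and reversed.
$candidates |
    Select-Object SamAccountName, DistinguishedName, LastLogonDate, whenCreated, Description |
    Export-Csv -Path $reportPath -NoTypeInformation

"{0} account(s) selected; report written to {1}" -f @($candidates).Count, $reportPath

# Dry run: -WhatIf prints each account that would be disabled without changing anything.
$candidates | Disable-ADAccount -WhatIf

# After reviewing the CSV, remove -WhatIf to apply the change:
# $candidates | Disable-ADAccount
```

The exported CSV doubles as a rollback list: the same accounts can be passed to Enable-ADAccount if one turns out to be in use.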

How Lepide Helps

A simpler, more straightforward approach to disable inactive user accounts is to use the Lepide Data Security Platform. Lepide offers the Inactive User Reporter to find inactive accounts and the Active Directory Cleaner to disable the inactive accounts. These are explained below:

The Lepide Inactive User Reporter Free Tool

The Lepide Inactive User Reporter is a freeware tool from Lepide. This solution will give you regular reports on stale accounts, helping you to identify and remove those that could be exploited by hackers or insiders. The steps to download and use this freeware tool are given below:

  • Download the Freeware Inactive User Reporter
  • Run the inactive-users.exe file and the dialog box shown below will be displayed
  • Enter the Domain name, User Name and Password
  • Click the button to Enumerate Domain Controllers
  • Specify the Inactivity Period (Days)
  • If required, check the box to Enable report to be sent via email
  • If this option is checked, you will need to click Configure to configure the email settings and then click Save once done
  • Click Scan Now and the report will be generated:
    [Screenshot: Inactive User Reporter Scan]

    [Screenshot: Inactive User Reporter Results]

The Active Directory Cleanup Tool

The Lepide Active Directory Cleanup Tool is part of the Lepide Data Security Platform and is designed to reduce risk from forgotten accounts. Routine cleaning of Active Directory is intricate and time-consuming, and the AD Cleaner included within the Lepide Solution provides the facility to automate and schedule Active Directory cleanup actions at regular intervals.

Once inactive user accounts have been identified, they can be safely remediated. This means they can be disabled, deleted, moved to an OU, or have their password reset. These actions can run on a schedule, so the cleanup becomes routine and straightforward.

An example of the Active Directory Cleaner settings is shown below. This shows how you can schedule and automate the tasks of setting a password, disabling, moving or deleting inactive accounts to maintain a clean and secure Active Directory.

[Screenshot: AD Cleaner Settings]
