KB ID 0001438
Problem
I do this a lot (usually prior to big migrations). Most organisations have no mechanism for removing old users and computers from Active Directory, and some don’t even disable the accounts.
Find Users Who Have Never Logged On
Use the following PowerShell command:
[box]
Get-ADUser -Filter { LastLogonDate -notlike "*" -and Enabled -eq $true } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression={$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName | Export-Csv C:\temp\Users-Never-Logged-On.csv -NoTypeInformation
[/box]
Note: This will output the users to a csv file, and requires you to have a C:\Temp directory.
Find Users Who Have Not Logged On In 'x' Days
I’m going to use the value of 90 days (remember some staff might be on long-term sick/maternity leave, so check with HR!). Execute the following three commands:
[box]
$DaysInactive = 90
$TrueInactiveDate = (Get-Date).AddDays(-($DaysInactive))
Get-ADUser -Filter { LastLogonDate -lt $TrueInactiveDate -and Enabled -eq $true } -Properties LastLogonDate | Select-Object @{ Name="Username"; Expression={$_.SamAccountName} }, Name, LastLogonDate, DistinguishedName | Export-Csv C:\temp\Users-Inactive-90-days.csv -NoTypeInformation
[/box]
Note: This will output the users to a csv file, and requires you to have a C:\Temp directory.
Find Computers That Have Not Logged On In 'x' Days
Again I’m using 90 days. Execute the following three commands;
[box]
$DaysInactive = 90
$TrueInactiveDate = (Get-Date).AddDays(-($DaysInactive))
Get-ADComputer -Filter { PasswordLastSet -lt $TrueInactiveDate } -Properties PasswordLastSet | Select-Object Name, PasswordLastSet, DistinguishedName | Export-Csv C:\temp\Computers-Inactive-90-days.csv -NoTypeInformation
[/box]
Note: This will output the computers to a csv file, and requires you to have a C:\Temp directory.
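Added example (not part of the original article): the three reports above combined into one review list that skips newly created objects and only flags a computer when both its machine password and its last logon are older than the cutoff. The function name, the $GraceDays parameter and the output file name are assumptions made for illustration.

```powershell
# Added example, not the article's own code. Needs the ActiveDirectory module (RSAT).
# LastLogonDate comes from the replicated lastLogonTimestamp attribute, which can lag
# real logons by up to about 14 days, so keep $DaysInactive well above that.
function Get-StaleAccountReport {
    param(
        [int]$DaysInactive = 90,
        [int]$GraceDays    = 30   # assumption: ignore objects created this recently
    )
    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $grace  = (Get-Date).AddDays(-$GraceDays)

    # Enabled users: never logged on (and not brand new), or idle past the cutoff.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated |
        ForEach-Object {
            $reason = if (-not $_.LastLogonDate) {
                if ($_.whenCreated -lt $grace) { 'NeverLoggedOn' }
            } elseif ($_.LastLogonDate -lt $cutoff) { 'Inactive' }
            if ($reason) {
                [pscustomobject]@{
                    Type = 'User'; Reason = $reason; Name = $_.SamAccountName
                    Enabled = $_.Enabled; LastLogonDate = $_.LastLogonDate
                    PasswordLastSet = $null; Created = $_.whenCreated
                    DistinguishedName = $_.DistinguishedName
                }
            }
        }

    # Computers: flag only when BOTH the machine password and the last logon are older
    # than the cutoff, so one stale attribute alone does not list a live machine.
    Get-ADComputer -Filter * -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            $_.whenCreated -lt $grace -and
            (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $cutoff) -and
            (-not $_.LastLogonDate   -or $_.LastLogonDate   -lt $cutoff)
        } |
        ForEach-Object {
            [pscustomobject]@{
                Type = 'Computer'; Reason = 'Inactive'; Name = $_.Name
                Enabled = $_.Enabled; LastLogonDate = $_.LastLogonDate
                PasswordLastSet = $_.PasswordLastSet; Created = $_.whenCreated
                DistinguishedName = $_.DistinguishedName
            }
        }
}

# Same C:\temp directory the article uses; the file name is an assumption.
Get-StaleAccountReport -DaysInactive 90 |
    Export-Csv C:\temp\Stale-Accounts-Review.csv -NoTypeInformation
```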