PowerShell: Find Disabled or Inactive Users and Computers in AD

PowerShell is becoming increasingly more popular and is the first choice for Windows administrators to collect information from target systems. Every Windows role ships with its own PowerShell modules. Active Directory ships with more than 450 PowerShell cmdlets that you can use to collect information about every object in Active Directory, such as disabled computer accounts and disabled user accounts; interact with the ADSI engine to perform certain useful operations; check the health of domain controllers; collect GPO information; and more.

In the first part of the article, we’ll explain how you can use simple PowerShell commands to find disabled user accounts, disabled computer accounts, and inactive user accounts from a single Active Directory domain. The second part of the article provides a handy PowerShell script that you can use to collect the same information from multiple Active Directory domains.

How to Find Disabled Accounts Information from a Single Domain

 

  • Collecting Disabled Computer Accounts Information

Although Microsoft has not designed any PowerShell cmdlet specifically to collect disabled computer accounts, you can use the Get-ADComputer cmdlet with a filter on the Enabled property. To collect disabled user accounts information, you can always use the Search-ADAccount PowerShell cmdlet, which is explained below.

Get-ADComputer -Filter {(Enabled -eq $False)} -ResultPageSize 2000 -ResultSetSize $null -Server <AnyDomainController> -Properties Name, OperatingSystem

As you can see in the command above, we are instructing the Get-ADComputer cmdlet to look for computer accounts that have the “Enabled” property set to $False, which indicates that the account is disabled.
If you wish to export the output to a CSV file, use the Export-CSV cmdlet, as shown in the PowerShell command below:

Get-ADComputer -Filter {(Enabled -eq $False)} -ResultPageSize 2000 -ResultSetSize $null -Server <AnyDomainController> -Properties Name, OperatingSystem | Export-CSV "C:\Temp\DisabledComps.CSV" -NoTypeInformation

 

  • Collecting Disabled User Accounts Information

To find disabled user accounts in Active Directory, use the Search-ADAccount cmdlet, which is designed to query accounts of any type in Active Directory and supports a number of filtering parameters. The two parameters that restrict the object type are -UsersOnly and -ComputersOnly: when you specify -UsersOnly, Search-ADAccount searches only user objects, and when -ComputersOnly is specified, only computer accounts are searched. To query disabled user accounts in Active Directory, you can execute the command below:

Search-ADAccount -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName

Note that Search-ADAccount supports the “-AccountDisabled” parameter. By using the “-AccountDisabled” parameter, you are instructing Search-ADAccount to look only for disabled user or computer accounts. If you need to export the output to a file, add the Export-CSV cmdlet, as shown in the command below:

Search-ADAccount -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-CSV "C:\Temp\DisabledUsers.CSV" -NoTypeInformation

 

  • Collecting Inactive User Accounts

If you wish to find inactive user accounts in Active Directory, you can use the Search-ADAccount cmdlet. All you need to do is use the “-AccountInActive” parameter with Search-ADAccount, as shown in the PowerShell command below:

Search-ADAccount -AccountInActive -TimeSpan 90:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | Where-Object {$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV "C:\Temp\InActiveUsers.CSV" -NoTypeInformation

The above command uses the -TimeSpan parameter to find user accounts that have been inactive for the last 90 days, and the Where-Object filter keeps only accounts that are still enabled (disabled accounts are covered by the previous report). The output is exported to the C:\Temp\InActiveUsers.CSV file.

 

How to Find Disabled Accounts Information from Multiple Domains

 

When collecting information from multiple Active Directory domains, you need to ensure that the PowerShell script is able to loop through each domain it finds in the Active Directory forest and then execute the PowerShell commands against that domain to collect the required information. You can use the ForEach statement to run the commands against each Active Directory domain, but you also need to ensure that the data for each domain is collected in a separate CSV file. In a nutshell, when collecting disabled user accounts, disabled computer accounts, and inactive user accounts from several Active Directory domains, you need to design a PowerShell script that addresses the following needs:

  • Each Active Directory domain is managed by a separate IT Team, so results must be separable per domain.
  • A single script that can collect information from all Active Directory domains. In other words, you need to design a script that can be executed only once to collect required information from all Active Directory domains.
  • Ability to store disabled user accounts, disabled computer accounts, and inactive user accounts information in a separate CSV file for each domain. Once you have separate CSV files for each domain, you can distribute CSV files to the IT Team of each domain for them to take any actions.

Keeping the above needs in mind, we can use the PowerShell script below. However, before you use the script, make sure you address the requirements mentioned below:

  • You must execute the script from a Windows Server 2012 or later operating system.
  • The Active Directory forest name used by the script is “NetWrix.Com.” Change the forest name in the $CurForestName variable to your own forest before executing the script.
  • Make sure to install Active Directory PowerShell modules on the computer from which you will run the script.
  • Make sure to create a directory with the name “C:\Temp” on the local computer.
  • You must open the PowerShell window in an elevated mode.
  • You must have permission to access all Active Directory domains.

Once you have met the above requirements, you can execute the PowerShell script below:

$DomList = "C:\Temp\DomList.TXT"
Remove-Item $DomList -ErrorAction SilentlyContinue
$CurForestName = "NetWrix.Com"
$GetForest = Get-ADForest $CurForestName
# The Domains property of the forest object is a list of domain DNS names (strings)
$Items = $GetForest.Domains
ForEach ($Domain in $Items)
{
    Add-Content $DomList $Domain
}
Write-Host "Starting Script..."
# Read the domain names back from the file, one per line, and process each domain
ForEach ($DomInFile in (Get-Content $DomList))
{
    $DisabledCompsCSV = "C:\Temp\DisabledAccounts_Computers_" + $DomInFile + ".CSV"
    Remove-Item $DisabledCompsCSV -ErrorAction SilentlyContinue
    $DisabledUsersCSV = "C:\Temp\DisabledAccounts_Users_" + $DomInFile + ".CSV"
    Remove-Item $DisabledUsersCSV -ErrorAction SilentlyContinue
    $InActiveUsersReport = "C:\Temp\InactiveUsers_" + $DomInFile + ".CSV"
    Remove-Item $InActiveUsersReport -ErrorAction SilentlyContinue

    # Disabled computer accounts in this domain
    Get-ADComputer -Server $DomInFile -Filter {(Enabled -eq $False)} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, OperatingSystem | Export-CSV $DisabledCompsCSV -NoTypeInformation
    # Disabled user accounts in this domain
    Search-ADAccount -Server $DomInFile -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-CSV $DisabledUsersCSV -NoTypeInformation
    # Enabled user accounts with no logon in the last 90 days
    Search-ADAccount -Server $DomInFile -AccountInActive -TimeSpan 90:00:00:00 -ResultPageSize 2000 -ResultSetSize $null | Where-Object {$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV $InActiveUsersReport -NoTypeInformation
}
Write-Host "Script Finished collecting required information. Please check report files under C:\Temp folder"

To sum up, the complete script is straightforward, but to make its objectives clear, it performs the following functions:

  • The script collects all Active Directory domains from the Active Directory forest specified in the $CurForestName variable and then stores the domain names in the C:\Temp\DomList.TXT file.
  • The “C:\Temp\DomList.TXT” file is read by the second “ForEach” loop in the script, so each domain is processed in turn.
  • The script collects disabled users, disabled computer accounts, and inactive user accounts from each domain by executing the Get-ADComputer and Search-ADAccount PowerShell commands.
  • The report is generated in a CSV file for each domain. You can find all CSV reports under the C:\Temp folder on the computer from which you run the script.
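As an added example that is not part of the original article, the function below builds on the inactive-account command and the multi-domain loop above: it walks every domain in the forest, keeps only enabled accounts (users and computers) that have not logged on within the chosen window, records how long each has been idle, and flags the riskiest ones so that each domain's IT Team can prioritise cleanup. The function name and parameters are hypothetical; it assumes the ActiveDirectory module is installed and the caller has read access to every domain.

```powershell
# Added example, not part of the original article. Hypothetical function name
# and parameters; assumes the ActiveDirectory module and read access to every
# domain in the forest.
Import-Module ActiveDirectory

function Get-StaleAccountReport {
    param(
        [Parameter(Mandatory)] [string] $ForestName,
        [int]    $InactiveDays = 90,
        [string] $OutputFolder = 'C:\Temp'
    )
    # Get-ADForest returns the domain DNS names as plain strings
    $domains = (Get-ADForest -Identity $ForestName).Domains

    foreach ($domain in $domains) {
        try {
            # -AccountInactive is evaluated from the replicated lastLogonTimestamp,
            # which can lag the real last logon by up to ~14 days: treat LastLogonDate
            # as a lower bound, never as proof the account was unused on a given day.
            $stale = Search-ADAccount -Server $domain -AccountInactive `
                         -TimeSpan (New-TimeSpan -Days $InactiveDays) `
                         -ResultPageSize 2000 -ResultSetSize $null |
                     Where-Object { $_.Enabled }   # disabled accounts are reported elsewhere
            $report = foreach ($acct in $stale) {
                $last = $acct.LastLogonDate
                [pscustomobject]@{
                    Domain               = $domain
                    ObjectClass          = $acct.ObjectClass        # user or computer
                    SamAccountName       = $acct.SamAccountName
                    DistinguishedName    = $acct.DistinguishedName
                    LastLogonDate        = $last
                    DaysInactive         = if ($last) { [int]((Get-Date) - $last).TotalDays } else { $null }
                    PasswordNeverExpires = $acct.PasswordNeverExpires
                    # Enabled, never logged on, non-expiring password: clean these up first
                    Priority             = if (-not $last -and $acct.PasswordNeverExpires) { 'High' } else { 'Normal' }
                }
            }
            $path = Join-Path $OutputFolder ("StaleAccounts_{0}.CSV" -f $domain)
            $report | Sort-Object Priority, LastLogonDate | Export-Csv -Path $path -NoTypeInformation
            Write-Host ("{0}: {1} enabled accounts inactive > {2} days -> {3}" -f `
                        $domain, @($report).Count, $InactiveDays, $path)
        }
        catch {
            # An unreachable or untrusted domain must not abort the rest of the forest
            Write-Warning ("{0}: {1}" -f $domain, $_.Exception.Message)
        }
    }
}
Get-StaleAccountReport -ForestName 'NetWrix.Com' -InactiveDays 90
```

Accounts with an empty LastLogonDate have never logged on since lastLogonTimestamp tracking was enabled, which is why they sort to the top of each report.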

Once the CSV reports are generated, you can send output files to each IT Team via e-mail, or you can embed the “Send-MailMessage” cmdlet in the script so the script sends an e-mail with a CSV report to each IT Team. We will talk about the “Send-MailMessage” cmdlet in the upcoming part of this article series.

If you are a busy person, you should try some free tools to automate the task and save your time. For instance, armed with Inactive User Tracker you will be able to quickly clean out or lock down all of your stale user accounts. Please share your thoughts and the tools you use to detect stale accounts in the comments below.
