Finding Disabled and Inactive Accounts in AD

PowerShell is increasingly the tool of choice for Windows administrators. The Active Directory PowerShell module includes more than 450 cmdlets that you can use to collect information about every object in Active Directory, check the health of domain controllers, collect GPO information and more.

This article details how you can use PowerShell to find disabled and inactive user and computer accounts in your Active Directory domains.

Prerequisites

To use the scripts provided here, you need to:

  • Install the Active Directory PowerShell module on the machine where you will execute the script. That computer must be running Windows Server 2012 or later.
  • Open the PowerShell window in an elevated mode.
  • Run the script using credentials that have permission to access all the Active Directory domains where you are collecting data.

Checking a Single Domain

If you need to check whether a particular user or computer account is disabled or inactive, you can do so manually using the Active Directory Users and Computers (or ADUC) snap-in. If you need to identify disabled and inactive accounts across a domain, however, it is best to automate the task using PowerShell.

For example, to collect disabled computer accounts, you can use the Get-ADComputer cmdlet to look for computer accounts that have the Enabled property set to $False, which indicates that the account is disabled:

Get-ADComputer -Filter {(Enabled -eq $False)} -ResultPageSize 2000 -ResultSetSize $null -Server <AnyDomainController> -Properties Name, OperatingSystem

Here are scripts for related tasks:

Checking Across Multiple Domains

If you want to collect information from multiple Active Directory domains, you need a PowerShell script that can loop through each domain in your Active Directory forest and store the data collected for each domain in a separate CSV file for the IT team responsible for that domain.

Before you run the script provided below, be sure to:

  • Create a directory with the name “C:\Temp” on the local computer to store the CSV files.
  • Replace “enterprise.com” in the $CurForestName variable with the name of your forest.

Sample script

Import-Module ActiveDirectory
$DomList = "C:\Temp\DomList.TXT"
Remove-Item $DomList -ErrorAction SilentlyContinue
$CurForestName = "enterprise.com"
$GetForest = Get-ADForest $CurForestName
# The Domains property is a collection of DNS domain names (strings); write one per line
$Items = $GetForest.Domains
ForEach ($Domain in $Items)
{
    Add-Content $DomList $Domain
}
Write-Host "Starting Script..."
# Read the domain list back from the file and process each domain in turn
ForEach ($DomInFile in (Get-Content $DomList))
{
    $DisabledCompsCSV = "C:\Temp\DisabledAccounts_Computers_" + $DomInFile + ".CSV"
    Remove-Item $DisabledCompsCSV -ErrorAction SilentlyContinue
    $DisabledUsersCSV = "C:\Temp\DisabledAccounts_Users_" + $DomInFile + ".CSV"
    Remove-Item $DisabledUsersCSV -ErrorAction SilentlyContinue
    $InActiveUsersReport = "C:\Temp\InactiveUsers_" + $DomInFile + ".CSV"
    Remove-Item $InActiveUsersReport -ErrorAction SilentlyContinue
    # Disabled computer accounts
    Get-ADComputer -Server $DomInFile -Filter {(Enabled -eq $False)} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, OperatingSystem | Export-CSV $DisabledCompsCSV -NoTypeInformation
    # Disabled user accounts
    Search-ADAccount -Server $DomInFile -AccountDisabled -UsersOnly -ResultPageSize 2000 -ResultSetSize $null | Select-Object SamAccountName, DistinguishedName | Export-CSV $DisabledUsersCSV -NoTypeInformation
    # User accounts that are still enabled but have not logged on for 90 days
    Search-ADAccount -Server $DomInFile -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 -ResultPageSize 2000 -ResultSetSize $null | Where-Object {$_.Enabled -eq $True} | Select-Object Name, SamAccountName, DistinguishedName | Export-CSV $InActiveUsersReport -NoTypeInformation
}
Write-Host "Script Finished collecting required information. Please check report files under C:\Temp folder"
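As an added example (not part of the original article or its script), the function below refines the per-domain inactive-user check: it works from LastLogonDate directly so that accounts that have never logged on are reported separately from accounts that went quiet, it skips accounts created inside the window so new hires are not flagged, and it marks members of a few privileged groups so those rows can be reviewed first. The group names, the 90-day threshold and the server name are assumptions; the function can be called once per domain inside the loop above.

```powershell
# Added example: report enabled-but-stale user accounts in one domain.
# Assumes the ActiveDirectory module is installed and the caller can read the domain.
Import-Module ActiveDirectory

function Get-StaleEnabledUsers {
    param(
        [Parameter(Mandatory)] [string] $Server,   # any domain controller or the domain DNS name
        [int] $InactiveDays = 90,                  # assumed threshold, same as the article's 90 days
        [string[]] $PrivilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')  # assumed
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Resolve privileged group members once so the per-user check is a hash lookup.
    $privileged = @{}
    foreach ($g in $PrivilegedGroups) {
        Get-ADGroupMember -Server $Server -Identity $g -Recursive -ErrorAction SilentlyContinue |
            Where-Object { $_.objectClass -eq 'user' } |
            ForEach-Object { $privileged[$_.distinguishedName] = $true }
    }

    # LastLogonDate is the replicated lastLogonTimestamp; it is only refreshed when it is
    # more than roughly 14 days old, so treat it as an approximation, not an exact last logon.
    Get-ADUser -Server $Server -Filter { Enabled -eq $true } -ResultPageSize 2000 -ResultSetSize $null `
        -Properties LastLogonDate, PasswordLastSet, whenCreated |
        Where-Object {
            # Skip accounts created inside the window: they may simply not have logged on yet.
            $_.whenCreated -lt $cutoff -and
            ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
        } |
        ForEach-Object {
            $status = if ($null -eq $_.LastLogonDate) { 'NeverLoggedOn' } else { 'Inactive' }
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogonDate     = $_.LastLogonDate
                PasswordLastSet   = $_.PasswordLastSet
                Created           = $_.whenCreated
                Status            = $status
                Privileged        = $privileged.ContainsKey($_.DistinguishedName)
            }
        } |
        Sort-Object -Property @{ Expression = 'Privileged'; Descending = $true }, LastLogonDate
}

# Example usage (replace the server name with one of your own):
# Get-StaleEnabledUsers -Server dc01.enterprise.com | Export-Csv C:\Temp\StaleUsers.csv -NoTypeInformation
```

Privileged rows sort to the top of the report; a stale account in one of those groups is the one to disable or review before the rest.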

Sharing the reports

Once the CSV reports are generated, you can send the appropriate file to each IT team via email. Alternatively, you can embed the Send-MailMessage cmdlet in the script so the script sends those emails automatically. We will discuss this cmdlet in an upcoming article in this series.

How Netwrix Can Help

Although using PowerShell is a lot faster than checking for disabled and inactive accounts manually, it still takes a lot of work to create, maintain and execute scripts. If you are a busy person, consider looking into tools that automate the work and save you time. For instance, armed with the free Inactive User Tracker, you will be able to quickly clean out or lock down all of your stale user accounts. And a robust solution like Netwrix Auditor for Active Directory will empower you to report on account status in just a few clicks, as well as to automate auditing, discover security weak spots and streamline incident investigations.

Nirmal is an MCSEx3, MCITP, and he was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in PowerShell Scripting, Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, and System Center products.