
How to Export Inactive Users from Active Directory to Secure AD

Written By Mohit Jha
Approved By Anuraag Singh
Published On September 19th, 2024
Reading Time 6 Minutes

Any admin who does not know how to export inactive users from Active Directory puts their AD environment at risk. It is not entirely their fault, though, as it is rather difficult to tell active users apart from those that are not.

The default search is difficult because, unlike disabled users, which are easy to spot thanks to the icon change, there is no visual indicator for inactive users, so admins have to rely on secondary tactics.

Whatever the reason, do not delay the identification and disabling process, as inactive users pose an even greater security threat than disabled ones. If their credentials leak, there is no second security barrier preventing a hijacked inactive account from accessing AD resources. So let us start by seeing how PowerShell can help us achieve this. Nevertheless, we need to make some preparations first.

Prerequisites to Export Inactive Users from Active Directory via PowerShell

First up ensure that the latest compatible version of PowerShell is installed on your machine. PowerShell may need to be updated before you can use it to export a list of inactive AD users.

Once the PowerShell console is up and running, add the necessary modules that allow you to search inside AD, more specifically the

You need to run PowerShell with sufficient permissions to query Active Directory, typically as a Domain Administrator or with delegated permissions.

  • Press the Windows icon > open the Settings menu.
  • Select System > scroll until you see the Optional Features section in the left pane and click it.
  • Inside the Optional Features settings, click Add a feature.
  • Use the search bar in the popup to find “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”.
  • Mark the check box next to it, then click the Add button at the bottom.
  • After some time the utility will be ready for use.

These steps are for Windows 10/11 machines. If you operate a Windows Server there may be slight differences, and you can use the Install-WindowsFeature RSAT-AD-PowerShell command instead.

Then load the module with Import-Module ActiveDirectory

PowerShell Script(s) to Get Inactive AD Users

The following command lists the user accounts that Active Directory considers inactive (note the parameters use plain hyphens, not dashes):

Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly

The -TimeSpan value is given as days.hours:minutes:seconds, so this searches for accounts inactive for 90 days; if you want a different period, put that number of days in instead of 90.

# Cut-off date: anything older than this counts as inactive (180 days here)
$d = [DateTime]::Today.AddDays(-180)
# Users whose password was last set before the cut-off, or whose last replicated logon was before it.
# LastLogonTimestamp is stored as a FileTime integer, so it is converted for display.
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp |
    Format-Table Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
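As an added example (not code from the original article), the script below turns the query above into an exportable report: it skips accounts that are already disabled, includes users who never logged on, pads the cut-off for replication lag, and writes a CSV. The 90-day threshold, the output path and the availability of the RSAT ActiveDirectory module are assumptions.

```powershell
# Added example: export enabled users with no logon for $InactiveDays days to CSV.
# Assumes the RSAT ActiveDirectory module is installed and the session may query the domain.
param(
    [int]$InactiveDays = 90,                                   # assumed threshold
    [string]$OutFile = "$env:USERPROFILE\inactive-users.csv"   # assumed output path
)
Import-Module ActiveDirectory

# lastLogonTimestamp is only replicated when the stored value is more than
# msDS-LogonTimeSyncInterval (14 days by default) behind the real logon, so it can
# lag by up to 14 days. Pad the cut-off so a 90-day report never flags a user
# who actually logged on 80 days ago.
$cutoff = (Get-Date).AddDays(-($InactiveDays + 14))

# Enabled users whose replicated last logon is older than the cut-off, plus enabled
# users that have never logged on and were created before the cut-off (an unset
# attribute would otherwise never satisfy "-lt"). The AD module resolves $cutoff
# from this scope even though the filter is a single-quoted string.
$filter = '(Enabled -eq $true) -and ((LastLogonTimestamp -lt $cutoff) -or ' +
          '((LastLogonTimestamp -notlike "*") -and (whenCreated -lt $cutoff)))'

$users = Get-ADUser -Filter $filter -Properties LastLogonTimestamp, whenCreated, PasswordLastSet |
    Select-Object Name, SamAccountName, DistinguishedName,
        @{N = 'LastLogon'; E = {
            if ($_.LastLogonTimestamp) { [datetime]::FromFileTime($_.LastLogonTimestamp) } else { 'never' } } },
        @{N = 'WhenCreated';     E = { $_.whenCreated } },
        @{N = 'PasswordLastSet'; E = { $_.PasswordLastSet } }

# Export first, then show the same rows on screen for a quick review.
$users | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
Write-Host ("{0} inactive enabled user(s) written to {1}" -f @($users).Count, $OutFile)
$users | Format-Table -AutoSize
```

Review the CSV before disabling anything: service accounts that authenticate with a fixed password and rarely interactively log on will also appear here.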

If you find the code-based method to be too technical then you might use additional options built into your Active Directory infrastructure.

Traditional Methods to List Inactive Users in Active Directory

There are a couple of places you can look to find users who have shown no signs of activity. First up is the Active Directory Users and Computers console (ADUC).

  • Open ADUC.
  • Click View and enable Advanced Features.
  • Right-click a user and select Properties in the context menu.
  • When the user properties window opens, go to the Attribute Editor tab.
  • Type “l” and look for lastLogon and lastLogonTimestamp to see whether the user has been inactive.

Repeat this for every user you suspect of not being active in AD. You can ignore the users whose icon has a little black downward-pointing arrow, as it means those users are disabled or expired and so are inactive by default.

If you don't want to repeat this search for a large number of users, there is another way to use ADUC: filtering out the active users.

  • Click the Filter icon.
  • Mark Create custom filter > press Customize… > switch to Advanced > paste:
  • (&(objectClass=user)(objectCategory=person)(!(userAccountControl:1.2.840.113556.1.4.803:=2))(lastLogonTimestamp<=#CUTOFF_FILETIME#))
  • Replace #CUTOFF_FILETIME# with your cut-off date as a Windows FileTime value (the 18-digit integer that [datetime]::ToFileTime() returns in PowerShell). The (!(userAccountControl:1.2.840.113556.1.4.803:=2)) clause excludes accounts that are already disabled, and the lastLogonTimestamp clause keeps only users whose last replicated logon is on or before the cut-off.
  • OK > OK

This should hide all users who were active after the cut-off, as well as other object types, so you can browse the remaining users and export the results via the built-in export button on the toolbar.

Other than ADUC there is the Active Directory Administrative Center (ADAC), which can be used for the same purpose.

For ADAC the process is quite similar: admins launch the console and use the same LDAP query inside Global Search to bring up the inactive accounts, then select, copy and paste the results into an external location such as Notepad.

Event Viewer can’t be used as it is designed to record live activity so it can’t accurately measure user inactivity.

Use the Command line to Get Every Inactive User in AD

There is a simple one-line query that does the job:

dsquery user -inactive <Number of Weeks> -limit 100

Replace the <Number of Weeks> part with your own value (dsquery measures inactivity in weeks, not days) and raise or lower the -limit value as needed; -limit 0 returns every match.

The command line can also be used directly to secure AD. Admins can disable inactive accounts or remove them altogether.

To disable:

dsquery user -inactive <Number of Weeks> | dsmod user -disabled yes

To delete:

dsquery user -inactive <Number of Weeks> | dsrm -noprompt

An easier script-free method that displays the list of non-active users is given below.

How to Export Inactive Users from Active Directory Professionally

SysTools Active Directory Reporting tool can get you the list of all inactive AD users in just a few clicks. The inbuilt Date picker can help you see how many users have been inactive for 5, 7, 10, 30, 60, 90 to up to 1 year.


So you can export the most accurate list possible.

The custom option allows admins to set up a specific date range for inactivity tracking.

So those who find PowerShell confusing and the default AD options limited can use this software to remotely prepare the inactive user list for the Active Directory.

The following steps will help you use the tool:

  • Launch the tool and let the credentials autofill.
  • Click on REGISTER DOMAIN CONTROLLER.
  • Type the Domain Friendly Name and IP, then Save.
  • In the Domain Details page fill in the admin credentials and save.
  • Go to the Reports section and click the Inactive category under the Users workload.
  • On the next screen add the Date Picker and press Preview.
  • All inactive users in the Active Directory should appear on the Dashboard.
  • Expand the Download tab and click CSV.

Then choose where you want to keep this report and view it on a text editor or spreadsheet program.

Conclusion

In this article, we gave a thorough explanation of how to export inactive users from Active Directory. We saw that there are multiple ways to track inactive users, from ADUC, ADAC and Event Viewer to PowerShell modules. Apart from the traditional ways, we also gave readers a modern approach to list all users who have not been active for a while inside Active Directory.


By Mohit Jha

Mohit is a Microsoft Certified expert known for his cloud migration, cyber security, and digital forensics expertise. He specializes in Microsoft 365, Exchange Server, and Azure AD migration, ensuring seamless transitions for organizations worldwide. His multifaceted role as a meticulous tech writer, diligent researcher, and astute editor underscores his commitment to delivering cutting-edge digital forensics and cloud migration strategies.