Offer

News We Recently Launched AD Migrator and AD Reporter.

How to Find Inactive Users from Active Directory and Export the List

  author
Written By Mohit Jha
Anuraag Singh
Approved By Anuraag Singh  
Published On November 20th, 2024
Reading Time 7 Minutes Reading

Any admin who does not know how to find inactive users from Active Directory puts their AD environment at risk. However, it is not their fault entirely as it is rather difficult to correctly identify the active users from the ones that are not.

The default search becomes difficult as unlike disabled computers which can be easily identified thanks to the icon change, there is no such visual indicator for inactive users (Or any inactive object for that matter). So admins have to rely on secondary tactics.

No matter the reason don’t delay the identification and disabling process as inactive users pose an even greater security threat than disabled ones.

This is because if the credentials leak there is no second security barrier preventing a hijacked inactive user from accessing the AD resources. So let us start by seeing how the PowerShell command can help us achieve the needful. Nevertheless, we need to make some preparations first.

Prerequisites to Export Inactive Users from Active Directory via PowerShell

First up ensure that the latest compatible version of PowerShell is installed on your machine. PowerShell may need to be updated before you can use it to export a list of inactive AD users.

Once the PowerShell portal is up and running add the necessary modules that allow you to search inside AD. more specifically the

You need to run PowerShell with sufficient permissions to query Active Directory, typically as a Domain Administrator or with delegated permissions.

  • Press the Windows Icon > Open Settings Menu
  • Select System > Scroll till you See the Optional Features section in the left pane and click it.
  • Inside the Optional Features, setting Click on Add a feature.
  • Use the Search bar in the popup to find the “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”
  • Mark the check box next to it then click on the Add button at the bottom.
  • After some time the utility would be ready for use.

These steps are for Windows 10/11 machines, if you operate a Windows Server there might be slight changes so you can use the Install-WindowsFeature RSAT-AD-PowerShell command instead.

Then put  Import-Module ActiveDirectory

PowerShell Script(s) to Find Inactive AD Users

The following script can help you get the list

 Search-ADAccount –AccountInactive –UsersOnly

If you want to search ad accounts inactive for 90 days put in that value instead

$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}

If you find the code-based method to be too technical then you might use additional options built into your Active Directory infrastructure.

Traditional Methods to List Inactive Users in Active Directory

There are a couple of areas you can look into to find those users who have not shown any signs of activity. First up we have the Users and Computers portal.

  • Open up ADUC
  • Click on View to enable Advanced Features.
  • Right Click on a user and Select the Properties option in the Context menu
  • When the user properties portal opens go to the attribute editor
  • Type “l” and look for lastLogon and lastLogonTimestamp to see if the user has been inactive or not.

Repeat for Every User you suspect of not being active on the AD. You can ignore the users whose icon has a little black downward pointing arrow as it means that those users are disabled or expired so by default they are inactive.

If you dont know how to find inactive users from Active Directory without making multiple repetitive searches. Like when there are a large number of users there is another way you can use ADUC. Which is filtering out the inactive users.

  • Click on the Filter
  • Mark create custom filter > Press Customize… > toggle Advanced > Paste
  • (&(objectclass=user)(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenchanged>=#LAST_DAYS#))
  • Replace #LAST_DAYS# with the time interval
  • OK > OK

This should hide all users who were active as well as other object types so you can browse for the users and export the results via the built-in button on the toolbar.

Other than ADUC there is the Admin Center, which can be used for the same.

For ADAC the process is quite similar where admins have to launch the portal using the same LDAP query inside Global Search to bring out the inactive accounts. Select copy and paste the results on an external area like notepad.

Event Viewer can’t be used as it is designed to record live activity so it can’t accurately measure user inactivity.

Use the Command line to Get Every Inactive User in AD

There is a simple one-line query that does the job

dsquery user -inactive  <Number of Days> -limit 100

Replace the <Number of Days> part with your own value and also increase or decrease the limit part.

The command line can be directly used to secure the AD. Admins can get rid of inactive accounts or put them in disabled status.

To Disable

dsquery user -inactive <Number of Days> | dsmod user –disabled yes

To Delete

dsquery user -inactive <Number of Days> | dsrm -noprompt

An easier script-free method that displays the list of non-active users is given below.

How to Find Inactive Users from Active Directory Professionally and Export List in CSV

SysTools Active Directory Reporting tool can get you the list of all inactive AD users in just a few clicks. The inbuilt Date picker can help you see how many users have been inactive for 5, 7, 10, 30, 60, 90 to up to 1 year.

Download Now Purchase Now

So you can export the most accurate list possible.

The custom option allows admins to set up a specific date range for inactivity tracking.

So those who feel PowerShell to be confusing and default AD options to be limited can make use of this software to remotely prepare the inactive user list inside the Active Directory

The following steps will help you use the tool:

  • Launch the tool and let the credentials autofill.
    Type administrator
  • Click on REGISTER DOMAIN CONTROLLER.
    Register Domain Controller button to add the domain where you will find inactive users from active directory
  • Type the Domain Friendly Name and IP, and Save.
    browse-pdf-file
  • In the Domain Details page fill in admin credentials, save.
    permission validation before you can answer how to find inactive users from active directory
  • Go to the Reports section, Click on the Inactive category under the Users Workload.
    select the category you believe is the best answer to how to find inactive users from active directory
  • On the next Screen Add the Date Picker and press Preview.
    view date selection
  • All inactive users in the Active Directory should appear on the Dashboard.
    Preview
  • Expand the Download Tab and Click on CSV.
    successfull download message that helped you to answer how to find inactive users from active directory

Then choose where you want to keep this report and view it on a text editor or spreadsheet program.

Conclusion

In this article, we gave a thorough explanation of how to export inactive users from Active Directory. We saw saw there are multiple different ways to track inactive users, from ADUC, ADAC, Event Viewer, and PowerShell modules. Apart from the traditional ways we gave the readers a modern approach to list out all users who have not been active for a while inside Active Directory.

Frequently Asked Questions

Is a Disabled user the same as an inactive user in Active Directory?
No, inactive users mean a particular user that can access the AD anytime but has not done so in a while. Whereas the disabled category is for those users who can no longer enter the AD unless the admin changes their account status. So, in a way, all disabled users can be put into the inactive category. However, the opposite is not true.

Which is the threshold after which a user account is inactive?

Usually, the most common time period is 90 days (roughly 3 months). However, it can be greater or lesser as per the organization’s policy.

 

  author

By Mohit Jha

Mohit is a Microsoft Certified expert known for his cloud migration, cyber security, and digital forensics expertise. He specializes in Microsoft 365, Exchange Server, and Azure AD migration, ensuring seamless transitions for organizations worldwide. His multifaceted role as a meticulous tech writer, diligent researcher, and astute editor underscores his commitment to delivering cutting-edge digital forensics and cloud migration strategies.