How to Find Inactive Users from Active Directory and Export the List?
When it comes to managing and maintaining an optimal AD infrastructure, the responsibility lies solely with the Active Directory (AD) administrator. The admin has to ensure secure and efficient user account management and has to oversee the centralized control of user access to network resources.
However, there are several instances where the admin faces technical complexities in configuring and performing regular tasks such as finding inactive users in Active Directory.
Recently I have seen several forums where admins were asking how to find inactive users in Active Directory. It is not entirely their fault, as it is genuinely difficult to correctly separate the active users from the ones that are not.
Knowing the significance of this task, I have put together a detailed guide in which I share four ways to easily export the list of inactive users from Active Directory.
The default search option is of little help here: unlike disabled computers, which can be easily identified thanks to the icon change, there is no such visual indicator for inactive users (or any inactive object, for that matter). So admins have to rely on secondary tactics.
Whatever the reason, do not delay the identification and disabling process, as inactive users pose an even greater security threat than disabled ones.
This is because if the credentials leak, there is no second security barrier preventing a hijacked inactive account from accessing AD resources. So let us start by seeing how PowerShell can help us achieve this. Nevertheless, some preparation is needed first.
Prerequisites to Export Inactive Users from Active Directory via PowerShell
First up ensure that the latest compatible version of PowerShell is installed on your machine. PowerShell may need to be updated before you can use it to export a list of inactive AD users.
Once the PowerShell console is up and running, add the necessary modules that allow you to search inside AD, more specifically the
You need to run PowerShell with sufficient permissions to query Active Directory, typically as a Domain Administrator or with delegated permissions.
- Press the Windows Icon > Open Settings Menu.
- Select System > Scroll till you See the Optional Features section in the left pane and click it.
- Inside the Optional Features setting, click on Add a feature.
- Use the Search bar in the popup to find the “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”
- Mark the check box next to it then click on the Add button at the bottom.
- After some time the utility will be ready for use.
These steps are for Windows 10/11 machines. If you operate a Windows Server there may be slight differences, so you can use the Install-WindowsFeature RSAT-AD-PowerShell command instead.
Then run Import-Module ActiveDirectory
PowerShell Script(s) to Find Inactive AD Users
The following command can help you get the list:
Search-ADAccount -AccountInactive -UsersOnly
If you want to search for AD accounts inactive for 90 days, add the -TimeSpan parameter with that value:
Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly
Alternatively, the following script lists users whose password was last set, or whose last logon timestamp was recorded, more than 180 days ago (the LastLogonTimestamp attribute is stored as a FileTime integer, so it is converted to a date for display):
$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp |
    Format-Table Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}
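The one-liners above show the query but stop short of a usable export. The following script is an added example, not code from the original article, that builds on the same Get-ADUser filter: it keeps only enabled accounts, treats accounts that have never logged on as inactive only if they were created before the cutoff (so a freshly provisioned account is not flagged), converts the FileTime value into a readable date, and writes the result to CSV. It assumes the RSAT ActiveDirectory module is installed and that the session has rights to read user attributes; the function name Get-InactiveADUser and the output path are my own choices.

```powershell
# Added example (not from the article): list enabled AD users inactive for
# more than $Days days and export the list to CSV.
# Assumes: RSAT ActiveDirectory module installed, read access to user objects.
Import-Module ActiveDirectory

function Get-InactiveADUser {
    param(
        [int]$Days = 90,                                        # inactivity threshold
        [string]$SearchBase = (Get-ADDomain).DistinguishedName  # whole domain by default
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # The AD provider resolves $cutoff inside the single-quoted filter.
    # LastLogonTimestamp is only replicated every ~14 days, so it is a coarse
    # (but domain-wide) signal; accounts with no value have never logged on.
    $filter = 'Enabled -eq $true -and ' +
              '((LastLogonTimestamp -lt $cutoff) -or (LastLogonTimestamp -notlike "*"))'

    Get-ADUser -Filter $filter -SearchBase $SearchBase `
        -Properties LastLogonTimestamp, PasswordLastSet, whenCreated |
    Where-Object {
        # Never-logged-on accounts count only if they are older than the cutoff
        $_.LastLogonTimestamp -or ($_.whenCreated -lt $cutoff)
    } |
    Select-Object SamAccountName, Name, Enabled, PasswordLastSet, whenCreated,
        @{ N = 'LastLogon'; E = {
            if ($_.LastLogonTimestamp) { [datetime]::FromFileTime($_.LastLogonTimestamp) } else { $null }
        } },
        @{ N = 'DaysInactive'; E = {
            # Measure from last logon, or from creation if the account never logged on
            $ref = if ($_.LastLogonTimestamp) { [datetime]::FromFileTime($_.LastLogonTimestamp) } else { $_.whenCreated }
            [int](New-TimeSpan -Start $ref -End (Get-Date)).TotalDays
        } },
        DistinguishedName
}

# Usage: build the report, show it on screen and export it for review
$report = Get-InactiveADUser -Days 90
$report | Sort-Object DaysInactive -Descending |
    Format-Table SamAccountName, LastLogon, DaysInactive -AutoSize
$report | Export-Csv -Path "$env:USERPROFILE\Desktop\InactiveUsers.csv" -NoTypeInformation
```

Because LastLogonTimestamp lags the true last logon by up to 14 days, treat the DaysInactive column as a lower bound when deciding on a threshold; the precise lastLogon attribute is not replicated, so an exact figure would require querying every domain controller.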
If you find the code-based method to be too technical then you might use additional options built into your Active Directory infrastructure.
Traditional Methods to List Inactive Users in Active Directory Using ADUC
There are a couple of areas you can look into to find those users who have not shown any signs of activity. First up I have the Users and Computers portal.
- Step 1. Open up ADUC.
- Step 2. Click on View to enable Advanced Features.
- Step 3. Right-click on a user and Select the Properties option in the Context menu.
- Step 4. When the user properties portal opens go to the attribute editor.
- Step 5. Type l and look for lastLogon and lastLogonTimestamp to see if the user has been inactive or not.
Repeat this for every user you suspect of not being active in AD. You can skip the users whose icon has a small black downward-pointing arrow, as it means those users are disabled or expired and are therefore inactive by default.
If you have a large number of users and want to avoid making multiple repetitive searches, there is another way to use ADUC: filtering out the inactive users.
- Step 6. Click on the Filter.
- Step 7. Mark create custom filter > Press Customize… > toggle Advanced > Paste.
- (&(objectclass=user)(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenchanged>=#LAST_DAYS#))
- Step 8. Replace #LAST_DAYS# with the time interval. Note that whenChanged is compared as an LDAP generalized-time value (for example 20240101000000.0Z), not as a number of days, so work out the cutoff date first and enter it in that format.
- Step 9. OK > OK.
This should hide all users who were active, as well as other object types, so you can browse the remaining users and export the results via the built-in button on the toolbar.
Other than ADUC, there is the Active Directory Administrative Center (ADAC), which can be used for the same purpose.
For ADAC the process is quite similar: launch the portal and paste the same LDAP query into Global Search to bring out the inactive accounts. Then select and copy the results into an external location such as Notepad.
Event Viewer can’t be used as it is designed to record live activity so it can’t accurately measure user inactivity.
Find All the Inactive Users in AD Using the Command Line
There is a simple one-line query that does the job:
dsquery user -inactive <Number of Weeks> -limit 100
Replace the <Number of Weeks> part with your value (note that the -inactive parameter of dsquery counts weeks, not days, so 90 days is roughly 13 weeks) and increase or decrease the limit part as needed.
The command line can be directly used to secure the AD. Admins can get rid of inactive accounts or put them in disabled status.
To Disable
dsquery user -inactive <Number of Weeks> | dsmod user -disabled yes
To Delete
dsquery user -inactive <Number of Weeks> | dsrm -noprompt
An easier, script-free method that displays the list of inactive users is given below.
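The dsquery pipelines above act on every match immediately and leave no record of what was changed. As an added example, not part of the original article, the PowerShell function below does the same job as the "To Disable" pipeline but in a reviewable way: it excludes built-in accounts, supports -WhatIf and -Confirm so the list can be checked before anything changes, stamps the reason into each account's Description, and appends each action to a CSV log. It assumes the RSAT ActiveDirectory module; the function name Disable-InactiveADUser, the exclusion list and the log path are my own choices.

```powershell
# Added example (not from the article): disable, rather than delete, accounts
# inactive for more than $Days days, with a dry-run option and an audit log.
# Assumes: RSAT ActiveDirectory module installed, rights to modify user objects.
Import-Module ActiveDirectory

function Disable-InactiveADUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Days = 90,
        [string[]]$Exclude = @('krbtgt', 'Administrator'),   # never auto-disable these
        [string]$LogPath = ".\disabled-inactive-users.csv"
    )

    $stamp = Get-Date -Format 'yyyy-MM-dd'

    # Search-ADAccount -AccountInactive uses LastLogonTimestamp and also returns
    # accounts that have never logged on; keep only enabled, non-excluded users.
    $users = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $Days) -UsersOnly |
        Where-Object { $_.Enabled -and ($Exclude -notcontains $_.SamAccountName) }

    foreach ($u in $users) {
        # ShouldProcess honours -WhatIf (report only) and -Confirm (ask per account)
        if ($PSCmdlet.ShouldProcess($u.SamAccountName, "Disable account inactive > $Days days")) {
            Disable-ADAccount -Identity $u.DistinguishedName
            # Record why and when on the object itself, so the change is self-explanatory
            Set-ADUser -Identity $u.DistinguishedName -Description "Disabled $stamp: inactive > $Days days"
            [pscustomobject]@{
                SamAccountName = $u.SamAccountName
                LastLogonDate  = $u.LastLogonDate
                DisabledOn     = $stamp
            } | Export-Csv -Path $LogPath -Append -NoTypeInformation
        }
    }
}

# Usage: dry run first, then apply with per-account confirmation
Disable-InactiveADUser -Days 90 -WhatIf
# Disable-InactiveADUser -Days 90 -Confirm
```

Disabling keeps the SID, group memberships and mailbox intact, so a user who returns can be re-enabled without a rebuild; deletion with dsrm is better reserved for accounts that have already sat disabled for the period your policy requires.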
Right Way to Find Inactive Users from Active Directory Professionally
All the above methods can provide you with a list of inactive users, but they all have their limitations: they require technical know-how, administrative privileges, and so on. Even then, you can still run into errors while executing them. To overcome all these complexities I use the SysTools Active Directory Reporting tool, which can get you the list of all inactive AD users in just a few clicks. On top of that, the built-in date picker lets you see how many users have been inactive for 5, 7, 10, 30, 60 or 90 days, up to 1 year.
So you can export the most accurate list possible. Moreover, the custom option allows admins to set up a specific date range for inactivity tracking. So those who find PowerShell confusing and the default AD options limited can use this software to remotely prepare the list of inactive users in Active Directory.
The following steps will help you use the tool:
Step 1. Launch the tool and let the credentials autofill.
Step 2. Click on REGISTER DOMAIN CONTROLLER.
Step 3. Type the Domain Friendly Name and IP, and Save.
Step 4. In the Domain Details page fill in the admin credentials and save.
Step 5. Go to the Reports section and click on the Inactive category under the Users workload.
Step 6. On the next screen, set the Date Picker and press Preview.
Step 7. All inactive users in the Active Directory should appear on the Dashboard.
Step 8. Expand the Download tab and click on CSV.
Step 9. Then choose where you want to keep this report and view it in a text editor or spreadsheet program.
Conclusion
In this article, I have given a thorough explanation of how to export inactive users from Active Directory. As we saw, there are multiple ways to track inactive users: ADUC, ADAC, Event Viewer, and PowerShell modules. Apart from the traditional ways, I have shown you a modern approach to list all users who have not been active in Active Directory for a while.
Frequently Asked Questions
Q1. Is a Disabled user the same as an inactive user in Active Directory?
No. An inactive user is one who can access AD at any time but has not done so in a while, whereas the disabled category is for users who can no longer enter AD unless the admin changes their account status. So, in a way, all disabled users can be put into the inactive category, but the opposite is not true.
Q2. What is the threshold after which a user account is inactive?
Usually, the most common time period is 90 days (roughly 3 months). However, it can be greater or lesser as per the organization’s policy.