The below can be run as a scheduled task to detect and disable accounts that have not been used for a specified amount of days or for accounts which have never been used.
Report outputs to a CSV and is displayed as follows:

$Output = @()
#Dates
$DaysSinceLastLogon = $(Get-Date).AddDays(-5)
$MinimumAccountAge = $(Get-Date).AddDays(-1)
$TodaysDate = Get-Date
#OU
$OUSearchbase = ""
$DomainUsers = Get-ADDomainController -Filter * |
ForEach-Object {
Get-ADUser -Filter * -SearchBase $OUSearchbase -Properties LastLogon -Server $_.HostName |
Select-Object SamAccountName, Name, @{Name = 'LastLogon'; Expression = {[DateTime]::FromFileTime($_.LastLogon)}}
}
$Accounts = foreach ($User in $DomainUsers | Group-Object SamAccountName) {
$User.Group | Sort-Object -Property LastLogon -Descending | Select-Object -First 1
}
foreach ($Account in $Accounts) {
$AccountSAM = $Account.SamAccountName
$AccountDetail = Get-ADUser $AccountSAM -Properties whencreated, name
$Name = $AccountDetail.Name
$Enabled = $AccountDetail.Enabled
if ($Account.LastLogon -eq "01/01/1601 00:00:00" -and $Enabled -eq $True -and $AccountDetail.whencreated -lt $MinimumAccountAge) {
Set-ADUser $Account.SamAccountName -Enabled $false -whatif
$Output += New-Object psobject -Property @{
Name = $Name
"Inactive For (Days)" = "Never logged on"
Action = "Disabled account"
Created = $AccountDetail.WhenCreated
}
}
elseif ($Account.LastLogon -lt $DaysSinceLastLogon -and $Enabled -eq $True -and $AccountDetail.whencreated -lt $MinimumAccountAge) {
$LastLogon = $Account.LastLogon
$DaysSinceLogon = ($TodaysDate - $Account.LastLogon).Days
Set-ADUser $Account.SamAccountName -Enabled $False -whatif
$Output += New-Object psobject -Property @{
Name = $Name
"Inactive For (Days)" = "$DaysSinceLogon"
Action = "Disabled account"
Created = $AccountDetail.WhenCreated
}
}
elseif ($Account.LastLogon -eq "01/01/1601 00:00:00" -and $Enabled -eq $False -and $AccountDetail.whencreated -lt $MinimumAccountAge) {
$Output += New-Object psobject -Property @{
Name = $Name
"Inactive For (Days)" = "Never logged on"
Action = "Account Already Disabled"
Created = $AccountDetail.WhenCreated
}
}
elseif ($Account.LastLogon -lt $DaysSinceLastLogon -and $Enabled -eq $False -and $AccountDetail.whencreated -lt $MinimumAccountAge) {
$lastlogon = $Account.LastLogon
$DaysSinceLogon = ($todaysdate - $Account.LastLogon).days
$Output += New-Object psobject -Property @{
Name = $Name
"Inactive For (Days)" = "$DaysSinceLogon"
Action = "Account Already Disabled"
Created = $AccountDetail.WhenCreated
}
}
}
$Output | Export-Csv 'c:\ps\ADUReport.csv' -NoClobber -NoTypeInformation -Force
3 replies on “Auditing: Report and Disable Inactive AD User Accounts”
You should drop your code into a textbox or something that maintains spacing. Copying + pasting what you have above doesn’t paste properly, causing syntax errors.
Hi Dave,
Thanks for this . Will look to reformat later in the week. Meanwhile if you would like me to send a working copy then let me know
Hey Michael, thanks for this share. Would you be able to send me a working copy? Thanks