Keeping a clean Active Directory (AD) environment matters for security as much as for tidiness: every dormant account that still has a valid password is a credential an attacker can reuse without anyone noticing the login. When asked how to clean up old Active Directory user accounts, I would point readers to this script and tell them to change out a few of the cmdlets. That was never a sufficient answer. The stale computer script was tailored for computer objects and relied upon the Quest AD cmdlets. The script below is customized for user objects and uses the native AD cmdlets. Let's look at the script first and then explore a bit.
```powershell
$Users = Get-ADUser -Filter * -Properties "LastLogonDate"
$Date = Get-Date
Foreach ($User in $Users){
    If ($User.Enabled -eq $True){
        # Skip accounts that have never logged on; they need a separate review
        If ($null -ne $User.LastLogonDate){
            # LastLogonDate minus today is negative, so -365 or less means a year or more unused
            If ((($User.LastLogonDate).Subtract($Date) | Select -ExpandProperty Days) -le -365){
                Set-ADUser -Identity $User -Description "Disabled on $Date for inactivity." -WhatIf
                Disable-ADAccount -Identity $User -WhatIf
                Move-ADObject -Identity $User -TargetPath "OU=Users_Stale,OU=Stale Objects,DC=Test,DC=local" -WhatIf
            }
        }
    }
}
```
How We Remove Old Active Directory Users with PowerShell
We start by grabbing all users in our domain and stuffing them into our $Users variable. If you prefer to limit your search to a certain OU, you can add the SearchBase parameter; in a large domain that also keeps Get-ADUser -Filter * from pulling every account across the wire just to throw most of them away. Next, we get the current date and start cycling through our users.
In Active Directory, there are two types of unused accounts. The first set are accounts that have never logged in. These could be employees who haven't started, test accounts, etc. The second set are accounts that have logged in but haven't been used in X amount of time. We are concerned with this second group and use the If ($User.LastLogonDate -ne $Null) line to filter out the first. The never-logged-in accounts still deserve their own review (whenCreated is the useful attribute there), since an account that was provisioned months ago and never used is just as reusable by an attacker as one that went quiet.
With our filtered search, we now need a way to see the last time that a user logged in. This information is exposed through the LastLogonDate property. LastLogonDate is not an attribute stored in AD; the ActiveDirectory module computes it from lastLogonTimestamp, which does replicate between domain controllers but is only rewritten when the stored value is more than about 14 days old (the default msDS-LogonTimeSyncInterval of 14 days, minus a random 0 to 5 days). It can therefore trail a user's real last logon by up to two weeks. For a one-year threshold that is irrelevant; for anything tight you would have to query the unreplicated lastLogon attribute on every domain controller and take the newest value.
By subtracting the current date from the LastLogonDate we get a negative TimeSpan, so an account unused for a year or more has a Days value of -365 or less. Comparing that against -365 filters all of our users down to those that haven't logged in within a year. (The comparison works whether -365 is written as a number or as the string "-365", because PowerShell converts the right-hand operand to the type of the left, but the bare number is clearer.)
When changing objects with scripts, I like to tag the object for reference. The Set-ADUser line edits the description attribute so that we can see which users were disabled by this script and when it occurred. Finally, we disable the account and move it to a dedicated OU. Disabling rather than deleting keeps the SID and group memberships intact in case the account has to come back, and the stale OU can be cleaned up on a regular basis once your retention period has passed. Moving is done last on purpose: Move-ADObject changes the object's distinguished name, so the other writes should happen before it. Once you are comfortable with this script, you will want to remove the three -WhatIf parameters; until then, read the -WhatIf output carefully for service and shared accounts that should be excluded before you commit.
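The same disable-and-move workflow written the way I would run it today, as an added example and not the post's original script: the cutoff is computed once, the domain controller does the Enabled and last-logon filtering instead of the client, accounts already parked in the stale OU are skipped, and each processed account is returned as an object you can export for the move-back step. It assumes the RSAT ActiveDirectory module, the OU names used in the post, and that the AD cmdlets convert a DateTime in -Filter for lastLogonTimestamp (they do for this attribute, which is how LastLogonDate itself is derived).

```powershell
# Added example, not the original post's script. Assumptions: ActiveDirectory module
# installed, the stale OU from the post exists, and the running account can write to
# the user objects and the target OU.
Import-Module ActiveDirectory

function Get-StaleAdUser {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 365,
        [string]$SearchBase,                      # optional: limit to one OU
        [string]$StaleOU = 'OU=Users_Stale,OU=Stale Objects,DC=Test,DC=local'
    )
    $Cutoff = (Get-Date).AddDays(-$InactiveDays)

    # lastLogonTimestamp is the replicated attribute behind LastLogonDate. The DC only
    # rewrites it when the stored value is more than ~14 days old, so the cutoff is
    # approximate. Accounts with no value (never logged on) do not match -lt at all,
    # which mirrors the $null check in the original script.
    $Query = @{
        Filter     = { Enabled -eq $true -and LastLogonTimeStamp -lt $Cutoff }
        Properties = 'LastLogonDate', 'Description'
    }
    if ($SearchBase) { $Query.SearchBase = $SearchBase }

    Get-ADUser @Query |
        Where-Object { $_.DistinguishedName -notlike "*,$StaleOU" }   # skip already-parked accounts
}

function Disable-StaleAdUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [Microsoft.ActiveDirectory.Management.ADUser]$User,
        [string]$StaleOU = 'OU=Users_Stale,OU=Stale Objects,DC=Test,DC=local'
    )
    process {
        $Stamp = Get-Date -Format 'yyyy-MM-dd'
        # Parent OU = DN with the leading RDN removed; the regex tolerates an escaped
        # comma inside the CN (e.g. "CN=Doe\, Jane,OU=...").
        $OriginalOU = $User.DistinguishedName -replace '^CN=(?:[^,\\]|\\.)*,', ''

        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "disable and move to $StaleOU")) {
            # Tag first so the reason and date travel with the object, then disable,
            # and move last because moving changes the DN.
            Set-ADUser -Identity $User -Description "Disabled on $Stamp for inactivity (last logon $($User.LastLogonDate))."
            Disable-ADAccount -Identity $User
            Move-ADObject -Identity $User -TargetPath $StaleOU
        }

        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            LastLogonDate  = $User.LastLogonDate
            OriginalOU     = $OriginalOU
        }
    }
}

# Dry run first; drop -WhatIf once the list looks right. Keep the CSV: it is the only
# record of where each account lived before it was parked.
Get-StaleAdUser -InactiveDays 365 |
    Disable-StaleAdUser -WhatIf |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation
```

Because Disable-StaleAdUser declares SupportsShouldProcess, a single -WhatIf (or -Confirm) on the function covers all three writes, so there is nothing to remember to remove in three places when you go live.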
To ensure that users aren't accidentally re-enabled and then left sitting in the stale OU, you will probably want an automated way to move them back. And yes, I recognize the irony of the previous link… 🙂
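One way to automate that move-back, as an added example rather than anything from the original post: look for accounts in the stale OU that someone has re-enabled, clear the inactivity tag the cleanup wrote, and move them to a working OU. The stale OU name comes from the post; the destination OU is a hypothetical placeholder you would replace with your own.

```powershell
# Added example, not from the original post. Assumes the stale OU used in the post;
# $TargetOU is a hypothetical destination and must be changed for your domain.
Import-Module ActiveDirectory

function Restore-ReenabledAdUser {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$StaleOU  = 'OU=Users_Stale,OU=Stale Objects,DC=Test,DC=local',
        [string]$TargetOU = 'OU=Users,DC=Test,DC=local'   # hypothetical
    )
    # Only accounts someone has re-enabled; disabled ones stay parked for retention.
    $Reenabled = Get-ADUser -SearchBase $StaleOU -SearchScope OneLevel `
        -Filter { Enabled -eq $true } -Properties Description

    foreach ($User in $Reenabled) {
        if ($PSCmdlet.ShouldProcess($User.DistinguishedName, "move back to $TargetOU")) {
            # Remove the tag only if it is ours; leave any other description alone.
            if ($User.Description -like 'Disabled on * for inactivity*') {
                Set-ADUser -Identity $User -Clear Description
            }
            Move-ADObject -Identity $User -TargetPath $TargetOU
        }
        $User.SamAccountName
    }
}

# Run from a scheduled task once the dry run looks right.
Restore-ReenabledAdUser -WhatIf
```

If you kept the CSV from the cleanup run, you can look up each account's original OU there instead of using a single destination.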
Have a great day and automate something!