How to Find Inactive Users from Active Directory and Export the List?

Stale user accounts in Active Directory are more than just clutter; they pose a significant security risk if left ignored. We understand why IT administrators have a hard time answering how to find inactive users in Active Directory. Unlike disabled computers, which have a different icon from regular computers, stale users show no such visual indication.

That is why I have prepared this guide that contains four distinct methods of identification. You can then use them to get a list of users who have not logged in for a while. So, let us stop dormant accounts from becoming a threat to your Active Directory environment together by identifying them through PowerShell, GUI, line, and more. First, we ensure that our environment is ready to run the cmdlets.

Prerequisites to Find Stale Users in Active Directory

First up, check that the latest compatible version of PowerShell is installed on your machine. PowerShell may need to be updated before you can use it to export a list of inactive AD users.

Once the PowerShell portal is up and running, add the necessary modules that allow you to search inside AD. more specifically the

You need to run PowerShell with sufficient permissions to query Active Directory, typically as a Domain Administrator or with delegated permissions.

• Press the Windows Icon > Open Settings Menu.
• Select System > Scroll till you see the Optional Features section in the left pane and click it.
• Inside the Optional Features, click on Add a feature.
• Use the Search bar in the pop-up to find the “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”
• Mark the check box next to it, then click on the Add button at the bottom.
• After some time, the utility would be ready for use.

These steps are for Windows 10/11 machines; if you operate a Windows Server, there might be a slight change, so you can use the Install-WindowsFeature RSAT-AD-PowerShell command instead.

Then, put  Import-Module ActiveDirectory

PowerShell Script(s) to Find Stale AD Users

The following script can help you get the list

 Search-ADAccount –AccountInactive –UsersOnly

If you want to search ad accounts that have been inactive for 90 days, put in that value instead

$d = [DateTime]::Today.AddDays(-180)
Get-ADUser -Filter '(PasswordLastSet -lt $d) -or (LastLogonTimestamp -lt $d)' -Properties PasswordLastSet,LastLogonTimestamp | ft Name,PasswordLastSet,@{N="LastLogonTimestamp";E={[datetime]::FromFileTime($_.LastLogonTimestamp)}}

If you find the code-based method to be too technical, then you might use additional options built into your Active Directory infrastructure.

Traditional Methods to List Inactive Users in Active Directory Using ADUC

There are a couple of areas you can look into to find those users who have not shown any signs of activity. First up I have the Users and Computers portal.

• Step 1. Open up ADUC.
• Step 2. Click on View to enable Advanced Features.
• Step 3. Right-click on a user and select the Properties option in the Context menu.
• Step 4. When the user properties portal opens, go to the attribute editor.
• Step 5. Type l and look for lastLogon and lastLogonTimestamp to see if the user has been inactive or not.

Repeat for Every User you suspect of not being active on the AD. You can ignore the users whose icon has a little black downward-pointing arrow, as it means that those users are disabled or expired, so by default, they are inactive.

Suppose you don’t know how to find inactive users from Active Directory without making multiple repetitive searches. When there is a large number of users, you can use ADUC in another way. This is filtering out the inactive users.

• Step 6. Click on the Filter.
• Step 7. Mark creates a custom filter > Press Customize… > toggle Advanced > Paste.
• (&(objectclass=user)(objectcategory=person)(userAccountControl:1.2.840.113556.1.4.803:=2)(whenchanged>=#LAST_DAYS#))
• Step 8. Replace #LAST_DAYS# with the time interval.
• Step 9. OK > OK.

This should hide all users who were active as well as other object types, so you can browse for the users and export the results via the built-in button on the toolbar.

Find All the Users Who Haven’t Logged in to AD Using the Command Line

There is a simple one-line query that does the job

dsquery user -inactive  <Number of Days> -limit 100

Replace the <Number of Days> part with your value and also increase or decrease the limit part.

The command line can be directly used to secure the AD. Admins can get rid of inactive accounts or put them in disabled status.

To Disable

dsquery user -inactive <Number of Days> | dsmod user –disabled yes

To Delete

dsquery user -inactive <Number of Days> | dsrm -noprompt

An easier script-free method that displays the list of non-active users is given below.

How to Find Inactive Users from Active Directory Professionally?

All the above methods can provide you with a list of inactive users, but they all have their limitations, as they require technical know-how, administrative privileges, etc. After all this, you can still face encounters while executing the same. To overcome all these complexities, I use the SysTools Active Directory Reporting tool, which can get you the list of all inactive AD users in just a few clicks. Not only can you use this tool, you can use the built-in Date picker that will help you see how many users have been inactive for 5, 7, 10, 30, 60, 90, to up to 1 year.

So you can export the most accurate list possible. Moreover, the custom option allows admins to set up a specific date range for inactivity tracking. So those who feel PowerShell to be confusing and the default AD options to be limited can make use of this software to remotely prepare the inactive user list inside the Active Directory

Download Now Purchase Now

The following steps will help you use the tool:

Step 1. Launch the tool and let the credentials autofill.

Step 2. Click on REGISTER DOMAIN CONTROLLER.

Step 3. Type the Domain Friendly Name and IP, and Save.

Step 4. In the Domain Details page, fill in admin credentials and save.

Step 4. Go to the Reports section, click on the Inactive category under the Users Workload.

Step 5. On the next Screen, add the Date Picker and press Preview.

Step 6. All inactive users in the Active Directory should appear on the Dashboard.

Step 7. Expand the Download Tab and Click on CSV.

Step 8. Then choose where you want to keep this report and view it in a text editor or spreadsheet program.

Conclusion

In this article, I have provided a thorough explanation of how to export inactive users from Active Directory. As we saw, there are multiple different ways to track inactive users, from ADUC, ADAC, Event Viewer, and PowerShell modules. Apart from the traditional way, I have shown you a modern approach to list out all users who have not been active for a while inside Active Directory.

Frequently Asked Questions

Q1. Is a Disabled user the same as an inactive user in Active Directory?
No, inactive users mean a particular user who can access the AD anytime but has not done so in a while. Whereas the disabled category is for those users who can no longer enter the AD unless the admin changes their account status. So, in a way, all disabled users can be put into the inactive category. However, the opposite is not true.

Q2. What is the threshold after which a user account is considered inactive?

Usually, admins start asking how to Find Inactive Users from Active Directory if a user stays stale for 90 days or more (roughly 3 months). However, it can be greater or lesser as per your organization’s policy.

Q3. What can I use if my AD does not have the Users and Computers portal? 

Other than ADUC, there is the Admin Center, which can be used for the same. Here, the process is quite similar, where admins have to launch the portal using the same LDAP query inside Global Search to bring out the inactive accounts. Select, copy, and paste the results into an external area like Notepad.

Q4. Can the Event Viewer tell me anything about the stale users?

Event Viewer can’t be used as it is designed to record live activity, so it can’t accurately measure user inactivity.