
How to Find Inactive Users in Active Directory

Keeping track of inactive accounts in Active Directory isn’t just a routine task—it’s essential for security. Failing to address these accounts can create entry points for unauthorized access, data breaches, and an increased attack surface. In this guide, we’ll walk you through effective methods to identify and export inactive users in AD to strengthen your defenses and keep potential risks at bay!

List Inactive Users Using Active Directory Users and Computers

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).

  • Open the Active Directory Users and Computers console.
  • Right-click the domain name in the left pane and select Find.
  • Then, under the Find drop-down, choose Common Queries from the menu.
  • In the Days since last logon field, select the number of inactive days (30, 60, 90, 120 or 180).
  • Click Find Now to display the list of stale users in Active Directory within the specified period.

Get All Inactive Users Using Active Directory PowerShell

Active Directory permission required: Account Operators (least privilege) or Administrators (most privilege).

  • Use the following cmdlet to import the Active Directory PowerShell module.
     Import-Module ActiveDirectory
  • Run the cmdlet below to list all inactive users based on their ‘LastLogonDate’ attribute and export them to a CSV file.
     # Cut-off date: users whose replicated last logon is older than this are reported
     $DaysSinceLastLogon = ((Get-Date).AddDays(-<Days>)).Date
     # Only LastLogonDate has to be requested explicitly; the other three columns are default properties
     Get-ADUser -Filter {LastLogonDate -lt $DaysSinceLastLogon} -Properties LastLogonDate |
     Select-Object SamAccountName, GivenName, LastLogonDate, Enabled |
     Export-Csv -Path "<FilePath>" -NoTypeInformation
  • Replace <Days> with the desired number of days and <FilePath> with the path where you want to save the results.
  • Note: You can also use the Search-ADAccount cmdlet with the -AccountInactive and -UsersOnly parameters to find inactive users in Active Directory. However, the results will also include users who have never logged in.
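The query above reports only users who have a LastLogonDate older than the cut-off, so accounts that have never logged in are silently left out, while Search-ADAccount includes them. The following is an added example (not code from the original post or from AdminDroid) that covers both cases in one report: it flags never-logged-in accounts only once the account itself is older than the window, computes the number of inactive days, and requests only the attributes it needs. It assumes the ActiveDirectory module is installed and the caller can read the domain; the function name and the output path are this example's own choices.

```powershell
# Added example, not from the original post: inactive-user report that also covers
# accounts with no logon on record. Assumes the ActiveDirectory module; the output path
# below is a placeholder.
Import-Module ActiveDirectory

function Get-InactiveAdUserReport {
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$IncludeDisabled
    )
    $cutoff = (Get-Date).AddDays(-$Days).Date

    # Request only what the report needs; '-Properties *' pulls every attribute of
    # every user and is slow in large domains.
    $props = 'LastLogonDate', 'PasswordLastSet', 'whenCreated', 'Enabled', 'DistinguishedName'

    # Two server-side filters: a replicated last logon older than the cut-off, and no
    # last logon at all ('-notlike "*"' matches an unset attribute in an AD filter).
    $stale = Get-ADUser -Filter { LastLogonDate -lt $cutoff } -SearchBase $SearchBase -Properties $props
    $never = Get-ADUser -Filter { LastLogonDate -notlike "*" } -SearchBase $SearchBase -Properties $props

    foreach ($u in @($stale) + @($never)) {
        if (-not $IncludeDisabled -and -not $u.Enabled) { continue }

        if ($null -eq $u.LastLogonDate) {
            # Never logged in: flag it only once the account is older than the window,
            # otherwise freshly created accounts would show up as "inactive".
            if ($u.whenCreated -gt $cutoff) { continue }
            $reason       = 'NeverLoggedIn'
            $inactiveDays = [int]((Get-Date) - $u.whenCreated).TotalDays
        } else {
            $reason       = 'StaleLastLogon'
            $inactiveDays = [int]((Get-Date) - $u.LastLogonDate).TotalDays
        }

        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            LastLogonDate     = $u.LastLogonDate
            PasswordLastSet   = $u.PasswordLastSet
            Created           = $u.whenCreated
            InactiveDays      = $inactiveDays
            Reason            = $reason
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Usage: 90-day window, enabled accounts only, exported for review.
Get-InactiveAdUserReport -Days 90 |
    Sort-Object InactiveDays -Descending |
    Export-Csv -Path "C:\Reports\InactiveUsers.csv" -NoTypeInformation
```

The Reason column lets reviewers treat the two populations differently: a stale account is a candidate for disabling, whereas a never-logged-in account often points to a provisioning or onboarding problem rather than a departed user.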

Simplify Active Directory Cleanup with Inactive User Reporting Offered by AdminDroid

AdminDroid’s Active Directory reporting tool not only lists inactive user accounts but also provides reports for enabled inactive users, never-logged-in users, locked-out accounts, etc. In addition to reporting, AdminDroid allows you to manage inactive users, enabling you to reset passwords, disable accounts, or delete users directly from the platform.

Track Inactive Users by Password Change History

Identify stale accounts based on the last password change using the user password details report to protect users against credential-based attacks.

Identify Login-Denied AD Users to Track Inactive Accounts

Monitor login-denied users for issues like password expiry or account lockout to spot inactive accounts over time and mitigate security risks in Active Directory.

Maximize Logon Security with Inactive Computers Report

Identify inactive computers in Active Directory based on the last logon time to efficiently clean up outdated resources and reduce potential vulnerabilities.

Find Inactive Admins in AD to Revoke Unnecessary Access

Discover inactive admins in Active Directory to reduce security risks, prevent unauthorized access, ensure compliance, and streamline account management.

Easily Spot Inactive Users Due to Expired Accounts

With the account expired users report, easily spot inactive users due to expiration and prevent dormant accounts from impacting directory efficiency.

Effortlessly Export Inactive AD User Reports Using AdminDroid

Export reports on inactive users in formats like HTML, PDF, RAW, etc., with AdminDroid to simplify monitoring user activity in Active Directory.

In conclusion, leveraging AdminDroid's detailed reports minimizes the risk of data breaches. It also empowers admins with enhanced visibility and streamlined Active Directory management.

Explore a full range of reporting options

Important Tips

Identify users who have never logged into Active Directory to manage inactive accounts, optimize resources, and encourage engagement.

Set account expiration for users in AD to automatically deactivate the accounts after a certain period and reduce the risk of potential security breaches.

Regularly monitor user logon details to detect any login attempts by inactive accounts, as these could indicate account compromise or unauthorized access.

Common Errors and Resolution Steps

The following are possible errors and troubleshooting hints while checking and managing inactive users in Active Directory.

Error: You do not have sufficient privileges to delete <UserName>, or this object is protected from accidental deletion.

This error occurs when attempting to delete a user through the ADUC console if the user is protected by the "Protect object from accidental deletion" setting.

Fix: Uncheck the "Protect object from accidental deletion" option in the Object tab of the user's properties, then attempt to delete the account again.

Error: Get-ADUser : Error parsing query: 'LastLogonDate -lt ((Get-Date).AddDays(-10)).Date' Error Message: 'syntax error'.

The error occurs because the -Filter parameter of Get-ADUser is an Active Directory filter, not a PowerShell expression, and does not support calls like Get-Date directly in the query.

Fix: Calculate the date separately in a variable and use it in the filter as shown below.

     $DaysSinceLastLogon = ((Get-Date).AddDays(-<Days>)).Date
     Get-ADUser -Filter {LastLogonDate -lt $DaysSinceLastLogon} -Properties samaccountname, givenname, LastLogonDate, enabled |
     Select-Object samaccountname, givenname, LastLogonDate, enabled

Error: Search-ADAccount : Parameter set cannot be resolved using the specified named parameters.

This issue arises when Search-ADAccount is run without one of the account-state switches that select its parameter set, so the cmdlet cannot determine which search to perform in Active Directory.

Fix: Include an appropriate switch, such as -AccountInactive (to find inactive users) or -AccountDisabled (to find disabled users).

Error: Exception calling "AddDays" with "1" argument(s): "Value to add was out of range".

The error is an ArgumentOutOfRangeException: the value passed to AddDays produces a date outside the permissible DateTime range.

Fix: Use realistic inactivity windows such as 30, 60, 90, or 180 days in AddDays; these track inactivity periods well without exceeding the range limit.

Frequently Asked Questions

Mitigate Data Breaches by Eliminating Stale Accounts in Active Directory

1. Why is the last logon time attribute used to identify inactive users in Active Directory?

To answer this question, it's important to first understand the three key attributes that Active Directory provides for tracking user logon activity:

  • lastLogon: This attribute records the last logon time for a user on a specific domain controller only. Because it is updated solely on the domain controller that handled the logon, it is not replicated to the other controllers. It therefore provides the most precise data, but you must query each domain controller individually and keep the most recent value to obtain the user's latest logon time.
  • lastLogonTimestamp: This attribute is a replicated version of 'lastLogon', designed to track user activity over time. By default, it is updated (and then replicated) at most once every 14 days, which makes it useful for identifying long-term inactivity. Because of this delay, it may not reflect the most recent logon, especially for frequently active users.
  • lastLogonDate: This is a user-friendly, readable version of the 'lastLogonTimestamp' attribute exposed by the Active Directory PowerShell module. It simplifies analysis with a human-readable date, but it shares the same update-frequency limitation as 'lastLogonTimestamp'.

Which attribute to use:

  • Use lastLogon for accuracy: The lastLogon attribute is the most accurate for identifying inactive users, as it captures the most recent activity per domain controller. It requires querying all domain controllers for a full picture, but the resulting data is highly reliable for assessing account inactivity.
  • Use lastLogonDate for simplicity: For standard timelines like 30, 60, or 90 days, the lastLogonDate attribute is ideal thanks to its human-readable format. Its update frequency makes it unreliable for shorter timelines (e.g., fewer than 14 days).

By focusing on precise last logon data, system admins can improve security and streamline Active Directory user management.
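The per-domain-controller lookup described above, as an added example that is not part of the original post: it queries the non-replicated lastLogon attribute on every domain controller, keeps the newest value, and uses it to re-check the candidates a LastLogonDate query produced, so that a user whose recent logon has not yet made it into lastLogonTimestamp is not disabled by mistake. It assumes the ActiveDirectory module and that all domain controllers are reachable; the function name Get-TrueLastLogon and the 90-day window are this example's own choices.

```powershell
# Added example, not from the original post. Resolves a user's real last logon by
# querying the non-replicated lastLogon attribute on every domain controller and
# keeping the newest value. Assumes the ActiveDirectory module and reachable DCs;
# the function name and the 90-day window are this example's own choices.
Import-Module ActiveDirectory

function Get-TrueLastLogon {
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$SamAccountName,
        # Every DC in the domain unless a specific list is supplied
        [string[]]$DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName)
    )
    process {
        $newest      = 0L        # lastLogon is a 64-bit FILETIME; 0 means "never on this DC"
        $newestDc    = $null
        $replicated  = $null
        $unreachable = @()
        foreach ($dc in $DomainController) {
            try {
                $u = Get-ADUser -Identity $SamAccountName -Server $dc -Properties lastLogon, LastLogonDate -ErrorAction Stop
                if ($u.lastLogon -and $u.lastLogon -gt $newest) {
                    $newest   = $u.lastLogon
                    $newestDc = $dc
                }
                $replicated = $u.LastLogonDate   # the replicated lastLogonTimestamp, kept for comparison
            } catch {
                # An unreachable DC is a blind spot: a logon recorded only there would be missed.
                # Report it rather than silently declaring the account inactive.
                $unreachable += $dc
            }
        }
        $trueLastLogon = $null
        if ($newest -gt 0L) { $trueLastLogon = [DateTime]::FromFileTime($newest) }
        [pscustomobject]@{
            SamAccountName      = $SamAccountName
            TrueLastLogon       = $trueLastLogon
            ReportedByDc        = $newestDc
            ReplicatedLastLogon = $replicated
            UnreachableDcs      = ($unreachable -join ';')
        }
    }
}

# Usage: take the candidates a LastLogonDate query produces and re-verify each one.
# Only accounts whose newest per-DC value is also older than the window are kept, which
# removes false positives caused by the replication delay of lastLogonTimestamp.
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter { LastLogonDate -lt $cutoff -and Enabled -eq $true } |
    Get-TrueLastLogon |
    Where-Object { $null -eq $_.TrueLastLogon -or $_.TrueLastLogon -lt $cutoff } |
    Format-Table SamAccountName, TrueLastLogon, ReplicatedLastLogon, ReportedByDc, UnreachableDcs -AutoSize
```

Querying every DC for every user is expensive, which is why the example runs the cheap replicated query first and only verifies the candidates it returns. Any row with a non-empty UnreachableDcs value should be treated as unverified rather than inactive.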

2. What are the risks of inactive user accounts in Active Directory?

Inactive Active Directory user accounts can pose several risks to an organization, including:

  • Increased Attack Surface: Inactive accounts can be exploited by attackers to gain access to sensitive data and resources, by inheriting the original user’s permissions. These accounts serve as vulnerable entry points and are often targeted by methods like brute-force attacks and credential stuffing.
  • Resource Consumption: Inactive accounts consume reclaimable database space in Active Directory. Managing these accounts also adds unnecessary complexity to IT operations and resources.
  • Threats from Former Employees: Accounts of former employees that are not disabled or deleted can be misused if login credentials are still valid. This creates the risk of unauthorized access to sensitive systems, leading to data leaks or malicious damage.
  • Compliance Violations: Regulatory frameworks often mandate active management of user accounts to ensure compliance. Failing to remove inactive accounts can violate standards like the General Data Protection Regulation (GDPR), the Payment Card Industry Data Security Standard (PCI DSS), and more. These violations may lead to penalties, fines, and significant reputational damage to your organization.

To mitigate these risks, organizations should regularly review and deactivate inactive accounts in Active Directory.

3. How to manage inactive users in Active Directory?

According to Microsoft, 10% of user accounts in Active Directory are typically inactive or stale, based on the last logon timestamp and the date of the last password change. These stale accounts pose security risks, as they can be exploited by attackers or misused by former employees who still have access.

Effectively managing these accounts is essential for both security and operational efficiency of Active Directory. This process involves two key steps: disabling inactive accounts to prevent potential misuse and deleting stale accounts once confirmed unnecessary. Let's begin by focusing on how to identify and disable inactive accounts.

How to disable an inactive user account in Active Directory?

  • Open the Active Directory Users and Computers console and navigate to the respective Organizational Unit (OU).
  • Right-click the identified inactive account and select Disable Account.
  • Click Yes in the confirmation prompt to deactivate the user account.

Disable inactive AD user accounts using PowerShell

Manually identifying inactive user accounts in Active Directory Users and Computers snap-in is a time-consuming process. To streamline this, you can efficiently disable multiple or bulk inactive user accounts in Active Directory using PowerShell.

Execute the following cmdlet to disable all inactive user accounts. Without -TimeSpan or -DateTime, Search-ADAccount applies its default inactivity window, and, as noted earlier, the result also includes accounts that have never logged in, so review the list before piping it to Disable-ADAccount.

     Search-ADAccount -AccountInactive -UsersOnly | Disable-ADAccount

Tired of manually tracking enabled inactive users? AdminDroid has exactly what you need!

  • With AdminDroid’s inactive enabled users by last logon report, you can easily identify inactive users who are still enabled, along with details like inactivity days, organizational units, departments, etc.
  • Even better, you can instantly disable these users using the built-in management options available with AdminDroid’s reports!

Pro Tip: Automate the inactive report to receive regular insights and quickly spot trends using the schedule option (⏰).

4. How to delete an inactive user account in Active Directory?

Once you’ve confirmed that the disabled inactive accounts aren’t needed, it’s time to delete them to free up resources and reduce clutter in AD. However, before deleting, consider the following:

  • Check Dependencies: Deleting user accounts tied to critical projects can disrupt ongoing work, so it's important to review and reassign dependencies before deletion.
  • Compliance Requirements: Ensure that deletion complies with legal or organizational retention policies. Some industries may have strict requirements for retaining user data for a certain period, even after the account is inactive.

Here’s how to remove an inactive user account in Active Directory.

Remove inactive users in Active Directory

  • Open Active Directory Users and Computers snap-in.
  • Go to the respective Organizational Unit containing the inactive user accounts.
  • Right-click the inactive user account, select Delete, and confirm the deletion.

Delete inactive user accounts in AD using PowerShell

  • Run the following PowerShell cmdlet to delete a specific inactive user account in Active Directory. Replace <SAMAccountName> with the specific username before execution.
     Remove-ADUser -Identity <SAMAccountName>
  • To find and delete all disabled user accounts, execute the following PowerShell cmdlet.
     Search-ADAccount -AccountDisabled | Where-Object {$_.ObjectClass -eq 'user'} | Remove-ADUser
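The disable cmdlet in the previous section and the delete cmdlets above each act on everything they match in one pass. The following added example (not code from the original post or from AdminDroid) ties the two steps into the staged process the text describes: stage one disables inactive users with an explicit inactivity window, stamps the Description with the date and the last logon it saw, and moves them to a holding OU; stage two deletes only accounts that carry that stamp and have sat disabled for a grace period, so accounts disabled for other reasons are never deleted. It assumes the ActiveDirectory module; the OU name, the exclusion group, the day counts and the function names are this example's own placeholders and choices.

```powershell
# Added example, not from the original post. Two-stage cleanup: disable with an audit
# stamp and a holding OU, then delete only stamped accounts after a grace period.
# Assumptions: ActiveDirectory module; $DisabledOu and $ExcludedGroup are placeholders
# for your environment; the day counts are this example's own choices.
Import-Module ActiveDirectory

$InactiveDays  = 90                                        # inactivity window for disabling
$GraceDays     = 30                                        # how long a disabled account waits before deletion
$DisabledOu    = 'OU=Disabled Users,DC=example,DC=com'     # placeholder holding OU
$ExcludedGroup = 'Inactive-Cleanup-Exclusions'             # placeholder: service and break-glass accounts
$StampPrefix   = 'DisabledByInactiveCleanup:'

# Accounts this script must never touch, resolved once
$excluded = Get-ADGroupMember -Identity $ExcludedGroup -Recursive |
    Select-Object -ExpandProperty SamAccountName

function Disable-InactiveUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $candidates = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) -UsersOnly |
        Where-Object { $_.Enabled } |                          # already-disabled accounts belong to stage two
        Where-Object { $null -ne $_.LastLogonDate } |          # never-logged-in accounts get a separate review
        Where-Object { $excluded -notcontains $_.SamAccountName }
    foreach ($acct in $candidates) {
        $stamp = "$StampPrefix$((Get-Date).ToString('yyyy-MM-dd')) lastLogon=$($acct.LastLogonDate.ToString('yyyy-MM-dd'))"
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Disable (inactive > $InactiveDays days)")) {
            Disable-ADAccount -Identity $acct.DistinguishedName
            Set-ADUser -Identity $acct.DistinguishedName -Description $stamp   # when and why, visible in ADUC
            Move-ADObject -Identity $acct.DistinguishedName -TargetPath $DisabledOu
        }
    }
}

function Remove-ExpiredDisabledUsers {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $deleteBefore = (Get-Date).AddDays(-$GraceDays)
    # Only accounts in the holding OU that carry our stamp are eligible, so accounts disabled
    # for other reasons (legal hold, investigation) are never deleted by this script.
    $candidates = Get-ADUser -Filter { Enabled -eq $false } -SearchBase $DisabledOu -Properties Description |
        Where-Object { $_.Description -like "$StampPrefix*" }
    foreach ($acct in $candidates) {
        $disabledOn = [datetime]::ParseExact($acct.Description.Substring($StampPrefix.Length, 10), 'yyyy-MM-dd', $null)
        if ($disabledOn -gt $deleteBefore) { continue }        # still inside the grace period
        if ($PSCmdlet.ShouldProcess($acct.SamAccountName, "Delete (disabled since $($disabledOn.ToShortDateString()))")) {
            Remove-ADUser -Identity $acct.DistinguishedName -Confirm:$false
        }
    }
}

# Dry-run both stages first; drop -WhatIf to apply the changes.
Disable-InactiveUsers -WhatIf
Remove-ExpiredDisabledUsers -WhatIf
```

Both functions support -WhatIf through SupportsShouldProcess, so the candidate list can be reviewed before anything changes, and the Description stamp gives the dependency and compliance checks mentioned above a clear record of when and why each account was disabled.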

Disabling and deleting inactive accounts boosts security, reduces clutter, and ensures compliance, while monitoring deletions prevents errors and enables quick recovery.

Effortlessly Monitor Deleted Accounts in Active Directory Using AdminDroid!

  • The deleted users report from AdminDroid lists all removed AD users, including display name, SAM account name, logon name, email, account status, and more.
  • Additionally, audit deleted users to find out who deleted a user account in Active Directory, along with details like the time of deletion, target account domain, and more.

Handy Tip: Need to find a report fast? Just press Ctrl + Shift + F to open the search bar and navigate to any report in seconds!
