
How to Find Inactive Admins in Active Directory

Active Directory admin accounts have elevated privileges that allow them to manage users, control critical systems, and access sensitive data across the domain. When these privileged accounts become inactive, they can become high-risk entry points that attackers actively seek to exploit. Therefore, it is essential to identify and remove these accounts. In this guide, you'll learn how to quickly identify inactive admin accounts in Active Directory and reduce the risk of unauthorized access and potential security breaches.


Identify Inactive Admins Using Active Directory Users and Computers

Active Directory permission required:
  • Least privilege: Account Operators
  • Most privilege: Administrators
  • Open the Active Directory Users and Computers (ADUC) console, then in the left pane, right-click on Saved Queries, and select New » Query.
  • Provide a suitable name and description for the query, ensure that the Include subcontainers checkbox is enabled, and click on Define Query.
  • From the Find drop-down, choose Custom Search and navigate to the Advanced tab.
  • Then, enter the following LDAP filter query and replace <AdminGroup_DistinguishedName> with the distinguished name of your respective admin group.
    (&(objectCategory=person)(objectClass=user)(memberOf=<AdminGroup_DistinguishedName>)(lastLogonTimestamp<=134125000000000000))
  • Click OK twice to save and close the configuration window. This saved query lists the members of the specified admin group that have been inactive for more than 90 days. Note that the lastLogonTimestamp value in the filter is a fixed FILETIME cut-off, so recompute it for the date you run the query, and that accounts which have never logged on have no lastLogonTimestamp at all and are not matched by the filter.
  • Note: Instead of specifying an administrative group using the memberOf attribute, you can also use the adminCount=1 attribute to identify inactive admin accounts. However, the adminCount value may remain the same even after an account has been removed from privileged security groups. Therefore, relying solely on this may produce inaccurate results when identifying current administrative accounts.
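Rather than hard-coding the FILETIME cut-off in the saved query, the function below (an added example, not code from the original article) computes it from the current date, builds the same LDAP filter, and runs it with Get-ADUser. The -IncludeNested and -IncludeNeverLoggedOn switches and the -AdminGroupDN parameter name are this example's own additions.

```powershell
Import-Module ActiveDirectory

function Get-InactiveGroupAdmin {
    param(
        [Parameter(Mandatory)][string]$AdminGroupDN,   # DN of the admin group to inspect
        [int]$InactiveDays = 90,                       # inactivity window in days
        [switch]$IncludeNested,                        # also match members of nested groups
        [switch]$IncludeNeverLoggedOn                  # accounts with no lastLogonTimestamp at all
    )
    # lastLogonTimestamp is a FILETIME (100-ns ticks since 1601-01-01 UTC). The fixed
    # number in the saved query is one such tick count and goes stale as days pass.
    # The attribute replicates with up to a 14-day lag, so treat results as approximate.
    $threshold = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays).ToFileTimeUtc()

    # Escape the DN for safe use inside an LDAP filter (RFC 4515: \ * ( ) ).
    $dn = $AdminGroupDN -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

    # LDAP_MATCHING_RULE_IN_CHAIN makes the domain controller resolve nested membership.
    $memberClause = if ($IncludeNested) { "(memberOf:1.2.840.113556.1.4.1941:=$dn)" } else { "(memberOf=$dn)" }

    # Never-logged-on accounts have no lastLogonTimestamp and never satisfy "<=".
    $logonClause = if ($IncludeNeverLoggedOn) {
        "(|(lastLogonTimestamp<=$threshold)(!(lastLogonTimestamp=*)))"
    } else {
        "(lastLogonTimestamp<=$threshold)"
    }

    $filter = "(&(objectCategory=person)(objectClass=user)$memberClause$logonClause)"
    Write-Verbose "LDAP filter: $filter"

    Get-ADUser -LDAPFilter $filter -Properties lastLogonTimestamp, Enabled |
        Select-Object SamAccountName, Enabled,
            @{ n = 'LastLogonTimestamp'; e = {
                if ($_.lastLogonTimestamp) { [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp) } } }
}

# Example usage: Domain Admins (nested groups included) inactive for 90 days.
$groupDN = (Get-ADGroup -Identity 'Domain Admins').DistinguishedName
Get-InactiveGroupAdmin -AdminGroupDN $groupDN -InactiveDays 90 -IncludeNested -IncludeNeverLoggedOn -Verbose |
    Format-Table -AutoSize
```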

Get Stale Admin Accounts in Active Directory Using PowerShell

Active Directory permission required:
  • Least privilege: Domain User
  • Most privilege: Administrators
  • In the above solution, inactive admins will not be listed in a single view. You need to query each administrative group individually by replacing the group's distinguished name. This process can be time-consuming and repetitive.
  • To make this process easier, you can use PowerShell to retrieve all inactive admins from all Active Directory groups in your environment.
  • First, import the Active Directory PowerShell module into your session using the following cmdlet.
     Import-Module ActiveDirectory
  • Then, run the script below to list all inactive admins in Active Directory based on their LastLogonDate attribute.
     # Protected groups are the ones AdminSDHolder stamps with adminCount=1
     $privGroups = Get-ADGroup -LDAPFilter "(adminCount=1)" |
         Select-Object -ExpandProperty DistinguishedName
     # Put their DNs in a hashtable for fast membership lookups
     $privGroupSet = @{}
     foreach ($g in $privGroups) {
         $privGroupSet[$g] = $true
     }
     # Find user accounts with no logon in the last 90 days, keep only those
     # flagged adminCount=1, then confirm they still belong to a protected group
     Search-ADAccount -AccountInactive -TimeSpan 90.00:00:00 -UsersOnly |
         Get-ADUser -Properties MemberOf, adminCount, LastLogonDate |
         Where-Object { $_.adminCount -eq 1 } |
         ForEach-Object {
             $user = $_
             $filteredGroups = @()
             foreach ($groupDN in $user.MemberOf) {
                 if ($privGroupSet.ContainsKey($groupDN)) {
                     $filteredGroups += (Get-ADGroup $groupDN).Name
                 }
             }
             if ($filteredGroups.Count -gt 0) {
                 [PSCustomObject]@{
                     User          = $user.SamAccountName
                     Name          = $user.Name
                     LastLogonDate = $user.LastLogonDate
                     AdminGroups   = ($filteredGroups -join ", ")
                 }
             }
         }
  • The script retrieves administrative accounts that have been inactive for more than 90 days. It provides details such as the account name, SAM account name, last logon date, and associated admin groups.
  • Note: The above script identifies inactive admins by checking both the adminCount attribute and the account's current administrative group memberships. This helps reduce false positives that may occur when relying solely on adminCount = 1.

Gain Unified Visibility into Stale Admin Accounts in Active Directory!

AdminDroid’s Active Directory reporting tool provides clear visibility into inactive members of privileged groups with AI-powered insights and simple filters. Below are some of the key capabilities that help you quickly identify and take action to secure privileged access in Active Directory.

Monitor Inactive Privileged Accounts from a Centralized Admin Dashboard

Leverage the Active Directory admins dashboard to quickly gain insights into inactive admins for 7, 30, or 90 days, never-logged-on accounts, and more through detailed metrics at a glance.

Manage Inactive but Enabled Admin Accounts in Active Directory

Use AdminDroid's filtering capabilities to find inactive enabled admins with high-level access, such as Domain Admins or Enterprise Admins, and take immediate action by disabling or removing stale privileged users.

Discover Never-Used Admin Accounts Through Advanced Customization

Use the never logged in users report by customizing the columns to include the Admin User field to identify improperly provisioned or unmanaged admin accounts that remain unused.

Set Alerts on Inactive Admin Accounts Changes in Active Directory

Use AdminDroid alerts to get notified whenever an inactive admin account is enabled, has its password reset, or undergoes other critical changes, and take timely action to reduce security risks.

Find Stale Computers Associated with Inactive Admin Accounts

Identify stale computers linked to inactive admin accounts to uncover forgotten privileged assets for cleanup and minimize the risk of cached credential exposure and unauthorized access.

Detect Admins with Outdated Passwords to Prevent Account Misuse

Find inactive admin accounts with old passwords to protect them from password spray, credential stuffing, or account takeover attempts.

Overall, AdminDroid Active Directory reports offer a complete solution for identifying and managing inactive admin accounts. Beyond this, they provide comprehensive capabilities to monitor, analyze, and remediate stale administrative accounts across the Active Directory environment.

Important tips

Explicitly identify and exclude break-glass accounts when managing inactive admins to avoid losing emergency access to your Active Directory environment.

Implement Just-In-Time admin access to automatically remove users from privileged groups after a defined period and prevent the accumulation of dormant privileged accounts.

Use fine-grained password policies for admin accounts to enforce stronger, shorter-lived credentials and reduce the risk of exposure if accounts become inactive.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting hints when managing inactive admins in Active Directory.

Error: Remove-ADGroupMember : Insufficient access rights to perform the operation.

This error occurs when your account doesn’t have enough privileges to remove a user from the Domain Admins or any other privileged groups.

Fix: Make sure you have at least Account Operator privileges before trying to remove a member from the Domain Admins group. Be aware that Account Operators cannot change the membership of AdminSDHolder-protected groups such as Administrators, Domain Admins, or Enterprise Admins; for those groups you need to be a member of Domain Admins (or Enterprise Admins for forest-level groups) or hold an explicitly delegated write permission on the group.

Error: Windows cannot move object '<UserName>' because: Access is denied.

This error occurs when the user account is protected from accidental deletion. Active Directory prevents the object from being moved or deleted.

Fix: Before moving the user account to the quarantine OU, disable accidental deletion protection using the following PowerShell cmdlet:
Set-ADObject "<User_DistinguishedName>" -ProtectedFromAccidentalDeletion $false

Note: After moving the account, consider re-enabling accidental deletion protection by setting the -ProtectedFromAccidentalDeletion parameter to $true to prevent unintended modification or deletion of the account object.

Error: Disable-ADAccount : Cannot find an object with identity: '<UserName>' under: 'DC=contoso,DC=com'.

This error occurs when the user account specified in the Disable-ADAccount cmdlet does not exist, is misspelled, or cannot be located in the current Active Directory domain.

Fix: Before disabling the account, verify that the user exists and retrieve the correct account details using the following PowerShell cmdlet:
Get-ADUser -Identity "<UserName>"

Frequently Asked Questions

Manage Inactive Admin Accounts in Active Directory to Secure Privileged Access

1. What are the risks of inactive admin accounts in Active Directory?

Inactive admin accounts in Active Directory often result from role changes, employee departures, or temporary privileged access that is no longer required. When these accounts retain elevated privileges, they can pose significant security risks.

Key risks associated with inactive admin accounts include:

  • Privilege abuse and domain compromise: Administrative accounts often have access across multiple systems, such as servers, workstations, and domain controllers. If compromised, they can provide full control over domain resources, including users, critical systems, sensitive data, and Group Policies. They can also be used by attackers for lateral movement across the organization.
  • Credential-based attacks: Dormant privileged accounts are common targets for attacks such as password spraying, brute-force attempts, and pass-the-hash, as they are less frequently monitored and often have unchanged credentials. Attackers may use inactive admin accounts to maintain long-term access within an environment. Because these accounts are rarely used, suspicious activity associated with them may be less likely to trigger immediate investigation.
  • Outdated security configurations: Inactive admin accounts may not follow current security standards, such as password rotation policies, or modern authentication controls. These accounts often have old passwords and outdated security settings, making them easier to compromise than actively managed accounts.
  • Unauthorized access to critical resources: If administrative accounts belonging to former employees are not properly deprovisioned, these accounts may continue to provide unauthorized access to organizational resources. This creates unnecessary security and data protection risks.

2. How to quarantine inactive admin accounts in Active Directory?

Identified an inactive admin account and wondering if it's still needed? Instead of immediately deleting the account, follow a quarantine-based offboarding approach. This involves disabling the account and isolating it in a dedicated quarantine OU while retaining it for review.

Keeping the account in quarantine for a period helps identify hidden dependencies such as applications, scheduled tasks, services, or administrative processes that may still rely on it. If any issues are reported after the account is disabled, you can quickly investigate and restore access if required. This approach helps organizations safely decommission dormant privileged accounts before permanent removal.

Disable the inactive admin account in Active Directory

Disabling an inactive admin account immediately blocks all sign-in attempts while preserving the account and its associated information.

  • Open Active Directory Users and Computers (ADUC).
  • Locate the inactive admin account, right-click the account, and select Disable Account.
  • A down-arrow icon will appear, indicating that the account has been disabled.

To disable inactive admin accounts using PowerShell, run the following cmdlet:

Disable-ADAccount -Identity "<User_DistinguishedName>"

Replace <User_DistinguishedName> with the distinguished name of the inactive admin account you want to disable.

Move the account to a quarantine OU in Active Directory

After disabling the account, move it to a dedicated quarantine OU. This OU can be configured with restrictive Group Policies to isolate inactive accounts from regular administrative and user environments.

  • Open Active Directory Users and Computers and locate the inactive admin account in the respective OU.
  • Right-click the disabled admin account and select Move.
  • Choose the Quarantine OU (create one if not already available).
  • Click OK to complete the move action.

To move inactive admin accounts to a quarantine OU using PowerShell, run the following cmdlet:

Move-ADObject -Identity "<User_DistinguishedName>" -TargetPath "<OU_DistinguishedName>"

Replace <User_DistinguishedName> with the admin's distinguished name and <OU_DistinguishedName> with the distinguished name of the quarantine OU.
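The disable-and-move procedure above, combined into one reviewable function that also handles the "Access is denied" case caused by accidental-deletion protection (an added example, not code from the original article). The function name, the -QuarantineOU parameter, and the use of the info attribute as an audit note are this example's own choices.

```powershell
Import-Module ActiveDirectory

function Invoke-AdminQuarantine {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$QuarantineOU     # DN of the quarantine OU
    )
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties ProtectedFromAccidentalDeletion -ErrorAction Stop
        if ($user.DistinguishedName -like "*,$QuarantineOU") {
            Write-Verbose "$SamAccountName is already in $QuarantineOU"
            return
        }
        if (-not $PSCmdlet.ShouldProcess($user.DistinguishedName, "Disable and move to $QuarantineOU")) { return }

        # 1. Block all sign-ins first; the object and its attributes are retained.
        Disable-ADAccount -Identity $user

        # 2. Move-ADObject fails with "Access is denied" on a protected object, so lift
        #    the protection only for the duration of the move.
        $wasProtected = [bool]$user.ProtectedFromAccidentalDeletion
        if ($wasProtected) { Set-ADObject -Identity $user -ProtectedFromAccidentalDeletion $false }
        $moved = $null
        try {
            $moved = Move-ADObject -Identity $user -TargetPath $QuarantineOU -PassThru
        }
        finally {
            # 3. Re-protect at the new location, or at the old one if the move failed.
            $target = if ($moved) { $moved } else { $user }
            if ($wasProtected) { Set-ADObject -Identity $target -ProtectedFromAccidentalDeletion $true }
        }

        # 4. Leave an audit trail on the object itself for the later review.
        $note = "Quarantined $(Get-Date -Format 'yyyy-MM-dd') by $env:USERNAME (inactive admin)"
        Set-ADUser -Identity $moved -Replace @{ info = $note }

        [PSCustomObject]@{
            User        = $SamAccountName
            NewDN       = $moved.DistinguishedName
            Reprotected = $wasProtected
        }
    }
}

# Example usage: dry run first (-WhatIf), then run again without it to apply.
'inactive.admin1', 'inactive.admin2' |
    Invoke-AdminQuarantine -QuarantineOU 'OU=Quarantine,DC=contoso,DC=com' -WhatIf
```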

Simplify disabling and quarantining inactive admins with AdminDroid!

  • With AdminDroid's Active Directory management actions, you can disable and move inactive admin accounts from a single centralized console.
  • Simply select the inactive admin accounts, click Disable User to block access, and then use Move User action to relocate them to a designated quarantine OU.

Worried about accidental changes? Don't worry! With AdminDroid's built-in Undo option, you can revert both account disablements and OU moves in seconds.

3. How to deny logon rights for inactive admin accounts in Active Directory?

Blocking all account access by disabling the account is the generally recommended approach. However, some organizations may need to temporarily retain inactive admin accounts instead of immediately disabling or deleting them. This is often required for dependency validation, application compatibility testing, service account verification, auditing, or emergency recovery scenarios.

In such cases, instead of immediately disabling or deleting the account, admins can use deny logon policies to restrict interactive sign-ins while keeping the account available for monitoring and administrative review.

Deny logon locally for inactive Active Directory admin accounts

  • Open Group Policy Management Console (GPMC) from Server Manager » Tools.
  • Expand the forest, then right-click your domain and select Create a GPO in this domain, and Link it here option.
  • Enter a name for the GPO and click OK. Then, right-click the newly created GPO and select Edit.
  • Navigate to Computer Configuration » Windows Settings » Security Settings » Local Policies » User Rights Assignment.
  • Double-click Deny log on locally, click Add User or Group, and add the inactive admin account(s) or a dedicated security group containing those accounts.
  • Click OK, Apply, and then OK to save the policy settings.

Repeat the same steps for Deny log on through Remote Desktop Services to block Remote Desktop logons for inactive admin accounts.

After the policy is applied, inactive admins will be prevented from logging on locally while the accounts remain available for auditing and future reactivation if required.
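To confirm on a target computer that both deny rights really reached the accounts you intended, the function below (an added example, not code from the original article) exports the effective local security policy with secedit and resolves the assigned SIDs to account names. It assumes an elevated session on a domain-joined machine after gpupdate /force; a SID that no longer resolves points at an account that was deleted but left in the policy.

```powershell
function Get-DenyLogonAssignment {
    param([string]$ExportPath = (Join-Path $env:TEMP 'secpol-export.inf'))

    # secedit writes an INI-style file; the [Privilege Rights] section lists each
    # right as "Constant = *SID,*SID,Name". Only the user-rights area is exported.
    $null = secedit.exe /export /cfg $ExportPath /areas USER_RIGHTS
    if (-not (Test-Path $ExportPath)) { throw "secedit export failed; run this from an elevated session" }

    $rights = @{
        SeDenyInteractiveLogonRight       = 'Deny log on locally'
        SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
    }
    $lines = Get-Content -Path $ExportPath
    Remove-Item -Path $ExportPath -Force

    foreach ($key in $rights.Keys) {
        # secedit omits a right entirely when nobody is assigned to it
        $line = $lines | Where-Object { $_ -match "^$key\s*=" } | Select-Object -First 1
        $entries = if ($line) { ($line -split '=', 2)[1].Trim() -split ',' } else { @() }
        if ($entries.Count -eq 0) {
            [PSCustomObject]@{ Right = $rights[$key]; Constant = $key; Principal = '(nobody)' }
            continue
        }
        foreach ($entry in $entries) {
            $entry = $entry.Trim()
            if (-not $entry) { continue }
            # Entries prefixed with * are SIDs; translate them to DOMAIN\Name where possible
            $name = $entry
            if ($entry.StartsWith('*')) {
                try {
                    $sid  = [System.Security.Principal.SecurityIdentifier]$entry.Substring(1)
                    $name = $sid.Translate([System.Security.Principal.NTAccount]).Value
                }
                catch { $name = "$entry (unresolved SID, possibly a deleted account)" }
            }
            [PSCustomObject]@{ Right = $rights[$key]; Constant = $key; Principal = $name }
        }
    }
}

# Example usage
Get-DenyLogonAssignment | Format-Table -AutoSize
```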


4. How to remove inactive admin accounts from highly privileged groups?

Disabling an inactive admin account is only half the battle. Leaving disabled admins inside their privileged groups such as Domain Admins or Enterprise Admins creates a dangerous security blind spot. If the account is accidentally re-enabled or maliciously altered, it can immediately regain full domain-level privileges.

To eliminate this hidden privilege escalation path, revoking privileged group memberships for stale admin accounts is essential.

Remove inactive admin from highly privileged groups using ADUC

  • Open Active Directory Users and Computers (ADUC) and locate the stale admin account.
  • Right-click the account, select Properties, and navigate to the Member Of tab.
  • Select all privileged groups assigned to the account using Ctrl + Select, then click Remove.
  • Click Apply, then OK, to save your changes.

Bulk Remove Inactive Admins from All Privileged Groups Using PowerShell

  • If you want to remove multiple admin accounts from all privileged groups in Active Directory in a single operation, use the PowerShell script below.
  • Before running the script, prepare an input CSV file containing the inactive admin accounts you want to remove. The CSV file must include the SamAccountName column.
  • Then, run the PowerShell script below after replacing <InputCSVFile> with the path to your CSV file.
$Users = Import-Csv "<InputCSVFile>.csv"
# Protected groups are the ones AdminSDHolder stamps with adminCount=1
$PrivilegedGroups = Get-ADGroup -LDAPFilter "(adminCount=1)" |
    Select-Object -ExpandProperty DistinguishedName
foreach ($User in $Users) {
    $ADUser = Get-ADUser $User.SamAccountName -Properties MemberOf -ErrorAction SilentlyContinue
    if ($ADUser) {
        # Remove the account from every protected group it is directly a member of
        foreach ($GroupDN in $ADUser.MemberOf) {
            if ($PrivilegedGroups -contains $GroupDN) {
                Remove-ADGroupMember -Identity $GroupDN -Members $ADUser -Confirm:$false
                Write-Host "$($ADUser.SamAccountName) removed from $((Get-ADGroup $GroupDN).Name)"
            }
        }
    }
    else {
        Write-Host "User $($User.SamAccountName) not found"
    }
}

The script identifies all privileged groups assigned to those inactive accounts and removes them from those groups.

Note: After removing an inactive admin account from privileged groups, review the account for residual AdminSDHolder effects, such as an adminCount value still set to 1 and an ACL with inheritance disabled, that could continue to grant elevated permissions or misrepresent the account in audits, and ensure any residual elevated permissions are cleaned up as part of the remediation process.
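The post-removal cleanup the note refers to, as an added example that is not code from the original article: it refuses to touch an account that is still (directly or transitively) in a protected group, then clears adminCount and re-enables ACL inheritance. It assumes the AD: PSDrive that Import-Module ActiveDirectory creates; the function name is this example's own.

```powershell
Import-Module ActiveDirectory   # also provides the AD: PSDrive used by Get-Acl/Set-Acl

function Clear-OrphanedAdminCount {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$SamAccountName)
    process {
        $user = Get-ADUser -Identity $SamAccountName -Properties adminCount -ErrorAction Stop
        $dn = $user.DistinguishedName

        # Safety check: ask the DC for any protected group that still contains the
        # account, nested membership included (LDAP_MATCHING_RULE_IN_CHAIN).
        $escaped = $dn -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
        $stillIn = @(Get-ADGroup -LDAPFilter "(&(adminCount=1)(member:1.2.840.113556.1.4.1941:=$escaped))")
        if ($stillIn.Count -gt 0) {
            Write-Warning "$SamAccountName is still in protected groups: $($stillIn.Name -join ', ')"
            return
        }
        if ($user.adminCount -ne 1) {
            Write-Verbose "$SamAccountName has no adminCount set; nothing to clear"
            return
        }

        $changed = $false
        if ($PSCmdlet.ShouldProcess($dn, 'Clear adminCount and re-enable ACL inheritance')) {
            # A leftover adminCount=1 keeps the account in every adminCount-based audit
            Set-ADUser -Identity $user -Clear adminCount
            # SDProp disabled inheritance on the object; restore it so the OU's delegated
            # permissions apply again (isProtected=$false re-enables inheritance)
            $acl = Get-Acl -Path "AD:\$dn"
            $acl.SetAccessRuleProtection($false, $true)
            Set-Acl -Path "AD:\$dn" -AclObject $acl
            $changed = $true
        }
        [PSCustomObject]@{ User = $SamAccountName; DistinguishedName = $dn; Cleaned = $changed }
    }
}

# Example usage: dry run over the same CSV used by the removal script above.
Import-Csv "<InputCSVFile>.csv" | ForEach-Object { $_.SamAccountName } | Clear-OrphanedAdminCount -WhatIf
```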
