PowerShell to find inactive accounts

I am trying to set up a PowerShell to find accounts that have been inactive 90 days or longer. I found the one below, but when compared against the LastLogonDate, several of the accounts have been logged in within the 90-day period.

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90 | Get-ADUser -Properties Name, sAMAccountName, LastLogonDate | Where {($_.userAccountControl -band 2) -eq $False} | Select Name, sAMAccountName, LastLogonDate

How can I get a correct listing of users that have not been active 90 days or longer?
Asked by: jjwolven
 
David Johnson, CD, MVP (Owner) commented:
Import-Module ActiveDirectory
$domain = "example.com"   # defined but not used by the query below
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
# Get all enabled AD users whose lastLogonTimestamp is older than $time
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
    Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} |
    Export-Csv OLD_User.csv -NoTypeInformation

 
Tom Cieslik (IT Engineer) commented:
Replace domain name and path for export

Import-Module ActiveDirectory
$domain = "domain.mydom.com"   # defined but not used by the query below
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all enabled AD users whose lastLogonTimestamp is older than $time,
# then output Name and lastLogonTimestamp into a CSV (HH = 24-hour clock, so times are unambiguous)
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
    Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
    Export-Csv c:\temp\OLD_User.csv -NoTypeInformation

 
Shaun Vermaak (Technical Specialist/Developer) commented:
 
Ajit Singh commented:
Something like:

Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 30 | ?{$_.enabled -eq $True} | Get-ADUser -Properties Name, EmailAddress, Department, Description, lastLogonTimestamp | Select Name, EmailAddress, Department, Description,@{n='lastLogonTimestamp';e={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv D:\temp\testfunytest.csv



https://www.experts-exchange.com/questions/29064401/Disable-a-User-account.html

https://www.experts-exchange.com/questions/29033302/How-do-you-keep-your-AD-clean-of-old-stale-Computer-records.html

Hope this helps!
 
jjwolven (Author) commented:
Testing now.

The one from Ajit gave me results that had entries that had logged in within the TimeSpan.
Shaun's cleanup tool would do too much automatically; we have other plans for accounts.

Tom and David had the same script, which I will be testing next.
 
jjwolven (Author) commented:
It is working now, thanks.
I almost forgot to take into account that your script removed the inactive ones.
Question has a verified solution.
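
Added example, not part of any post in this thread: a filter that applies the 90-day cutoff to the raw lastLogonTimestamp value and also reports enabled accounts that have never logged on, followed by the two ways a 90 can be turned into a TimeSpan. Select-StaleAccount and the sample users are hypothetical names and constructed data, so the block runs without a domain controller.

```powershell
# Added example; Select-StaleAccount and the sample users are hypothetical / constructed.
function Select-StaleAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $DaysInactive = 90,
        [datetime] $Now = (Get-Date)
    )
    begin {
        # lastLogonTimestamp is a FILETIME (100 ns ticks since 1601-01-01 UTC).
        # By default it can lag the real last logon by up to 14 days, so treat
        # results close to the cutoff as approximate.
        $cutoff = $Now.AddDays(-$DaysInactive).ToFileTimeUtc()
    }
    process {
        if (-not $User.Enabled) { return }           # already disabled: skip
        $stamp = [long]$User.lastLogonTimestamp      # $null (never logged on) becomes 0
        if ($stamp -ge $cutoff) { return }           # logged on inside the window
        [pscustomobject]@{
            Name      = $User.Name
            LastLogon = if ($stamp -gt 0) { [DateTime]::FromFileTimeUtc($stamp) } else { $null }
            Reason    = if ($stamp -gt 0) { 'Inactive' } else { 'NeverLoggedOn' }
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output.
$ref = Get-Date
$sample = @(
    [pscustomobject]@{ Name = 'alice';   Enabled = $true;  lastLogonTimestamp = $ref.AddDays(-10).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'bob';     Enabled = $true;  lastLogonTimestamp = $ref.AddDays(-200).ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'svc-new'; Enabled = $true;  lastLogonTimestamp = $null }
    [pscustomobject]@{ Name = 'carol';   Enabled = $false; lastLogonTimestamp = $ref.AddDays(-400).ToFileTimeUtc() }
)
$sample | Select-StaleAccount -DaysInactive 90 -Now $ref | Format-Table

# Against a directory (requires the ActiveDirectory module):
# Get-ADUser -Filter * -Properties lastLogonTimestamp | Select-StaleAccount -DaysInactive 90

# A bare integer converted to [timespan] is a tick count, not a number of days.
[timespan]90            # 90 ticks of 100 ns each
New-TimeSpan -Days 90   # 90 days; an explicit value to pass to a -TimeSpan parameter
```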
