Stale user accounts can be a big problem…even more so when they are not disabled. I’m a firm believer that if you have an account that is not being used, it should be disabled. However, depending on the size of your Active Directory, that can be a daunting challenge. Below is a command that identifies user accounts that have not been used for 10 weeks, followed by a variant that disables them.
dsquery user -inactive 10 -limit 0
The value 10 is the number of weeks an account has been inactive. A limit of 0 returns every matching account; if you think you are going to have a lot of these, you may want to change your limit from 0 to something like 50 or so.
Now, if you would like to disable them as well, you simply pipe the output of the query into dsmod. For safety reasons I prefer to run the code above first to see who is inactive, and then once I’ve validated those accounts can be inactive I run the following code to disable them.
dsquery user -inactive 10 -limit 0 | dsmod user -disabled yes
Obviously, the account you run this under needs the appropriate permissions for dsmod to work, so watch out for that. Good luck and happy hunting!
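The piped one-liner runs the query a second time, so the accounts it disables are not necessarily the ones that were reviewed. The script below is an added example, not code from the original post: it saves the dsquery output to a file for review and later disables only the DNs left in that file. The parameter names and file paths are assumptions made for the example.

```powershell
# Added example: two-phase wrapper around the post's dsquery/dsmod commands.
# Parameter names and file paths are assumptions made for this example.
param(
    [int]$Weeks = 10,
    [string]$ReviewFile = ".\inactive-users.txt",   # hypothetical path
    [switch]$Disable
)

if (-not $Disable) {
    # Phase 1: report only. Save the DNs so they can be reviewed and edited.
    $found = @(dsquery user -inactive $Weeks -limit 0)
    $found | Set-Content -Path $ReviewFile
    Write-Host "$($found.Count) inactive accounts written to $ReviewFile"
    Write-Host "Delete any line that must stay enabled, then re-run with -Disable."
    return
}

# Phase 2: disable exactly the DNs left in the reviewed file. The query is
# not run again, so accounts that became inactive after the review are untouched.
if (-not (Test-Path $ReviewFile)) { throw "Review file not found: $ReviewFile" }

$approved = @(Get-Content -Path $ReviewFile |
    Where-Object { $_.Trim() -and -not $_.StartsWith('#') })   # skip blanks and notes

if ($approved.Count -eq 0) {
    Write-Host "Nothing to disable."
    return
}

# dsmod reads the quoted DNs from standard input, as in the piped one-liner.
$approved | dsmod user -disabled yes

# Keep a dated record of what was disabled; the same list can be piped to
# "dsmod user -disabled no" if an account has to be re-enabled.
$approved | Set-Content -Path ("disabled-{0:yyyyMMdd}.txt" -f (Get-Date))
```

Run it once without arguments, edit the review file, then run it again with -Disable.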