Find and Disable Stale User Accounts

Stale user accounts can be a big problem…even more so when they are not disabled. I'm a firm believer that if you have an account that is not being used, it should be disabled. However, depending on the size of your Active Directory, that can be a daunting challenge. The command below identifies user accounts that have not been used for 10 weeks, and it can be extended to disable them.

dsquery user -inactive 10 -limit 0

The value 10 is the number of weeks an account has been inactive. If you think you are going to have a lot of these, then you may want to change your limit from 0 to something like 50 or so.

Now, if you would like to disable them as well, you simply pipe the output into a second command. For safety reasons, I prefer to run the command above first to see who is inactive, and then, once I've validated that those accounts can be inactive, I run the following command to disable them.

dsquery user -inactive 10 -limit 0 | dsmod user -disabled yes

Obviously, the account running the command needs the appropriate permissions for dsmod to work, so watch out for that. Good luck and happy hunting!
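The same review-first, disable-second procedure can be scripted in PowerShell. The following is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) is installed, and the function names, the OU and the CSV path are hypothetical placeholders.

```powershell
# Added example (not from the original post): review-then-disable for stale users.
# Assumes the ActiveDirectory module (RSAT); the OU and CSV path below are placeholders.
Import-Module ActiveDirectory

function Get-StaleUser {
    param(
        [int]$Weeks = 10,                      # same threshold as "dsquery user -inactive 10"
        [Parameter(Mandatory)][string]$SearchBase
    )
    # LastLogonDate comes from lastLogonTimestamp, which replicates with a lag
    # of up to 14 days by default, so treat the threshold as approximate.
    Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days ($Weeks * 7)) `
                     -UsersOnly -SearchBase $SearchBase |
        Where-Object { $_.Enabled } |          # skip accounts that are already disabled
        Select-Object SamAccountName, DistinguishedName, LastLogonDate
}

function Disable-ReviewedUser {
    param(
        [Parameter(Mandatory)][string]$ReviewFile,
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$Weeks = 10,
        [switch]$Commit                        # without -Commit nothing is changed
    )
    # Re-query so an account that logged on since the report was made is left alone.
    $stillStale = @(Get-StaleUser -Weeks $Weeks -SearchBase $SearchBase |
                    Select-Object -ExpandProperty DistinguishedName)

    foreach ($row in Import-Csv -Path $ReviewFile) {
        if ($stillStale -notcontains $row.DistinguishedName) {
            Write-Warning "Skipping $($row.SamAccountName): no longer inactive or already disabled"
            continue
        }
        Disable-ADAccount -Identity $row.DistinguishedName -WhatIf:(-not $Commit)
    }
}

# Step 1: write the candidates to a CSV and review it; delete the rows for
# accounts that must stay enabled (service accounts, staff on leave, ...).
#   Get-StaleUser -SearchBase 'OU=Staff,DC=example,DC=com' |
#       Export-Csv -Path .\stale-users.csv -NoTypeInformation
#
# Step 2: dry run first, then repeat with -Commit to disable what is left.
#   Disable-ReviewedUser -ReviewFile .\stale-users.csv -SearchBase 'OU=Staff,DC=example,DC=com'
#   Disable-ReviewedUser -ReviewFile .\stale-users.csv -SearchBase 'OU=Staff,DC=example,DC=com' -Commit
```

Rows with an empty LastLogonDate in the CSV have no recorded logon and deserve a separate look before they are disabled.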

3 Responses to “Find and Disable Stale User Accounts”

  1.   Sairam Says:

    Hi, I am working on Active Directory, could you please let me know how to manage total Active Directory with PowerShell


  2.   Rosaura Says:

    Way cool! Some very valid points! I appreciate you
    writing this write-up plus the rest of the website
    is very good.


  3.   john piterson Says:

    Nice article !
    Thanks for sharing this with us.
    Here is another informative article which summarizes how to find and remove stale user and computer accounts in Active Directory without interruption – https://community.spiceworks.com/how_to/125704-how-to-find-and-remove-stale-users-and-computers-in-active-directory

