Active Directory, Security, PowerShell and My Life
Stale user accounts can be a big problem, even more so when they are not disabled. I’m a firm believer that if you have an account that is not being used it should be disabled. However, depending on the size of your Active Directory, that can be a daunting challenge. Below you will find a command that identifies user accounts that have not been used for 10 weeks, followed by a variant that also disables them.
dsquery user -inactive 10 -limit 0
The value 10 is the number of weeks an account has been inactive. If you expect a lot of results, you may want to change the limit from 0 to something like 50 or so.
Now if you would like to disable them as well, you simply pipe the output into a second command. For safety reasons I prefer to run the code above first to see who is inactive and then, once I’ve validated those accounts can be inactive, I run the following code to disable them.
dsquery user -inactive 10 -limit 0 | dsmod user -disabled yes
Obviously the account needs to have the appropriate permissions for dsmod to work, so watch out for that. Good luck and happy hunting!
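Running the query a second time inside the disable pipeline can return a different set of accounts than the one that was reviewed, so one way to carry out the two-step procedure above is to save the first run to a file and disable only what is in the reviewed file. This is an added example, not code from the original post; the script parameters, the function name and the file path are assumptions.

```powershell
# Added example (not from the original post): review-then-disable in two phases.
# The script parameters, function name and default file path are hypothetical.
param(
    [Parameter(Mandatory)] [ValidateSet('Export', 'Disable')] [string]$Phase,
    [int]$Weeks = 10,
    [string]$ListPath = '.\inactive-users.txt'
)

function Get-InactiveUserDn {
    # dsquery prints one double-quoted DN per line; -limit 0 returns every match.
    $out = dsquery user -inactive $Weeks -limit 0
    if ($LASTEXITCODE -ne 0) { throw "dsquery failed with exit code $LASTEXITCODE" }
    $out | ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ }
}

if ($Phase -eq 'Export') {
    # Phase 1: write the candidates to a file for a human to review and prune.
    $dns = @(Get-InactiveUserDn)
    $dns | Set-Content -Path $ListPath
    Write-Host "$($dns.Count) candidates written to $ListPath."
    Write-Host "Delete the lines for accounts that must stay enabled, then run -Phase Disable."
    return
}

# Phase 2: act only on DNs that were reviewed AND are still reported inactive,
# so an account that has logged on since the export is left alone.
$reviewed = @(Get-Content -Path $ListPath |
    ForEach-Object { $_.Trim().Trim('"') } | Where-Object { $_ })
$stillInactive = @(Get-InactiveUserDn)

foreach ($dn in $reviewed) {
    if ($stillInactive -notcontains $dn) {
        Write-Warning "Skipped (no longer reported inactive): $dn"
        continue
    }
    dsmod user $dn -disabled yes
    if ($LASTEXITCODE -ne 0) { Write-Warning "dsmod failed for: $dn" }
}
```

The reviewed file doubles as a record of which accounts were disabled in that run, which helps when one has to be re-enabled later.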
December 11th, 2014 at 4:49 pm
Hi, I am working on Active Directory. Could you please let me know how to manage total Active Directory with PowerShell?
November 6th, 2015 at 4:06 pm
Way cool! Some very valid points! I appreciate you writing this write-up, plus the rest of the website is very good.
June 23rd, 2016 at 1:38 pm
Nice article!
Thanks for sharing this with us.
Here is another informative resource which summarizes how to find and remove stale user and computer accounts in Active Directory without interruption – https://community.spiceworks.com/how_to/125704-how-to-find-and-remove-stale-users-and-computers-in-active-directory