Finding unused User Accounts in Active Directory

As we move towards the end of the year I thought it’s a good time to do some housekeeping activities within the lab infrastructure in which we work on a daily basis. Throughout the year we often create test user and computer objects within Active Directory and of course sometimes we forget to delete them.

As I don’t want to reinvent the wheel, I searched the web and soon found a whole bunch of tools and scripts that would help me identify unused user accounts. I decided that I wanted to use a script. I first found the Last Logon Dates scripts from Richard L. Mueller, which are written in WSH. But then I found the Managing AD User Accounts with PowerShell article on WindowsITPro and decided to take the opportunity to use PowerShell to accomplish my task.

Unfortunately the administration console I use hasn’t been migrated to Windows 7 yet, so I installed PowerShell 2.0 onto that Windows Vista client and then installed the Quest AD cmdlets.

On PowerShell.com I found the following script, which I modified slightly so that the output is written to an HTML file.

Get-QADUser -SizeLimit 0 | Where-Object { $_.LastLogonTimestamp -lt (Get-Date).AddDays(-30) } | Select-Object Name, Description, LastLogonTimestamp | ConvertTo-Html | Out-File C:\temp\adlastloggedon.htm

I wanted to do the same to find old computers, but it appears that the Get-QADComputer cmdlet has a bug: it doesn’t return any LastLogonTimestamp values. I found various comments saying this had been identified as a bug that should have been fixed by now, but either the bug is still there or I might be doing something wrong. However, I found a “find old computer objects” script on the Microsoft TechNet Script Center Gallery; it just has a few more lines of code 🙂

Note that your Windows domain must be at the Windows Server 2003 domain functional level for updates to lastLogonTimestamp to occur.
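As an added example (not the script from the post, and not the Quest cmdlets), here is a version that covers both the user report above and the computer report that Get-QADComputer would not produce for me. It uses the Microsoft ActiveDirectory module instead, so it assumes RSAT is installed and the account running it can read the domain; the lastLogonTimestamp property name and the 30-day threshold are the same ones the post uses.

```powershell
# Added example, not the post's script. Stale-account report for user and
# computer objects via the Microsoft ActiveDirectory module (assumed installed).
Import-Module ActiveDirectory

function Get-StaleAccount {
    param(
        [Parameter(ValueFromPipeline = $true)] $Account,
        [int] $Days = 30
    )
    begin { $cutoff = (Get-Date).AddDays(-$Days) }
    process {
        # lastLogonTimestamp is an Int64 FILETIME. AD only replicates it when
        # the stored value is more than 9-14 days old, so treat it as approximate.
        $ts = $Account.lastLogonTimestamp
        $lastLogon = if ($ts) { [DateTime]::FromFileTime($ts) } else { $null }

        # A plain '-lt' comparison silently skips objects with no timestamp;
        # accounts that never logged on are the ones most worth reviewing.
        $status = if ($lastLogon -eq $null) {
                      if ($Account.whenCreated -lt $cutoff) { 'NeverLoggedOn' } else { 'New' }
                  } elseif ($lastLogon -lt $cutoff) { 'Stale' } else { 'Active' }

        New-Object PSObject -Property @{
            Name           = $Account.Name
            SamAccountName = $Account.SamAccountName
            Enabled        = $Account.Enabled
            Description    = $Account.Description
            Created        = $Account.whenCreated
            LastLogon      = $lastLogon
            Status         = $status
        }
    }
}

$props = 'lastLogonTimestamp', 'whenCreated', 'Description'
$stale = @(Get-ADUser     -Filter * -Properties $props) +
         @(Get-ADComputer -Filter * -Properties $props) |
    Get-StaleAccount -Days 30 |
    Where-Object { $_.Status -eq 'Stale' -or $_.Status -eq 'NeverLoggedOn' }

$stale | Sort-Object LastLogon |
    Select-Object Name, SamAccountName, Enabled, Description, Created, LastLogon, Status |
    ConvertTo-Html -Title 'Accounts not logged on for 30 days' |
    Out-File C:\temp\adlastloggedon.htm

# Review the report first; disabling (dry run with -WhatIf) is safer than deleting:
# $stale | Where-Object { $_.Enabled } |
#     ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

The Status column separates accounts that are merely new from those that have never logged on, which the single `-lt` comparison in the one-liner cannot tell apart.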

If you are looking for a command-line tool to find old computers in your domain, I recommend the OldCmp tool from Joe.

Related content:
“The LastLogonTimeStamp Attribute” – “What it was designed for and how it works”
