
IT with everything IT

Disable Inactive Active Directory User Accounts


As an organization grows, its headcount grows with it, and so does the number of employees who leave to join other organizations for their own growth. This employee cycle repeats every now and then.

But what happens to the account of an employee who has left the company? If the proper action is not taken at the right time, the account stays active until someone manually disables it. Keeping on top of this therefore becomes part of the IT admin's job, since a forgotten, still-enabled account is a door that nobody is watching.

Let's look at how we can find inactive user accounts in Active Directory and disable them using PowerShell.

To List Inactive Users

#Import the ActiveDirectory module (part of RSAT) that provides the AD cmdlets used below
Import-Module ActiveDirectory

#Set the TimeSpan according to your company requirement. Search-ADAccount -TimeSpan expects a TimeSpan value, not a date.
$Timespan = New-TimeSpan -Days 90

#Count the accounts under the OU that have been inactive for more than 90 days
(Search-ADAccount -UsersOnly -AccountInactive -SearchBase "OU=Contoso Users,OU=Contoso,DC=Contoso,DC=com" -TimeSpan $Timespan | Select-Object DistinguishedName).Count

#Export the inactive user list
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $Timespan | Select-Object DistinguishedName,sAMAccountName | Export-Csv "./InactiveUsers.Csv" -NoTypeInformation

Disable users who are inactive for more than 90 days

#Search for inactive users and keep their distinguishedName for the later steps
$InactiveUsers = (Search-ADAccount -UsersOnly -AccountInactive -TimeSpan $Timespan -SearchBase "OU=Contoso Users,OU=Contoso,DC=Contoso,DC=com").DistinguishedName

#Stamp the time the account was disabled into extensionAttribute10 of every account; the deletion step below relies on this stamp.
#The round-trip ("o") format is culture-independent, so the value parses back into a [datetime] on any machine.
[string]$Time = (Get-Date).ToString("o")

#-Replace rather than -Add: extensionAttribute10 is single-valued, and -Add fails when a value is already present
Foreach ($InactiveUser in $InactiveUsers) {Set-ADUser -Identity $InactiveUser -Replace @{extensionAttribute10="$Time"}}

#Note: if for any reason you want to clear the attribute value added to a user, run the Cmdlet below
Set-ADUser "User DistinguishedName" -Clear extensionAttribute10

Disabling the accounts

Foreach ($InactiveUser in $InactiveUsers) {Disable-ADAccount -Identity $InactiveUser}

#Move the disabled accounts to a separate Organizational Unit
#Search under the same OU as above, so accounts already sitting in the Disabled Users OU are not picked up again
Get-ADUser -Filter {enabled -eq $false} -SearchBase "OU=Contoso Users,OU=Contoso,DC=Contoso,DC=com" | Move-ADObject -TargetPath "OU=Disabled Users,OU=Contoso,DC=Contoso,DC=com"

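The same disable-and-move step wrapped into one rerunnable function, as an added example rather than code from the post: it supports -WhatIf for a dry run, skips accounts already stamped on an earlier run, ignores newly created accounts that simply have not logged on yet, and writes an audit CSV. It assumes the post's OU names, the RSAT ActiveDirectory module, and extensionAttribute10 as the stamp attribute.

```powershell
# Added example, not the post's own code. Assumes the post's OU names, the RSAT
# ActiveDirectory module, and extensionAttribute10 as the "disabled on" stamp.
Import-Module ActiveDirectory

function Disable-InactiveAdUser {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$InactiveDays = 90,
        [string]$SearchBase = 'OU=Contoso Users,OU=Contoso,DC=Contoso,DC=com',
        [string]$DisabledOu = 'OU=Disabled Users,OU=Contoso,DC=Contoso,DC=com',
        [string]$LogPath    = './DisabledUsers.csv'
    )
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Search-ADAccount judges inactivity from lastLogonTimestamp, which replicates lazily
    # (it can lag the real last logon by up to 14 days), so treat the threshold as approximate.
    $candidates = Search-ADAccount -UsersOnly -AccountInactive -SearchBase $SearchBase `
                      -TimeSpan (New-TimeSpan -Days $InactiveDays) |
                  Get-ADUser -Properties whenCreated, LastLogonDate, extensionAttribute10

    $processed = foreach ($user in $candidates) {
        # A never-logged-on account created after the cutoff is new, not stale: skip it.
        if ($user.whenCreated -gt $cutoff) { continue }
        # Already stamped by an earlier run: leave it alone so reruns are idempotent.
        if ($user.extensionAttribute10) { continue }

        if ($PSCmdlet.ShouldProcess($user.DistinguishedName, "Disable and move to $DisabledOu")) {
            # Round-trip ("o") timestamp parses back to [datetime] regardless of locale.
            Set-ADUser -Identity $user -Replace @{ extensionAttribute10 = (Get-Date).ToString('o') }
            Disable-ADAccount -Identity $user
            Move-ADObject -Identity $user -TargetPath $DisabledOu
        }
        [pscustomobject]@{
            SamAccountName = $user.SamAccountName
            LastLogonDate  = $user.LastLogonDate
            WhenCreated    = $user.whenCreated
            DisabledOn     = (Get-Date).ToString('o')
        }
    }

    # Audit trail of what was (or, with -WhatIf, would have been) disabled.
    if ($processed) { $processed | Export-Csv -Path $LogPath -NoTypeInformation -Append }
    $processed
}

# Dry run first; drop -WhatIf once the list looks right.
Disable-InactiveAdUser -InactiveDays 90 -WhatIf
```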
Delete Disabled Users after 180 Days

#Set the deletion cut-off date: accounts disabled before this date are deleted
$DeletionCutoff = (Get-Date).AddDays(-180)

#Search for disabled users in the OU whose disable stamp is older than the cut-off.
#Accounts without a stamp (disabled by hand rather than by this process) are skipped on purpose: an empty attribute would compare as the minimum date, and every unstamped account would be deleted.
$UserToDelete = Get-ADUser -Filter {enabled -eq $false} -SearchBase "OU=Contoso,DC=Contoso,DC=com" -Properties extensionAttribute10 | Where-Object { $_.extensionAttribute10 -and ([datetime]$_.extensionAttribute10) -le $DeletionCutoff }

#Export the user list to a Csv file for future reference
$UserToDelete | Export-Csv "./UserAccountsDeleted.Csv" -NoTypeInformation

#Deleting the user accounts. Remove-ADUser prompts for confirmation on each account; only add -Confirm:$false once the exported list has been reviewed.
Foreach ($User in $UserToDelete) {Remove-ADUser -Identity $User}
