How to Find Inactive Users in Active Directory
Don't we tend to inflict nightmares on ourselves? When a small company decided to go public, the SOX audit reared its ugly head, and the internal SOX auditors were quick to jump on those self-inflicted wounds. Allow me to explain. When someone left, the most that was done to their account was that it was disabled. Some of those accounts were moved to an OU called "Inactive Users". Most of the time, they weren't.
1. One of the simplest ways to do this is to use dsquery. The full command would look like this (-inactive counts in weeks; -limit 0 removes the default cap of 100 results):
dsquery user -inactive X -limit 0
2. X, of course, you'll replace with the number of weeks back you want to look. Want to export your findings to a file for the auditors? Redirect the output (keep -limit 0, or the list is silently cut off at 100 accounts, and quote the path if it contains spaces). Note that dsquery writes one distinguished name per line rather than a comma-separated table, and that the "inactive" check is based on lastLogonTimestamp, which domain controllers only update when the stored value is more than 9-14 days old, so the result is approximate by about two weeks:
dsquery user -inactive X -limit 0 > "C:\Folder you want the reports in\inactive users.csv"
3. If you have PowerShell with the Active Directory module installed (it ships with RSAT), open PowerShell on a machine that can reach a Domain Controller and try this script:
# Get time stamps for all users in the domain that have NOT logged in since the specified date
# Mod by Tilo 2014-04-01
Import-Module ActiveDirectory
$domain = "domain.mydom.com"          # replace with your domain; used as the -Server target
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
# Get all enabled AD users whose lastLogonTimestamp is older than $time.
# Accounts that have never logged on have no lastLogonTimestamp at all and are NOT matched by this filter.
# Then output Name and lastLogonTimestamp (converted from Windows file time) into a CSV.
Get-ADUser -Server $domain -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp |
    Select-Object Name, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd_HH:mm:ss')}} |
    Export-Csv OLD_User.csv -NoTypeInformation
4. Replace 90 with the number of days you want to go back, and it will run through and export every matching enabled account to OLD_User.csv in the current directory.
5. Now the big trick here is to determine which users and service accounts are still around and which aren't. Unfortunately, in a lot of cases, this is where you have to put on your detective hat and start looking.
In this case we turned up not only inactive users, but a whole bunch of enabled accounts belonging to people who were no longer around, plus hundreds of service accounts. So welcome to the sifting process. The old user accounts were easy to deal with, but once the service accounts were identified we had to decide whether each one was still being used, get rid of the ones that weren't, and then mark the remainder as "service accounts" to aid future identification.
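The following script is an added example, not code from the original post or from Netwrix. It takes the step-3 script a bit further to cover the two gaps that made the sifting in step 5 painful: it separates accounts that have never logged on (no lastLogonTimestamp, which the -lt filter silently skips) from genuinely stale ones, and it flags likely service accounts using a heuristic (an SPN on the account, password set to never expire, or a name prefix such as svc-). The output path, the 90-day window and the name-prefix pattern are assumptions to adjust for your environment; it assumes the ActiveDirectory module and a session with read access to the domain.

```powershell
# Added example (not from the original post): inactive-account report that also
# classifies never-logged-on accounts and flags likely service accounts.
# Assumes the ActiveDirectory (RSAT) module and read access to the domain.
Import-Module ActiveDirectory

$DaysInactive = 90                                   # assumed window, same as step 3
$Cutoff       = (Get-Date).AddDays(-$DaysInactive)
$OutFile      = 'C:\Reports\InactiveUsers.csv'       # assumed output path

# Only enabled accounts; disabled ones are already out of the way.
# lastLogonTimestamp is only refreshed on the DC when the stored value is more
# than 9-14 days old, so "older than 90 days" really means "no logon in at
# least about 76 days". Good enough for an audit candidate list.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
    -Properties lastLogonTimestamp, pwdLastSet, whenCreated, `
                servicePrincipalName, PasswordNeverExpires, Description

$report = foreach ($u in $users) {
    # Both stamps are Windows file times; a missing attribute comes back as $null.
    $lastLogon = if ($u.lastLogonTimestamp) { [DateTime]::FromFileTime($u.lastLogonTimestamp) } else { $null }
    $pwdSet    = if ($u.pwdLastSet)         { [DateTime]::FromFileTime($u.pwdLastSet) }         else { $null }

    # Accounts created inside the window that have never logged on are new,
    # not stale; older accounts with no logon at all are prime candidates.
    $status = if ($lastLogon -and $lastLogon -ge $Cutoff) { 'Active' }
              elseif ($lastLogon)                         { 'Inactive' }
              elseif ($u.whenCreated -ge $Cutoff)         { 'NewNeverLoggedOn' }
              else                                        { 'NeverLoggedOn' }

    # Heuristic service-account markers (assumed conventions; still needs review).
    $hasSpn       = (@($u.servicePrincipalName).Count -gt 0)
    $looksLikeSvc = $hasSpn -or $u.PasswordNeverExpires -or
                    ($u.SamAccountName -match '^(svc|sa|srv)[-_]')

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Name            = $u.Name
        Status          = $status
        LastLogon       = if ($lastLogon) { $lastLogon.ToString('yyyy-MM-dd HH:mm:ss') } else { '' }
        PasswordLastSet = if ($pwdSet)    { $pwdSet.ToString('yyyy-MM-dd') }             else { '' }
        Created         = $u.whenCreated.ToString('yyyy-MM-dd')
        HasSPN          = $hasSpn
        PwdNeverExpires = [bool]$u.PasswordNeverExpires
        LikelyService   = $looksLikeSvc
        Container       = ($u.DistinguishedName -replace '^CN=[^,]+,', '')   # parent OU/container
        Description     = $u.Description
    }
}

# Everything that is not demonstrably active goes to the auditors' CSV,
# service-account candidates grouped together so they can be reviewed as a set.
$report | Where-Object Status -ne 'Active' |
    Sort-Object LikelyService, Status, LastLogon |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Console summary: how many of each kind we are dealing with
$report | Group-Object Status, LikelyService | Select-Object Count, Name
```

If you only need the plain inactive list, Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 90.00:00:00 from the same module gives it in one line; the script above is for the case where the report has to distinguish "never used" from "no longer used" and pre-sort the service accounts, which is where the real work in step 5 goes.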
6. Credits: Originally posted - http://blog.netwrix.com/2015/09/21/finding-disabled-users-for-sox-audit/