As a consultant, one common problem I come across at clients is IT doing a poor job of managing old objects in Active Directory, so I generally end up doing that cleanup. Here are some simple PowerShell commands that I find helpful for disabling these objects for security reasons. Once you have disabled them and let the change soak for a bit, you can easily find the disabled accounts and delete them.

Open PowerShell as an Administrator.

Import the ActiveDirectory Module for PowerShell.

Import-Module activedirectory

Set the number of days you want to check for inactivity; in my examples I will use 120 days.

$datecutoff = (Get-Date).AddDays(-120)

To simply list the objects that have not logged on in the last 120 days (or the number of days defined above):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort-Object LastLogonDate | Format-Table Name, LastLogonDate -AutoSize

To test the process without executing the actual disable, using the above criteria:

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false -WhatIf

Perform the process and execute the actual disable using the above criteria:

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false
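The steps above, pulled together into one script as an added example (this is not from the original post): it lists the stale users and computers, writes a CSV record of what it is about to touch, stamps each object's Description with the date and reason so the change is explained and reversible, and runs in -WhatIf mode until you deliberately flip a switch. It assumes the ActiveDirectory module is installed and you are running as an account allowed to disable objects; $SearchBase, $ExcludeNames and $ReportPath are placeholders to adjust for your environment.

```powershell
# Added example, not part of the original post.
# Assumes the ActiveDirectory (RSAT) module and rights to disable objects.
Import-Module ActiveDirectory

$InactiveDays = 120                                      # same cutoff as the post
$DateCutoff   = (Get-Date).AddDays(-$InactiveDays)
$SearchBase   = (Get-ADDomain).DistinguishedName         # placeholder: narrow to an OU DN to limit scope
$ExcludeNames = @()                                      # placeholder: names that must never be disabled
$ReportPath   = "C:\Temp\stale-ad-objects-$(Get-Date -Format yyyyMMdd).csv"   # placeholder path
$Execute      = $false                                   # leave $false until the -WhatIf run looks right

# Only currently enabled objects whose LastLogonDate is older than the cutoff.
# LastLogonDate comes from the replicated lastLogonTimestamp, which can lag by up to
# about 14 days, and objects that have never logged on have no value at all, so the
# -lt comparison leaves them alone; review those separately.
$staleUsers = Get-ADUser -SearchBase $SearchBase -Properties LastLogonDate, Description `
    -Filter { Enabled -eq $true -and LastLogonDate -lt $DateCutoff } |
    Where-Object { $ExcludeNames -notcontains $_.SamAccountName }

$staleComputers = Get-ADComputer -SearchBase $SearchBase -Properties LastLogonDate, Description `
    -Filter { Enabled -eq $true -and LastLogonDate -lt $DateCutoff } |
    Where-Object { $ExcludeNames -notcontains $_.Name }

# Build one report of everything the script intends to change and keep a copy.
$report = foreach ($obj in @($staleUsers) + @($staleComputers)) {
    [pscustomobject]@{
        Name              = $obj.Name
        ObjectClass       = $obj.ObjectClass
        DistinguishedName = $obj.DistinguishedName
        LastLogonDate     = $obj.LastLogonDate
        DaysInactive      = [int]((Get-Date) - $obj.LastLogonDate).TotalDays
    }
}
$report | Sort-Object LastLogonDate | Format-Table Name, ObjectClass, LastLogonDate, DaysInactive -AutoSize
$report | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "Found $(@($report).Count) stale objects; record written to $ReportPath"

# Disable, recording why and when in the Description so the change is explained and reversible.
# -WhatIf:$true only previews; setting $Execute = $true performs the disable.
$stamp = "Disabled as inactive > $InactiveDays days on $(Get-Date -Format yyyy-MM-dd)"

foreach ($u in $staleUsers) {
    $desc = if ($u.Description) { "$stamp | $($u.Description)" } else { $stamp }
    Set-ADUser -Identity $u -Enabled $false -Description $desc -WhatIf:(-not $Execute)
}

foreach ($c in $staleComputers) {
    $desc = if ($c.Description) { "$stamp | $($c.Description)" } else { $stamp }
    Set-ADComputer -Identity $c -Enabled $false -Description $desc -WhatIf:(-not $Execute)
}
```

Run it once with $Execute left at $false, check the console output and the CSV, then set $Execute = $true for the real pass. The CSV is also what you come back to after the soak period to find the objects to delete, and the Description stamp lets anyone who later finds a disabled account see why it was disabled rather than guessing.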

Hope anyone who finds this article finds it as useful as the commands have been for me.