Using PowerShell to Find Inactive Users in AD and Exchange


Recently, I was working with a client to consolidate several Active Directory and LDAP domains into a single unified domain. To ensure we were starting with a clean slate, one of the first steps I performed was an audit to find any inactive accounts in the Active Directory domains. This allowed the client to investigate and/or remove any stale accounts prior to consolidation. There are many professional (and possibly expensive) tools which can be used to automate this process, but for small to mid-sized domains it can be done fairly easily using the following PowerShell command and some Excel manipulation.

Get-ADUser -SearchBase "ou=users,dc=company,dc=com" -Filter * -Properties * | Select-Object SamAccountName, DistinguishedName, LastLogonDate, Department, Title, Enabled | Export-Csv C:\Temp\AdUserLastLogonDate.csv


In this example, I have focused on the users OU, although this script could be used to investigate stale computer or service accounts as well. While I only needed the user's account name and LastLogonDate in this report, I also included fields such as Department and Title to assist in identifying the users. The CSV file produced by PowerShell could then be opened in Excel to quickly locate any inactive accounts by sorting on the LastLogonDate field. That said, there are some specific issues to be aware of when using this process.

  1. The LastLogonDate attribute can lag the real last logon by up to 14 days (the underlying attribute is replicated between domain controllers only infrequently), so allow for that margin when choosing an inactivity threshold.
  2. If the LastLogonDate is blank, the account has never logged in.
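The following script is an added example, not code from the original post, and shows one way to build the same report while handling both caveats above: it widens the inactivity cutoff by the 14-day replication lag, treats a blank LastLogonDate as "never logged on" but distinguishes a genuinely stale account from one that was only just created, and requests only the attributes it needs instead of -Properties *. The OU path, the 90-day threshold and the C:\Temp output paths are placeholders to adjust for your own environment.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT). OU path, threshold and output paths are placeholders.
Import-Module ActiveDirectory

$SearchBase   = "ou=users,dc=company,dc=com"
$DaysInactive = 90
# LastLogonDate can lag the true last logon by up to 14 days, so push the
# cutoff back by that much to avoid flagging recently active users.
$ReplicationSkewDays = 14
$Cutoff = (Get-Date).AddDays(-($DaysInactive + $ReplicationSkewDays))

# Ask only for the attributes we report on; -Properties * is slow on large OUs.
$Users = Get-ADUser -SearchBase $SearchBase -Filter * `
    -Properties LastLogonDate, whenCreated, PasswordLastSet, Department, Title

$Report = foreach ($u in $Users) {
    $neverLoggedOn = -not $u.LastLogonDate      # blank attribute => never logged in

    $daysSinceLogon = if ($neverLoggedOn) { $null }
                      else { [int]((Get-Date) - $u.LastLogonDate).TotalDays }

    $status = if ($neverLoggedOn) {
        # A never-used account is only "stale" if it is also old; judge it by age.
        if ($u.whenCreated -lt $Cutoff) { 'NeverLoggedOn-Stale' } else { 'NeverLoggedOn-New' }
    } elseif ($u.LastLogonDate -lt $Cutoff) {
        'Inactive'
    } else {
        'Active'
    }

    [PSCustomObject]@{
        SamAccountName    = $u.SamAccountName
        DistinguishedName = $u.DistinguishedName
        Enabled           = $u.Enabled
        LastLogonDate     = $u.LastLogonDate
        DaysSinceLogon    = $daysSinceLogon
        Created           = $u.whenCreated
        PasswordLastSet   = $u.PasswordLastSet
        Department        = $u.Department
        Title             = $u.Title
        Status            = $status
    }
}

# Full report for Excel, plus a second file containing only accounts worth reviewing.
# -NoTypeInformation drops the "#TYPE" header line that otherwise lands in row 1.
$Report | Export-Csv C:\Temp\AdUserLastLogonDate.csv -NoTypeInformation
$Report | Where-Object { $_.Status -ne 'Active' } |
    Sort-Object Status, LastLogonDate |
    Export-Csv C:\Temp\AdUserInactive.csv -NoTypeInformation
```

The Status column does the sorting work that the post otherwise leaves to Excel; disabled accounts are still listed (Enabled is exported) so that a reviewer can confirm an account was deliberately disabled rather than simply forgotten.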

With the information provided in this report, I was able to work with the client to identify stale accounts which could be removed or further investigated. In at least one case, the report led the client to a service which had not been working in months and was only brought to their attention when its service account showed up as inactive.

Once this was done, the client decided to perform a similar audit of user mailboxes in Exchange. As above, this can be done fairly easily with a few PowerShell commands and Excel.

$UserCredential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
Import-PSSession $Session
Get-Mailbox -OrganizationalUnit "ou=users,dc=company,dc=com" -ResultSize Unlimited | Get-MailboxStatistics | Select-Object DisplayName, TotalItemSize, ItemCount, LegacyDN, LastLogonTime | Export-Csv C:\Temp\ExchangeMBOXReport.csv


In this example, the client mailboxes are hosted on Office 365. The commands before Get-Mailbox are required to authenticate and connect to the Exchange Online PowerShell interface. Once connected, the Get-Mailbox command is used to export all user mailboxes, and the result is piped through Get-MailboxStatistics, which also gives the client a quick and dirty report of mailbox usage. Once again, the CSV file produced by PowerShell could be opened and manipulated in Excel to quickly locate any inactive mailboxes by sorting on the LastLogonTime field.

Unfortunately, in more complex environments where BlackBerry BES (yes, that is still being used out there) or some other server-side antivirus tool is in use, the LastLogonTime field may not be correct, as this date is updated every time the mailbox is scanned. In these cases, you will need to use a different process to identify inactive mailboxes. One possible way is to report based on the date of the last item in the Sent Items folder. Rather than get into the details here, I'll refer you to this article on the Microsoft Script Center which covers the process in depth.
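As an added example (not the post's own script, nor the Script Center article it refers to), the following combines the mailbox report above with the Sent Items fallback from this paragraph: a mailbox is flagged inactive only when both LastLogonTime and the newest item in Sent Items are older than the cutoff, so a BES or antivirus scan that refreshes LastLogonTime cannot by itself make a dormant mailbox look active. It connects with Connect-ExchangeOnline from the ExchangeOnlineManagement module, which has replaced the Basic-authentication remote session used in the post. The OU path, the 90-day threshold and the output paths are placeholders.

```powershell
# Added example (not from the original post). Requires the ExchangeOnlineManagement
# module. OU path, threshold and output paths are placeholders.
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline   # interactive modern-auth sign-in

$DaysInactive = 90
$Cutoff = (Get-Date).AddDays(-$DaysInactive)

$Mailboxes = Get-Mailbox -OrganizationalUnit "ou=users,dc=company,dc=com" `
    -RecipientTypeDetails UserMailbox -ResultSize Unlimited

$Report = foreach ($mbx in $Mailboxes) {
    $stats = Get-MailboxStatistics -Identity $mbx.Identity

    # LastLogonTime is bumped by BES/antivirus scans, so also record when the
    # user last actually sent mail: the newest item in the Sent Items folder.
    $sent = Get-MailboxFolderStatistics -Identity $mbx.Identity `
        -FolderScope SentItems -IncludeOldestAndNewestItems |
        Select-Object -First 1
    $lastSent = $sent.NewestItemReceivedDate

    $logonStale = (-not $stats.LastLogonTime) -or ($stats.LastLogonTime -lt $Cutoff)
    $sentStale  = (-not $lastSent)            -or ($lastSent -lt $Cutoff)

    [PSCustomObject]@{
        DisplayName        = $mbx.DisplayName
        PrimarySmtpAddress = $mbx.PrimarySmtpAddress
        TotalItemSize      = $stats.TotalItemSize
        ItemCount          = $stats.ItemCount
        LastLogonTime      = $stats.LastLogonTime
        LastSentItem       = $lastSent
        # Only inactive if neither signal shows activity inside the window.
        Inactive           = $logonStale -and $sentStale
    }
}

$Report | Export-Csv C:\Temp\ExchangeMBOXReport.csv -NoTypeInformation
$Report | Where-Object { $_.Inactive } | Sort-Object LastSentItem |
    Export-Csv C:\Temp\ExchangeInactiveMailboxes.csv -NoTypeInformation

Disconnect-ExchangeOnline -Confirm:$false
```

Get-MailboxFolderStatistics is called once per mailbox, so on a large tenant this run is noticeably slower than the single pipeline in the post; the trade-off is a report that does not need a second pass once a scanning product is in the picture. Shared and resource mailboxes are excluded by -RecipientTypeDetails UserMailbox because they rarely log on or send mail and would otherwise dominate the inactive list.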

As always, I hope you found this post useful, or at least interesting. To contact me, please use the Contact page, or message me on Twitter.

Thanks for reading.