When maintaining and cleaning up your Active Directory it is useful to know whether any user accounts have become obsolete. Accounts of users who have left the company and old application accounts may still exist in your Active Directory, causing clutter and potential gaps in your security (an unused but enabled account is a credential nobody is watching). With this script you can scan Active Directory for user accounts that haven't authenticated or logged on for a given number of days. The results are exported to a CSV file so you can review them and take any appropriate action.
I have divided the script into two sections, "variables" and "script main", which I will go over below.
Variables
```powershell
#VARIABLES
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath   #$dir is the path to the directory which the script is being run from
$outputFile = "$dir\$(Get-Date -Format "yyyy-MM-dd HH-mm-ss")_ObsoleteUsers.csv"

#parameters
$DaysBack = 30   #Gets users who haven't logged in for this number of days
```
$outputFile is the path of the CSV file created each time you run the script. It includes a time stamp for future reference and to avoid overwriting earlier results.
Before running the script you need to set the $DaysBack parameter to the desired number of days.
Script Main
```powershell
#SCRIPT MAIN
if (-not (Get-Module -Name "ActiveDirectory")) {
    Import-Module ActiveDirectory | Out-Null
}

$Date  = (Get-Date).AddDays(-$DaysBack)
$Users = @()   #Create blank array to hold users who haven't logged in for $DaysBack days

#Note: lastLogon is a non-replicated attribute, so the value returned here is the one held by
#the domain controller this query happens to hit. Users who only authenticate against another DC,
#and users who have never logged on (no lastLogon value at all), are not reliably reported.
Get-ADUser -Filter {(LastLogon -le $Date) -and (Name -like "*")} -Properties LastLogon,WhenCreated | ForEach-Object {
    $LastLogon    = $_.LastLogon
    $LastLogon_DT = [datetime]::FromFileTime("$LastLogon")   #convert logon time (Windows file time) to a datetime object

    $User = "" | Select-Object Name,LastLogon,FullName,WhenCreated   #creating a custom object
    $User.Name        = $_.SamAccountName
    $User.LastLogon   = $LastLogon_DT
    $User.FullName    = $_.Name
    $User.WhenCreated = $_.WhenCreated

    $Users += @($User)   #Add user to $Users array
}

$ObsoleteUsers = $Users | Sort-Object LastLogon   #sorting results by last logon time
$ObsoleteUsers | Export-Csv $outputFile -Force -NoTypeInformation   #Export results to CSV in script directory
```
The first thing to happen is that the Active Directory module for PowerShell is imported (if not already imported). I then create the blank array $Users to hold the results of the coming AD search. The cmdlet Get-ADUser is then used to get the users who haven't authenticated/logged on for $DaysBack days. For each user found, a custom object with the properties "Name", "LastLogon", "FullName" and "WhenCreated" is created and added to the $Users array. The results are then sorted by last logon time and exported to a CSV file.
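The same procedure, as an added example rather than the post's own script, written to close the two gaps a reviewer of the resulting CSV usually trips over: lastLogon is not replicated between domain controllers, so each DC holds its own value and a single query can flag a user who signed on elsewhere yesterday; and accounts that have never logged on have no lastLogon value at all and never match the filter. The version below asks every DC, keeps the newest of lastLogon and the replicated lastLogonTimestamp per account, reports never-logged-on accounts explicitly, records whether the account is still enabled, and skips accounts created within the last 30 days. It assumes the ActiveDirectory module, a domain-joined host with rights to query all DCs, and the hypothetical thresholds $DaysBack and $MinAgeDays:

```powershell
# Added example (not the original post's script): collect the newest logon value
# for each user across all domain controllers before deciding who is obsolete.
Import-Module ActiveDirectory

$DaysBack   = 90   # assumption: report accounts idle for at least this many days
$MinAgeDays = 30   # assumption: never flag accounts younger than this
$Threshold  = (Get-Date).AddDays(-$DaysBack)
$MinAge     = (Get-Date).AddDays(-$MinAgeDays)
$outputFile = Join-Path $PWD "$(Get-Date -Format 'yyyy-MM-dd_HH-mm-ss')_ObsoleteUsers.csv"

# SamAccountName -> record holding the newest file-time logon value seen on any DC
$Newest = @{}

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    Get-ADUser -Server $dc -Filter * -Properties lastLogon, lastLogonTimestamp, whenCreated |
        ForEach-Object {
            # [int64]$null is 0, so a missing attribute simply means "no logon recorded here"
            $best = [Math]::Max([int64]$_.lastLogon, [int64]$_.lastLogonTimestamp)
            $sam  = $_.SamAccountName
            if (-not $Newest.ContainsKey($sam)) {
                $Newest[$sam] = [pscustomobject]@{
                    FullName    = $_.Name
                    Enabled     = $_.Enabled
                    WhenCreated = $_.whenCreated
                    Best        = $best
                }
            } elseif ($best -gt $Newest[$sam].Best) {
                $Newest[$sam].Best = $best   # this DC saw a more recent logon
            }
        }
}

# Turn the merged values into report rows, keeping only the stale accounts
$Report = foreach ($sam in $Newest.Keys) {
    $u = $Newest[$sam]
    $neverLoggedOn = ($u.Best -eq 0)
    $lastLogonDT   = if ($neverLoggedOn) { $null } else { [datetime]::FromFileTime($u.Best) }

    $idle  = $neverLoggedOn -or ($lastLogonDT -lt $Threshold)
    $stale = $idle -and ($u.WhenCreated -lt $MinAge)   # give new accounts time to be used

    if ($stale) {
        [pscustomobject]@{
            Name          = $sam
            FullName      = $u.FullName
            Enabled       = $u.Enabled
            NeverLoggedOn = $neverLoggedOn
            LastLogon     = $lastLogonDT
            WhenCreated   = $u.WhenCreated
        }
    }
}

# Oldest logon first; never-logged-on accounts sort to the top because LastLogon is empty
$Report | Sort-Object LastLogon | Export-Csv $outputFile -NoTypeInformation -Force
Write-Host "Wrote $(@($Report).Count) obsolete account(s) to $outputFile"
```

The Enabled column is the one to act on first: a stale account that is still enabled is a live credential, whereas a stale disabled account is only a housekeeping item. Querying every DC with -Filter * is slower than the single query in the post, so on a large domain run it off-hours or narrow the filter to a particular OU with -SearchBase.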
I have copied the full script below. I hope you find it useful!
```powershell
##################################################################################################################
##Script:        Get-ObsoleteUsers.ps1
##Description:   Gets users in the active directory who haven't logged in for a given number of days (specified
#+               in the parameter $DaysBack) and then exports the results to CSV.
##Created by:    Noam Wajnman
##Creation Date: March 5, 2013
##Updated:       March 31, 2014
##################################################################################################################

#VARIABLES
$scriptpath = $MyInvocation.MyCommand.Path
$dir = Split-Path $scriptpath   #$dir is the path to the directory which the script is being run from
$outputFile = "$dir\$(Get-Date -Format "yyyy-MM-dd HH-mm-ss")_ObsoleteUsers.csv"

#parameters
$DaysBack = 30   #Gets users who haven't logged in for this number of days

#SCRIPT MAIN
if (-not (Get-Module -Name "ActiveDirectory")) {
    Import-Module ActiveDirectory | Out-Null
}

$Date  = (Get-Date).AddDays(-$DaysBack)
$Users = @()   #Create blank array to hold users who haven't logged in for $DaysBack days

#Note: lastLogon is a non-replicated attribute, so the value returned here is the one held by
#the domain controller this query happens to hit. Users who only authenticate against another DC,
#and users who have never logged on (no lastLogon value at all), are not reliably reported.
Get-ADUser -Filter {(LastLogon -le $Date) -and (Name -like "*")} -Properties LastLogon,WhenCreated | ForEach-Object {
    $LastLogon    = $_.LastLogon
    $LastLogon_DT = [datetime]::FromFileTime("$LastLogon")   #convert logon time (Windows file time) to a datetime object

    $User = "" | Select-Object Name,LastLogon,FullName,WhenCreated   #creating a custom object
    $User.Name        = $_.SamAccountName
    $User.LastLogon   = $LastLogon_DT
    $User.FullName    = $_.Name
    $User.WhenCreated = $_.WhenCreated

    $Users += @($User)   #Add user to $Users array
}

$ObsoleteUsers = $Users | Sort-Object LastLogon   #sorting results by last logon time
$ObsoleteUsers | Export-Csv $outputFile -Force -NoTypeInformation   #Export results to CSV in script directory
```
This is pretty sweet. Thanks man
I’m glad to hear that it helped you 🙂