A Windows System Admin's Blog

Covering Server Administration, Endpoint Management, Scripting and Network Management

Get a list of users in Active Directory who have not logged in for specified number of days using PowerShell

, ,

A client is currently in the planning stages of doing a migration to Azure AD and Office 365 and one of the things we needed was a list of users who have not logged on in the last few months but are still active in our AD.

Well it’s PowerShell to the rescue again (with Visual Studio Code my IDE of choice) with the following snippet of code which will query an AD environment looking for accounts which haven’t been touched in this case for 90 days and give me a nice CSV of their name and last logon timestamp.

import-module ActiveDirectory 
$domain = "adatum.com.au" 
$DaysInactive = 90
$time = (Get-Date).Adddays(-($DaysInactive))
 
# Get AD Users with lastLogonTimestamp less than time specified and is enabled
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and enabled -eq $true} -Properties LastLogonTimeStamp |
 
# Output Name and lastLogonTimestamp attributes into CSV
select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd')}} | export-csv Inactive_Users.csv -notypeinformation

Save the above into a PS1 and then run this on a server which has the AD PowerShell modules (usually one of your DCs) and will then create a CSV located where the script is with a list of all the users who are still enabled but haven’t logged on in your environment.

7 responses to “Get a list of users in Active Directory who have not logged in for specified number of days using PowerShell”

  1. Jose Avatar
    Jose

    Great ! Thanks a lot!
    I’ve found some others scripts but this one works like a charm.

    Reply
  2. Farouk Avatar
    Farouk

    Thanks! Great job.

    Do you know how to disable these account that are not used since 90 days?

    Thanks a lot!

    Reply
    1. John Avatar
      John

      Hey Farouk, something like the below should do what you’re after (not using the Quest AD module)…

      Get-ADUser -Properties name,lastLogonDate,mail -Filter * | Where { $_.lastLogonDate -lt (get-date).addmonths(-3) }

      Reply
      1. FAROUK Avatar
        FAROUK

        Hey John, Thanks for your reply, this command can show me wich users are unused since 90 days but this don’t disable them right?

        I want to disable them by using something like this, but it show me an error with Identity parameter

        $user = Import-csv -path “C:\X\Disabled_Accounts.csv”

        forEach ($user in $users) {
        Disable-ADAccount -Identity $($user.samaccountname)
        }

        Regards

        Farouk

        Reply
  3. Sahul Meeran Avatar
    Sahul Meeran

    Hi, Thanks for great share. Can you share me how to get the OU wise not for all domain wise.
    Can u guide on this

    Reply
    1. Joe L Avatar
      Joe L

      Hi Sahul-
      You can add the -searchBase option:
      Get-ADUser -Properties name,lastLogonDate -Filter * -searchBase ‘OU=users,OU=enterprise,dc=thisDomain,dc=com’ | Where { $_.lastLogonDate -lt (get-date).adddays(-90) }

      Reply
  4. Fred Davisson Avatar
    Fred Davisson

    If I wanted to sort the date on that export file by the oldest date at the top and the newest at the bottom, where would i place that sort command?

    Reply

Leave a Reply

More Posts

Hide the Bing button in Edge

I’m not a fan of the Bing button that now appears in Edge. Microsoft seem to have rushed it out as there isn’t an easy way to remove it. We’ll do this via a registry key (that can also be deployed via Group Policy) Close out of Microsoft Edge completely and open the Registry Editor […]

Change Windows 10 Taskbar Icons Script Deploying a custom taskbar for Windows 10

Over the summer holiday period, I was assisting a school with building out an SoE for the new year.  One of the things we used to do with Windows 7 was tweak the Taskbar to contain only items we were after instead of the default items of Internet Explorer, Windows Explorer and Windows Media Player. […]

How to reset the Remote Desktop Server Licensing Grace Period on Windows Server 2012 with Remote Desktop Services

So we recently started looking into Terminal Services and RemoteFX to power some of our admin users and move them off to thin clients instead of full blown desktops.  As a trial I begun setting up RDS on one of our Dev machines.  After going through the motions of enabling the Remote Desktop Features and […]