Get a list of users in Active Directory who have not logged in for specified number of days using PowerShell


A client is currently in the planning stages of doing a migration to Azure AD and Office 365 and one of the things we needed was a list of users who have not logged on in the last few months but are still active in our AD.

Well, it’s PowerShell to the rescue again (with Visual Studio Code as my IDE of choice). The following snippet queries an AD environment for enabled accounts which haven’t been touched for, in this case, 90 days, and gives me a nice CSV of their name and last logon timestamp.

Import-Module ActiveDirectory
# Not used by the query below; add "-Server $domain" to Get-ADUser to target a specific domain
$domain = "adatum.com.au"
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

# Get enabled AD users whose lastLogonTimestamp is older than $time,
# then output the Name and lastLogonTimestamp attributes into a CSV
Get-ADUser -Filter {LastLogonTimeStamp -lt $time -and Enabled -eq $true} -Properties LastLogonTimeStamp |
    Select-Object Name, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp).ToString('yyyy-MM-dd')}} |
    Export-Csv Inactive_Users.csv -NoTypeInformation

Save the above into a PS1 file and run it on a server which has the AD PowerShell module installed (usually one of your DCs). It will create a CSV, located where the script is, listing all the users who are still enabled but haven’t logged on in your environment in the last 90 days.
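
The script above only returns accounts that have a lastLogonTimestamp value, so enabled accounts that have never logged on are skipped, and the attribute can lag the real last logon by up to 14 days with the default replication settings. The following is an added example, not the original author's script, that covers both cases, sorts the oldest entries first, and previews disabling the accounts; the 14-day margin, the use of whenCreated for never-used accounts, and the output file name are assumptions.

```powershell
# Added example (not from the original post). Threshold, margin and file name are assumptions.
Import-Module ActiveDirectory

$DaysInactive = 90
# lastLogonTimestamp is replicated lazily and can be up to 14 days behind the
# real last logon (default sync interval), so widen the window by that margin.
$ReplicationLagDays = 14
$cutoff = (Get-Date).AddDays(-($DaysInactive + $ReplicationLagDays))

$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties lastLogonTimestamp, whenCreated |
    ForEach-Object {
        # An empty or zero lastLogonTimestamp means the account has never logged on
        $last = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        # For never-used accounts, judge by creation date so brand-new accounts are not flagged
        $reference = if ($last) { $last } else { $_.whenCreated }
        if ($reference -lt $cutoff) {
            [PSCustomObject]@{
                Name           = $_.Name
                SamAccountName = $_.SamAccountName
                LastLogon      = if ($last) { $last.ToString('yyyy-MM-dd') } else { 'never' }
                Created        = $_.whenCreated.ToString('yyyy-MM-dd')
                SortKey        = $reference
            }
        }
    } | Sort-Object SortKey   # oldest activity at the top

# Review list for the account owners / service desk
$stale | Select-Object Name, SamAccountName, LastLogon, Created |
    Export-Csv Inactive_Users_Review.csv -NoTypeInformation

# Dry run: -WhatIf prints what would be disabled without changing anything.
# Remove -WhatIf only after the CSV has been reviewed (service accounts often look inactive).
$stale | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```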


7 responses to “Get a list of users in Active Directory who have not logged in for specified number of days using PowerShell”

  1. Jose

    Great ! Thanks a lot!
    I’ve found some other scripts but this one works like a charm.

  2. Farouk

    Thanks! Great job.

    Do you know how to disable these accounts that have not been used for 90 days?

    Thanks a lot!

    1. John

      Hey Farouk, something like the below should do what you’re after (not using the Quest AD module)…

      Get-ADUser -Properties name,lastLogonDate,mail -Filter * | Where { $_.lastLogonDate -lt (get-date).addmonths(-3) }

      1. FAROUK

        Hey John, thanks for your reply. This command can show me which users have been unused for 90 days, but this doesn’t disable them, right?

        I want to disable them by using something like this, but it shows me an error with the Identity parameter:

        $user = Import-csv -path “C:\X\Disabled_Accounts.csv”

        forEach ($user in $users) {
        Disable-ADAccount -Identity $($user.samaccountname)
        }

        Regards

        Farouk

  3. Sahul Meeran

    Hi, thanks for the great share. Can you share how to get this per OU, not for the whole domain?
    Can you guide me on this?

    1. Joe L

      Hi Sahul-
      You can add the -searchBase option:
      Get-ADUser -Properties name,lastLogonDate -Filter * -searchBase 'OU=users,OU=enterprise,dc=thisDomain,dc=com' | Where { $_.lastLogonDate -lt (get-date).adddays(-90) }

  4. Fred Davisson

    If I wanted to sort the date on that export file by the oldest date at the top and the newest at the bottom, where would I place that sort command?
