
Export inactive users from Active Directory report

How do you export inactive AD users to a CSV file? Sometimes you want to know which user accounts are inactive so you can block them or see what’s happening. You can use the Active Directory Users and Computers console to check that. What if you need to check inactive users in a specific OU or group? Doing it with PowerShell will save you time. In this article, you will learn how to export inactive users from Active Directory.

The Center for Internet Security (CIS) recommends deleting or disabling any dormant accounts after a period of 45 days of inactivity, where supported.

See 5.3: Disable Dormant Accounts.

Export Active Directory inactive users PowerShell script

It’s good to know how the PowerShell script works and what you need to do or change for the perfect export results:

  1. Run PowerShell as administrator.
  2. The results appear in an Out-GridView and are exported to a CSV file.
  3. Users who have not logged in during the last 45 days are exported. If you want more or fewer days, change the $DaysInactive variable in the script.
  4. The script will filter on enabled accounts only.
  5. Create a temp folder on the (C:) drive. That’s where the script will export the CSV file.

Export Active Directory inactive users

Get all inactive users from Active Directory and export them to a CSV file.

# Set the number of days for inactivity
# Change to 0 to export nearly all users (accounts that signed in within the last 24 hours are still excluded)
$DaysInactive = 45

# Define the path for the CSV file
$CSVPath = "c:\temp\InactiveUsers.csv"

# Calculate the time based on the number of days for inactivity
$Time = (Get-Date).AddDays(-$DaysInactive)

# Import the Active Directory module
Import-Module ActiveDirectory

# Retrieve inactive users from Active Directory based on specified criteria
$InactiveUsers = Get-ADUser -Filter { enabled -eq $true } -Properties LastLogonDate, UserPrincipalName |
ForEach-Object {
    [PSCustomObject]@{
        Name                = $_.Name
        UserPrincipalName   = $_.UserPrincipalName
        LastSignInDate      = if ($_.LastLogonDate) { $_.LastLogonDate } else { "Never signed in" }
        DaysSinceLastSignIn = if ($_.LastLogonDate) { ((Get-Date) - $_.LastLogonDate).Days } else { "N/A" }
    }
} | Where-Object { $_.DaysSinceLastSignIn -gt $DaysInactive -or $_.LastSignInDate -eq "Never signed in" } | Sort-Object -Property Name

# Display data using Out-GridView
$InactiveUsers | Out-GridView -Title "Inactive Users"

# Export data to CSV file
try {
    $InactiveUsers | Export-Csv $CSVPath -Encoding UTF8 -NoTypeInformation
    Write-Host "CSV file has been successfully exported to $CSVPath." -ForegroundColor Cyan
}
catch {
    Write-Host "An error occurred while exporting the CSV file: $($_.Exception.Message)" -ForegroundColor Red
}

An Out-GridView will show columns with all the inactive users and more information.

Open the CSV file with your favorite editor. For example, Microsoft Excel.
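
The script above reads LastLogonDate, which Active Directory derives from the replicated lastLogonTimestamp attribute; with domain defaults that value can trail the real last sign-in by up to 14 days, and an account created a few days ago that has never signed in is not dormant yet. The following is an added example (not part of the original article) that accounts for both. The function name Get-DormantAccount, its SyncLagDays parameter, and the sample objects are assumptions made for illustration.

```powershell
# Hypothetical helper (not from the article): classify accounts piped in from
# Get-ADUser -Properties LastLogonDate, whenCreated
function Get-DormantAccount {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        [int]$DaysInactive = 45,
        [int]$SyncLagDays  = 14,   # assumes the domain default lastLogonTimestamp update interval
        [datetime]$Now     = (Get-Date)
    )
    process {
        # An account that never signed in ages from its creation date
        $neverUsed = -not $User.LastLogonDate
        $reference = if ($neverUsed) { $User.whenCreated } else { $User.LastLogonDate }
        $days      = [int][math]::Floor(($Now - $reference).TotalDays)
        if ($days -le $DaysInactive) { return }   # still inside the allowed window

        if ($neverUsed) {
            $verdict = 'Dormant (never used)'
        } elseif ($days -le $DaysInactive + $SyncLagDays) {
            # The real last sign-in can be up to $SyncLagDays newer than the replicated value
            $verdict = 'Review (within sync lag)'
        } else {
            $verdict = 'Dormant'
        }

        [PSCustomObject]@{
            Name           = $User.Name
            LastSignInDate = if ($neverUsed) { 'Never signed in' } else { $User.LastLogonDate }
            DaysInactive   = $days
            Verdict        = $verdict
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output (not real accounts)
$asOf = [datetime]'2024-06-30'
$sample = @(
    [PSCustomObject]@{ Name = 'Recently active'; LastLogonDate = $asOf.AddDays(-10);  whenCreated = $asOf.AddDays(-400) }
    [PSCustomObject]@{ Name = 'Borderline';      LastLogonDate = $asOf.AddDays(-50);  whenCreated = $asOf.AddDays(-400) }
    [PSCustomObject]@{ Name = 'Long dormant';    LastLogonDate = $asOf.AddDays(-120); whenCreated = $asOf.AddDays(-400) }
    [PSCustomObject]@{ Name = 'New hire';        LastLogonDate = $null;               whenCreated = $asOf.AddDays(-3) }
    [PSCustomObject]@{ Name = 'Unused account';  LastLogonDate = $null;               whenCreated = $asOf.AddDays(-90) }
)
$sample | Get-DormantAccount -Now $asOf | Format-Table -AutoSize
```

Against a live domain, replace the sample with Get-ADUser output that includes the whenCreated property and pipe it to the same function. Accounts marked for review can be confirmed by checking the non-replicated lastLogon attribute on each domain controller before they are disabled.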

Export Active Directory inactive users from OU

Get all inactive users from a specific OU in Active Directory and export them to a CSV file.

You need to copy the OU distinguishedName.

Paste the OU distinguishedName into the $OU variable below, on line 6.

# Set the number of days for inactivity
# Change to 0 to export nearly all users (accounts that signed in within the last 24 hours are still excluded)
$DaysInactive = 45

# Define OU path
$OU = "OU=Finance,OU=Users,OU=Company,DC=exoip,DC=local"

# Define the path for the CSV file
$CSVPath = "c:\temp\InactiveUsers.csv"

# Calculate the time based on the number of days for inactivity
$Time = (Get-Date).AddDays(-$DaysInactive)

# Import the Active Directory module
Import-Module ActiveDirectory

# Retrieve inactive users from Active Directory based on specified criteria
$InactiveUsers = Get-ADUser -Filter { enabled -eq $true } -SearchBase "$OU" -Properties LastLogonDate, UserPrincipalName |
ForEach-Object {
    [PSCustomObject]@{
        Name                = $_.Name
        UserPrincipalName   = $_.UserPrincipalName
        LastSignInDate      = if ($_.LastLogonDate) { $_.LastLogonDate } else { "Never signed in" }
        DaysSinceLastSignIn = if ($_.LastLogonDate) { ((Get-Date) - $_.LastLogonDate).Days } else { "N/A" }
    }
} | Where-Object { $_.DaysSinceLastSignIn -gt $DaysInactive -or $_.LastSignInDate -eq "Never signed in" } | Sort-Object -Property Name

# Display data using Out-GridView
$InactiveUsers | Out-GridView -Title "Inactive Users"

# Export data to CSV file
try {
    $InactiveUsers | Export-Csv $CSVPath -Encoding UTF8 -NoTypeInformation
    Write-Host "CSV file has been successfully exported to $CSVPath." -ForegroundColor Cyan
}
catch {
    Write-Host "An error occurred while exporting the CSV file: $($_.Exception.Message)" -ForegroundColor Red
}

Export Active Directory inactive users from group

Get all inactive users from a specific group in Active Directory and export them to a CSV file.

You need to copy the group name (pre-Windows 2000).

Paste the group name into the $Group variable below, on line 6.

# Set the number of days for inactivity
# Change to 0 to export nearly all users (accounts that signed in within the last 24 hours are still excluded)
$DaysInactive = 45

# Define the group name
$Group = "Management-1620248956"

# Define the path for the CSV file
$CSVPath = "c:\temp\InactiveUsers.csv"

# Calculate the time based on the number of days for inactivity
$Time = (Get-Date).AddDays(-$DaysInactive)

# Import the Active Directory module
Import-Module ActiveDirectory

# Retrieve inactive users from Active Directory based on specified criteria
$InactiveUsers = Get-ADGroupMember -Identity $Group -Recursive |
Where-Object { $_.objectClass -eq 'user' } |
Get-ADUser -Properties LastLogonDate, UserPrincipalName |
ForEach-Object {
    [PSCustomObject]@{
        Name                = $_.Name
        UserPrincipalName   = $_.UserPrincipalName
        LastSignInDate      = if ($_.LastLogonDate) { $_.LastLogonDate } else { "Never signed in" }
        DaysSinceLastSignIn = if ($_.LastLogonDate) { ((Get-Date) - $_.LastLogonDate).Days } else { "N/A" }
    }
} | Where-Object { $_.DaysSinceLastSignIn -gt $DaysInactive -or $_.LastSignInDate -eq "Never signed in" } | Sort-Object -Property Name

# Display data using Out-GridView
$InactiveUsers | Out-GridView -Title "Inactive Users"

# Export data to CSV file
try {
    $InactiveUsers | Export-Csv $CSVPath -Encoding UTF8 -NoTypeInformation
    Write-Host "CSV file has been successfully exported to $CSVPath." -ForegroundColor Cyan
}
catch {
    Write-Host "An error occurred while exporting the CSV file: $($_.Exception.Message)" -ForegroundColor Red
}

That’s it!

Conclusion

You learned how to export inactive users from Active Directory. We showed three possibilities for exporting inactive users from Active Directory with PowerShell. Check your environment for inactive users as a security measure, because dormant accounts can be a significant risk if left unmonitored or unattended.

ALI TAJRAN

ALI TAJRAN is a passionate IT Architect, IT Consultant, and Microsoft Certified Trainer. He started Information Technology at a very young age, and his goal is to teach and inspire others.
