As part of the annual review of our clients' systems, I have been tasked to generate a list of all users in Active Directory and also find out if any accounts have not been accessed for 30 days or longer. Luckily, both of these can be achieved quite easily using the Active Directory Users and Computers and PowerShell consoles. Here's how it's done!

Exporting Users from Active Directory

1. Open Active Directory Users and Computers on a domain controller and browse to your Users OU.

2. Open the View menu and open Filter Options…

3. Select Show only the following types of objects: and tick the Users option before clicking OK.

4. Open the View menu and open Add/Remove Columns.

5. Choose which columns you would like to display in the .csv file once the data has been exported and click OK.

6. Right click in a blank space within your Users OU and select Export List… from the menu.

7. Name your export and save as a .csv file.

The end result is a list of your Active Directory Users using the columns that you selected earlier.

Finding Inactive Active Directory Users

1. Open an elevated PowerShell console on a domain controller as an Administrator.

2. Import the Active Directory module by using the command: Import-Module ActiveDirectory.

3. Use the Search-ADAccount cmdlet to search for inactive accounts. Our example searches for accounts which have been inactive for 30 days or longer. You can change the -TimeSpan parameter to meet your requirements:

Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly | Get-ADUser -Properties Name,CanonicalName | Format-List

PowerShell will then display the list of inactive accounts within the timeframe that you set in the command. In this example the Steve, Jed and Tempadmin accounts are inactive.

4. You can also export the results of the command to a .csv file by using the Export-Csv cmdlet. Example:

Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly | Get-ADUser -Properties Name,CanonicalName | Export-Csv "C:\ADinactive.csv"

The results are now displayed in a list which is much easier to view. We can now quickly determine that the Jed, Steve and Tempadmin accounts are enabled in Active Directory but have been inactive for at least 30 days.

We can then pass on this information to the client and they can let us know if any of the accounts need to be removed.
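
To make the exported list easier for the client to act on, the sketch below (an added example, not part of the original post) turns each inactive account into a review row showing whether it is enabled, how many days it has been idle, and whether it has ever logged on. The function name ConvertTo-InactiveReviewRow, the example.local paths and the sample dates are assumptions made for illustration; only the account names come from the post.

```powershell
# Added example: hypothetical helper that classifies inactive accounts for review.
function ConvertTo-InactiveReviewRow {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Account,
        [datetime] $AsOf = (Get-Date)
    )
    process {
        # An empty LastLogonDate means the account has never logged on.
        $never = $null -eq $Account.LastLogonDate
        $days  = $null
        if (-not $never) {
            $days = [int][math]::Floor(($AsOf - $Account.LastLogonDate).TotalDays)
        }
        # Disabled accounts are reported separately from enabled, idle ones.
        if (-not $Account.Enabled) { $review = 'Already disabled' }
        elseif ($never)            { $review = 'Enabled, never logged on' }
        else                       { $review = 'Enabled, inactive' }

        [pscustomobject]@{
            SamAccountName = $Account.SamAccountName
            CanonicalName  = $Account.CanonicalName
            Enabled        = $Account.Enabled
            LastLogonDate  = $Account.LastLogonDate
            DaysInactive   = $days
            Review         = $review
        }
    }
}

# Constructed sample objects standing in for AD results (dates and paths invented).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'Steve'; CanonicalName = 'example.local/Users/Steve'
                       Enabled = $true;  LastLogonDate = [datetime]'2024-01-10' }
    [pscustomobject]@{ SamAccountName = 'Jed'; CanonicalName = 'example.local/Users/Jed'
                       Enabled = $false; LastLogonDate = [datetime]'2023-11-02' }
    [pscustomobject]@{ SamAccountName = 'Tempadmin'; CanonicalName = 'example.local/Users/Tempadmin'
                       Enabled = $true;  LastLogonDate = $null }
)
$sample | ConvertTo-InactiveReviewRow -AsOf ([datetime]'2024-03-01') | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module):
# Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly |
#     Get-ADUser -Properties CanonicalName, LastLogonDate |
#     ConvertTo-InactiveReviewRow |
#     Export-Csv 'C:\ADinactive.csv' -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default is only updated at intervals of up to 14 days, so treat DaysInactive as approximate for accounts close to the 30-day threshold.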