Cleaning Active Directory
As part of the annual review of our client's systems, I have been tasked to generate a list of all Users in Active Directory and also find out if any accounts have not been accessed for 30 days or longer. Luckily both of these can be achieved quite easily using the Active Directory Users and Computers and PowerShell consoles. Here's how it's done!
Exporting Users from Active Directory
1. Open Active Directory Users and Computers on a domain controller and browse to your Users OU.
2. Open the View menu and open Filter Options…
3. Select Show only the following types of objects: and tick the Users option before clicking OK.
4. Open the View menu and open Add/Remove Columns.
5. Choose which columns you would like to display in the .csv file once the data has been exported and click OK.
6. Right click in a blank space within your Users OU and select Export List… from the menu.
7. Name your export and save as a .csv file.
The end result is a list of your Active Directory Users using the columns that you selected earlier.
Finding Inactive Active Directory Users
1. Open an elevated PowerShell console on a domain controller as an Administrator.
2. Import the Active Directory module by using the command: Import-Module ActiveDirectory
3. Use the Search-ADAccount cmdlet to search for inactive accounts. Our example searches for accounts which have been inactive for 30 days or longer. You can change the -TimeSpan parameter (written as days.hours:minutes:seconds) to meet your requirements:
Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly | Get-ADUser -Properties Name,CanonicalName | fl
PowerShell will then display the list of inactive accounts within the timeframe that you set in the command. In this example, the Steve, Jed and Tempadmin accounts are inactive.
4. You can also export the results of the command to a .csv file by using the Export-Csv cmdlet. Example:
Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly | Get-ADUser -Properties Name,CanonicalName | Export-Csv "C:\ADinactive.csv"
The results are now displayed in a list which is much easier to view. We can now quickly determine that the Jed, Steve and Tempadmin accounts are enabled in Active Directory but have been inactive for at least 30 days.
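The same search, as an added script that is not from the original article: it keeps only enabled users, records when each account last logged on (or that it never has), and writes the review list to the same C:\ADinactive.csv path used above. It assumes the ActiveDirectory RSAT module is installed and that you can read user objects.

```powershell
# Added example (not the article's own script): list enabled user accounts that
# Search-ADAccount considers inactive for 30+ days, with enough context to review
# each hit before anyone disables it. Assumes the ActiveDirectory module is
# available; the output path is the article's example value, change as needed.
Import-Module ActiveDirectory

$InactiveFor = New-TimeSpan -Days 30
$OutFile     = 'C:\ADinactive.csv'

# -AccountInactive relies on the replicated lastLogonTimestamp attribute, which is
# only refreshed when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default). Treat LastLogonDate as accurate to roughly that margin.
$candidates = Search-ADAccount -AccountInactive -TimeSpan $InactiveFor -UsersOnly |
    Where-Object { $_.Enabled } |
    Get-ADUser -Properties CanonicalName, LastLogonDate, whenCreated, PasswordLastSet

$report = foreach ($u in $candidates) {
    # An account that has never logged on has no LastLogonDate; flag it separately
    # so a freshly created but unused account is not mistaken for an abandoned one.
    $neverLoggedOn = -not $u.LastLogonDate
    $days = if ($neverLoggedOn) { $null } else { [int]((Get-Date) - $u.LastLogonDate).TotalDays }

    [pscustomobject]@{
        Name            = $u.Name
        SamAccountName  = $u.SamAccountName
        CanonicalName   = $u.CanonicalName
        Enabled         = $u.Enabled
        LastLogonDate   = $u.LastLogonDate
        DaysInactive    = $days
        NeverLoggedOn   = $neverLoggedOn
        Created         = $u.whenCreated
        PasswordLastSet = $u.PasswordLastSet
    }
}

# Show the list on screen, longest-idle first, and save it for the client.
$report | Sort-Object NeverLoggedOn, DaysInactive -Descending | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The NeverLoggedOn and Created columns let you separate genuinely stale accounts from new ones that simply have not been used yet before passing the list on.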
We can then pass on this information to the client and they can let us know if any of the accounts need to be removed.