Powershell assistance for Active Directory Cleanup

Solution 1:

I'll presume your question lies in finding inactive accounts.

I use JoeWare's Oldcmp tool. http://www.joeware.net/freetools/tools/oldcmp/index.htm still after all these years.

It can find inactive AD accounts by looking at password age and specifically LLTS = lastLogonTimestamp

It's simple enough to at least get you started and easier than powershell. Then disable those accounts and use ADUC to create a custom query window for disabled accounts. That way you don't have to move anything that might need re-enabling later.

BUT...I agree with Hopeless and Mfinni, and would say you better clearly lay out what you plan on doing with management BEFORE implementing anything.

Solution 2:

I use Powershell to do so, calling the lastlogondate property.

Here I return every samaccountname that has a last logon date older than 30 days (from today):

$dateNow   = Get-Date
$threshold = $dateNow.AddDays(-30)        # anything older than this is considered stale
# lastlogondate is not returned by default, so it has to be requested with -Properties
$users = Get-ADUser -Filter * -Properties samaccountname,lastlogondate
foreach ($user in $users) {
  $lastLogon = $user.lastlogondate
  # accounts that have never logged on have no lastlogondate ($null) and are listed as well
  if ($lastLogon -lt $threshold) {
    Write-Output $user.samaccountname
    Write-Output $user.lastlogondate
    Write-Output "------------------------------------------------"
  }
}

From here, you can:

  • Adjust the date threshold to your needs
  • Disable the AD Account (Disable-ADAccount)
  • Whatever else you want (at least, most things)
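The same stale-account search carried a step further, as an added example that is not part of either answer above: it uses Search-ADAccount instead of filtering every user by hand, separates "never logged on" from "logged on long ago", writes a review list first, and only previews the disable step with -WhatIf. The search base OU and the CSV path are placeholders to adjust; the ActiveDirectory module is assumed to be installed.

```powershell
# Added example, not from the original answers. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

$InactiveDays = 30                               # same threshold as the answer above
$SearchBase   = 'OU=Staff,DC=example,DC=com'     # placeholder: adjust to your domain
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# lastLogonDate is the readable form of lastLogonTimestamp, which replicates only
# every 9-14 days, so the threshold is approximate; keep it well above 14 days.
$Stale = Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days $InactiveDays) `
             -UsersOnly -SearchBase $SearchBase |
         Where-Object { $_.Enabled } |          # skip accounts already disabled
         ForEach-Object {
             Get-ADUser -Identity $_.DistinguishedName -Properties lastLogonDate, whenCreated, description
         }

# An account with no lastLogonDate has never logged on; a brand-new one is not
# stale, so only keep it when it was created before the cutoff.
$Report = foreach ($u in $Stale) {
    $never = -not $u.lastLogonDate
    if ($never -and $u.whenCreated -gt $Cutoff) { continue }   # new account, skip
    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        LastLogonDate  = if ($never) { 'never' } else { $u.lastLogonDate }
        Created        = $u.whenCreated
        Description    = $u.description
    }
}

# 1. Review: write the candidates out so the list can be checked before any change.
$Report | Sort-Object LastLogonDate |
    Export-Csv -NoTypeInformation ".\stale-users-$(Get-Date -Format yyyyMMdd).csv"

# 2. Act: -WhatIf only reports what would be disabled; drop it once the list is approved.
$Report | ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Disabling rather than deleting keeps the SID and group memberships intact, so an account that turns out to be needed can be re-enabled without rebuilding it.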