Find Stale Accounts in Active Directory

Everyone who has managed Active Directory knows that keeping it free of “stale” accounts is a tough task.  Typically no one cares about this until it’s time for the Microsoft True Up.  Then we’ve got to hustle to get rid of all these unused accounts before we have to pay for them again!  Licensing is only half the story: every forgotten account is a set of credentials nobody is watching, so a stale account that gets compromised can be used for a long time before anyone notices.  Pre-PowerShell it was tough because, well… you didn’t have POWERSHELL!  Now the hardest part about finding these accounts is defining what stale means to your company.  There is no right or wrong answer to this question, but there are some things that we can check to help lead us to an optimal answer.

Get-ADUser

This is the cmdlet that we will be using to gather our AD account information.  For our example we are just going to find the accounts.  You may want to move them or delete them, but that is up to you.  The first thing we want to do is grab a list of ALL accounts in your AD environment with a single query (`Get-ADUser -Filter *`), asking for only the properties the later checks need.  That way we don’t have to keep making calls back to AD; instead we will store all this information in a variable and run each check against that in-memory list.

Disabled Accounts

The next thing we will do is search through each one of these accounts and find all of the accounts that are NOT enabled.  A word of advice… if this is the first time your company has tried to implement a system to remove stale accounts, I would suggest MOVING the accounts into another OU rather than deleting them.  If you go off and delete a bunch of accounts you may make some people really upset, and a deleted account takes its SID, group memberships and any ACLs that reference it with it.

Expired Passwords

The next thing we should check is whether or not an account has an expired password and how long it has been since they last changed their password.  If an account has an expired password then the user cannot log on until they change it.  This would lead us to believe that the account should be removed.  However, we should also check when the last time was that they changed their password.  If it’s only been a couple of days since the password expired then they might have been out on vacation, but if it’s been several weeks it’s a good bet that this account is no longer in use.  For our example we will assume 2 weeks.

Last Logon Date

This will be our last line of defense and the one that will be the hardest to define.  Since all we are looking at is when a given account was last logged into, determining how long an account should be allowed to sit idle is up to you and your management.  For our example we are going to look at all accounts that have not been logged into for at least 30 days and were not created within the last 21 days.  This will help keep the number of false positives a little lower.  One caveat: the `LastLogonDate` property that `Get-ADUser` returns is derived from the replicated `lastLogonTimestamp` attribute, which by default is only rewritten when the stored value is more than about 14 days old, so treat it as “at least this long ago” rather than an exact timestamp, and don’t pick a threshold shorter than that replication interval.
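The full procedure described above (one query, then the disabled, expired-password and last-logon checks) as an added example script; this is my own illustration, not the script the author says he will post in the Script Repository.  It assumes the RSAT ActiveDirectory module is installed and that you are running it as an account with read access to the domain; the report path, the quarantine OU `OU=Stale Accounts,DC=example,DC=com` and the parameter names are all assumptions for the example.  It only reports by default; moving accounts is opt-in and honours `-WhatIf`.

```powershell
#Requires -Modules ActiveDirectory
[CmdletBinding(SupportsShouldProcess)]
param(
    [int]$PasswordStaleDays   = 14,   # the post's "2 weeks"
    [int]$InactiveDays        = 30,   # the post's 30 days without a logon
    [int]$NewAccountGraceDays = 21,   # the post's 21-day grace period for new accounts
    [string]$ReportPath       = '.\StaleAccounts.csv',                  # assumed
    [string]$QuarantineOU     = 'OU=Stale Accounts,DC=example,DC=com',  # assumed; must already exist
    [switch]$MoveToQuarantine
)

Import-Module ActiveDirectory
$now = Get-Date

# One round trip to AD: pull every user once, with only the attributes the checks need.
$allUsers = Get-ADUser -Filter * -Properties Enabled, PasswordExpired, PasswordLastSet,
    LastLogonDate, whenCreated, DistinguishedName

$findings = foreach ($u in $allUsers) {
    $reasons = @()

    # Check 1: the account is disabled.
    if (-not $u.Enabled) { $reasons += 'Disabled' }

    # Check 2: password expired and last set at least $PasswordStaleDays ago.
    # PasswordLastSet is $null for "must change password at next logon" accounts, so guard it.
    if ($u.PasswordExpired -and $u.PasswordLastSet -and
        ($now - $u.PasswordLastSet).TotalDays -ge $PasswordStaleDays) {
        $reasons += "PasswordExpired>${PasswordStaleDays}d"
    }

    # Check 3: no logon in $InactiveDays, ignoring accounts created inside the grace period.
    # LastLogonDate is built from lastLogonTimestamp, which replicates only when it is
    # more than ~14 days old, so it is a lower bound on inactivity, not an exact figure.
    # An account with no LastLogonDate at all has never logged on since the attribute existed.
    $oldEnough     = $u.whenCreated -lt $now.AddDays(-$NewAccountGraceDays)
    $noRecentLogon = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $now.AddDays(-$InactiveDays))
    if ($oldEnough -and $noRecentLogon) { $reasons += "NoLogon>${InactiveDays}d" }

    if ($reasons.Count -gt 0) {
        [pscustomobject]@{
            SamAccountName    = $u.SamAccountName
            Enabled           = $u.Enabled
            PasswordLastSet   = $u.PasswordLastSet
            LastLogonDate     = $u.LastLogonDate
            Created           = $u.whenCreated
            Reasons           = $reasons -join ';'
            DistinguishedName = $u.DistinguishedName
        }
    }
}

# Produce the list first; the decision about what to do with it is a human one.
$findings | Sort-Object Reasons, SamAccountName | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} of {1} user accounts flagged; report written to {2}" -f `
    @($findings).Count, @($allUsers).Count, $ReportPath)

# Optional: move (never delete) flagged accounts that are not already in the quarantine OU.
# Run with -WhatIf to see what would move without touching anything.
if ($MoveToQuarantine) {
    foreach ($f in $findings | Where-Object { $_.DistinguishedName -notlike "*,$QuarantineOU" }) {
        if ($PSCmdlet.ShouldProcess($f.SamAccountName, "Move to $QuarantineOU")) {
            Move-ADObject -Identity $f.DistinguishedName -TargetPath $QuarantineOU
        }
    }
}
```

Run it as `.\Find-StaleAccounts.ps1` to get the CSV only, and `.\Find-StaleAccounts.ps1 -MoveToQuarantine -WhatIf` to preview the moves before doing them for real.  The `Reasons` column lets you see at a glance which accounts trip more than one check (a disabled account with an old password, for example); those are the safest to act on first.  If you only care about the last-logon criterion, the built-in `Search-ADAccount -AccountInactive -UsersOnly -TimeSpan 30.00:00:00` gives a similar list without the custom filtering, though it does not apply the new-account grace period.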

There you have it, three different ways to find stale accounts in your Active Directory environment.  With this information you and your team can start to develop some policies on how to handle these stale accounts, but I’ll leave that up to you.  Like I stated earlier, my recommendation is to come up with the lists first, then manually review the list with your peers and supervisor to come up with the best course of action.

As always your comments and questions are welcomed.  I will be posting a full script in the Script Repository shortly.  If you like what you’ve read please leave a comment or review and make sure you sign up for our newsletter so you know when the latest blog posts arrive.

Thanks!

  • testing comments

  • Mark Smith

    This looks great Matt! 😀