Inactive users and computers are a common security and housekeeping issue in Active Directory. This report identifies accounts that have not authenticated with AD in the last 30 days and presents the results in a clear table format for easy review.
How inactivity is determined
Inactivity is measured with the Active Directory attribute lastLogonTimestamp, which:
- Is replicated across domain controllers
- Is accurate enough for inactivity reporting
- Is best used with a 30+ day window
PowerShell Script (Table Output)
```powershell
Import-Module ActiveDirectory

$DaysInactive = 30
$InactiveDate = (Get-Date).AddDays(-$DaysInactive)

# Inactive Users
# lastLogonTimestamp -notlike "*" matches accounts where the attribute was never set
$InactiveUsers = Get-ADUser `
    -Filter { lastLogonTimestamp -lt $InactiveDate -or lastLogonTimestamp -notlike "*" } `
    -Properties lastLogonTimestamp, Enabled |
    Select-Object `
        Name,
        SamAccountName,
        Enabled,
        @{Name="LastLogonDate";Expression={
            # The attribute is stored as a FILETIME integer; convert it for display
            if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else {
                "Never"
            }
        }}

# Inactive Computers
$InactiveComputers = Get-ADComputer `
    -Filter { lastLogonTimestamp -lt $InactiveDate -or lastLogonTimestamp -notlike "*" } `
    -Properties lastLogonTimestamp, Enabled |
    Select-Object `
        Name,
        Enabled,
        @{Name="LastLogonDate";Expression={
            if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else {
                "Never"
            }
        }}

# Display Tables
Write-Host "`nInactive Users (30+ Days)`n"
$InactiveUsers | Sort-Object LastLogonDate | Format-Table -AutoSize

Write-Host "`nInactive Computers (30+ Days)`n"
$InactiveComputers | Sort-Object LastLogonDate | Format-Table -AutoSize
```
Sample Table Output
Inactive Users
| Name | SamAccountName | Enabled | LastLogonDate |
|---|---|---|---|
| John Doe | jdoe | True | 2025-11-02 |
| Temp User | temp.user | False | Never |
| Mary Smith | msmith | True | 2025-10-29 |
Inactive Computers
| Name | Enabled | LastLogonDate |
|---|---|---|
| WS-014 | True | 2025-10-28 |
| OLD-LAPTOP-07 | False | Never |
| LAB-PC-03 | True | 2025-11-01 |
How this table is typically used
Administrators commonly use this output to:
- Identify candidates for account disablement
- Move stale computers to a quarantine OU
- Review service or lab accounts separately
- Provide auditors with a clear inactivity list
Notes
- Do not rely on this for forensic timelines
- “Never” usually means:
  - Account was created but never used
  - Computer was joined but never logged in
- Always validate accounts before disabling or deleting
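
One way to do that validation for a user account, as an added example that is not part of the original script: lastLogonTimestamp is replicated but only refreshed periodically, so this reads the non-replicated lastLogon attribute from every domain controller and keeps the newest value. The function name `Get-LastLogonAcrossDCs` is hypothetical and the account names in the usage line are the constructed ones from the sample table.

```powershell
Import-Module ActiveDirectory

function Get-LastLogonAcrossDCs {   # hypothetical helper name
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [int]$DaysInactive = 30
    )
    $cutoff  = (Get-Date).AddDays(-$DaysInactive)
    $latest  = [long]0
    $source  = $null
    $skipped = @()

    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # lastLogon is NOT replicated: each DC records only the logons it handled
            $u = Get-ADUser -Identity $SamAccountName -Server $dc.HostName `
                            -Properties lastLogon -ErrorAction Stop
            if ($u.lastLogon -gt $latest) {
                $latest = $u.lastLogon
                $source = $dc.HostName
            }
        } catch {
            # A DC that could not be queried may hold a newer value, so record the gap
            $skipped += $dc.HostName
        }
    }

    # 0 or empty on every DC means no interactive or network logon was ever recorded
    $lastLogon = if ($latest -gt 0) { [DateTime]::FromFileTime($latest) } else { $null }

    [pscustomobject]@{
        SamAccountName = $SamAccountName
        LastLogon      = $lastLogon
        SeenOnDC       = $source
        StillInactive  = (-not $lastLogon) -or ($lastLogon -lt $cutoff)
        AllDCsAnswered = ($skipped.Count -eq 0)
        SkippedDCs     = $skipped -join ', '
    }
}

# Constructed sample names from the table above; replace with real report entries
'jdoe', 'msmith' | ForEach-Object { Get-LastLogonAcrossDCs -SamAccountName $_ } |
    Format-Table -AutoSize
```

Treat a result as confirmed only when `StillInactive` and `AllDCsAnswered` are both true; the same approach works for computers by swapping in `Get-ADComputer`.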