Finding Inactive Users and Computers in Active Directory (30-Day Check-In Report)

Kommands

15 hours ago

Inactive users and computers are a common security and housekeeping issue in Active Directory. This report identifies accounts that have not authenticated with AD in the last 30 days and presents the results in clear table format for easy review.

How inactivity is determined

Active Directory uses lastLogonTimestamp, which:

Is replicated across domain controllers
Is accurate enough for inactivity reporting
Is best used with a 30+ day window

PowerShell Script (Table Output)

Import-Module ActiveDirectory

$DaysInactive = 30
$InactiveDate = (Get-Date).AddDays(-$DaysInactive)

# Inactive Users
$InactiveUsers = Get-ADUser `
    -Filter { lastLogonTimestamp -lt $InactiveDate -or -not lastLogonTimestamp } `
    -Properties lastLogonTimestamp, Enabled |
    Select-Object `
        Name,
        SamAccountName,
        Enabled,
        @{Name="LastLogonDate";Expression={
            if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else {
                "Never"
            }
        }}

# Inactive Computers
$InactiveComputers = Get-ADComputer `
    -Filter { lastLogonTimestamp -lt $InactiveDate -or -not lastLogonTimestamp } `
    -Properties lastLogonTimestamp, Enabled |
    Select-Object `
        Name,
        Enabled,
        @{Name="LastLogonDate";Expression={
            if ($_.lastLogonTimestamp) {
                [DateTime]::FromFileTime($_.lastLogonTimestamp)
            } else {
                "Never"
            }
        }}

# Display Tables
Write-Host "`nInactive Users (30+ Days)`n"
$InactiveUsers | Sort-Object LastLogonDate | Format-Table -AutoSize

Write-Host "`nInactive Computers (30+ Days)`n"
$InactiveComputers | Sort-Object LastLogonDate | Format-Table -AutoSize

Sample Table Output

Inactive Users

Name	SamAccountName	Enabled	LastLogonDate
John Doe	jdoe	True	2025-11-02
Temp User	temp.user	False	Never
Mary Smith	msmith	True	2025-10-29

Inactive Computers

Name	Enabled	LastLogonDate
WS-014	True	2025-10-28
OLD-LAPTOP-07	False	Never
LAB-PC-03	True	2025-11-01

How this table is typically used

Administrators commonly use this output to:

Identify candidates for account disablement
Move stale computers to a quarantine OU
Review service or lab accounts separately
Provide auditors with a clear inactivity list

Notes

Do not rely on this for forensic timelines

“Never” usually means:

Account was created but never used

Computer was joined but never logged in

Always validate accounts before disabling or deleting