Checking when Active Directory users last logged on should not be the only criterion if you want to pinpoint stale user accounts reliably. Another method that can help with this judgement involves analyzing when user accounts last had their password changed.
Indeed, in a well-managed Active Directory environment password policies are normally set so that user passwords expire after anything between 30 and 90 days. If a password is expired, the user can't log on. Isn't that a sign that such user accounts are no longer used?
Let’s take a look at the following PowerShell code snippet:
# Cut-off date: 90 days before today
$90Days = (Get-Date).AddDays(-90)
# All users in the domain whose password was last set on or before the cut-off
Get-ADUser -SearchBase "DC=TORONTO,DC=LOCAL" -Filter {PasswordLastSet -le $90Days} -Properties PasswordLastSet | Select-Object Name, PasswordLastSet
Just like with the lastlogondate example, we search for all user accounts whose passwordlastset attribute was last updated more than 90 days ago. This should pick up the lion's share of users with old passwords.
There are a couple of exceptions though. If passwordlastset equals 0, the user account's password is expired and the user must change it at next logon. If passwordlastset equals -1, the user account's password is set to never expire. Depending on the intended use of such accounts, you may or may not want to include them in a list of stale user accounts.
Combined analysis of the lastlogondate and passwordlastset attributes will yield a more reliable conclusion about the status of user accounts and whether they should be disabled or removed. Here is another PowerShell script that shows how to find and remove inactive Active Directory users in one go.
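The combined check described above, written out as an added example (it is not the post's own script). It assumes the RSAT ActiveDirectory module, the same 90-day threshold and the same placeholder search base DC=TORONTO,DC=LOCAL as the snippet above; the variable and reason names are constructed for this example. It reads the raw pwdLastSet attribute to catch the value 0 (password must be changed at next logon, where the cmdlet's PasswordLastSet is empty) and the cmdlet's PasswordNeverExpires property to set never-expiring passwords aside for a manual decision, so that only accounts where both signals agree are flagged, and those are disabled rather than deleted.

```powershell
# Added example, not from the original post: combine LastLogonDate and
# PasswordLastSet to flag stale accounts and report the special cases separately.
# Assumptions: RSAT ActiveDirectory module; search base is a placeholder domain.
Import-Module ActiveDirectory

$Threshold  = (Get-Date).AddDays(-90)
$SearchBase = "DC=TORONTO,DC=LOCAL"

# Pull enabled users once with every attribute the decision needs.
# pwdLastSet is the raw attribute behind PasswordLastSet: 0 means "must change
# password at next logon", and PasswordLastSet is then $null.
$users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
    -Properties LastLogonDate, PasswordLastSet, pwdLastSet, PasswordNeverExpires, whenCreated

$report = foreach ($u in $users) {
    $reasons = @()

    # Password signal: expired/forced change, or simply older than the threshold.
    if ($u.pwdLastSet -eq 0) {
        $reasons += 'MustChangePasswordAtNextLogon'
    } elseif ($u.PasswordLastSet -le $Threshold) {
        $reasons += 'PasswordOlderThan90Days'
    }
    if ($u.PasswordNeverExpires) { $reasons += 'PasswordNeverExpires' }

    # Logon signal: LastLogonDate is $null for accounts that never logged on;
    # count those as stale only if the account is older than the threshold.
    if ($null -eq $u.LastLogonDate) {
        if ($u.whenCreated -le $Threshold) { $reasons += 'NeverLoggedOn' }
    } elseif ($u.LastLogonDate -le $Threshold) {
        $reasons += 'NoLogonIn90Days'
    }

    # Stale only when the password signal and the logon signal both agree.
    $oldPassword = ($reasons -contains 'PasswordOlderThan90Days') -or ($reasons -contains 'MustChangePasswordAtNextLogon')
    $noLogon     = ($reasons -contains 'NoLogonIn90Days') -or ($reasons -contains 'NeverLoggedOn')

    [PSCustomObject]@{
        Name                 = $u.Name
        SamAccountName       = $u.SamAccountName
        LastLogonDate        = $u.LastLogonDate
        PasswordLastSet      = $u.PasswordLastSet
        PasswordNeverExpires = $u.PasswordNeverExpires
        Stale                = ($oldPassword -and $noLogon)
        Reasons              = ($reasons -join ';')
    }
}

# Review the candidates first; never-expiring passwords usually belong to
# service accounts and need a human decision rather than an automatic one.
$report | Where-Object Stale | Sort-Object LastLogonDate | Format-Table -AutoSize

# Disable (not delete) confirmed stale accounts. -WhatIf only shows what would
# change; drop it after the list has been reviewed.
$report | Where-Object { $_.Stale -and -not $_.PasswordNeverExpires } |
    ForEach-Object { Disable-ADAccount -Identity $_.SamAccountName -WhatIf }
```

Disabling first and deleting later keeps the SID, group memberships and any audit trail intact while you wait to see whether anyone notices the account is gone, which is the usual safe middle step before removal.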