Locating Derelict User Accounts
Prior to migrating from one version of Active Directory to another, you should perform some “spring cleaning”. This means performing a general tidy up, including removing derelict user accounts.
May 4, 2015
A derelict user account is simply a user account that is no longer being used. The longer your organization’s Active Directory deployment has been around, the more likely it is to contain derelict user accounts, because when users leave the organization the accounts associated with them aren’t always removed. If the IT department isn’t told that a user has left, it is unlikely to remove that user’s account from Active Directory. Beyond being clutter, these accounts are a security liability: they keep whatever group memberships and access the former user had, their passwords are rarely changed, and nobody is around to notice if someone else starts signing in with them.
The trick with removing derelict user accounts is finding them. The easiest way to do that is to locate all accounts that haven’t performed a logon in the last 180 days. For most organizations, someone who hasn’t signed on in 180 days is probably never going to log on again. Two caveats apply. First, the value this check relies on (the lastLogonTimestamp attribute, surfaced in PowerShell as LastLogonDate) is replicated between domain controllers but is only refreshed when it is more than roughly 14 days old, so treat the 180-day cutoff as accurate to about two weeks rather than to the day. Second, the results will include service accounts and accounts that have never logged on at all, so review the list before acting on it, and prefer disabling accounts first and deleting them only after a holding period, since a disabled account can be restored with its SID and group memberships intact.
You can find user accounts that haven’t signed on for 180 days with the following PowerShell command, which leverages the Search-ADAccount cmdlet in the Active Directory PowerShell module (installed with the Remote Server Administration Tools, and loaded automatically on recent versions of PowerShell):
Import-Module ActiveDirectory
Search-ADAccount -AccountInactive -TimeSpan 180.00:00:00 | where {$_.ObjectClass -eq 'user'} | FT Name,ObjectClass,LastLogonDate -AutoSize
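The one-liner above produces a list; the script below, added here as an illustration and not part of the original article, takes the procedure the rest of the way: it finds enabled user accounts whose last logon (or, for accounts that have never logged on, creation date) is older than the cutoff, writes a review report to CSV, and only when run with -Disable disables the accounts, annotates them with the reason and date, and moves them to a holding OU rather than deleting them. The holding OU path and the "svc-" service-account prefix are assumptions for this example; adjust them to your own naming conventions.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory
# module (RSAT) and rights to read and modify the target accounts.
# $HoldingOU and the "svc-" prefix are assumed values for illustration.
param(
    [int]$InactiveDays = 180,
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    [string]$HoldingOU = "OU=Disabled Accounts,DC=corp,DC=example",  # assumed OU
    [switch]$Disable,          # without this switch the script only reports
    [string]$Report = ".\derelict-users.csv"
)

Import-Module ActiveDirectory -ErrorAction Stop

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# DCs but is only refreshed when it is more than ~14 days old, so the cutoff
# is accurate to about two weeks. Accounts that have never logged on have no
# LastLogonDate at all; fall back to whenCreated so they are not skipped.
$candidates = Get-ADUser -Filter { Enabled -eq $true } -SearchBase $SearchBase `
    -Properties LastLogonDate, whenCreated, PasswordLastSet, Description |
    Where-Object {
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        ($lastSeen -lt $cutoff) -and
        ($_.SamAccountName -notlike 'svc-*')   # assumed service-account prefix
    }

# Build the review report before touching anything.
$rows = foreach ($u in $candidates) {
    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Name            = $u.Name
        LastLogonDate   = $u.LastLogonDate
        NeverLoggedOn   = -not $u.LastLogonDate
        Created         = $u.whenCreated
        PasswordLastSet = $u.PasswordLastSet
        DN              = $u.DistinguishedName
    }
}

$rows | Sort-Object LastLogonDate | Export-Csv -Path $Report -NoTypeInformation
Write-Host ("{0} candidate account(s) written to {1}" -f @($rows).Count, $Report)

if ($Disable) {
    foreach ($u in $candidates) {
        # Disable and annotate rather than delete: a disabled account keeps its
        # SID and group memberships and can be re-enabled if someone still needs
        # it. Delete from the holding OU only after an agreed retention period.
        $lastSeen = if ($u.LastLogonDate) { $u.LastLogonDate.ToString('yyyy-MM-dd') } else { 'never' }
        $stamp = "Disabled as derelict on {0:yyyy-MM-dd}; last logon: {1}" -f (Get-Date), $lastSeen
        Disable-ADAccount -Identity $u
        Set-ADUser -Identity $u -Description $stamp
        Move-ADObject -Identity $u -TargetPath $HoldingOU
    }
}
```

Run it once without -Disable, circulate the CSV to the people who can confirm which accounts are genuinely abandoned (service accounts that do not log on interactively are the usual false positives), then run it again with -Disable. Moving the accounts to a dedicated OU makes the later deletion step a simple query against that OU.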