Use PowerShell to Disable Computer and User Accounts in Active Directory Inactive for Over XXX Days

As a consultant for clients, one common problem I come across is IT doing a poor job of managing old objects in Active Directory, so generally that cleanup falls to me. Here are some simple PowerShell commands that I find help disable these objects for security reasons. Once you have disabled them and let the change soak for a bit, you can easily find the disabled accounts and delete them.

Open PowerShell as an Administrator.

Import the ActiveDirectory module for PowerShell:
Import-Module ActiveDirectory

Set the number of days of inactivity you want to check for; in my examples I will use 120 days:
$datecutoff = (Get-Date).AddDays(-120)

To simply list those that have not been logged into in the last 120 days (or the number of days defined above):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort LastLogonDate | FT Name, LastLogonDate -AutoSize

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort LastLogonDate | FT Name, LastLogonDate -AutoSize

To test the process without executing the actual disable, using the above criteria (-WhatIf reports what would change and changes nothing):

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false -WhatIf

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false -WhatIf

Perform/execute the actual disable using the above criteria:

Computers:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADComputer -Enabled $false

Users:

Get-ADUser -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Set-ADUser -Enabled $false
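The steps above wrapped into one script, as an added example that is not part of the original post. It runs the same LastLogonDate query for computers and users, writes a CSV of what it is about to touch before changing anything, only disables objects that are still enabled, stamps each one with a description so the reason is visible later, and honours -WhatIf for the dry run. The parameter names ($InactiveDays, $ReportPath), the description text and the report file name are my own choices and are not anything the post specifies.

```powershell
# Disable-StaleAdObjects.ps1 (added example, not the original author's script)
# Usage:  .\Disable-StaleAdObjects.ps1 -InactiveDays 120 -WhatIf   (dry run, nothing changes)
#         .\Disable-StaleAdObjects.ps1 -InactiveDays 120           (actually disables)
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Days of inactivity before an object is considered stale (assumed default: 120, as in the post).
    [int]$InactiveDays = 120,
    # Where to write the list of affected objects before touching them (assumed location).
    [string]$ReportPath = ".\inactive-ad-objects-$(Get-Date -Format yyyyMMdd).csv"
)

Import-Module ActiveDirectory

$dateCutoff = (Get-Date).AddDays(-$InactiveDays)

# Same criterion as the post, narrowed to objects that are still enabled so
# re-running the script does not "re-disable" (and re-stamp) the same objects.
# Note: an object with no LastLogonDate at all does not match "-lt" in an AD
# filter, so accounts that have never logged on are NOT selected here.
$staleComputers = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $dateCutoff } `
                                 -Properties LastLogonDate, Description
$staleUsers     = Get-ADUser     -Filter { Enabled -eq $true -and LastLogonDate -lt $dateCutoff } `
                                 -Properties LastLogonDate, Description

# Keep a record of what is about to change before any object is modified,
# so the change can be reviewed and reversed object by object if needed.
$report = @($staleComputers | Select-Object @{n = 'Type'; e = { 'Computer' }}, Name, DistinguishedName, LastLogonDate) +
          @($staleUsers     | Select-Object @{n = 'Type'; e = { 'User' }},     Name, DistinguishedName, LastLogonDate)
$report | Sort-Object LastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Verbose ("{0} computer(s) and {1} user(s) inactive since {2:d}; report written to {3}" -f `
    $staleComputers.Count, $staleUsers.Count, $dateCutoff, $ReportPath)

$stamp = "Disabled $(Get-Date -Format yyyy-MM-dd): no logon for more than $InactiveDays days"

foreach ($c in $staleComputers) {
    # ShouldProcess is what makes -WhatIf / -Confirm work for the whole script.
    if ($PSCmdlet.ShouldProcess($c.DistinguishedName, "Disable computer (last logon $($c.LastLogonDate))")) {
        # Append to the existing description rather than overwrite it.
        $desc = if ($c.Description) { "$($c.Description) | $stamp" } else { $stamp }
        Set-ADComputer -Identity $c -Enabled $false -Description $desc
    }
}

foreach ($u in $staleUsers) {
    if ($PSCmdlet.ShouldProcess($u.DistinguishedName, "Disable user (last logon $($u.LastLogonDate))")) {
        $desc = if ($u.Description) { "$($u.Description) | $stamp" } else { $stamp }
        Set-ADUser -Identity $u -Enabled $false -Description $desc
    }
}
```

Two things worth knowing before trusting the cutoff: LastLogonDate is the module's friendly view of the replicated lastLogonTimestamp attribute, which is only updated when the stored value is more than roughly 9 to 14 days old, so "120 days" is approximate rather than exact; and because objects with no LastLogonDate do not match the filter, accounts that were created but never used need a separate check (for example on whenCreated) if you want to catch them in the same pass.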


Hope anyone who finds this article finds it as useful as the commands have been for me.