Finding Recently Deactivated Accounts at the Command Line
Managing Active Directory from the command line is just one of several options available: Active Directory Users and Computers, VB Script, and the DS commands in the command shell. All of these can be used to get and modify information about Active Directory objects, making those objects easier to manage.
While looking around the Internet at commands and utilities to cover here, I decided to look into something from the command line that will display a list of inactive user accounts.
Why should inactive accounts matter?
Paying attention to inactive accounts can help administrators track accounts that need to be deleted, or locate accounts that have been deactivated and need to be reactivated.
For example, Steve from Research and Development goes on a six-week sabbatical in Africa. His account is disabled while he is away to prevent the security risks of leaving the account active, where a compromised password could cause problems. When he returns, his account can be reactivated, which will allow him to log on and access all the same resources as before he left.
Note: Deleting the user account will remove the SID for the account, which removes all of the group and security properties for the account. Recreating the account with the same name and other common items will not help, as the SID will be different.
The command line entry for finding inactive accounts is:
dsquery <objecttype> -inactive n
The syntax for dsquery specifies an object type (user, computer, OU, etc.), a parameter (in this case -inactive), and then the length of time for which the object has been inactive.
To apply this to inactive users, you would enter:
dsquery user -inactive 3
This will look for all of the user accounts in the environment that have been inactive for 3 weeks. The dsquery command can look in multiple Organizational Units (OUs) throughout the directory.
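The query above can be narrowed to one OU and piped into dsget to show which of the inactive accounts are already disabled. This batch file is an added example, not part of the original article; the OU distinguished name and the week count are placeholder assumptions to replace with your own values.

```batch
@echo off
rem Added example: report user accounts under one OU that have been
rem inactive for a given number of weeks, with their disabled state.
setlocal

rem Placeholder values (assumptions): change them to match your directory.
set "BASE=OU=Research,DC=example,DC=com"
set "WEEKS=6"

rem dsquery stops after 100 results by default; -limit 0 removes that cap
rem so a large OU is not silently truncated.
rem dsquery writes one quoted distinguished name per line, and dsget reads
rem those names from the pipe and prints the selected properties.
echo Accounts inactive for %WEEKS% weeks or more under %BASE%:
dsquery user "%BASE%" -inactive %WEEKS% -limit 0 | dsget user -dn -samid -disabled

rem For comparison: accounts under the same OU that are already disabled,
rem whether or not they also count as inactive.
echo.
echo Accounts currently disabled under %BASE%:
dsquery user "%BASE%" -disabled -limit 0

endlocal
```

An account that shows "no" in the disabled column of the first report is still able to log on even though nobody has used it for the chosen period, so those are the entries to review first.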
For more information
There are many uses for the DS command set; however, the listing of inactive accounts can help an administrator quickly determine how many accounts with an inactive status exist anywhere in the environment. A single command line seems to be a very efficient way to retrieve this information.
While this command may not be the most advanced thing in the world for working with Active Directory, it is a place to start. More info about the DSQuery command can be found here.


