Powershell assistance for Active Directory Cleanup

Tags: active-directory, powershell, users

I just started a contract to clean up an Active Directory system for a large company. I was told it would be quite the busy work but after reviewing the system and seeing how disorganized and messy it is, I realized that I will not be able to perform my duties to their fullest. Essentially this company has far too many accounts that are not active but cannot be deleted just yet. I want to perform a "Scream Test" for certain accounts and delete later. If this was only a few thousand inactive accounts it would be one story but unfortunately it is quite a few thousand (I haven't taken an exact number yet but it is over 20,000). I was curious if anyone knew of a way to sort through this information in an automated fashion other than using Hyena to get reports and then going through them one by one.

Best Answer

I'll presume your question lies in finding inactive accounts.

I still use JoeWare's Oldcmp tool (http://www.joeware.net/freetools/tools/oldcmp/index.htm) after all these years.

It can find inactive AD accounts by looking at password age and, specifically, LLTS (lastLogonTimestamp).

It's simple enough to at least get you started and easier than PowerShell. Then disable those accounts and use ADUC to create a custom query window for disabled accounts. That way you don't have to move anything that might need to be re-enabled later.

BUT...I agree with Hopeless and Mfinni, and would say you better clearly lay out what you plan on doing with management BEFORE implementing anything.
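Since the question asks for an automated way to do this in PowerShell, here is an added example (not part of the original answer, and not Oldcmp's own logic) that applies the same criteria the answer describes: enabled users whose lastLogonTimestamp and pwdLastSet are both older than a cutoff are written to a CSV report and then staged for the scream test by being disabled in place, with the reason and date stamped into the description. It assumes the RSAT ActiveDirectory module, an account allowed to modify users, and that the 90-day threshold and the OU in $SearchBase are placeholders you will change. Both modifying cmdlets carry -WhatIf so the first run only previews.

```powershell
# Added example: find inactive enabled users via lastLogonTimestamp / pwdLastSet
# and stage them for a scream test. Threshold and OU below are placeholders.
Import-Module ActiveDirectory

$InactiveDays = 90
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$SearchBase   = 'OU=Users,DC=example,DC=com'     # placeholder, change to your OU
$ReportPath   = "inactive-users-$(Get-Date -Format yyyyMMdd).csv"

# lastLogonTimestamp is replicated, but a logon only rewrites it when the stored
# value is older than msDS-LogonTimeSyncInterval (default 14 days), so read it as
# "last logon within roughly two weeks of this date", not an exact time.
# Accounts that have never logged on have no value at all; whenCreated is used
# for those so that freshly created accounts are not swept up.
$Candidates = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
        -Properties lastLogonTimestamp, pwdLastSet, whenCreated, description |
    ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        # pwdLastSet = 0 means "must change password at next logon", not 1601-01-01
        $pwdSet    = if ($_.pwdLastSet -gt 0)  { [DateTime]::FromFileTime($_.pwdLastSet) }          else { $null }
        [PSCustomObject]@{
            SamAccountName    = $_.SamAccountName
            DistinguishedName = $_.DistinguishedName
            LastLogon         = $lastLogon
            PwdLastSet        = $pwdSet
            WhenCreated       = $_.whenCreated
            Description       = $_.description
        }
    } |
    Where-Object {
        # Inactive: never logged on and not new, OR last logon AND last password
        # change both predate the cutoff (a recent password change on an account
        # with no recent logon is worth a closer look rather than a disable).
        ($null -eq $_.LastLogon -and $_.WhenCreated -lt $Cutoff) -or
        ($null -ne $_.LastLogon -and $_.LastLogon -lt $Cutoff -and
         ($null -eq $_.PwdLastSet -or $_.PwdLastSet -lt $Cutoff))
    }

$Candidates = @($Candidates)
$Candidates | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($Candidates.Count) candidate accounts written to $ReportPath"

# Scream test: disable in place, stamp the description with the date and the
# previous text so the account can be re-enabled and restored later. Nothing is
# moved or deleted. Remove -WhatIf once the CSV has been reviewed.
foreach ($u in $Candidates) {
    $stamp = "ScreamTest disabled $(Get-Date -Format yyyy-MM-dd); last logon: $($u.LastLogon); was: $($u.Description)"
    Set-ADUser       -Identity $u.DistinguishedName -Description $stamp -WhatIf
    Disable-ADAccount -Identity $u.DistinguishedName -WhatIf
}
```

The ADUC saved query the answer mentions can use the LDAP filter `(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=2))`, which matches accounts with the ACCOUNTDISABLE bit set; the stamped description then makes it obvious in that view which ones were disabled by the scream test and when.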