Anyone who runs a network with an Active Directory domain keeps creating new user accounts, for new employees as well as for services. On networks with several hundred or even thousands of users, the administrator quickly loses track of all the Active Directory accounts. It is therefore advisable to check from time to time which accounts in Active Directory have never logged on to the domain.
Detect unused AD accounts
To determine these unused Active Directory accounts, you can use a PowerShell query. Some time ago, in our article "LastLogon (last login) of a user in AD using Get-ADUser", we already discussed the possibilities that PowerShell offers in connection with Active Directory.
If you want to list the accounts that have never logged on to the domain, open a PowerShell console and issue the following two commands.
Import-Module ActiveDirectory
Get-ADUser -Filter 'lastLogonTimestamp -notlike "*"' | Select-Object Name, DistinguishedName
We have shown you the process below as an example.
First, the "Import-Module ActiveDirectory" command loads the PowerShell cmdlets for querying Active Directory. The "Get-ADUser" command then lists every user account whose lastLogonTimestamp attribute has never been set, which is exactly the set of accounts that have never logged on to the domain (the filter '-notlike "*"' matches attributes that are empty).
The list shows the AD account name and the "DistinguishedName", as you can see in the picture.
Important: This query only works on Windows systems on which the RSAT tools (Remote Server Administration Tools) including the Active Directory module for Windows PowerShell are installed; on a domain controller the module is already present as part of the AD DS role.
This command should be run at regular intervals in every AD domain so that old and unused AD accounts are recognized and, where appropriate, disabled or deleted. Two caveats apply: an empty lastLogonTimestamp only proves that no domain controller has replicated a logon for that account yet, so freshly created accounts show up in the list as well (check whenCreated before acting), and the non-replicated lastLogon attribute is kept separately on every domain controller, so the strictest check queries each DC. Prefer disabling over deleting, so an account that turns out to be in use can simply be re-enabled.
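The following script is an added example that extends the two-command query from this article into a reusable check; it is not code from the original post. It assumes the RSAT ActiveDirectory module, read access to the domain, and the ability to query every domain controller. The age threshold ($MinAgeDays), the CSV file name and the final disable step are choices made for this example.

```powershell
# Added example (not from the original article): list AD user accounts that
# have never logged on, skipping brand-new accounts and cross-checking the
# per-DC lastLogon attribute before calling an account unused.
Import-Module ActiveDirectory

# Accounts younger than this are skipped: a new user may simply not have
# logged on yet, and a first logon can take a while to replicate. (Assumed value.)
$MinAgeDays = 30
$Cutoff     = (Get-Date).AddDays(-$MinAgeDays)

# lastLogonTimestamp is replicated, so one DC is enough for the first pass.
# '-notlike "*"' matches accounts where the attribute has never been set.
$Candidates = Get-ADUser -Filter 'lastLogonTimestamp -notlike "*"' `
    -Properties whenCreated, lastLogonTimestamp, Description |
    Where-Object { $_.whenCreated -lt $Cutoff }

# lastLogon is NOT replicated: each DC keeps its own value, so a logon that
# was serviced by DC2 only appears in DC2's copy. Ask every DC.
$DCs = Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName

$Report = foreach ($User in $Candidates) {
    $LastLogon = 0
    foreach ($DC in $DCs) {
        try {
            $u = Get-ADUser -Identity $User.DistinguishedName -Server $DC -Properties lastLogon
            if ($u.lastLogon -gt $LastLogon) { $LastLogon = $u.lastLogon }
        } catch {
            # A DC that is down must not silently turn an active user into "unused".
            Write-Warning "Could not query $DC for $($User.SamAccountName): $_"
        }
    }
    # 0 means no DC has ever recorded a logon for this account.
    $LastLogonDate = if ($LastLogon -gt 0) { [DateTime]::FromFileTime($LastLogon) } else { $null }

    [PSCustomObject]@{
        Name              = $User.Name
        SamAccountName    = $User.SamAccountName
        DistinguishedName = $User.DistinguishedName
        Enabled           = $User.Enabled
        Created           = $User.whenCreated
        LastLogonAnyDC    = $LastLogonDate
        Description       = $User.Description
    }
}

# Only accounts with no logon on any DC are truly unused.
$NeverLoggedOn = $Report | Where-Object { $null -eq $_.LastLogonAnyDC }

$NeverLoggedOn | Format-Table Name, SamAccountName, Enabled, Created -AutoSize
$NeverLoggedOn | Export-Csv -Path ".\NeverLoggedOn-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Review the CSV first. Disabling keeps SID and group memberships recoverable;
# remove -WhatIf only once the list has been checked.
$NeverLoggedOn | Where-Object { $_.Enabled } |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Run the script from an elevated PowerShell console with an account that can read user objects on all domain controllers. The per-DC loop costs one LDAP query per candidate and DC, which is acceptable for the few dozen accounts this filter usually returns; if a DC is unreachable the warning tells you the verdict for that run is incomplete.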
If you are looking for further tips on Active Directory, take a closer look at these posts here on our blog:
– Delete organizational units (containers) despite protection in Active Directory
– Create a list of all XP PCs in AD (Active Directory)
– Find outdated computers or users in Active Directory
– Installation of Active Directory failed….