Script Repository

Inactive users

January 11, 2017

The script creates and emails an HTML-formatted report on inactive users. It can be used to locate inactive users in a particular AD domain, Organizational Unit or container.

To create a report upon request, you can create a Custom Command that runs the script. To schedule the report, you need to create a Scheduled Task. When creating a Custom Command or a Scheduled Task, configure it to be executed on the type of Active Directory objects that you want to search in. For example, if you want to search for users located in an Organizational Unit, configure a command or task for the Organizational Unit objects, and execute them on the OU you need.

To add the script to a Custom Command or Scheduled Task, use the Run a program or PowerShell script action.


  • $to - specifies the email address of the recipient;
  • $inactivityDurationThreshold - specifies the number of days a user account needs to be inactive to be included in the report;
  • $sortBy - specifies the LDAP display name of the attribute to sort users by. For example, if you want to sort users by username, specify sAMAccountName;
  • $sortDirection - specifies the email sort direction. Possible values: Ascending or Descending;
  • $baseDN - specifies the Distinguished Name (DN) of an object where to search for inactive users. You can specify either a DN of a specific object or a value reference that will be substituted with the DN of a specific container when the script is run. For example, if you specify the following value reference: %distinguishedName%, the search will be performed within the Organizational Unit or container on which the script is executed. More examples:
    • DC=example,DC=com - domain;
    • %adm-ParentDN% - OU or container that holds the object on which the script is executed;
    • %adm-InitiatorParentDN% - OU or container that holds the account of the user who triggered execution of the script.
Edit Remove
$to = "" # TODO: modify me
$inactivityDurationThreshold = "30" # Days
$sortBy = "name" # TODO: modify me
$sortDirection = "Ascending" # TODO: modify me
$baseDN = "%distinguishedName%" # TODO: modify me

function GetObjectDisplayName($objectDN)
   $objectPath = New-Object -TypeName "Softerra.Adaxes.Adsi.AdsPath"`
       -ArgumentList @($null, $objectDN)    
   return [Softerra.Adaxes.Utils.ObjectNameHelper]::GetObjectName(
       $objectPath, "IncludeParentPath")

$htmlBuilder = New-Object "System.Text.StringBuilder"
$htmlBuilder.append("<meta http-equiv=""Content-Type""`
   content=""text/html charset=UTF-8""></head>")
$baseObjectDisplayName = GetObjectDisplayName($baseDN)
   "<p>Inactive Users (<b>{0}</b>)</p>",
$htmlBuilder.append("<table width=""100%%"" border=""1"">")
$htmlBuilder.append("<th>User Name</th>
    <th>User Logon Name (pre-Windows 2000)</th><th>Parent</th>
    <th>Inactivity Duration</th>")

# Find inactive users
$searcher = $Context.BindToObjectByDN($baseDN)
$searcher.PageSize = 500
$searcher.SearchScope = "ADS_SCOPE_SUBTREE"
$date = [System.DateTime]::UtcNow.AddDays(-$inactivityDurationThreshold)
$dateGenerilized = [Softerra.Adaxes.Utils.Transform]::ToGeneralizedTime($date)
$dateFileTime = $date.ToFileTimeUTC().ToString()
$searcher.SearchFilter = "(&(sAMAccountType=805306368)(|(&(!(lastLogonTimestamp=*))(whenCreated<=$dateGenerilized))(lastLogonTimestamp<=$dateFileTime)))"
$searcher.ReferralChasing = "ADS_CHASE_REFERRALS_NEVER"
$sortOption = New-Object "Softerra.Adaxes.Adsi.AdmSortOption"
$sortOption.PropertyName = $sortBy
$sortOption.Direction = $sortDirection
$searcher.Sort = $sortOption

    $searcherResult = $searcher.ExecuteSearch()
    $users = $searcherResult.FetchAll()
    # Add inactive users to report
    if ($users.Count -gt 0)
       foreach ($user in $users)
           $user = $Context.BindToObject($user.AdsPath)
           $inactivityDuration = $user.Get("adm-InactivityDuration")
           if ($inactivityDuration -lt $inactivityDurationThreshold)
           $userDN = New-Object "Softerra.Adaxes.Ldap.DN" $user.Get("distinguishedName")
           $parentDisplayName = GetObjectDisplayName($userDN.Parent.ToString())
           $htmlBuilder.appendFormat("<td>{0}</td>", $user.Get("name"))
           $htmlBuilder.appendFormat("<td>{0}</td>", $user.Get("sAMAccountName"))
           $htmlBuilder.appendFormat("<td>{0}</td>", $parentDisplayName)
           $htmlBuilder.appendFormat("<td>{0} day(s)</td>", $inactivityDuration)
    # Finish building report
    # Send report
    $Context.SendMail($to, "[AD Report] Inactive Users", $NULL,
    # Release resources used by the search

Comments ( 0 )
No results found.
Leave a comment