How to Manage Inactive User and Computer Accounts in Active Directory

Authored by: Support.com Tech Pro Team

1. Introduction

Dormant user and computer accounts are live credentials that nobody is watching: a leaver's password, or a decommissioned machine's account, still works until someone does something about it. This guide shows how to find such accounts with the dsquery command-line tool and then reset, disable, quarantine and finally delete them.

2. Step 1: List Inactive Accounts

Run the following commands on a domain controller, or on a workstation with the AD DS command-line tools installed, to list dormant accounts. The number after -inactive is a count of weeks, not days: dsquery compares it against each account's lastLogonTimestamp attribute, which domain controllers replicate only about every 14 days, so thresholds shorter than two weeks are unreliable. The output is one distinguished name per line, which is exactly what the dsmod and dsrm commands used later expect on their standard input.

  • Run the command given below in the “Command Prompt” to list user accounts that have been inactive for at least 15 weeks:

dsquery user -inactive 15

  • Run the command given below in the “Command Prompt” to list computer accounts that have been inactive for at least 15 weeks:

dsquery computer -inactive 15

By default dsquery returns at most 100 objects; add -limit 0 to list every match.

3. Step 2: Manage Inactive Accounts

After listing the inactive accounts, handle them with the methods below. They build on one another in the order listed rather than being alternatives: reset the password and disable the account as soon as it is confirmed dormant, move it to a quarantine OU once it is disabled, and delete it only after it has sat there without anyone asking for it back.

  1. Reset passwords of inactive accounts
  2. Disable the Inactive Accounts
  3. Move the account to an Organizational unit
  4. Delete the inactive accounts

Method 1 – Reset Passwords of Inactive Accounts

Resetting the password invalidates any credential that may have leaked while the account sat unused, but on its own it leaves the account enabled, so pair it with Method 2. This applies to user accounts only; computer accounts rotate their own password automatically. Perform the following steps just after listing the inactive accounts.

  • Navigate to “Start” → “Administrative Tools” → “Active Directory Users and Computers”.
  • Right-click the inactive user and click “Reset Password…”.
  • Enter and confirm a new, long, random password. Do not record it anywhere: the aim is that nobody can log on with the account, not that an administrator can.
  • Click “OK”.

Method 2 – Disable the Inactive Accounts

Inactive accounts should be disabled within 15 to 60 days of their last logon to limit the window in which a forgotten credential can be used. The commands below disable them in bulk: dsquery selects the dormant accounts and pipes their distinguished names into dsmod, which sets the disabled flag. Note that dsquery user -disabled only lists accounts that are already disabled; it does not disable anything.

  • To disable dormant user accounts, run the following command in “Command Prompt”:

dsquery user -inactive 4 -limit 0 | dsmod user -disabled yes

  • To disable dormant computer accounts, run the following command in “Command Prompt”:

dsquery computer -inactive 4 -limit 0 | dsmod computer -disabled yes

Here, 4 is the inactivity period in weeks (about 28 days) and you can change it; -limit 0 removes dsquery's default cap of 100 results so that every match is processed. Run the dsquery half on its own first and review the list, because this is the step at which a wrongly flagged service account or an employee returning from leave gets locked out.

Method 3 – Move the account to an Organizational unit

Once an account has been disabled for a few days without anyone asking for it back, move it to a dedicated organizational unit set aside for disabled accounts. That keeps quarantined objects out of the OUs that production Group Policy and delegated permissions apply to, and gives the deletion step a clear scope to work from. In “Active Directory Users and Computers”, right-click the user or computer, select “Move” from the context menu and choose the quarantine OU; you can also drag and drop the object onto the OU. Moving an object does not block logon by itself, so only move accounts that are already disabled.

Method 4 – Delete the inactive accounts

Disabled accounts that have sat in the quarantine OU for the agreed period should be deleted so that nobody can re-enable and use them. Execute the following commands.

  • Run the command given below to delete user accounts that have been inactive for at least 50 weeks:

dsquery user -inactive 50 | dsrm -noprompt

  • Run the command given below to delete computer accounts that have been inactive for at least 7 weeks:

dsquery computer -inactive 7 | dsrm -noprompt

Here, 50 and 7 are inactivity periods in weeks and you can change them; unless you have a reason to treat machines differently, use the same threshold for both. Two caveats before running either command. First, -inactive selects by last logon alone, whether or not the account was ever disabled or moved; to confine deletion to the quarantine OU, give dsquery that OU's distinguished name as its start node (the optional first argument after user or computer) instead of searching the whole domain. Second, dsrm -noprompt deletes without confirmation, and the deletion cannot be undone unless the Active Directory Recycle Bin is enabled, so run the dsquery part alone first, review its output, and only then add the pipe to dsrm.
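The whole lifecycle above (Step 1 listing, then Methods 1 to 4) written for the ActiveDirectory PowerShell module instead of the dsquery family, as an added example that is not part of the original article. The quarantine OU distinguished names, the thresholds and the description stamp format are assumptions chosen for illustration; it needs RSAT or a domain controller and an account allowed to modify and delete the matching objects.

```powershell
#Requires -Modules ActiveDirectory
<#
  Added example, not from the original article. Runs the inactive-account
  lifecycle (list -> reset password -> disable -> quarantine OU -> delete) with
  the ActiveDirectory module. Assumptions (adjust for your domain): the two
  quarantine OUs below exist, and the caller may modify and delete the objects.
  Without -Commit the script only reports what it would do.
#>
param(
    [int]    $InactiveDays    = 90,   # list/disable threshold
    [int]    $DeleteAfterDays = 60,   # time in quarantine before deletion
    [string] $UserQuarantine  = 'OU=Disabled Users,OU=Quarantine,DC=example,DC=com',
    [string] $CompQuarantine  = 'OU=Disabled Computers,OU=Quarantine,DC=example,DC=com',
    [switch] $Commit
)
Import-Module ActiveDirectory

# lastLogonTimestamp is replicated only when it is roughly 14 days stale, so a
# threshold under two weeks would flag accounts that are in daily use.
if ($InactiveDays -lt 14) { throw 'InactiveDays must be at least 14.' }
$cutoff = (Get-Date).AddDays(-$InactiveDays)
$stamp  = 'Disabled {0} by inactivity review' -f (Get-Date -Format 'yyyy-MM-dd')

# Step 1: enabled accounts whose last replicated logon is older than the cutoff.
function Get-InactiveAccounts {
    param([ValidateSet('User','Computer')][string]$Kind, [datetime]$Cutoff)
    $scope = if ($Kind -eq 'User') { @{ UsersOnly = $true } } else { @{ ComputersOnly = $true } }
    Search-ADAccount -AccountInactive -DateTime $Cutoff @scope |
        Where-Object { $_.Enabled } |
        ForEach-Object {
            # An account created after the cutoff has simply never logged on yet:
            # it is new, not dormant, so leave it alone.
            $created = (Get-ADObject -Identity $_.DistinguishedName -Properties whenCreated).whenCreated
            if ($created -lt $Cutoff) { $_ }
        }
}

# Method 1: set a long random password that nobody knows (users only; computer
# accounts rotate their own machine password).
function Reset-ToRandomPassword {
    param([string]$Dn)
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $secret = ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
    Set-ADAccountPassword -Identity $Dn -Reset -NewPassword $secret
}

# Methods 2 and 3: disable, record when and why in the description, and move
# the object to the quarantine OU.
function Invoke-Quarantine {
    param($Account, [string]$TargetOu)
    $dn = $Account.DistinguishedName
    if (-not $Commit) {
        "WOULD quarantine $($Account.SamAccountName) (last logon $($Account.LastLogonDate))"
        return
    }
    if ($Account.ObjectClass -eq 'user') { Reset-ToRandomPassword -Dn $dn }
    Disable-ADAccount -Identity $dn
    Set-ADObject -Identity $dn -Description $stamp
    Move-ADObject -Identity $dn -TargetPath $TargetOu   # last, because $dn changes
    "quarantined $($Account.SamAccountName)"
}

# Method 4: delete only objects that sit directly in the quarantine OU, are still
# disabled (userAccountControl bit 2) and carry a stamp older than DeleteAfterDays.
# Irreversible unless the AD Recycle Bin is enabled, hence the dry run by default.
function Remove-QuarantinedAccounts {
    param([string]$Ou)
    $deadline = (Get-Date).AddDays(-$DeleteAfterDays)
    # LDAP objectClass=user also matches computer objects, which derive from user.
    Get-ADObject -SearchBase $Ou -SearchScope OneLevel -Filter 'objectClass -eq "user"' `
                 -Properties description, userAccountControl |
        ForEach-Object {
            $disabled = ($_.userAccountControl -band 2) -ne 0
            $m = [regex]::Match([string]$_.description, 'Disabled (\d{4}-\d{2}-\d{2})')
            if (-not ($disabled -and $m.Success)) { return }          # not ours, or re-enabled
            if ([datetime]$m.Groups[1].Value -gt $deadline) { return } # quarantine period not over
            if ($Commit) { Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false; "deleted $($_.Name)" }
            else         { "WOULD delete $($_.Name)" }
        }
}

Get-InactiveAccounts -Kind User     -Cutoff $cutoff | ForEach-Object { Invoke-Quarantine $_ $UserQuarantine }
Get-InactiveAccounts -Kind Computer -Cutoff $cutoff | ForEach-Object { Invoke-Quarantine $_ $CompQuarantine }
Remove-QuarantinedAccounts -Ou $UserQuarantine
Remove-QuarantinedAccounts -Ou $CompQuarantine
```

Run it once without -Commit and read the WOULD lines before running it with -Commit. The description stamp is what ties the deletion step to the disable step, so the delete pass never touches an object it did not quarantine itself, and an account someone has re-enabled in the meantime is skipped because its disabled bit is clear.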