Disable Old Accounts

12th November 2019

To reduce your attack surface, it makes sense to disable unused accounts. Here are some methods to figure out if an account is unused.

For a small number of users, start a command prompt as administrator; it doesn’t need to be on a domain controller.

C:\>net user john /domain | findstr /C:"Last logon"
Last logon                   9/18/2013 10:18:41 AM

To list all users in a .csv file that can be opened in Excel, use the following PowerShell script. Run PowerShell as administrator. Be careful, as Notepad likes to add extra carriage returns.

Get-ADUser -Filter * -Properties * | Select-Object Name,SamAccountName,PasswordExpired,PasswordLastSet,LastLogonDate,Enabled,DistinguishedName,DisplayName,GivenName,Surname | Export-Csv C:\UsersLastLogon.csv -NoTypeInformation
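
To go from the full list to the accounts that actually look unused, the following added example (not part of the original post) filters on LastLogonDate and previews the disable step. The 90-day threshold and the output path are assumptions. LastLogonDate is replicated between domain controllers with a delay of up to about two weeks, so keep the threshold well above that.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) and read access to user objects.
Import-Module ActiveDirectory

$StaleDays = 90                       # assumed threshold, adjust to your policy
$Cutoff    = (Get-Date).AddDays(-$StaleDays)
$Report    = 'C:\StaleUsers.csv'      # assumed output path

# Only enabled accounts are interesting; request just the properties that are needed.
$stale = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object {
        # Skip accounts created inside the window: "never logged on" is not yet "unused".
        $_.whenCreated -lt $Cutoff -and
        # An empty LastLogonDate means the account has never logged on.
        ($null -eq $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff)
    } |
    Select-Object Name, SamAccountName, LastLogonDate, PasswordLastSet, whenCreated, DistinguishedName |
    Sort-Object LastLogonDate

$stale | Export-Csv -Path $Report -NoTypeInformation
"{0} enabled accounts with no logon since {1:d}" -f @($stale).Count, $Cutoff

# Review the CSV first (service accounts often show up here).
# -WhatIf only prints what would be disabled; remove it to make the change.
$stale | ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```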