Remove Dormant User Accounts

Accounts that have not been logged on to for some time are referred to as dormant accounts. Defining when a user account is considered dormant or inactive can be a challenge for any organisation. The threshold can vary from 90 to 180 days, according to Microsoft.

For the majority of organisations, an account that has been inactive for a period of 90 days can be considered dormant.

Audit

Use PowerShell to check for inactive user accounts. The command below lists accounts whose last logon is more than 90 days old; change the 90-day value to suit your own threshold.

Get-ADUser -Filter * -Properties LastLogonDate | Where-Object {$_.LastLogonDate -lt (Get-Date).AddDays(-90)}

Configuration

Disable and remove inactive user accounts from Active Directory.
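
One way to carry out this step in stages, as an added example that is not part of the original page: dormant accounts are disabled and moved to a quarantine OU, then deleted only after a grace period. The OU distinguished name, the 30-day grace period and the DORMANT-DISABLED marker are assumptions, and every change runs with -WhatIf until you remove it.

```powershell
# Added example, not from the original page. Assumed placeholders: the
# quarantine OU DN, the 30-day grace period and the description marker.
Import-Module ActiveDirectory

$InactiveDays = 90                                     # threshold used on this page
$GraceDays    = 30                                     # assumed wait before deletion
$QuarantineOU = 'OU=Disabled Users,DC=example,DC=com'  # placeholder DN
$Marker       = 'DORMANT-DISABLED'                     # assumed description tag
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)

# Stage 1: enabled accounts with no logon since the cutoff.
# LastLogonDate is derived from the replicated lastLogonTimestamp, which by
# default can lag the real last logon by up to about 14 days. It is empty for
# accounts that never logged on, so fall back to whenCreated to avoid flagging
# accounts that were only just created.
$dormant = Get-ADUser -Filter 'Enabled -eq $true' `
        -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $lastSeen -lt $Cutoff
    }

# Review this list (service and break-glass accounts) before removing -WhatIf.
$dormant | Select-Object SamAccountName, LastLogonDate, whenCreated

foreach ($user in $dormant) {
    # Prepend the marker and date, keeping the existing description.
    $stamp = '{0} {1:yyyy-MM-dd} | {2}' -f $Marker, (Get-Date), $user.Description
    Set-ADUser        -Identity $user -Description $stamp -WhatIf
    Disable-ADAccount -Identity $user -WhatIf
    Move-ADObject     -Identity $user.DistinguishedName -TargetPath $QuarantineOU -WhatIf
}

# Stage 2: delete accounts this script disabled more than $GraceDays ago.
$expired = Get-ADUser -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' `
        -Properties Description |
    Where-Object {
        $_.Description -match "^$Marker (\d{4}-\d{2}-\d{2})" -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt (Get-Date).AddDays(-$GraceDays)
    }
$expired | Remove-ADUser -WhatIf
```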

User Impact

Disabled or removed user accounts can no longer authenticate.