Inactive AD user disable review workflow

Good For

• Quarterly stale account review
• Disable candidate evidence for tickets and CAB review
• AD hygiene reviews with HR or service owner input
• Pre-disable reporting with rollback capture

How to Use It

1. Phase 1: Build the candidate list: Define the inactivity threshold in days, commonly 60, 90, or 120, and record it in the ticket. Export a current enabled-user baseline and a separate inactive-user candidate list using LastLogonDate-based evidence. Record the domain queried, date/time of query, operator name, and source DC or management host used. Keep raw CSV output unchanged; create a working copy for annotations.
2. Apply exclusions before review: Exclude known service, application, batch, integration, kiosk, shared mailbox-linked, break-glass, and vendor-managed accounts. Check for exclusion signals such as PasswordNeverExpires, ServicePrincipalName presence, privileged group membership, or description text indicating non-human use. Exclude accounts covered by active leave-of-absence, legal hold, or pending termination workflows if your organization requires separate handling. Mark each exclusion with an owner, evidence source, and review date.
3. Phase 2: Validate inactivity evidence per account: For each remaining candidate, review LastLogonDate, PasswordLastSet, WhenChanged, manager, department, and description. Confirm whether the account appears in high-risk or business-critical groups and capture group membership evidence. Cross-check with at least one non-AD source where available, such as HR roster, ticket history, VPN usage, email activity, IAM records, or endpoint management. Classify each account as Disable recommended, Hold for owner response, Excluded, or Insufficient evidence.
4. Capture approval and planned action: For each Disable recommended account, capture approver name, role, date, and approval channel such as ticket, email, or CAB note. Record the planned disable date, rollback window, and post-disable checks required. Capture rollback essentials before any action: OU, current group membership export, manager, description, and any known dependencies. If owner response is pending, set a review due date and escalation path.
5. Produce operator-ready evidence: Create a final review CSV with one row per account and columns for threshold, exclusion reason, evidence sources, decision, approver, and rollback notes. Attach raw baseline CSV, candidate CSV, per-user group exports for high-risk accounts, and operator notes to the ticket or evidence store. Summarize totals: candidates found, excluded, approved to disable, on hold, and unresolved. Ensure the checklist output is complete enough for a separate execution runbook to disable accounts later without re-discovery.

Execution Modes

• ad-filtered

Inputs and Outputs

Inputs

• InactivityThresholdDays
• TargetDomain
• ExclusionCriteria
• AuthoritativeSources

Outputs

• verbose-console
• operator-notes

Command Starter

Changes system state: review before running

Get-ADUser -Filter 'Enabled -eq $true' -Properties SamAccountName,UserPrincipalName,DisplayName,Enabled,LastLogonDate,PasswordLastSet,WhenCreated,Department,Title,Manager,Description,DistinguishedName | Select-Object SamAccountName,UserPrincipalName,DisplayName,Enabled,LastLogonDate,PasswordLastSet,WhenCreated,Department,Title,Manager,Description,DistinguishedName | Export-Csv .\ad-users-baseline.csv -NoTypeInformation
Search-ADAccount -UsersOnly -AccountInactive -TimeSpan 90.00:00:00 | Get-ADUser -Properties LastLogonDate,PasswordLastSet,Description,Department,Manager,DistinguishedName | Select-Object SamAccountName,Name,Enabled,LastLogonDate,PasswordLastSet,Department,Manager,Description,DistinguishedName | Export-Csv .\inactive-user-candidates.csv -NoTypeInformation
Import-Csv .\inactive-user-candidates.csv | Sort-Object LastLogonDate | Export-Csv .\inactive-user-candidates-sorted.csv -NoTypeInformation
Get-ADUser -Identity <samAccountName> -Properties LastLogonDate,PasswordLastSet,LockedOut,MemberOf,Manager,Description,DistinguishedName,WhenChanged | Select-Object SamAccountName,Enabled,LockedOut,LastLogonDate,PasswordLastSet,Manager,Description,WhenChanged,DistinguishedName
Get-ADPrincipalGroupMembership -Identity <samAccountName> | Select-Object Name,GroupCategory,GroupScope | Export-Csv .\<samAccountName>-groups.csv -NoTypeInformation
Get-ADUser -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' -Properties PasswordNeverExpires,ServicePrincipalName,Description | Select-Object SamAccountName,PasswordNeverExpires,ServicePrincipalName,Description | Export-Csv .\review-exclusions-signals.csv -NoTypeInformation

Validation

• Candidate CSV contains only currently enabled user accounts and excludes disabled objects from the initial list.
• Each Disable recommended record has at least one AD inactivity signal and one corroborating source or documented owner confirmation.
• Each exclusion has a stated reason, named owner or system, and review timestamp.
• Rollback capture exists for every approved account, including current OU and group membership evidence.

Reporting

• Decision summary: total candidates reviewed, excluded, approved to disable, on hold, and unresolved.
• Evidence summary: baseline CSV, candidate CSV, high-risk group membership exports, and corroborating source references attached to the ticket.
• Approval summary: approver, approval date, planned disable date, rollback window, and escalation owner per account or batch.

Safety Notes

• Do not disable accounts directly from this workflow; this checklist is for evidence gathering and approval capture only.
• LastLogonDate is replicated but may lag; for disputed accounts, validate against additional sources before recommending disable.
• Treat accounts with SPNs, privileged memberships, or automation indicators as exclusions until ownership is confirmed.
• Preserve raw exports unchanged so reviewers can trace decisions back to original evidence.