There are many ways to find inactive accounts in Active Directory (i.e. computer or user accounts that have not logged to the domain for an extended period of time).”
There are many ways to accomplish the task.TechNet script center has a fair amount of scripts that deal with the problem:
However, in this post I’d like to shed some light on a different method using the GUI instead of the command line.
You can use “Active Directory administrative center” (available in Windows 2008 R2 and above) to list inactive accounts.
From “global search”, select “add criteria” then “users with enabled accounts who have not logged on for more than this number of days”. You can modify the number of days by clicking on the number. For example, you can use the below filter to find users who have not logged on for 90 days (3 months)
You can see the equivalent LDAP query for the filter using the “convert to LDAP” radio button. Here you can also edit the LDAP query as you see fit. Note that the query makes use of the lastlogontimestamp attribute to find inactive accounts.
For a very good explanation of how lastlogontimestamp works, you can check the following article:
You can also edit the LDAP query to include both user and compute accounts by changing the objectClass in the LDAP query as follows:
Afterwards, you can easily select the search results and move them all to a separate OU to delete them later.