Secure Inactive Active Directory Users
There is no formula that tells an Active Directory administrator when or how to perform certain actions. Some feel that manual actions are best, while others feel that automation is the only way, and the rest falling somewhere in between. I think the reality is that if a job is completed in a reasonable amount of time and the result is 100 percent correct, the approach was effective.
The point is, some methods provide helpful options that others fail to give. For example, let’s say that you need a list of user accounts that have not logged on for over 90 days so that you can disable them. The caveat is that you don’t want to have to sift through user accounts that are already disabled, or user accounts that have never logged on.
If you use Active Directory users and computers, you can use a saved query, which provides you with only one of these options at a time. It gives you an option for the time since the last log on and disabled user accounts, but not an option for user accounts that have never logged on, as you can see in Figure 1.
Read the entire article here, Secure inactive Active Directory users
via the fine folks at ManageEngine