How to Find and Remove Old Computer Accounts in Active Directory

by Robert Allen

In this guide, I’ll show you two options on how to find inactive computers in Active Directory. Inactive computers can lead to big problems such as inaccurate reporting, group policy slowness, software distribution issues, and security issues.

Option 1. Find Inactive Computers in Active Directory with PowerShell

In this example, I’ll use the Get-ADComputer PowerShell command to find computers where the LastLogonDate has not been updated in at least 60 days. This means no one has logged into the computer for 60 days or more.

Step 1. Open PowerShell as Administrator.

Step 2. Copy and run the command below.

# List computers whose LastLogonDate is older than the cutoff date
$DaysInactive = 60
$time = (Get-Date).AddDays(-$DaysInactive)
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | Select-Object Name, LastLogonDate

Below is a screenshot from my domain.

[Screenshot: inactive computers using PowerShell]

Step 3. To export the list of inactive computers, use this command.

# Same query, written to a CSV file (-NoTypeInformation omits the #TYPE header line)
$DaysInactive = 60
$time = (Get-Date).AddDays(-$DaysInactive)
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv -Path c:\temp\inactivecomputers.csv -NoTypeInformation

You can change the inactivity time to anything you want. For example, to change it to 90 days, change this line.

$DaysInactive = 90

Option 2. Find and Clean Up Old Computers with the AD Cleanup Tool

The AD Cleanup Tool makes it easy to find and clean up old computers in Active Directory.

  1. Select “Inactive Computers” and the time range. Then click “Run”. It defaults to the last 90 days.
  2. Select to delete, disable, move or export the inactive computers. You can select all computers from the list or individual ones.
  3. The AD Cleanup Tool also includes filters to find disabled computers and computers with no logons.

List inactive computers.

[Screenshot: inactive computers, last 90 days]

Clean up the list of old computers with the following actions:

  • Delete
  • Disable
  • Move
  • Export

[Screenshot: disable or delete old computers]

Additional filters to find inactive and stale computer accounts.

[Screenshot: find old computers with no logons]

Move Inactive Computers to another OU

To move computers, select one or more from the list and click the move button.

[Screenshot: move inactive computers to another OU]

You will be prompted to select an OU. I recommend creating an OU called disabled or inactive.

[Screenshot: select an OU]

Now if I check the OU in Active Directory, I’ll see that the accounts have been moved.

[Screenshot: list of inactive computers in AD]

Best Practices for dealing with Stale Computer Accounts

Here are my recommendations for dealing with inactive and stale computer accounts.

  • Disable computer accounts for a period of time (such as 90 days) before deleting them.
  • Search for inactive computers where the lastLogonTimestamp has not been updated in at least 90 days.
  • Export the list of inactive computers and share it with other staff members.
  • When you disable the computer object, add a description with the date and your initials. This is very helpful for other admins in case someone asks why a computer was disabled.
  • Run a cleanup process on Active Directory once a month.
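
The recommendations above combined into one PowerShell script, as an added example that is not the author's own code. The OU path, initials and CSV folder are placeholders you must change, and the $DryRun switch is a variable introduced here for illustration; the script also picks up enabled accounts that have never logged on, which a LastLogonDate filter alone does not match.

```powershell
# Added example: export, disable, stamp and move stale computer accounts.
Import-Module ActiveDirectory

$DaysInactive = 90
$InactiveOU   = 'OU=Inactive,DC=example,DC=com'   # placeholder: your holding OU
$Initials     = 'XX'                              # placeholder: your initials
$CsvPath      = 'C:\temp\inactivecomputers.csv'   # assumes C:\temp exists
$DryRun       = $true                             # $false applies the changes

$cutoff = (Get-Date).AddDays(-$DaysInactive)

# LastLogonDate is the AD module's readable form of lastLogonTimestamp.
# Accounts that never logged on have no value there, so they are matched
# separately, and only if the object itself is older than the cutoff
# (this skips machines that were joined recently).
$stale = Get-ADComputer -Filter {Enabled -eq $true} -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) -or
        (-not $_.LastLogonDate -and $_.whenCreated -lt $cutoff)
    }

# Export the list first so other staff can review it.
$stale | Select-Object Name, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv -Path $CsvPath -NoTypeInformation

$stamp = "Disabled $(Get-Date -Format 'yyyy-MM-dd') by $Initials (inactive $DaysInactive+ days)"

foreach ($c in $stale) {
    # Put the date and initials first, keeping any existing description.
    $desc = if ($c.Description) { "$stamp | $($c.Description)" } else { $stamp }

    # With $DryRun = $true each cmdlet only reports what it would do.
    Set-ADComputer    -Identity $c -Description $desc -WhatIf:$DryRun
    Disable-ADAccount -Identity $c -WhatIf:$DryRun
    Move-ADObject     -Identity $c.DistinguishedName -TargetPath $InactiveOU -WhatIf:$DryRun
}
```

By default lastLogonTimestamp is only refreshed when the stored value is roughly 9 to 14 days old, so keep the threshold well above two weeks. Run once with $DryRun left at $true and check the CSV before applying the changes.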

Hopefully, you found this tutorial helpful. If you have questions or run into any problems, post a comment below.


5 thoughts on “How to Find and Remove Old Computer Accounts in Active Directory”

  1. Will you please tell me the way to allow non-administrators (IT support team)
    to join workstations to the domain and perform some troubleshooting tasks, such as running network diagnostics tasks, installing software, etc.?

    • Peter,

      You are absolutely right: if inactive accounts are not removed, they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.
