How to find and remove old computer accounts in Active Directory

In this guide, I’ll show you how to find old and inactive computers in Active Directory.

Inactive computer accounts can cause problems such as inaccurate reporting, Group Policy slowness, software distribution and software update issues, and security risks.

In medium to large businesses, you may be surprised at how many inactive computers are just sitting around in Active Directory.

In the examples below, I’ll demonstrate 3 different Active Directory Tools that you can use to find and remove old computer accounts.

First, you need to understand how these methods (tools) work. There are two attributes that can be used to find old computer accounts:

  1. lastLogonTimestamp: Active Directory computers have an attribute called lastLogonTimestamp. Microsoft created this attribute to help identify inactive computer and user accounts. It is used to determine whether a user or computer has recently logged on to the domain.
  2. Computer password age: Just like user accounts, computers have a password. It is changed automatically every 30 days. If a computer is no longer active, its password will not be updated, so the password age can be used to find old and inactive computers.

The tools used in this tutorial will query either the last logon time or the computer password age to determine if a computer is inactive.
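The following is an added example, not code from the original article, showing how to read both indicators for every computer in an OU and report their age in days with the PowerShell Active Directory module. The OU path is a placeholder. Both attributes are stored as 64-bit FILETIME values, so they have to be converted before comparing them to today's date; and because lastLogonTimestamp is only refreshed when the stored value is older than the domain's msDS-LogonTimeSyncInterval (14 days by default), treat it as accurate to about two weeks, not to the day.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module.
# 'OU=Workstations,DC=example,DC=com' is a placeholder; omit -SearchBase to scan the whole domain.
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=example,DC=com'
$Now = Get-Date

Get-ADComputer -Filter * -SearchBase $SearchBase -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem |
    ForEach-Object {
        # Both attributes are FILETIME (Int64); FromFileTime converts them to a local DateTime.
        # A computer that has never logged on has no lastLogonTimestamp at all, so test for $null
        # instead of converting 0, which would yield 1601-01-01 and a meaningless "age".
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }

        [PSCustomObject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            LastLogon       = $lastLogon
            LastLogonDays   = if ($lastLogon) { [int]($Now - $lastLogon).TotalDays } else { 'never' }
            PasswordSet     = $pwdSet
            PasswordAgeDays = if ($pwdSet)    { [int]($Now - $pwdSet).TotalDays }    else { 'never' }
        }
    } |
    Sort-Object PasswordSet |
    Format-Table -AutoSize
```

Rows where both columns are large are the strong candidates for cleanup; rows with a fresh password but an old LastLogon usually belong to machines that are online but do not log on interactively (servers, kiosks), which is why checking both attributes is safer than relying on either one alone.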

Warning: Some of these methods can be very dangerous.

I would not immediately delete computer accounts reported by these tools. My advice is to use these tools to find stale computers, disable them for a number of days, and then delete them. You may have mobile users, VPN users, and users who work from home; their computer accounts may not update lastLogonTimestamp because they are off the network. It's safer to disable accounts: if they turn out to be still active, you can simply re-enable them.

Find Inactive Computers in Active Directory with the AD Cleanup Tool

I created the AD Cleanup Tool to simplify the process of finding and removing old computer accounts in Active Directory. In addition to cleaning up old computer accounts, it can also find inactive users, disabled accounts, expired accounts, users with no logon history, and empty groups.

This tool uses the lastLogonTimestamp attribute to find old computers; you can change the inactivity threshold to any number of days.

In this example, I’ll find computers that have been inactive for 30 days.

Step 1. Download the AD Cleanup Tool

You can download a free trial of this tool and test it out on your network.

Step 2. Enter Computer Inactivity Time

Open the tool and enter the number of days of inactivity (No logons within). In this example, I'll enter 30 days. Next, click the Run button.

You can choose to search the entire domain or a specific OU or group.

By default, the tool will find both inactive users and computers. You can see above that I have only one computer account that was inactive for 30 days, but there are many inactive users.

If you want to search computers only, click the Filters button and uncheck Users.

Step 3. Move Inactive Computers to another OU

This step is optional, but I like to move the inactive accounts to another OU and then disable them. You can bulk move the accounts by selecting the account(s) and clicking the Move button.

You will be prompted to select the OU to move the accounts into.

When you click the “Move” button you will be prompted to confirm the action.

In addition, you can click the "Disable" button to disable the selected accounts. The results can also be filtered, searched, sorted, and exported to CSV or PDF.

If you want to find inactive computers or users by the password last set attribute, click the columns button and add the “pwdLastSet” attribute.

In addition to lastLogonTimestamp, this will also display when the account last changed its password. This is optional; it just gives you more ways to identify inactive computer and user accounts.

Additional AD Cleanup Tool features:

  • Find all computers with no logon history
  • Find all disabled computers
  • Find all disabled user accounts
  • Find all expired user accounts
  • Find all empty groups
  • Add or remove additional user/computer fields to the results

That’s it for method 1.

The AD Cleanup Tool includes a free trial so you can try it out in your AD environment.

Find Inactive Computers with the Oldcmp command line tool

Oldcmp is a command line tool that was built specifically for cleaning up old computer accounts. Instead of checking the last logon time, this tool checks the computer's password age. By default, it looks for passwords 90 days old or older, but this can be changed.

This tool has many safeguards in place to prevent you from blowing up Active Directory. It is a very powerful tool with lots of options making it a great choice to automate the whole cleanup process. It’s an old tool but still works on new domain controllers, I’ve tested it on a 2016 DC.

Some built-in safeguards:

  • You can only delete machine accounts that are disabled
  • By default, it will only modify 10 accounts at a time; if you want more, you have to specify the number.
  • You must include the -forreal option to really make changes
  • It will not modify domain controller accounts

Like I said, many safeguards are built in, which is a good thing... trust me.

Let’s look at how to use this tool with a few examples.

Download and setup

You can download oldcmp from the link below.

http://www.joeware.net/freetools/tools/oldcmp/index.htm

Extract the zip file and put the oldcmp.exe somewhere that’s easy to access from the command line.

I put mine at c:\it\oldcmp\oldcmp.exe.

To run these commands open the command prompt and change to the directory where the exe is located.

Example 1

oldcmp -report

This will generate an HTML report of computers whose password is 90 days old or older, without changing anything.

Example 2

oldcmp -forreal -unsafe

This example will find accounts whose password is older than 90 days and disable them. Without -forreal the tool only reports what it would do.

Example 3

oldcmp -delete -onlydisabled -unsafe -forreal

This command will find and delete accounts older than 90 days. Because -onlydisabled is specified, only accounts that are already disabled are deleted, which fits the disable-first workflow recommended above.

There are more examples and documentation of all the command line options here.

http://www.joeware.net/freetools/tools/oldcmp/usage.htm

That’s it for method 2.

Find Old Computer Accounts with PowerShell

This last method uses PowerShell to search the password last set attribute; you will need the PowerShell Active Directory module loaded for this to work.

Step 1: Use the Get-ADComputer cmdlet

The command below will display all the computers by name and password last set date.

Get-ADComputer -Filter * -Properties PasswordLastSet | Select-Object Name, PasswordLastSet | Sort-Object PasswordLastSet

I can see below that several computers haven't had their password reset in a long time.

The only problem with this command is that it displays all computers in the domain.

I only care about computers whose password hasn't been reset in the last 90 days; there are a couple of ways to deal with this.

Step 2. Export the results to a CSV 

To export the report to a CSV file, add export-csv and the path to the end of the command.

Get-ADComputer -Filter * -Properties PasswordLastSet | Select-Object Name, PasswordLastSet | Sort-Object PasswordLastSet | Export-Csv c:\it\oldcmp\oldexport.csv -NoTypeInformation

Now I can open the results in Excel and easily remove what I don't want.

Step 3. Add a date variable to filter out computers

Another option is to create a variable that will help filter the results. To do this I will use the get-date cmdlet to create a variable that sets the date to 90 days ago.

Here is the command to create the variable; the -90 sets it to 90 days ago. You can change that to however many days you like.

$date = (Get-Date).AddDays(-90)

Next, I include the date variable with the less-than (-lt) operator in the filter of the original command.

Get-ADComputer -Filter { PasswordLastSet -lt $date } -Properties PasswordLastSet | Select-Object Name, PasswordLastSet | Sort-Object PasswordLastSet

Now it will display only the computer accounts whose password is older than 90 days.
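The following is an added example, not part of the original article, that turns the three steps above and the "disable first, delete later" advice from the warning at the top into a repeatable script. It assumes the Active Directory module; the holding OU, the 90-day inactivity threshold and the 30-day grace period are placeholders to adjust. It requires both indicators from the article (password age and lastLogonTimestamp) to be stale before it touches an account, it skips domain controllers by primary group, and both functions honour -WhatIf so you can see the candidate list before anything changes.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory module.
# $StaleOU is a placeholder; create the OU first or point this at an existing one.
Import-Module ActiveDirectory

$StaleOU = 'OU=Stale Computers,DC=example,DC=com'   # holding OU for disabled accounts (placeholder)
$Tag     = 'StaleDisabled='                          # marker written into the description attribute

function Find-StaleComputer {
    param([int]$InactiveDays = 90)
    $cutoff = (Get-Date).AddDays(-$InactiveDays)
    # Require BOTH indicators to be old: password not rotated AND no recent logon.
    # Computers with no lastLogonTimestamp at all (never logged on) do not match this filter
    # and are left for manual review rather than silently disabled.
    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and LastLogonTimestamp -lt $cutoff -and Enabled -eq $true } `
        -Properties PasswordLastSet, LastLogonTimestamp, PrimaryGroupID, Description |
        Where-Object { $_.PrimaryGroupID -notin 516, 521 }   # 516 = Domain Controllers, 521 = RODCs
}

function Disable-StaleComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$InactiveDays = 90)
    foreach ($c in Find-StaleComputer -InactiveDays $InactiveDays) {
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $StaleOU")) {
            # Stamp the disable date in the description so the delete pass can measure the grace period.
            # (This overwrites any existing description; keep a CSV export if you need the old value.)
            Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
                -Description ('{0}{1:yyyy-MM-dd}' -f $Tag, (Get-Date))
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $StaleOU
        }
    }
}

function Remove-StaleComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([int]$DisabledDays = 30)
    $cutoff = (Get-Date).AddDays(-$DisabledDays)
    Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $StaleOU -Properties Description |
        ForEach-Object {
            # Only delete accounts this workflow parked, and only once the grace period has passed.
            if ($_.Description -and $_.Description.StartsWith($Tag)) {
                $disabledOn = [DateTime]::ParseExact($_.Description.Substring($Tag.Length), 'yyyy-MM-dd', $null)
                if ($disabledOn -lt $cutoff -and $PSCmdlet.ShouldProcess($_.Name, 'Delete computer account')) {
                    Remove-ADComputer -Identity $_.DistinguishedName -Confirm:$false
                }
            }
        }
}

# Dry run first: -WhatIf prints each candidate without changing anything.
Disable-StaleComputer -InactiveDays 90 -WhatIf
Remove-StaleComputer  -DisabledDays 30 -WhatIf
```

Run the two functions from a scheduled task a month apart and an account that was disabled by mistake (a laptop that was off the network, as the warning above describes) can simply be re-enabled and moved back before the delete pass reaches it. One caveat when the delete pass runs: Remove-ADComputer refuses to delete a computer object that has child objects (for example BitLocker recovery information), in which case Remove-ADObject with -Recursive is needed for that account.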

That’s it for method 3.

Hopefully, you found this tutorial helpful.

If you have questions or run into any problems, post a comment below.

Recommended Tool: Permissions Analyzer for Active Directory

This FREE tool lets you get instant visibility into user and group permissions and allows you to quickly check user or group permissions for files, network, and folder shares.

You can analyze user permissions based on an individual user or group membership.

This is a Free tool, download your copy here.

5 thoughts on “How to find and remove old computer accounts in Active Directory”

      Peter,

      You are absolutely right, if inactive accounts are not removed they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.

  1. The last three PowerShell commands worked great.

    You should add that they need to be run sequentially.

  2. Will you please tell me the way to allow non-administrators (IT support team)
    to join workstations to the domain and perform some troubleshooting tasks, such as running network diagnostics tasks, installing software, etc.

      You can use the Delegation of Control Wizard to allow non-administrators to perform certain tasks.

      Here is a video I made for delegating reset permissions to a security group for the helpdesk.

      https://www.youtube.com/watch?v=VXDVwRGW-Qs
