How to Find Inactive Computers in Active Directory

Inactive and stale computer accounts in Active Directory are a security risk and should be cleaned up regularly. In this guide, I’ll show you how to find and remove old computer accounts using PowerShell and the AD Cleanup Tool.

AD Cleanup Tool Method

The AD Cleanup Tool is the easiest way to find inactive computers in Active Directory. Set your inactivity threshold, run a scan, and take action — disable, move, or delete stale accounts in bulk.

  1. Select scan criteria and inactive time period then click “Scan”.


  2. Select computer and choose an action (disable, move, delete or export).



PowerShell Method

You can also use PowerShell to find inactive computer accounts. The Get-ADComputer cmdlet lets you search for computers that haven’t logged in within a specific timeframe. In this example, I’ll find computers where the LastLogonDate has not been updated in at least 60 days. This means no one has logged into the computer for 60 days or more.

Step 1. Open PowerShell as Administrator.

Step 2. Copy and run the command below.

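# Number of days without a logon before a computer counts as inactive
$DaysInactive = 60
$time = (Get-Date).AddDays(-($DaysInactive))
# List computers whose LastLogonDate is older than the cutoff
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | Select-Object Name, LastLogonDate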

Below is a screenshot from my domain.

[Screenshot: inactive computers using PowerShell]

Step 3. To export the list of inactive computers, use this command.

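$DaysInactive = 60
$time = (Get-Date).AddDays(-($DaysInactive))
# Same query, written to a CSV file (-NoTypeInformation omits the "#TYPE" header line)
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv -Path c:\temp\inactivecomputers.csv -NoTypeInformation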

You can change the inactivity time to anything you want. For example, to change it to 90 days change this line.

$DaysInactive = 90

Best Practices for Handling Inactive Computers in AD

Here are my recommendations for dealing with inactive and stale computer accounts.

  • Define inactivity time: Set a clear policy for how long a computer can remain inactive before being acted upon. I recommend at least 90 days of inactivity before taking action.
  • Disable first: Disable the computer account for x period of time (such as 90 days) before deleting it. There are many reasons why a computer account can report as inactive, so it’s a good idea to have a long grace period.
  • Move Accounts: Move inactive and disabled computer accounts to a dedicated OU, such as one labeled “Disabled” or “Inactive”. This helps keep things organized and makes it easy for everyone to see all the inactive computer accounts.
  • Share Inactive Report: Export the list of inactive computers and share it with other staff members. It’s important to communicate with staff about objects in AD that have been disabled or deleted.
  • Add Description: When you disable the computer object, add a description with the date and your initials. This is very helpful for other admins in case someone asks why a computer was disabled.
  • Enable AD Recycle Bin: Make sure you enable the AD Recycle Bin. This will come in useful if you delete an object that was still in use.
  • Delete inactive computers after x days: After the computer account has been disabled for at least 90 days then it is probably safe to delete the account.
  • Regular review: Run a cleanup process on Active Directory once a month. You can use automation to schedule the cleanup steps.
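
The disable, describe, move and report recommendations above can be scripted as one pass. This is an added example, not a script from the original guide; the OU path, initials and report path are assumed placeholder values that you must change for your domain.

```powershell
# Added example: stage stale computer accounts (report, disable, describe, move).
# Assumed placeholder values - replace with your own before running.
$DaysInactive = 90
$Initials     = 'JD'                              # hypothetical admin initials
$InactiveOU   = 'OU=Inactive,DC=example,DC=com'   # hypothetical dedicated OU
$ReportPath   = 'C:\temp\disabled-computers.csv'  # hypothetical report location

$Cutoff = (Get-Date).AddDays(-$DaysInactive)
$Stamp  = 'Disabled {0:yyyy-MM-dd} by {1} (inactive {2}+ days)' -f (Get-Date), $Initials, $DaysInactive

# LastLogonDate is the replicated lastLogonTimestamp attribute, which AD only
# refreshes every 9-14 days by default, so keep the threshold well above that lag.
# Accounts that have never logged on have no LastLogonDate and are not matched
# by this filter. Only enabled accounts are selected, so a rerun does not
# re-stamp accounts that were already staged.
$stale = Get-ADComputer -Filter {Enabled -eq $true -and LastLogonDate -lt $Cutoff} `
    -Properties LastLogonDate, OperatingSystem, Description

# Write the report first so other staff can review what is about to change.
$stale | Select-Object Name, LastLogonDate, OperatingSystem, DistinguishedName |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($computer in $stale) {
    # Keep any existing description after the new date/initials stamp.
    $description = ($Stamp, $computer.Description | Where-Object { $_ }) -join ' | '

    # -WhatIf only prints the planned change. Remove it once the report is reviewed.
    Set-ADComputer -Identity $computer -Enabled $false -Description $description -WhatIf
    Move-ADObject  -Identity $computer -TargetPath $InactiveOU -WhatIf
}
```

Nothing is deleted by this pass; accounts stay recoverable in the dedicated OU for the grace period described above.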

Hopefully, you found this tutorial helpful. If you have questions or run into any problems, post a comment below.
