In this guide, I’ll show you two options on how to find inactive computers in Active Directory. Inactive computers can lead to big problems such as inaccurate reporting, group policy slowness, software distribution issues, and security issues.
In this article:
- Option 1. Find Inactive Computers in Active Directory with PowerShell
- Option 2. Find and cleanup old computers with the AD Cleanup Tool
- Best Practices for dealing with Stale Computer Accounts
Option 1. Find Inactive Computers in Active Directory with PowerShell
In this example, I’ll use the Get-ADComputer PowerShell command to find computers were the LastLogonDate has not been updated in at last 60 days. This means no one has logged into the computer for 60 days or more.
Step 1. Open PowerShell as Administrator.
Step 2. Copy and run the command below.
$DaysInactive = 60
$time = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | select name, LastLogonDateBelow is a screenshot from my domain.
Step 3. To export the list of inactive computers use this command.
$DaysInactive = 60
$time = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | select name, LastLogonDate | export-csv -path c:\temp\inactivecomputers.csvYou can change the inactivity time to anything you want. For example, to change it to 90 days change this line.
$DaysInactive = 90Option 2. Find and Cleanup Old Computers with the AD Cleanup Tool
The AD Cleanup Tool makes it easy to find and cleanup old computers in Active Directory.
- Select “Inactive Computers” and the time range. Then click “Run”. It defaults to last 90 days.
- Select to delete, disable, move or export the inactive computers. You can select all computers from the list of individual ones.
- The AD Cleanup Tool also includes filters to find disabled computers, and computers with no logons.
List inactive computers.
Cleanup the list of old computers with the following actions:
- Delete
- Disable
- Move
- Export
Additional filters to find inactive and stale computer accounts.
Move Inactive Computers to another OU
To move computers, select one or more from the list and click the move button.
You will be prompted to select an OU. I recommend creating an OU called disabled or inactive.
Now if I check the OU in Active Directory, I’ll see that the accounts have been moved.
Best Practices for dealing with Stale Computer Accounts
Here are my recommendations for dealing with inactive and stale computer Accounts.
- Disable the computer account for x period of time (such as 90 days) before deleting them.
- Search for inactive computers were the lastLogonTimestap has not been updated in at least 90 days.
- Export the list of inactive computers and share it other staff members.
- When you disable the computer object add a description with the date and your initials. This is very helpful for other admins in case someone asks why a computer was disabled.
- Run a cleanup process on Active Directory once a month.
Hopefully, you found this tutorial helpful. If you have questions or run into any problems, post a comment below.
Related Article: How to find inactive users in Active Directory
AD Cleanup Tool
Quickly find and cleanup stale user and computer accounts
Related AD Reports
will you please tell me the way to allow non administrators (IT support team)
to join workstation to domain and perform some troubleshooting tasks, such as running network diagnostics task,installing softwares etc.
You can use the delegation control wizard to allow non administrators access to perform certain tasks.
Here is a video I made for delegating reset permissions to a security group for the helpdesk.
https://www.youtube.com/watch?v=VXDVwRGW-Qs
The last three powershell commands worked great.
You should add that they need to be run sequentially.
Inactive accounts and their access permissions can be used to access network resources. So it is necessary to manage and remove inactive Active Directory accounts using PowerShell and Solution:
https://www.lepide.com/how-to/manage-inactive-ad-accounts-with-lepideauditor.html
http://expert-advice.org/active-directory/powershell-to-find-inactive-ad-users-and-computers-accounts/
Peter,
You are absolutely right, if inactive accounts are not removed they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.