How to find and remove old computer accounts in Active Directory

If Active Directory is not routinely cleaned up, it can get cluttered with old computer accounts.

This can lead to big problems such as inaccurate reporting, group policy slowness, software distribution and patching issues, syncing problems, and so on.

In a medium to large business, you may be surprised at how many unused computers are left in Active Directory.

That is why it’s important to clean up Active Directory from time to time.

In this tutorial, I will show you 3 different methods for finding and removing old computer accounts.

First, you need to understand how these methods (tools) work. There are two attributes that can be used to find old computer accounts:

  1. Last logon time: Active Directory computers have an attribute called lastLogonTimestamp, which stores the last time the computer logged on to the domain.
  2. Computer password age: Just like user accounts, computers have a password. These get changed automatically every 30 days.

The tools used in this tutorial will query either the last logon time or the computer password age to determine if a computer is inactive.

Warning: Some of these methods can be very dangerous.

I would not immediately delete computer accounts reported by these tools. My advice is to use these tools to find stale computers, disable them for a set number of days, and then delete them. You may have mobile users, VPN users, and users that work from home, and those computers will sometimes show up in these tools. It’s safer to disable accounts; if they are still active, you can simply re-enable them.

Method 1: SolarWinds Inactive Computer Removal Tool

This is a free tool from SolarWinds that you can download here; it also includes a tool for cleaning up unused user accounts.

This tool uses the last logon timestamp to find old computers; by default it searches for a last logon time older than 30 days.

Let’s walk through how to use this tool.

1. Download and install the tool

You can download it here

2. Configure connection information

Open the tool and configure the connection information.

Enter the IP or hostname of your domain controller, plus the username and password. If you have multiple domain controllers, it will query them all.

Click the test credentials button to verify the connection.

3. Adjust the settings

Click settings on the left-hand side.

By default, the tool will search for accounts that have not been logged into for 30 days. I will change this to 90 days.

4. Run it to find old accounts

Now go back to the dashboard and click next.

The removal tool will now query Active Directory computers and analyze the last logon time.

You can see in my results below that it has found 73 computers that have not been logged into for at least 90 days. From here I can select specific computers or all of them and click remove. I can also export the results to CSV.

That’s it for method 1.

The SolarWinds tool is a very simple and easy method for finding old computer accounts based on the last logon timestamp.

Method 2: Oldcmp command line tool

Oldcmp is a command line tool that was built specifically for cleaning up old computer accounts. Instead of checking the last logon time, this tool checks the computer’s password age. By default it checks for 90 days, but this can be changed.

This tool has many safeguards in place to prevent you from blowing up Active Directory. It is a very powerful tool with lots of options, making it a great choice to automate the whole cleanup process. It’s an old tool but still works on new domain controllers; I’ve tested it on a 2016 DC.

Some built-in safeguards:

  • You can only delete machine accounts that are disabled.
  • By default it will only modify 10 accounts at a time; if you want more, you have to specify the number.
  • You must include the FORREAL option to really make changes.
  • It will not modify domain controller accounts.

Like I said, there are many safeguards built in, and that is a good thing… trust me.

Let’s look at how to use this tool with a few examples.

Download and setup

You can download oldcmp from here:

http://www.joeware.net/freetools/tools/oldcmp/index.htm

Extract the zip file and put the oldcmp.exe somewhere that’s easy to access from the command line.

I put mine at c:\it\oldcmp\oldcmp.exe

To run these commands, open a command prompt and change to the directory where the exe is located.

Example 1

oldcmp -report

This will generate an HTML report of computers with a password age of 90 days or older.

Example 2

oldcmp -forreal -unsafe

This example will find stale accounts and disable them.

Example 3

oldcmp -delete -onlydisabled -unsafe -forreal

This command will find and remove disabled accounts older than 90 days.

There are more examples and documentation of all the command line options here:

http://www.joeware.net/freetools/tools/oldcmp/usage.htm

That’s it for method 2.


Method 3: Find old computer accounts with PowerShell

This last method uses PowerShell to search the password last set attribute; you will need the PowerShell Active Directory module loaded for this to work.

The command below will display all the computers by name and password last set date.

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset

I can see below that there are several computers whose password hasn’t been reset in a long time.

The only problem with this command is that it will display all computers in the domain.

I only care about computers whose password hasn’t been reset in the last 90 days; there are a couple of ways to deal with this.

1. Export the results to a CSV

To export to a CSV, I just add export-csv and the path to the end of the command:

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset | export-csv c:\it\oldcmp\oldexport.csv

Now I can open the results in Excel and easily remove what I don’t want.

2. Add a date variable to filter out computers

Another option is to create a variable that will help filter the results. To do this, I will use the get-date cmdlet to create a variable that sets the date to 90 days ago.

Here is the command to create the variable; the -90 sets it to 90 days ago. You can change that to however many days you like.

$date = (get-date).adddays(-90)

Now, I include the date variable together with the less-than (-lt) operator in the filter of the original command.

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset

Now it will display only the computer accounts whose password is older than 90 days.

This last step is optional, but I will add a command to automatically remove the accounts.

To accomplish that, I pipe the results into the remove-adobject cmdlet.

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | remove-adobject -recursive -verbose -confirm:$false
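The following script is an added example (not the article’s own code) that ties the PowerShell steps above to the disable-first-then-delete advice from the start of the article: it finds computers by password age, excludes domain controllers, disables and date-stamps them, and only deletes accounts that have been disabled for a grace period. The OU, file path, thresholds and description tag are placeholders, and every modifying cmdlet carries -WhatIf so the script reports what it would change until you remove that switch.

```powershell
# Added example, not from the article. Assumes the ActiveDirectory module is
# available and the caller has rights to modify the target OU.
Import-Module ActiveDirectory

# Placeholder settings: adjust to your environment.
$StaleDays  = 90                                    # password age threshold (article default)
$GraceDays  = 30                                    # days an account stays disabled before deletion
$SearchBase = "OU=Workstations,DC=example,DC=com"   # placeholder OU
$ReportPath = "C:\it\oldcmp\stale-report.csv"        # placeholder report path
$Tag        = "Disabled as stale by cleanup script on"

# Phase 1: enabled computers whose password has not changed in $StaleDays days.
# Domain controllers are skipped via primaryGroupID (516 = Domain Controllers, 521 = RODCs).
$staleDate = (Get-Date).AddDays(-$StaleDays)
$stale = Get-ADComputer -Filter { PasswordLastSet -lt $staleDate -and Enabled -eq $true } `
    -SearchBase $SearchBase -Properties PasswordLastSet, LastLogonDate, PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -notin 516, 521 }

# Keep a record of what was found before anything is touched.
$stale | Select-Object Name, PasswordLastSet, LastLogonDate |
    Sort-Object PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation

foreach ($c in $stale) {
    # Disable rather than delete, and stamp the description with the date so the
    # disable date is recorded in AD itself and can be audited or reversed.
    $stamp = Get-Date -Format 'yyyy-MM-dd'
    Set-ADComputer -Identity $c -Enabled $false -Description "$Tag $stamp" -WhatIf
}

# Phase 2 (intended to run on a later schedule): delete only accounts this script
# disabled at least $GraceDays ago. The description stamp links the two phases, so
# accounts disabled manually for other reasons are never touched.
$cutoff = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $SearchBase -Properties Description |
    Where-Object { $_.Description -like "$Tag *" } |
    ForEach-Object {
        $stampText = $_.Description.Substring($Tag.Length + 1)
        $stamped = [datetime]::ParseExact($stampText, 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
        if ($stamped -lt $cutoff) {
            # Remove-ADObject -Recursive also removes child objects such as
            # BitLocker recovery information, which Remove-ADComputer would refuse.
            Remove-ADObject -Identity $_.DistinguishedName -Recursive -Confirm:$false -WhatIf
        }
    }
```

Review the CSV report and the -WhatIf output after a dry run, and only then remove -WhatIf from the Set-ADComputer and Remove-ADObject calls.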

That’s it for method 3.

Hopefully, you found this tutorial helpful.

You can try out each method and determine which one is best for you. The SolarWinds tool is a good place to start; it is quick and easy to implement. If you’re looking for something more advanced with more options, then either oldcmp or PowerShell should do the trick.

If you have questions or run into any problems, post a comment below.

I’ll be happy to help.


Recommended Tool: SolarWinds Server & Application Monitor (SAM)

This utility was designed to monitor Active Directory and other critical applications. It will quickly spot domain controller issues, prevent replication failures, track failed logon attempts, and much more.

What I like best about SAM is its easy-to-use dashboard and alerting features. It also has the ability to monitor virtual machines and storage.

Download Your Free Trial of SolarWinds Server & Application Monitor.

3 Comments

  1. Peter on December 27, 2017 at 1:15 pm

    Inactive accounts and their access permissions can be used to access network resources. So it is necessary to manage and remove inactive Active Directory accounts using PowerShell and Solution:

    https://www.lepide.com/how-to/manage-inactive-ad-accounts-with-lepideauditor.html

    http://expert-advice.org/active-directory/powershell-to-find-inactive-ad-users-and-computers-accounts/

    • mug on December 30, 2017 at 6:31 pm

      Peter,

      You are absolutely right, if inactive accounts are not removed they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.

  2. Samer Sultan on June 20, 2018 at 8:23 pm

    The last three PowerShell commands worked great.

    You should add that they need to be run sequentially.
