In this guide, I’ll show you how to find inactive computers in Active Directory using PowerShell. I’ll also show you how to remove old computers from Active Directory.
Inactive computers can lead to big problems such as inaccurate reporting, group policy slowness, software distribution issues, and security issues.
Find Inactive Computers in Active Directory using PowerShell
In this example, I’ll use the get-adcomputer PowerShell command to find computers that have been inactive for 60 days.
Step 1. Open PowerShell as Administrator.
Step 2. Copy and paste the command below.
# Computers with no logon in this many days are treated as inactive
$DaysInactive = 60
$time = (Get-Date).AddDays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | Select-Object Name, LastLogonDate
Below is a screenshot from my domain.
Step 3. To export the list of inactive computers, use this command.
$DaysInactive = 60
$time = (Get-Date).AddDays(-($DaysInactive))
# Same query as above, written to a CSV file
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv -Path c:\temp\inactivecomputers.csv
Option #2: Find Stale Computers using the AD Cleanup Tool
In this example, I’ll use the AD Cleanup Tool from the AD Pro Toolkit. This tool makes it easy to find inactive computers in Active Directory.
Step 1. Select “Inactive Computers” and the time range, then click “Run”. I chose inactive computers for the last 90 days.
Step 2. Export, Disable, or Move the list of inactive computers.
Select the computers you want to take action on and choose one of the action buttons.
With the cleanup tool, you can also find disabled accounts and accounts with no logon history.
How to Remove Old Computers from Active Directory
Now that you know how to find inactive computers, let’s walk through how to remove them.
I recommend that you first move the inactive computers to an OU and disable them. After 60 days (or whatever time frame you choose) with no issues, it is safe to delete the computer accounts.
With the AD Cleanup Tool, you can easily bulk move and disable computer accounts.
In this example, I’ll bulk move computers to an OU called “Disabled”.
Step 1
Select the computers and click “Move”.
You will be prompted to select an OU.
Click OK and the selected computers will be moved to the OU.
Now if I check the OU in Active Directory I’ll see that the accounts have been moved.
Step 2
To bulk disable the computer accounts select them and click “Disable”.
Step 3
To remove the accounts, open the “Disabled” OU in Active Directory, select the computers, right-click, and select Delete.
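The same staged cleanup (disable and park first, delete only after a grace period) can be done with the ActiveDirectory module instead of the AD Cleanup Tool. This is an added example, not code from the article or the toolkit; the OU distinguished name is a placeholder you must replace, and the disable date is recorded in the account’s Description so the delete stage does not have to trust whenChanged.

```powershell
Import-Module ActiveDirectory

function Invoke-StaleComputerCleanup {
    # SupportsShouldProcess lets -WhatIf flow into every AD cmdlet below
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$DaysInactive = 60,   # no logon for this long => disable and park
        [int]$DaysDisabled = 60,   # parked for this long   => delete
        [string]$DisabledOU = 'OU=Disabled Computers,DC=example,DC=com'   # placeholder DN, replace
    )

    # Stage 1: enabled computers with no logon since the cutoff are stamped,
    # disabled, and moved into the holding OU. Already-disabled accounts are skipped.
    $Cutoff = (Get-Date).AddDays(-$DaysInactive)
    $Stale  = Get-ADComputer -Filter { Enabled -eq $true -and LastLogonDate -lt $Cutoff } -Properties LastLogonDate
    foreach ($c in $Stale) {
        $stamp = "Disabled $((Get-Date).ToString('yyyy-MM-dd')) - last logon $($c.LastLogonDate)"
        Set-ADComputer -Identity $c -Description $stamp
        Disable-ADAccount -Identity $c
        Move-ADObject -Identity $c -TargetPath $DisabledOU
    }

    # Stage 2: parked accounts whose stamp is older than the grace period are deleted.
    # Only accounts carrying our stamp are touched, so anything parked by hand is left alone.
    $DeleteBefore = (Get-Date).AddDays(-$DaysDisabled)
    $Parked = Get-ADComputer -SearchBase $DisabledOU -Filter { Enabled -eq $false } -Properties Description
    foreach ($c in $Parked) {
        if ($c.Description -match '^Disabled (\d{4}-\d{2}-\d{2})') {
            $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
            if ($disabledOn -lt $DeleteBefore) {
                Remove-ADComputer -Identity $c -Confirm:$false
            }
        }
    }
}

# Preview every change first; remove -WhatIf to apply.
Invoke-StaleComputerCleanup -DaysInactive 60 -DaysDisabled 60 -WhatIf
```

Run the function on a schedule so the two stages keep feeding each other; the -WhatIf run is worth keeping as a report that shows what the next real run would touch.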
Find Old Computer Accounts with PowerShell
Here are some more examples of using PowerShell to find inactive computers in Active Directory. These examples use the PasswordLastSet attribute rather than LastLogonDate.
Step 1: Use the Get-ADComputer cmdlet
The command below will display all the computers by name and password last set date.
Get-ADComputer -Filter * -Properties PasswordLastSet | Select-Object Name, PasswordLastSet | Sort-Object PasswordLastSet
I can see below there are several computers whose passwords haven’t been reset in a long time.
The only problem with this command is that it will display all computers in the domain.
I only care about computers whose password hasn’t been reset in the last 90 days; there are a couple of ways to deal with this.
Step 2. Export the results to a CSV
To export the report to a CSV file, add Export-Csv and the path to the end of the command.
Get-ADComputer -Filter * -Properties PasswordLastSet | Select-Object Name, PasswordLastSet | Sort-Object PasswordLastSet | Export-Csv c:\it\oldcmp\oldexport.csv
Now I can open the results in Excel and easily remove what I don’t want.
Step 3. Add a date variable to filter out computers
Another option is to create a variable that will help filter the results. To do this, I will use the Get-Date cmdlet to create a variable that sets the date to 90 days ago.
Here is the command to create the variable; the -90 sets it to 90 days ago. You can change that to whatever number of days you like.
$date = (Get-Date).AddDays(-90)
Next, I include the date variable plus the less-than (-lt) operator in the original command.
Get-ADComputer -Filter {PasswordLastSet -lt $date} -Properties PasswordLastSet | Select-Object Name, PasswordLastSet | Sort-Object PasswordLastSet
Now it will display only the computer accounts whose password was last set more than 90 days ago.
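Neither attribute alone is a perfect signal: LastLogonDate is read from the replicated lastLogonTimestamp, which can lag the real last logon by up to 14 days, while a domain-joined computer normally rotates its password every 30 days even when nobody logs on. Requiring both to be stale removes most false positives. This is an added example, not from the article; the report path is an assumption.

```powershell
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$Days = 90,
        [string]$CsvPath = 'C:\it\oldcmp\stale-both.csv'   # assumed path
    )
    $Cutoff = (Get-Date).AddDays(-$Days)

    # Enabled computers that are stale on BOTH attributes. A machine with a recent
    # password change but an old logon stamp is excluded: it is still alive.
    Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $Cutoff -and LastLogonDate -lt $Cutoff } `
                   -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
            @{ n = 'DaysSincePasswordSet'; e = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } },
            @{ n = 'DaysSinceLogon';       e = { [int]((Get-Date) - $_.LastLogonDate).TotalDays } } |
        Sort-Object PasswordLastSet |
        Tee-Object -Variable report |
        Export-Csv -Path $CsvPath -NoTypeInformation

    return $report
}

Get-StaleComputerReport -Days 90 | Format-Table -AutoSize
```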
Hopefully, you found this tutorial helpful. If you have questions or run into any problems, post a comment below.
Related Article: How to find inactive users in Active Directory
Will you please tell me the way to allow non-administrators (IT support team)
to join workstations to the domain and perform some troubleshooting tasks, such as running network diagnostics tasks, installing software, etc.
You can use the Delegation of Control Wizard to allow non-administrators access to perform certain tasks.
Here is a video I made for delegating reset permissions to a security group for the helpdesk.
https://www.youtube.com/watch?v=VXDVwRGW-Qs
The last three PowerShell commands worked great.
You should add that they need to be run sequentially.
Inactive accounts and their access permissions can be used to access network resources. So it is necessary to manage and remove inactive Active Directory accounts using PowerShell or a solution:
https://www.lepide.com/how-to/manage-inactive-ad-accounts-with-lepideauditor.html
http://expert-advice.org/active-directory/powershell-to-find-inactive-ad-users-and-computers-accounts/
Peter,
You are absolutely right. If inactive accounts are not removed, they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.