How to Find and Remove Old Computer Accounts in Active Directory

In this guide, I’ll show you how to find inactive computers in Active Directory using PowerShell. I’ll also show you how to remove old computers from Active Directory.

Inactive computers can lead to big problems such as inaccurate reporting, group policy slowness, software distribution issues, and security issues.

Find Inactive Computers in Active Directory using PowerShell

In this example, I’ll use the Get-ADComputer PowerShell cmdlet to find computers that have been inactive for 60 days.

Step 1. Open PowerShell as Administrator.

Step 2. Copy and paste the command below.

$DaysInactive = 60
$time = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | select name, LastLogonDate

Below is a screenshot from my domain.

Step 3. To export the list of inactive computers use this command.

$DaysInactive = 60
$time = (Get-Date).Adddays(-($DaysInactive))
Get-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | select name, LastLogonDate | Export-Csv -Path c:\temp\inactivecomputers.csv -NoTypeInformation

Option #2 Find Stale Computers using the AD Cleanup Tool

In this example, I’ll use the AD Cleanup Tool from the AD Pro Toolkit. This tool makes it easy to find inactive computers in Active Directory.

Step 1. Select “Inactive Computers” and the time range, then click “Run”. I chose inactive computers for the last 90 days.

Step 2. Export, Disable, or Move the list of inactive computers.

Select the computers you want to take action on and choose one of the action buttons.

With the cleanup tool you can also find disabled accounts and accounts with no logon history.

How to Remove Old Computers from Active Directory

Now that you know how to find Inactive Computers let’s walk through how to remove them.

I recommend that you first move the inactive computers to an OU and disable them. After 60 days (or whatever time frame you choose) with no issues, it is safe to delete the computer accounts.

With the AD Cleanup Tool, you can easily bulk move and disable computer accounts.

In this example, I’ll bulk move computers to an OU called disabled.

Step 1

Select the computers and click “Move”.

You will be prompted to select an OU.

Click OK and the selected computers will be moved to the OU.

Now if I check the OU in Active Directory I’ll see that the accounts have been moved.

Step 2

To bulk disable the computer accounts select them and click “Disable”.

Step 3

To remove the accounts, open the “Disabled” OU in Active Directory, select the computers, right-click, and select Delete.
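The same move, disable and delete staging can be scripted with the Active Directory module. This is an added example, not part of the original guide or the AD Pro Toolkit; it reads the CSV exported in the first section, and the OU distinguished name, the grace period and the description stamp are assumptions.

```powershell
# Added example: quarantine reviewed stale computers, delete after a grace period.
# Assumed values: the OU DN (placeholder), both 60-day periods, the stamp format.
Import-Module ActiveDirectory

$ReportPath   = 'c:\temp\inactivecomputers.csv'   # reviewed export from the first section
$QuarantineOU = 'OU=Disabled,DC=example,DC=com'   # placeholder DN, use your own OU
$DaysInactive = 60
$GraceDays    = 60
$cutoff       = (Get-Date).AddDays(-$DaysInactive)

# Phase 1: disable, stamp and move every computer still listed in the report.
foreach ($row in Import-Csv -Path $ReportPath) {
    try {
        $c = Get-ADComputer -Identity $row.name -Properties LastLogonDate, Description
    } catch {
        Write-Warning "Skipping $($row.name): $($_.Exception.Message)"
        continue
    }
    # The machine may have logged on again since the report was exported.
    if ($c.LastLogonDate -ge $cutoff) { continue }

    # Record the date and the original OU so the account can be restored.
    $parent = $c.DistinguishedName -replace '^.+?(?<!\\),', ''
    $note   = 'Quarantined {0:yyyy-MM-dd}; was in {1}; {2}' -f (Get-Date), $parent, $c.Description
    Set-ADComputer -Identity $c.ObjectGUID -Enabled $false -Description $note -WhatIf
    Move-ADObject  -Identity $c.ObjectGUID -TargetPath $QuarantineOU -WhatIf
}

# Phase 2 (run on a later date): delete accounts that are still disabled and
# whose stamp is older than the grace period. -Recursive also deletes child
# objects of the computer, such as stored BitLocker recovery keys.
$expiry = (Get-Date).AddDays(-$GraceDays)
Get-ADComputer -SearchBase $QuarantineOU -Filter 'Enabled -eq $false' -Properties Description |
    Where-Object {
        $_.Description -match '^Quarantined (\d{4}-\d{2}-\d{2})' -and
        [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null) -lt $expiry
    } |
    Remove-ADObject -Recursive -WhatIf
```

Every change carries -WhatIf, so the script only reports what it would do until that switch is removed.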

Find Old Computer Accounts with PowerShell

Here are some more examples of using PowerShell to find inactive computers in Active Directory. These examples use the passwordlastset attribute rather than lastlogondate.

Step 1: Use the Get-ADComputer cmdlet

The command below will display all the computers by name and password last set date.

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset

I can see below that there are several computers whose password hasn’t been reset in a long time.

The only problem with this command is that it will display all computers in the domain.

I only care about computers whose password hasn’t been reset in the last 90 days. There are a couple of ways to deal with this.

Step 2. Export the results to a CSV 

To export the report to a CSV file, add export-csv and the path to the end of the command.

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset | export-csv c:\it\oldcmp\oldexport.csv -NoTypeInformation

Now I can open the results in Excel and easily remove what I don’t want.

Step 3. Add a date variable to filter out computers

Another option is to create a variable that will help filter the results. To do this I will use the get-date cmdlet to create a variable that sets the date to 90 days ago.

Here is the command to create the variable. The -90 sets it to 90 days ago; you can change that to whatever number of days you like.

$date = (get-date).adddays(-90)

Next, I include the date variable plus the less than (-lt) operator in the filter of the original command.

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset

Now it will display only the computer accounts whose password was last set more than 90 days ago.
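An added example (not from the original guide) that combines this section's passwordlastset check with the lastlogondate check from the first section, and also lists accounts that have never logged on, which a -lt filter does not return. The function name Get-StaleComputer and the output columns are assumptions.

```powershell
# Added example: report computers that look stale on BOTH attributes.
# Assumptions: the function name, the 90-day default and the output columns.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param([int]$Days = 90)

    $cutoff = (Get-Date).AddDays(-$Days)
    $props  = 'LastLogonDate', 'PasswordLastSet', 'OperatingSystem'

    # Pull enabled accounts once and compare locally, so that accounts with an
    # empty LastLogonDate (never logged on) are not silently dropped by -lt.
    foreach ($c in Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props) {
        $noLogon  = $null -eq $c.LastLogonDate
        $oldLogon = $noLogon -or $c.LastLogonDate -lt $cutoff
        $oldPwd   = $null -eq $c.PasswordLastSet -or $c.PasswordLastSet -lt $cutoff

        # Flag only when neither attribute shows recent activity.
        if ($oldLogon -and $oldPwd) {
            [pscustomobject]@{
                Name            = $c.Name
                LastLogonDate   = $c.LastLogonDate
                PasswordLastSet = $c.PasswordLastSet
                NeverLoggedOn   = $noLogon
                OperatingSystem = $c.OperatingSystem
            }
        }
    }
}

# Same export path as Step 2 above.
Get-StaleComputer -Days 90 | Sort-Object PasswordLastSet |
    Export-Csv -Path c:\it\oldcmp\oldexport.csv -NoTypeInformation
```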

Hopefully, you found this tutorial helpful. If you have questions or run into any problems, post a comment below.


5 thoughts on “How to Find and Remove Old Computer Accounts in Active Directory”

  1. Will you please tell me the way to allow non-administrators (IT support team) to join workstations to the domain and perform some troubleshooting tasks, such as running network diagnostics tasks, installing software, etc.?

    • Peter,

      You are absolutely right, if inactive accounts are not removed they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.
