How to find and remove old computer accounts in Active Directory

If Active Directory is not routinely cleaned up it can get cluttered with old computer accounts.

This can lead to problems such as inaccurate reporting, slow Group Policy processing, failed software distribution and update deployments, and security exposure: a stale but still-enabled computer account is a valid domain identity that an attacker can use.

In medium to large businesses, you may be surprised at how many unused computers are left in Active Directory.

That is why it’s important to clean up Active Directory from time to time.

In this tutorial, I will show you 3 different Active Directory Tools for finding and removing old computer accounts.

First, you need to understand how these methods (tools) work. There are two attributes that can be used to find old computer accounts:

  1. Last logon time: Active Directory computer objects have an attribute called lastLogonTimestamp, which is updated when the computer authenticates to the domain. It replicates to every domain controller, but to limit replication traffic it is only rewritten when the stored value is more than 14 days old by default (msDS-LogonTimeSyncInterval), so treat it as accurate to within about two weeks. (The older lastLogon attribute is exact but is not replicated, so its value differs from one domain controller to the next.)
  2. Computer password age: Just like user accounts, computers have a password. The computer itself changes it automatically every 30 days by default, and the time of the last change is stored in pwdLastSet (shown as PasswordLastSet by the PowerShell Active Directory module). Because the change is driven by the client, a machine that has been off the network for months will have an old password. The reverse also holds: a machine where the "Domain member: Disable machine account password changes" policy is enabled will look stale by this measure even while in daily use.

The tools used in this tutorial query either the last logon time or the computer password age to decide whether a computer is inactive.
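The following is an added example, not code from the original tutorial or from any of the tools it covers. It reads both attributes for every computer, converts the raw lastLogonTimestamp FILETIME to a date, and only calls a computer "stale" when the two attributes agree, flagging disagreements for a human to check. It assumes the ActiveDirectory module (RSAT) is installed and that you can read computer objects; the function name and the stale/check/active labels are this example's own.

```powershell
# Added example; not code from the original tutorial.
# Assumes the ActiveDirectory module (RSAT) is installed and the caller can read
# computer objects. Get-ComputerStaleness and the verdict labels are this
# example's own conventions.
Import-Module ActiveDirectory

function Get-ComputerStaleness {
    param(
        [int]$Days = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    Get-ADComputer -Filter * -SearchBase $SearchBase `
        -Properties lastLogonTimestamp, PasswordLastSet, OperatingSystem |
    ForEach-Object {
        # lastLogonTimestamp is a raw 64-bit FILETIME (100-ns ticks since 1601-01-01 UTC).
        # Empty or 0 means no logon has ever been recorded in it.
        $lastLogon = if ($_.lastLogonTimestamp) {
            [DateTime]::FromFileTime($_.lastLogonTimestamp)
        } else { $null }

        # pwdLastSet uses the same FILETIME format; the AD module already exposes it
        # converted to a DateTime as PasswordLastSet (null if never set).
        $pwdSet = $_.PasswordLastSet

        $logonStale = ($null -eq $lastLogon) -or ($lastLogon -lt $cutoff)
        $pwdStale   = ($null -eq $pwdSet)    -or ($pwdSet   -lt $cutoff)

        # 'stale' only when both attributes agree. A machine whose password rotation
        # is disabled by policy looks stale by password age while still logging on,
        # and lastLogonTimestamp can lag real activity by up to 14 days.
        $verdict = if ($logonStale -and $pwdStale)    { 'stale' }
                   elseif ($logonStale -or $pwdStale) { 'check' }
                   else                               { 'active' }

        [pscustomobject]@{
            Name            = $_.Name
            OperatingSystem = $_.OperatingSystem
            Enabled         = $_.Enabled
            LastLogon       = $lastLogon
            PasswordLastSet = $pwdSet
            Verdict         = $verdict
        }
    }
}

# Accounts that need a human look come first ('check'), then the agreed-stale ones.
Get-ComputerStaleness -Days 90 |
    Where-Object { $_.Verdict -ne 'active' } |
    Sort-Object Verdict, LastLogon |
    Format-Table Name, OperatingSystem, Enabled, LastLogon, PasswordLastSet, Verdict -AutoSize
```

Computers that land in the 'check' bucket are the ones the tools below can misjudge: clustered servers and machines with password changes disabled tend to be old by password age but current by logon, while a laptop that has been away for a few weeks can be the other way round.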

Warning: Some of these methods can be very dangerous. Deleting a computer object is not reversible unless the Active Directory Recycle Bin is enabled, and the machine will have to be re-joined to the domain.

I would not immediately delete computer accounts reported by these tools. My advice is to use these tools to find stale computers, disable them for x amount of days, then delete them. You may have mobile users, VPN users, and users that work from home, and those computers will sometimes show up in these tools. It's safer to disable accounts; if they are still active you can simply re-enable them.

Method 1: AD Cleanup Tool

I created the AD Cleanup Tool to simplify the process of finding and removing old computer accounts in Active Directory. In addition to cleaning up old computer accounts, it can also find inactive users, disabled accounts, expired accounts, users with no logon history, and empty groups.

This tool uses the last logon timestamp to find old computers, you can change the inactivity to any number of days. Let’s look at an example.

Step 1. Download AD Cleanup Tool

You can download a free trial of this tool and test it out in your network


Step 2. Select inactivity time

Open the tool and enter in days of inactivity (No logons within).


Step 3. Select a search scope

You can search the entire domain or pick an OU or group (or multiple OUs and groups)


Step 4. Click Run

Now click the run button and the results will be displayed.

All done. You should now have a list of old computer and user accounts that have no logons within the time range you specified.

The results table displays each account's displayName, lastLogon, status, distinguishedName, and objectType.

Key Features

  • You can sort and filter each column
  • Use the search icon to search the results
  • Use the filter dropdown to limit the search to users, computers or both
  • You can bulk move accounts and disable accounts
  • Find disabled accounts, expired accounts, unused accounts, and empty groups
  • Results can be exported by using the export button.

That’s it for method 1.

The AD Cleanup Tool includes a free trial so you can try it out in your AD environment.

Method 2: Oldcmp command line tool

Oldcmp is a command line tool that was built specifically for cleaning up old computer accounts. Instead of checking the last logon time, this tool checks the computer's password age. By default it looks for passwords 90 days old or older, but this can be changed.

This tool has many safeguards in place to prevent you from blowing up Active Directory. It is a very powerful tool with lots of options, which makes it a great choice for automating the whole cleanup process. It's an old tool but it still works against newer domain controllers; I've tested it on a 2016 DC.

Some built-in safeguards:

  • You can only delete machine accounts that are disabled
  • By default it will only modify 10 accounts at a time, if you want more you have to specify the number.
  • You must include the FORREAL option to really make changes
  • It will not modify domain controller accounts

Like I said, there are many safeguards built in, which is a good thing. Trust me.

Let’s look at how to use this tool with a few examples.

Download and setup

You can download oldcmp from here

http://www.joeware.net/freetools/tools/oldcmp/index.htm

Extract the zip file and put the oldcmp.exe somewhere that’s easy to access from the command line.

I put mine at c:\it\oldcmp\oldcmp.exe

To run these commands open command prompt and change to the directory where the exe is located.

Example 1

oldcmp -report

This generates an HTML report of computers whose password is 90 days old or older (the default age). Nothing is changed.

Example 2

oldcmp -forreal -unsafe

This example makes changes for real (-forreal) and relaxes the built-in safety checks (-unsafe) so that the stale accounts are disabled. The default action is the report, so confirm the exact action switch against the usage page linked below before running it.

Example 3

oldcmp -delete -onlydisabled -unsafe -forreal

This command finds computer accounts that are already disabled and whose password is older than 90 days, and deletes them for real.

There are more examples and documentation of all the command line options here

http://www.joeware.net/freetools/tools/oldcmp/usage.htm

That’s it for method 2.

Method 3: Find old computer accounts with PowerShell

This last method uses PowerShell to query the PasswordLastSet (pwdLastSet) attribute. You will need the PowerShell Active Directory module (part of RSAT) loaded for this to work.

The command below will display all the computers by name and password last set date.

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset

I can see below there are several computers that haven’t been reset in a long time.

The only problem with this command is that it will display all computers in the domain.

I only care about computers that haven’t been reset in the last 90 days, there are a couple of ways to deal with this.

1. Export the results to a CSV 

To export to a csv I just add export-csv and the path to the end of the command

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset | export-csv c:\it\oldcmp\oldexport.csv

Now I can open the results in excel and easily remove what I don’t want.

2. Add a date variable to filter out computers

Another option is to create a variable that will help filter the results. To do this I will use the get-date cmdlet to create a variable that sets the date to 90 days ago.

Here is the command to create a variable, the -90 sets it to 90 days ago. You can change that to whatever days you like.

$date = (get-date).adddays(-90)

Now I include the date variable and the less-than (-lt) comparison operator in the original command's filter.

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset

Now it will display only the computer accounts that are older than 90 days.

This last step is optional, but I will add a command to automatically remove the accounts.

To accomplish that I pipe the results into the Remove-ADObject cmdlet. Remove-ADComputer fails on any computer that has child objects (BitLocker recovery information, for example), which is why Remove-ADObject with -Recursive is used here. Be aware that -Recursive deletes those child objects too, and that -Confirm:$false suppresses every prompt, so run the command with -WhatIf first.

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | remove-adobject -recursive -verbose -confirm:$false
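The following is an added example, not code from the original tutorial. It turns the disable-then-delete advice from the warning at the top of this page into a repeatable script built on the same PasswordLastSet test as the commands above: stage 1 disables stale computers and stamps the date into Description, stage 2 deletes only the computers this script disabled at least a grace period ago, and domain controllers are excluded by primaryGroupID. It assumes the ActiveDirectory module and rights to modify and delete computer objects under the search base; the function name and the STALE-DISABLED description marker are this example's own conventions.

```powershell
# Added example; not code from the original tutorial.
# Assumes the ActiveDirectory module and rights to modify/delete computer
# objects under $SearchBase. Invoke-StaleComputerCleanup and the STALE-DISABLED
# marker are this example's own conventions.
Import-Module ActiveDirectory

function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param(
        [int]$InactiveDays = 90,                                  # password-age threshold
        [int]$GraceDays    = 30,                                  # disabled this long before deletion
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [string]$Tag = 'STALE-DISABLED'                           # marker written to Description
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Stage 1: disable enabled computers whose password is older than the cutoff and
    # stamp Description with the date, so stage 2 can tell our disables from others.
    Get-ADComputer -Filter { PasswordLastSet -lt $cutoff -and Enabled -eq $true } `
        -SearchBase $SearchBase -Properties PasswordLastSet, Description, PrimaryGroupID |
    Where-Object { $_.PrimaryGroupID -notin 516, 521 } |   # 516 = Domain Controllers, 521 = RODCs
    ForEach-Object {
        $stamp = "$Tag $(Get-Date -Format 'yyyy-MM-dd') (was: $($_.Description))"
        if ($PSCmdlet.ShouldProcess($_.Name, "Disable; password last set $($_.PasswordLastSet)")) {
            Set-ADComputer -Identity $_ -Enabled $false -Description $stamp
        }
    }

    # Stage 2: delete computers this function disabled at least $GraceDays ago.
    # A machine someone re-enabled in the meantime no longer matches Enabled -eq $false
    # and is left alone; disabled accounts without our marker are also skipped.
    $deleteBefore = (Get-Date).AddDays(-$GraceDays)
    Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $SearchBase -Properties Description |
    ForEach-Object {
        if ($_.Description -match "^$Tag (\d{4}-\d{2}-\d{2})") {
            $disabledOn = [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', [cultureinfo]::InvariantCulture)
            if ($disabledOn -lt $deleteBefore -and
                $PSCmdlet.ShouldProcess($_.Name, "Delete; disabled on $($Matches[1])")) {
                # -Recursive also removes child objects such as BitLocker recovery
                # information; export anything you still need from them before this runs.
                Remove-ADObject -Identity $_ -Recursive -Confirm:$false
            }
        }
    }
}

# Dry run first, then the real thing:
Invoke-StaleComputerCleanup -InactiveDays 90 -GraceDays 30 -WhatIf
# Invoke-StaleComputerCleanup -InactiveDays 90 -GraceDays 30 -Confirm:$false
```

Run it on a schedule and each pass advances accounts one stage; because ConfirmImpact is High, calling it without -WhatIf or -Confirm:$false prompts for every change, which is the behaviour you want when someone runs it by hand.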

That’s it for method 3.

Hopefully, you found this tutorial helpful.

If you have questions or run into any problems, post a comment below.


5 thoughts on “How to find and remove old computer accounts in Active Directory”

    • Peter,

      You are absolutely right, if inactive accounts are not removed they can be used to gain access to resources. This is why I run a monthly task to check and remove inactive computer and user accounts.

  1. The last three powershell commands worked great.

    You should add that they need to be run sequentially.

  2. Will you please tell me the way to allow non-administrators (IT support team)
    to join workstations to the domain and perform some troubleshooting tasks, such as running network diagnostic tasks, installing software, etc.?

    • You can use the delegation control wizard to allow non administrators access to perform certain tasks.

      Here is a video I made for delegating reset permissions to a security group for the helpdesk.

      https://www.youtube.com/watch?v=VXDVwRGW-Qs

