{"id":751,"date":"2017-12-20T22:40:53","date_gmt":"2017-12-20T22:40:53","guid":{"rendered":"http:\/\/activedirectorypro.com\/?p=751"},"modified":"2023-11-23T16:39:33","modified_gmt":"2023-11-23T16:39:33","slug":"find-remove-old-computer-accounts-active-directory","status":"publish","type":"post","link":"https:\/\/activedirectorypro.com\/find-remove-old-computer-accounts-active-directory\/","title":{"rendered":"How to Find and Remove Old Computer Accounts in Active Directory"},"content":{"rendered":"
\n\n

In this guide, I’ll show you how to find inactive computers in Active Directory using PowerShell. I’ll also show you how to remove old computers from Active Directory. <\/p>\n\n\n\n

Inactive computers can lead to big problems such as inaccurate reporting, group policy slowness, software distribution issues, and security issues.<\/p>\n\n<\/div><\/div>\n\n

\n
\n
\n\n

Find Inactive Computers in Active Directory using PowerShell<\/h2>\n\n\n\n

In this example, I’ll use the get-adcomputer PowerShell command to find computers that have been inactive for 60 days. <\/p>\n\n\n\n

Step 1<\/strong>. Open PowerShell as Administrator.<\/p>\n\n\n\n

Step 2<\/strong>. Copy and paste the command below. <\/p>\n\n\n\n

$DaysInactive = 60\n$time = (Get-Date).Adddays(-($DaysInactive))\nGet-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | select name, LastLogonDate<\/code><\/pre>\n\n\n\n
Below is a screenshot from my domain. <\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Step 3<\/strong>. To export the list of inactive computers use this command. <\/p>\n\n\n\n
$DaysInactive = 60\n$time = (Get-Date).Adddays(-($DaysInactive))\nGet-ADComputer -Filter {LastLogonDate -lt $time} -Properties Name, LastLogonDate | select name, LastLogonDate | export-csv -path c:\\temp\\inactivecomputers.csv<\/code><\/pre>\n\n<\/div><\/div><\/div>\n\n
\n\n
Option #2 Find Stale Computers using the AD Cleanup Tool<\/h2>\n\n\n\n
In this example, I\u2019ll use the AD Cleanup Tool<\/a> from the AD Pro Toolkit. This tool makes it easy to find inactive computers in Active Directory. <\/p>\n\n\n\n
Step 1<\/strong>. Select “Inactive Computers” and the time range. Then click “Run” I chose inactive computers for the last 90 days.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
Step 2.<\/strong> Export, Disable, or Move the list of inactive computers. <\/p>\n\n\n\n
Select the computers you want to take action on and choose one of the action buttons. <\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
With the cleanup tool you can also find disable and accounts with no logon history.  <\/p>\n\n<\/div><\/div><\/div>\n<\/div>\n<\/div><\/div>\n\n\n
How to Remove Old Computers from Active Directory<\/h2>\n\n\n\n
Now that you know how to find Inactive Computers let’s walk through how to remove them. <\/p>\n\n\n\n
I recommend that you first move the inactive computers to an OU and disable them. After 60 days (or whatever time frame you choose) with no issue then it is saved to delete the computer accounts.  <\/p>\n\n\n\n
With the AD Cleanup Tool, you can easily bulk move and disable computer accounts. <\/p>\n\n\n\n
In this example, I’ll bulk move computers to an OU called disabled. <\/p>\n\n\n\n
Step 1<\/p>\n\n\n\n
Select the computers and click “Move”.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
You will be prompted to select an OU. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Click OK and the selected computers will be moved to the OU. <\/p>\n\n\n\n
Now if I check the OU in Active Directory I’ll see that the accounts have been moved. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Step 2<\/p>\n\n\n\n
To bulk disable the computer accounts select them and click “Disable”.<\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
Step 3 <\/p>\n\n\n\n
To Remove the accounts open the “Disabled” OU in Active Directory, select the computers, right click, and select delete. <\/p>\n\n\n\n
\"\"<\/figure>\n\n\n\n
 <\/p>\n\n\n\n
Find Old Computer Accounts with PowerShell<\/h2>\n\n\n\n
Here are some more examples of using PowerShell to find inactive computers in Active Directory. These examples use the passwordlastset attribute rather than lastlogondate. <\/p>\n\n\n\n
Step 1: Use the Get-ADComputer cmdlet<\/h3>\n\n\n\n
The command below will display all the computers by name and password last set date.<\/p>\n\n\n\n
get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset<\/pre>\n\n\n\n
I can see below there are several computers that haven’t been reset in a long time.<\/p>\n\n\n\n
\"\"<\/a><\/figure>\n\n\n\n
The only problem with this command is that it will display all computers in the domain.<\/p>\n\n\n\n
I only care about computers that haven’t been reset in the last 90 days, there are a couple of ways to deal with this.<\/p>\n\n\n\n
Step 2. Export the results to a CSV <\/h3>\n\n\n\n
To export the report to a CSV file, add export-csv and the path to the end of the command.<\/p>\n\n\n\n
get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset | export-csv c:\\it\\oldcmp\\oldexport.csv<\/pre>\n\n\n\n
Now I can open the results in excel and easily remove what I don’t want.<\/p>\n\n\n\n
Step 3. Add a date variable to filter out computers<\/h3>\n\n\n\n
Another option is to create a variable that will help filter the results. To do this I will use the get-date cmdlet to create a variable that sets the date to 90 days ago.<\/p>\n\n\n\n
Here is the command to create a variable, the -90 sets it to 90 days ago. You can change that to whatever days you like.<\/p>\n\n\n\n
$date = (get-date).adddays(-90)<\/pre>\n\n\n\n
Next, I include the date variable plus the less than (-lt) argument in the original command.<\/p>\n\n\n\n
get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset<\/pre>\n\n\n\n
Now it will display only the computer accounts that are older than 90 days.<\/p>\n\n\n\n
Hopefully, you found this tutorial helpful. If you have questions or run into any problems, post a comment below.<\/p>\n\n\n\n
Related Article:<\/strong> How to find inactive users in Active Directory<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"
In this guide, I’ll show you how to find inactive computers in Active Directory using PowerShell. I’ll also show you how to remove old computers from Active Directory. Inactive computers can lead to big problems such as inaccurate reporting, group policy slowness, software distribution issues, and security issues. How to Remove Old Computers from Active … Read more<\/a><\/p>\n","protected":false},"author":1,"featured_media":770,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1835],"tags":[],"_links":{"self":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/751"}],"collection":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/comments?post=751"}],"version-history":[{"count":3,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/751\/revisions"}],"predecessor-version":[{"id":45158,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/posts\/751\/revisions\/45158"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/media\/770"}],"wp:attachment":[{"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/media?parent=751"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/categories?post=751"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/activedirectorypro.com\/wp-json\/wp\/v2\/tags?post=751"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}