Finding Old Computer Accounts in Active Directory with Powershell
Date: 20 June 2011
Following up on a previous post discussing finding old user accounts in Active Directory, here’s how you find old computer accounts.
This works on basically the same premise as the user script. In short, we’re going to check the last time the computer logged into Active Directory. That happens on every reboot and from time to time while the machine is up. The same warning applies to computers as it does for user accounts. The last logon timestamp is only accurate to about a week. Since people are generally checking back six months or more, it isn’t much of an issue.
To get the list of stale machines:
get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | FT Name,LastLogonDate
You can throw a sort in there if you’d like.
get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | sort Name | FT Name,LastLogonDate
It’s just as easy to delete all of those accounts. I’ve added a -whatif
to
make it harder to do something stupid with cut-and-paste. Take it off to
actually delete the computer accounts.
get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | Remove-ADComputer -whatif
Updated 2011-06-20 14:15: Added a missing =}= to every example. Don’t you hate it when you have a bug in your code and you copy and paste that same line over and over again? Me, too.