How to Find Inactive Computers in Active Directory

In this video, I'll show you how to find inactive computers in Active Directory with PowerShell and the AD Pro Toolkit.

As an Active Directory administrator, it is a good practice to find and disable inactive computer accounts. This will help cleanup unused computers and reduce attacks on old objects in Active Directory.

Microsoft added the lastLogonTimestamp attribute for the intended purpose to help identify inactive computer and user accounts. This attribute is updated with interactive, network and service logons. This attribute is replicated to all domain controllers, the lastlogon attribute is not replicated.

To find inactive computer accounts with the AD Pro Toolkit follow these steps. See the link below to download a free trial of this tool.

1. Click on AD Cleanup
2. Enter number of days with no logons
3. Click run

Its that easy.

Next, you can choose to disable or move the computer accounts to another OU. I recommend disabling inactive computer accounts and moving them to another OU (such as an inactive computers OU). With the AD Pro Toolkit you can also easily find all computers with no logon history or all disabled computers.

To find inactive computers with PowerShell use the following command.

$Date= (Get-Date).AddDays(-90)
Get-ADComputer -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -le $Date } | select Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}}

You can change the $Date variable to any date you need such as 30 days or 180 days.

Download Free Trial of the AD Pro Toolkit:

More Active Directory Tutorials: