Finding stale computer accounts

Stale computer accounts are accounts for computers that are stored within Active Directory where the computer hasn’t actually connected to Active Directory for a lengthy amount of time. This will almost always be because the computer has been retired, but the account associated with the computer has not been cleaned up. When planning a migration from Server 2003, one of the tasks you should perform is to clean up your organization’s Active Directory environment by removing these state computer accounts.

What constitutes a lengthy amount of time when determining if an account is stale will vary from organization to organization. Early on in my career the IT department I worked for ran into the problem where some members of staff would go on sabbatical for a number of months, and when they returned found that their computer was no longer joined to the domain.

The following PowerShell script allows you to find computers that haven’t connected to the domain for 180 days. You can change this by altering the 180 figure to whatever works for your organization:

$cutoff = (Get-Date).AddDays(-180)Get-ADComputer -Property Name,lastLogonDate -Filter {lastLogonDate -lt $cutoff} | FT Name,lastLogonDate