Wed. Feb 18th, 2026

How to Find Inactive Computers in Active Directory Using PowerShell


Keeping your Active Directory clean and free of unused computer accounts is essential for security, reporting accuracy, and overall domain hygiene. One of the most effective ways to identify stale computer objects is by using PowerShell to check when each device last authenticated with the domain.

This guide walks you through how to locate inactive computers based on their LastLogonTimeStamp value and export the results for further analysis.

Why Identify Inactive Computer Accounts?

Inactive computer objects can accumulate over time due to device replacements, decommissioned hardware, or machines that simply never reconnected to the domain. Removing or disabling these accounts helps:

  • Improve security by reducing the attack surface
  • Clean up AD structure and reporting
  • Ensure Group Policy and inventory data remain accurate
  • Support compliance and auditing requirements

Using PowerShell to Find Inactive Computers

The most reliable way to detect stale computer accounts is by checking the LastLogonTimeStamp attribute. This value is replicated across domain controllers and provides a consistent reference point for identifying inactivity.

Step 1: Define the Inactivity Threshold

Start by specifying how many days of inactivity you want to search for. The example below uses 90 days, but you can adjust this to suit your environment.

$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

Step 2: Query Active Directory for Inactive Computers

Next, run the following command to retrieve all computer accounts whose LastLogonTimeStamp is older than the threshold you defined:

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} `
-ResultPageSize 2000 `
-ResultSetSize $null `
-Properties Name, OperatingSystem, SamAccountName, DistinguishedName

This command returns useful details such as:

  • Name
  • OperatingSystem
  • SamAccountName
  • DistinguishedName

Step 3: Export Results to CSV

If you want to analyse the results or share them with colleagues, export the output to a CSV file:

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} `
-ResultPageSize 2000 `
-ResultSetSize $null `
-Properties Name, OperatingSystem, SamAccountName, DistinguishedName |
Export-CSV "C:\Temp\StaleComputers.csv" -NoTypeInformation

You can then open the CSV in Excel or import it into reporting tools.

Customising the Inactivity Period

To change the number of days used to determine inactivity, simply modify the value of $DaysInactive. For example:

$DaysInactive = 120

This flexibility allows you to tailor the script to your organisation’s cleanup policy.

Best Practices for AD Cleanup

  • Disable stale accounts before deleting them
  • Move inactive objects to a quarantine OU
  • Document your cleanup process for auditing
  • Schedule regular reviews using Task Scheduler or a monitoring system
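
The disable-then-quarantine practice above, as an added example that is not part of the original post. It assumes the ActiveDirectory module is available; the quarantine OU distinguished name and the CSV file name are placeholders, and every change runs with -WhatIf so nothing is modified until you remove it.

```powershell
# Added example: quarantine workflow for stale computer accounts (dry run by default).
Import-Module ActiveDirectory

$DaysInactive = 90
# LastLogonTimeStamp can lag the real logon by up to 14 days (see the FAQ),
# so pad the cutoff to avoid flagging machines that are still in use.
$cutoff = (Get-Date).AddDays(-($DaysInactive + 14))

# Placeholder DN: replace with your own quarantine OU.
$QuarantineOU = 'OU=Quarantine,DC=example,DC=com'

# LastLogonDate is the module's DateTime rendering of LastLogonTimeStamp.
$props = 'OperatingSystem', 'LastLogonDate', 'whenCreated'
$all   = Get-ADComputer -Filter 'Enabled -eq $true' -Properties $props

$stale = $all | Where-Object {
    # Accounts that never authenticated have no timestamp and are missed by a
    # plain "-lt" filter; fall back to the creation date for those.
    $lastSeen = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
    ($lastSeen -lt $cutoff) -and ($_.DistinguishedName -notlike "*,$QuarantineOU")
}

# Record what will be touched and where each object came from, for audit and rollback.
$stale |
    Select-Object Name, OperatingSystem, LastLogonDate, whenCreated, DistinguishedName |
    Export-Csv 'C:\Temp\StaleComputers-Quarantine.csv' -NoTypeInformation

foreach ($c in $stale) {
    # Remove -WhatIf only after the CSV has been reviewed.
    Disable-ADAccount -Identity $c -WhatIf
    Move-ADObject     -Identity $c -TargetPath $QuarantineOU -WhatIf
}
```

The exported DistinguishedName column is what lets you move an object back to its original OU if a disabled machine turns out to be in use.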

FAQ

Does LastLogonTimeStamp update in real time?

No. It updates infrequently (every 9–14 days by default) to reduce replication traffic. For most cleanup tasks, it is accurate enough.

Can I use LastLogon instead?

You can, but LastLogon is not replicated between domain controllers. You would need to query every DC individually, which is less efficient.

Should I delete inactive computers immediately?

It’s safer to disable them first and monitor for any issues before permanent removal.

Can I automate this script?

Yes. You can schedule it using Windows Task Scheduler or integrate it into a larger AD maintenance workflow.

Glossary

  • Active Directory (AD): Microsoft’s directory service for managing users, computers, and resources.
  • LastLogonTimeStamp: A replicated AD attribute showing approximately when a computer last authenticated; by default it is only updated every 9–14 days.
  • DistinguishedName (DN): The full AD path of an object.
  • Stale Computer: A device account that has not authenticated for an extended period.
  • CSV: Comma-separated values file used for exporting structured data.

Conclusion

Using PowerShell to identify inactive computer accounts is a fast and reliable way to keep your Active Directory environment clean and secure. By adjusting the inactivity threshold and exporting results for review, you can build a consistent and repeatable cleanup process.

