Use Active Directory Computer LastLogonDate to check for offline or decommissioned computers

Over time it's understandable how you could end up with many Active Directory computer accounts that are no longer valid. Normally these are for computers or servers that have been decommissioned or replaced due to failure. It's good practice to remove these accounts as you go, but us sysadmins are busy or sometimes a little lazy!

Over time this can lead to your Active Directory database growing, which can degrade Active Directory performance. Therefore it's a good idea to periodically review your Active Directory for computer accounts that are no longer used. The example PowerShell script below reports computer accounts that have not authenticated in the last 30 days, i.e. have not connected to and authenticated with Active Directory. You can then go and investigate and delete computer accounts as appropriate.

$inactiveDays = 30
$disableDaysInactive = (Get-Date).AddDays(-($inactiveDays))

# List enabled server accounts whose last authentication is OLDER than the cutoff (-lt, not -gt, which would list the active ones instead).
Get-ADComputer -Filter 'operatingsystem -like "*server*" -and enabled -eq "true"' -Properties Name,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate,whenCreated,distinguishedName | Where-Object { $_.LastLogonDate -lt $disableDaysInactive } | Sort-Object OperatingSystem | Format-Table Name,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate -AutoSize
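An added example (not the post's own script) that extends the same LastLogonDate check: it treats accounts that have never logged on as stale only once the object itself is older than the cutoff, warns when the threshold is shorter than the lastLogonTimestamp replication interval, and writes a report for review instead of changing any account. The function name, its parameters and the CSV path are my own choices.

```powershell
# Added example; assumes the ActiveDirectory module is installed and the caller can read computer objects.
Import-Module ActiveDirectory

function Get-StaleADComputer {
    [CmdletBinding()]
    param(
        [int]$InactiveDays = 30,
        [string]$SearchBase        # optional OU distinguished name to narrow the scan
    )

    # LastLogonDate is derived from lastLogonTimestamp, which is only written back to AD
    # when it is more than 9-14 days out of date, so short thresholds produce false positives.
    if ($InactiveDays -lt 14) {
        Write-Warning "Thresholds under 14 days are unreliable: lastLogonTimestamp replicates lazily."
    }
    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    $query = @{
        Filter     = 'enabled -eq "true"'
        Properties = 'OperatingSystem','OperatingSystemVersion','IPv4Address','LastLogonDate','whenCreated'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADComputer @query | ForEach-Object {
        $reason = $null
        if (-not $_.LastLogonDate) {
            # Never authenticated: a freshly joined machine is not stale, an old empty object is.
            if ($_.whenCreated -lt $cutoff) { $reason = 'NeverLoggedOn' }
        }
        elseif ($_.LastLogonDate -lt $cutoff) {
            $reason = 'Inactive'
        }
        if ($reason) {
            [pscustomobject]@{
                Name              = $_.Name
                OperatingSystem   = $_.OperatingSystem
                IPv4Address       = $_.IPv4Address
                LastLogonDate     = $_.LastLogonDate
                WhenCreated       = $_.whenCreated
                DaysSinceLogon    = if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } else { $null }
                Reason            = $reason
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# Produce the review list; disabling (not deleting) is a sensible first step once reviewed,
# e.g. piping selected rows to Disable-ADAccount -WhatIf before doing it for real.
Get-StaleADComputer -InactiveDays 30 |
    Sort-Object DaysSinceLogon -Descending |
    Export-Csv -Path .\stale-computers.csv -NoTypeInformation
```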
