14 Oct 2011 @ 9:36 AM 

When starting a migration, it is best practice to clean up your Active Directory.
But how do you know, especially in large environments, which computer accounts belong to computers that are no longer part of your domain? Most of the time, this will take some serious manual labor, which I dislike doing.

So, how can this be automated?

To find old computer accounts:
Get-ADComputer -Properties LastLogonDate -Filter * | Where-Object { $_.LastLogonDate -lt (Get-Date).AddMonths(-12) } | Sort-Object Name | Format-Table Name,LastLogonDate

And to delete the old computer accounts:
Get-ADComputer -Properties LastLogonDate -Filter * | Where-Object { $_.LastLogonDate -lt (Get-Date).AddMonths(-12) } | Remove-ADComputer -WhatIf
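
A more cautious variant of the cleanup above, as an added example that is not part of the original post: it writes the candidates to a CSV report and disables them instead of deleting them, and it judges accounts that have never logged on (empty LastLogonDate, which the comparison above also matches) by their creation date. The function name, its parameters and the report path are assumptions.

```powershell
# Added example, not from the original post. Function name, parameters and
# the report path are hypothetical; the 12-month default matches the post.
Import-Module ActiveDirectory

function Disable-StaleADComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]$Months = 12,
        [string]$SearchBase,                              # optional OU to limit the search
        [string]$ReportPath = '.\stale-computers.csv'     # hypothetical report location
    )

    $cutoff = (Get-Date).AddMonths(-$Months)

    $query = @{
        Filter     = 'Enabled -eq $true'                  # skip accounts that are already disabled
        Properties = 'LastLogonDate', 'whenCreated', 'OperatingSystem'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    $stale = Get-ADComputer @query | Where-Object {
        if ($_.LastLogonDate) {
            $_.LastLogonDate -lt $cutoff
        }
        else {
            # Never logged on: $null -lt <date> is $true in PowerShell, so a
            # freshly joined or pre-staged computer would match. Use its age instead.
            $_.whenCreated -lt $cutoff
        }
    } | Sort-Object Name

    # Always write the report, even during a -WhatIf run
    $stale |
        Select-Object Name, DistinguishedName, LastLogonDate, whenCreated, OperatingSystem |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false

    foreach ($computer in $stale) {
        if ($PSCmdlet.ShouldProcess($computer.DistinguishedName, 'Disable computer account')) {
            Disable-ADAccount -Identity $computer
        }
    }

    $stale    # return the affected objects for further review
}

# Dry run: reports what would be disabled and changes nothing in the directory
Disable-StaleADComputer -Months 12 -WhatIf
```

Disabled accounts can be re-enabled if a machine turns out to be in use, and the reviewed list can be piped to Remove-ADComputer afterwards.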

Next up is finding and removing old user accounts, which I will be posting later today :-)


Posted By: Jeff Wouters
Last Edit: 23 Apr 2012 @ 06:20 AM



  • Aduser

    I receive this message when trying the above command in a PowerShell prompt:
    “The term ‘get-adcomputer’ is not recognized as the name of a cmdlet, function,…”

  • http://www.jeffwouters.nl Jeff Wouters

    Did you try the command on a domain controller? It only works if the ActiveDirectory PowerShell module is loaded… to load the PowerShell module on a domain controller use the following command:
    Import-Module ActiveDirectory

  • Stephen

    What is the advantage of lastLogonDate over lastLogonTimestamp?

  • http://www.jeffwouters.nl Jeff Wouters

    Hello Stephen,
    The lastLogonTimestamp attribute is intended to help identify inactive computer and user accounts, the same as with lastLogonDate. The big difference is that the lastLogon attribute is not designed to provide real time logon information, where lastLogontimeStamp is. Also, the lastLogontimeStamp attribute is replicated to all domain controllers so that they have the same value for that attribute as soon as the replication is done.
    But in this case you would not need real time information since you're looking for old objects, which are mostly a lot older than a few weeks ;-)
    Does this answer your question?
    Jeff.

    P.S. Additional info: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx

