PowerShell – Removing old computer accounts from your Active Directory

When starting a migration, it is best practice to clean up your Active Directory first.
But how do you know, especially in large environments, which computer accounts belong to computers that are no longer part of your domain? Most of the time this takes some serious manual labor, which I dislike doing.

So, how can this be automated?

To find old computer accounts:
get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | sort Name | FT Name,LastLogonDate

And to delete the old computer accounts:
get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | Remove-ADComputer
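The two one-liners above find and delete in a single pass. As an added example (not the post's own code), the script below does the same job in stages so that a mistake in the threshold is caught before anything is destroyed: report first, then disable and move the accounts into a holding OU, and only delete what was already staged. It assumes the ActiveDirectory module is available, that the holding OU `OU=Inactive Computers,DC=example,DC=com` is a placeholder you replace with your own DN, and that an account with no lastLogonDate at all is judged by its whenCreated date instead, so a freshly pre-staged account is not swept up.

```powershell
# Added example, not the post's one-liner. Placeholders: $InactiveOU and $ReportPath.
Import-Module ActiveDirectory

function Get-StaleComputer {
    param(
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,  # whole domain unless an OU is given
        [int]$MonthsInactive = 12
    )
    $cutoff = (Get-Date).AddMonths(-$MonthsInactive)
    Get-ADComputer -SearchBase $SearchBase -Filter * -Properties lastLogonDate, whenCreated, OperatingSystem |
        Where-Object {
            # An account that has never logged on has no lastLogonDate; fall back to its creation date
            # so that a newly pre-staged computer account is not treated as stale.
            $last = if ($_.lastLogonDate) { $_.lastLogonDate } else { $_.whenCreated }
            $last -lt $cutoff
        }
}

function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)][ValidateSet('Report', 'Stage', 'Delete')][string]$Mode,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [int]$MonthsInactive = 12,
        # Placeholder DN: create the holding OU and point this at it.
        [string]$InactiveOU = 'OU=Inactive Computers,DC=example,DC=com',
        [string]$ReportPath = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv"
    )
    switch ($Mode) {
        'Report' {
            # Step 1: write the candidate list to CSV and emit it so it can be reviewed before any change.
            $stale = Get-StaleComputer -SearchBase $SearchBase -MonthsInactive $MonthsInactive
            $stale | Select-Object Name, DistinguishedName, OperatingSystem, lastLogonDate, whenCreated |
                Sort-Object lastLogonDate | Export-Csv -Path $ReportPath -NoTypeInformation
            $stale
        }
        'Stage' {
            # Step 2: disable and park the accounts; a machine that turns out to be alive is re-enabled, not rebuilt.
            foreach ($c in (Get-StaleComputer -SearchBase $SearchBase -MonthsInactive $MonthsInactive)) {
                if ($PSCmdlet.ShouldProcess($c.Name, "Disable and move to $InactiveOU")) {
                    Set-ADComputer -Identity $c -Enabled $false `
                        -Description "Staged for removal $(Get-Date -Format yyyy-MM-dd); last logon $($c.lastLogonDate)"
                    Move-ADObject -Identity $c -TargetPath $InactiveOU
                }
            }
        }
        'Delete' {
            # Step 3: delete only accounts that are already disabled and sitting in the holding OU.
            Get-ADComputer -SearchBase $InactiveOU -Filter { Enabled -eq $false } -Properties lastLogonDate |
                ForEach-Object {
                    if ($PSCmdlet.ShouldProcess($_.Name, 'Delete computer object and any child objects')) {
                        # -Recursive is needed for accounts that carry child objects (see the leaf-object error in the comments)
                        Remove-ADObject -Identity $_ -Recursive -Confirm:$false
                    }
                }
        }
    }
}

# Typical run, each step on its own day:
#   Invoke-StaleComputerCleanup -Mode Report -SearchBase 'OU=Workstations,DC=example,DC=com'
#   Invoke-StaleComputerCleanup -Mode Stage -SearchBase 'OU=Workstations,DC=example,DC=com' -WhatIf
#   Invoke-StaleComputerCleanup -Mode Stage -SearchBase 'OU=Workstations,DC=example,DC=com'
#   Invoke-StaleComputerCleanup -Mode Delete -WhatIf
```

Because the function declares SupportsShouldProcess, `-WhatIf` on Stage or Delete prints what would happen without touching the directory, and `-Confirm` prompts per object. Keeping the delete step scoped to the holding OU means a wrong `-SearchBase` or an overly aggressive `-MonthsInactive` can at worst disable machines, which is reversible.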

Next up is finding and removing old user accounts, which I will be posting later today.


  1. Aduser says:

    I receive this message when trying the above command in a Powershell prompt:
    “The term ‘get-adcomputer’ is not recognized as the name of a cmdlet, function,…”

  2. Jeff Wouters says:

    Did you try the command on a domain controller? It only works if the ActiveDirectory PowerShell module is loaded… to load the PowerShell module on a domain controller use the following command:
    Import-Module ActiveDirectory

  3. Stephen says:

    What is the advantage of lastLogonDate to lastLogonTimestamp ?

  4. Jeff Wouters says:

    Hello Stephen,
    The lastLogonTimestamp attribute is intended to help identify inactive computer and user accounts, the same as with lastLogonDate. The big difference is that the lastLogon attribute is not designed to provide real time logon information, where lastLogontimeStamp is. Also, the lastLogontimeStamp attribute is replicated to all domain controllers so that they have the same value for that attribute as soon as the replication is done.
    But in this case you would not need real time information since you're looking for old objects, which are mostly a lot older than a few weeks 😉
    Does this answer your question?

    P.S. Additional info: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
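The attributes discussed in this exchange can be read side by side. The following is an added example, not part of the post or the comments: it reads the non-replicated lastLogon from every domain controller and takes the newest value, and shows that the module's LastLogonDate is simply lastLogonTimestamp converted from a FILETIME. It assumes the ActiveDirectory module is loaded and that every DC is reachable from where it runs.

```powershell
# Added example, not from the post or its comments.
Import-Module ActiveDirectory

function Get-ComputerLogonHistory {
    param([Parameter(Mandatory)][string]$ComputerName)

    # lastLogon is NOT replicated: each DC only knows about logons it serviced itself,
    # so the true most recent logon is the newest value across all DCs.
    $newest = [datetime]::MinValue
    $perDc = foreach ($dc in (Get-ADDomainController -Filter *)) {
        $obj = Get-ADComputer -Identity $ComputerName -Server $dc.HostName -Properties lastLogon
        $ll = if ($obj.lastLogon) { [datetime]::FromFileTime($obj.lastLogon) } else { $null }
        if ($ll -and $ll -gt $newest) { $newest = $ll }
        [pscustomobject]@{ DomainController = $dc.HostName; LastLogon = $ll }
    }

    # lastLogonTimestamp IS replicated, so any DC returns the same value. It is stored as an
    # int64 FILETIME and is only rewritten when the stored value is older than
    # msDS-LogonTimeSyncInterval (14 days by default), so it can lag the real logon by up to that.
    $any = Get-ADComputer -Identity $ComputerName -Properties lastLogonTimestamp, lastLogonDate
    $ts = if ($any.lastLogonTimestamp) { [datetime]::FromFileTime($any.lastLogonTimestamp) } else { $null }

    [pscustomobject]@{
        ComputerName        = $ComputerName
        LastLogonDate       = $any.lastLogonDate   # module-computed: FromFileTime(lastLogonTimestamp)
        LastLogonTimestamp  = $ts                  # same instant as LastLogonDate, converted by hand
        TrueLastLogon       = if ($newest -gt [datetime]::MinValue) { $newest } else { $null }
        PerDomainController = $perDc
    }
}

# Usage: Get-ComputerLogonHistory -ComputerName PC01 | Format-List
```

For a stale-account sweep with a twelve-month threshold the replicated attribute is good enough, exactly as the reply says; the per-DC query is what you reach for when a two-week lag matters, for example when deciding whether a specific machine was in use last week.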

  5. Jeff Wouters says:

    Dear Shadowman,

    The post you've linked to is from 8 April 2012, whereas my post is from 14 October 2011.
    Next to that, the code is the same but the post itself is not, so no copy-paste…

    So if you make such an allegation of me ripping off someone's hard work, please be damn sure you get your facts straight!!!


  6. Derek says:

    How would I modify this to search only a specific OU? Thanks.

  7. Jeff Wouters says:

    Hi Derek,
    You can use the -SearchBase parameter for that:
    get-adcomputer -SearchBase "CN=Computers,DC=Fabrikam,DC=com" -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | Remove-ADComputer

  8. Derek says:


  9. PaulKemp says:

    Great! Thank you! And now for the users…

  10. greyhatbrat says:

    Great post! very helpful. My network admin steers away from deleting anything in AD. Is there a way we can move computers like this to an “Inactive Computers” OU? Would this be proper? I don’t think the admin would like me testing scripts on a DC lol.

    get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | Move-ADObject -TargetPath 'OU=Inactive Computers,DC=domainname,DC=org'

  11. Jeff Wouters says:

    Hi GreyHatBrat, You can use the -SearchBase parameter which is attached to the Get-ADComputer:
    get-adcomputer -properties lastLogonDate -filter * -SearchBase "OU=TestOU,DC=jeffwouters,DC=lan" | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | Remove-ADComputer

  12. BLiTZ says:

    “Remove-ADComputer” fails if the computer account has children nodes such as “Router identity” or “Windows Virtual Machine”. The error message is: “Remove-ADComputer : The directory service can perform the requested operation only on a leaf object”.

    To delete objects with children nodes “Remove-ADComputer” has to be replaced with “Remove-ADObject -Recursive”. So your great one-liner will look this way:

    get-adcomputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-12) } | Remove-ADObject -Recursive

    Anyway, nice job!

  13. michel jon says:

    Thanks for sharing helpful PowerShell to clean up Active Directory. I found a good utility at http://www.lepide.com/active-directory-cleaner/ which helps to manage inactive and disabled accounts in an Active Directory environment. It generates comprehensive reports on inactive accounts and the real last logon details of accounts.
