When starting a migration, it is best practice to clean up your Active Directory first.
But how do you know, especially in large environments, which computer accounts belong to computers that are no longer part of your domain? Most of the time this takes some serious manual labor, which I dislike doing.
So, how can this be automated?
To find old computer accounts (lastLogonDate is the AD module's local-time rendering of the replicated lastLogonTimestamp attribute, which a domain controller only updates when the stored value is more than roughly 9 to 14 days old; that is precise enough for a 12-month threshold, but not for anything under a couple of weeks):
Get-ADComputer -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddMonths(-12) } | Sort-Object Name | Format-Table Name,LastLogonDate
And to delete the old computer accounts (review the list from the first command before running this; also note that a computer account which has never logged on has an empty lastLogonDate, and the comparison treats that empty value as older than the cutoff, so freshly pre-staged accounts would be deleted too):
Get-ADComputer -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddMonths(-12) } | Remove-ADComputer
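The same cleanup as an added example (not the post's own code): the selection logic is kept in a small function so it can be tried offline on constructed objects before it is ever pointed at a domain controller. It skips accounts whose lastLogonDate is empty, honours -WhatIf so the deletion can be rehearsed, and falls back to Remove-ADObject -Recursive for computer objects that are not leaves (for instance ones carrying a "Windows Virtual Machine" child object), which Remove-ADComputer refuses. The ActiveDirectory module is assumed for the live part, and the OU in the commented-out lines is a hypothetical placeholder.

```powershell
# Added example, not the original post's code. The live commands at the bottom
# assume the ActiveDirectory module and an account allowed to delete computers.

function Select-StaleComputer {
    <#
      Emits the computers whose LastLogonDate is older than $Cutoff.
      Accounts that have never logged on (LastLogonDate is $null) are skipped
      on purpose: "$null -lt <date>" is $true in PowerShell, so a bare
      comparison would also select freshly pre-staged accounts.
    #>
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [datetime] $Cutoff = (Get-Date).AddMonths(-12)
    )
    process {
        if ($null -eq $Computer.LastLogonDate) { return }   # never logged on: keep it
        if ($Computer.LastLogonDate -lt $Cutoff) { $Computer }
    }
}

function Remove-StaleComputer {
    <#
      Removes one computer object. If the object has child objects it is not a
      leaf and Remove-ADComputer fails, so it goes through Remove-ADObject -Recursive.
      SupportsShouldProcess makes -WhatIf and -Confirm work from the caller.
    #>
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(ValueFromPipeline)] $Computer)
    process {
        $dn = $Computer.DistinguishedName
        $children = Get-ADObject -SearchBase $dn -SearchScope OneLevel -Filter *
        if ($PSCmdlet.ShouldProcess($dn, 'Remove stale computer account')) {
            if ($children) {
                Remove-ADObject -Identity $dn -Recursive -Confirm:$false
            } else {
                Remove-ADComputer -Identity $dn -Confirm:$false
            }
        }
    }
}

# --- Offline dry run on constructed sample objects (no domain needed) ----------
$sample = @(
    [pscustomobject]@{ Name = 'OLD-WS01';  LastLogonDate = (Get-Date).AddMonths(-18) }
    [pscustomobject]@{ Name = 'NEW-WS02';  LastLogonDate = (Get-Date).AddDays(-3) }
    [pscustomobject]@{ Name = 'STAGED-03'; LastLogonDate = $null }   # never logged on
)
$sample | Select-StaleComputer | Format-Table Name, LastLogonDate
# Only OLD-WS01 is listed; STAGED-03 survives despite its empty LastLogonDate.

# --- Against the domain (hypothetical OU; uncomment on a machine with the module)
# Import-Module ActiveDirectory
# $stale = Get-ADComputer -Filter * -Properties LastLogonDate `
#              -SearchBase 'OU=Workstations,DC=fabrikam,DC=com' |
#          Select-StaleComputer
# $stale | Sort-Object Name | Format-Table Name, LastLogonDate   # review first
# $stale | Remove-StaleComputer -WhatIf                          # rehearse
# $stale | Remove-StaleComputer -Confirm:$false                  # delete
```

Run the top part as-is on any machine with PowerShell to see which constructed objects the filter keeps; the -SearchBase line is where you scope the sweep to one OU, and the -WhatIf run prints every distinguished name that would be removed without touching the directory.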
Next up is finding and removing old user accounts, which I will be posting later today.
I receive this message when trying the above command in a Powershell prompt:
“The term ‘get-adcomputer’ is not recognized as the name of a cmdlet, function,…”
Did you try the command on a domain controller? It only works if the ActiveDirectory PowerShell module is loaded. To load the PowerShell module on a domain controller, use the following command:
Import-Module ActiveDirectory
What is the advantage of lastLogonDate over lastLogonTimestamp?
Hello Stephen,
The lastLogonTimestamp attribute is intended to help identify inactive computer and user accounts, the same as lastLogonDate. The big difference is that the lastLogon attribute is not designed to provide real-time logon information, whereas lastLogonTimestamp is. Also, the lastLogonTimestamp attribute is replicated to all domain controllers, so they all have the same value for that attribute as soon as replication is done.
But in this case you would not need real-time information, since you're looking for old objects, which are mostly a lot older than a few weeks 😉
Does this answer your question?
Jeff.
P.S. Additional info: http://blogs.technet.com/b/askds/archive/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works.aspx
Copy/Paste from here: http://www.vspbreda.nl/site/index.php?option=com_content&view=article&id=106
Dear Shadowman,
The post you've linked to is from 8 April 2012, whereas my post is from 14 October 2011.
Next to that, the code is the same but the post itself is not, so no copy-paste...
So if you make such an allegation of me ripping off someone's hard work, please be damn sure you get your facts straight!!!
Jeff.
How would I modify this to search only a specific OU? Thanks.
Hi Derek,
You can use the -SearchBase parameter for that:
Get-ADComputer -SearchBase "CN=Computers,DC=Fabrikam,DC=com" -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddMonths(-12) } | Remove-ADComputer
Thanks.
Great! Thank you! And now for the users…
Hi Paul,
Did a post about that one too: http://jeffwouters.nl/index.php/2011/10/powershell-removing-old-user-accounts-from-your-active-directory
Jeff.
Great post! Very helpful. My network admin steers away from deleting anything in AD. Is there a way we can move computers like this to an "Inactive Computers" OU? Would this be proper? I don't think the admin would like me testing scripts on a DC lol.
Get-ADComputer -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddMonths(-12) } | Move-ADObject -TargetPath 'OU=Inactive Computers,DC=domainname,DC=org'
Hi GreyHatBrat,
You can use the -SearchBase parameter, which is attached to Get-ADComputer:
Get-ADComputer -Properties lastLogonDate -Filter * -SearchBase "OU=TestOU,DC=jeffwouters,DC=lan" | Where-Object { $_.lastLogonDate -lt (Get-Date).AddMonths(-12) } | Remove-ADComputer
"Remove-ADComputer" fails if the computer account has child nodes such as "Router identity" or "Windows Virtual Machine". The error message is: "Remove-ADComputer : The directory service can perform the requested operation only on a leaf object".
To delete objects with child nodes, "Remove-ADComputer" has to be replaced with "Remove-ADObject -Recursive". So your great one-liner will look like this:
Get-ADComputer -Properties lastLogonDate -Filter * | Where-Object { $_.lastLogonDate -lt (Get-Date).AddMonths(-12) } | Remove-ADObject -Recursive
Anyway, nice job!
Thanks for sharing helpful PowerShell to clean up Active Directory. I found a good utility at http://www.lepide.com/active-directory-cleaner/ which helps to manage inactive and disabled accounts in an Active Directory environment. It generates comprehensive reports on inactive accounts and the real last logon details of accounts.