How to Find Inactive Computers in Active Directory Using PowerShell

If you wish to collect stale computer accounts from Active Directory, you can always use the Get-ADComputer PowerShell cmdlet. As the name suggests, Get-ADComputer targets only computer accounts. Get-ADComputer does not provide any parameter that allows you to specifically collect stale computer accounts; however, it does feature a “-Filter” switch, which lets you specify a criterion.

To identify inactive computer accounts, you will always target those that have not logged on to Active Directory in the last last 90 days. To accomplish this goal, you need to target the LastLogonTimeStamp property and then specify a condition with the time as shown in the following PowerShell commands:

$DaysInactive = 90

$time = (Get-Date).Adddays(-($DaysInactive))

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName

 

As you can see, the $Time variable holds a valid date, and the next PowerShell command is executed with a filter that is set to search only those computer accounts for which the LastLogonTimeStamp has not been updated in the last 90 days. If you wish to search computer accounts that have been inactive for more than 90 days, all you need to do is modify the $DaysInActive variable value. The current value is set at 90 days; however, you can specify your own value. To export output to a CSV file, add the Export-CSV PowerShell cmdlet as shown in the following command:

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName | Export-CSV “C:\Temp\StaleComps.CSV” –NoTypeInformation

Need more PowerShell scripts for Active Directory? Find all the top wanted PowerShell commands for Active Directory in one blog post.