How to Find Inactive Computers in Active Directory with or without PowerShell

Native Auditing
Netwrix Auditor for Active Directory
Steps

If you want to run the Get-ADComputer PowerShell cmdlet on a domain workstation, you have to download and install Active Directory Administrative Center (ADAC) or the ActiveDirectory PowerShell module on that machine.

  1. Open the PowerShell ISE → Run the following PowerShell commands, adjusting the value of the $DaysInactive variable to suit your needs (the sample script below will search for and collect all computers that have not logged in for the last 90 days):

# Specify inactivity range value below
$DaysInactive = 90

# $time variable converts $DaysInactive to LastLogonTimeStamp property format for the -Filter switch to work
$time = (Get-Date).AddDays(-($DaysInactive))

# Identify inactive computer accounts
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName, LastLogonDate

  2. To export the list of stale computer accounts to a CSV file, add the Export-CSV PowerShell cmdlet, as shown in this updated PowerShell script:

# Specify inactivity range value below
$DaysInactive = 90

# $time variable converts $DaysInactive to LastLogonTimeStamp property format for the -Filter switch to work
$time = (Get-Date).AddDays(-($DaysInactive))

# Identify and collect inactive computer accounts, then write them to a CSV file
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -ResultSetSize $null -Properties Name, OperatingSystem, SamAccountName, DistinguishedName, LastLogonDate | Export-CSV "C:\Temp\StaleComps.CSV" -NoTypeInformation

  3. Open the file created by the script in Microsoft Excel:
[Figure: file produced by the PowerShell script, opened in Microsoft Excel]
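
Added example (not part of the original article): a variant of the script above that also catches enabled computers that have never logged on, allows for the replication lag of lastLogonTimestamp, and previews a disable step with -WhatIf. The function name Get-StaleComputer, the $SyncLagDays parameter and the default 14-day sync interval are assumptions of this example.

```powershell
# Added example: uses only cmdlets from the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleComputer {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 90,
        # Assumption: the domain keeps the default ms-DS-Logon-Time-Sync-Interval
        # (14 days), so lastLogonTimestamp can trail the real logon by that long.
        [int]$SyncLagDays = 14
    )

    # Push the cutoff back by the sync lag so recently active machines are not flagged.
    $cutoff = (Get-Date).AddDays(-($DaysInactive + $SyncLagDays))
    $props  = 'OperatingSystem', 'LastLogonDate', 'PasswordLastSet', 'whenCreated'

    # Enabled computers that last logged on before the cutoff, or that have no
    # lastLogonTimestamp at all (never logged on) and were created before the cutoff.
    # A plain "-lt" comparison does not match accounts where the attribute is unset.
    $filter = 'Enabled -eq $true -and (LastLogonTimeStamp -lt $cutoff -or ' +
              '(LastLogonTimeStamp -notlike "*" -and whenCreated -lt $cutoff))'

    Get-ADComputer -Filter $filter -ResultPageSize 2000 -Properties $props |
        Select-Object Name, DistinguishedName, OperatingSystem, LastLogonDate,
            PasswordLastSet, whenCreated,
            @{ n = 'NeverLoggedOn'; e = { -not $_.LastLogonDate } },
            # Second signal: a live domain member rotates its machine password
            # (every 30 days by default), so an old PasswordLastSet corroborates.
            @{ n = 'PasswordStale'; e = { $_.PasswordLastSet -lt $cutoff } }
}

$stale = Get-StaleComputer -DaysInactive 90
$stale | Export-Csv 'C:\Temp\StaleComps.CSV' -NoTypeInformation

# Dry run of the disable step: -WhatIf reports what would change and changes nothing.
# Only candidates whose machine password is also stale are passed on.
$stale | Where-Object PasswordStale |
    ForEach-Object { Disable-ADAccount -Identity $_.DistinguishedName -WhatIf }
```

Review the CSV before removing -WhatIf; servers that are intentionally offline or rarely domain-connected will appear in the list.
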
Netwrix Auditor for Active Directory

  1. Run Netwrix Auditor → Navigate to “Reports” → Expand the “Active Directory” section → Go to “Active Directory – State-in-Time” → Select “Computer Accounts – Last Logon Time” → Click “View”.
  2. If you want to limit the list by period of inactivity (for instance, to list only computers with a last logon 30 days ago or longer), adjust the “Inactive Days” parameter and switch “Status” to “Enabled” → Click “View Report”.
[Figure: Computer Accounts – Last Logon Time report in Netwrix Auditor]
  3. To save the report, click the “Export” button → Choose a format from the dropdown menu → Click “Save”.

Don’t Waste Your Time on PowerShell Scripting Whenever You Need to Get Inactive Computers

Inactive Active Directory users and computers pose a serious security and compliance risk. Inactive computers in a Microsoft AD domain often store sensitive data that can be stolen by hackers, and any inactive account can serve as an entry point to your IT environment, enabling attackers to quietly gain access to critical IT systems like Microsoft Active Directory, Windows Server or Exchange.

Accordingly, security best practices recommend disabling inactive Active Directory accounts. But the reality is, IT administrators are often too overwhelmed by other management tasks to make identifying and disabling stale computer accounts a priority. Therefore, it’s critical to have an easy way to list all inactive computers and disable them to reduce your attack surface area and strengthen the security of your IT environment.

PowerShell is one of many tools that can help you find inactive computers in your Active Directory. Using PowerShell, you can get inactive computers and export them to a CSV file; you can even schedule a script to run regularly to report on stale computer objects. However, creating and maintaining the scripts takes both time and expertise with PowerShell commands. Moreover, while the scripts can collect inactive computer accounts, they do not help with the critical step of disabling them.

Netwrix Auditor for Active Directory dramatically simplifies the entire job. It includes a ready-to-use report that lists all inactive computers along with the last logon time for each. Plus, it has a built-in Inactive User Tracking tool that can automatically disable all computer and user accounts that have been inactive for more than a specified number of days, helping you keep your IT environment secure with far less effort.
