PowerShell: Finding Orphaned Computer Accounts in AD

The other day we decided it was past time to do some cleanup of orphaned computer accounts in our AD. We are about to do some AD restructuring, and figured it was a good opportunity to clean up and remove old computer accounts for machines that no longer exist. Now there are probably lots of ways to do this, but the way I chose was to look at the AD properties of the computer to see when it was last logged on to, and then arbitrarily decide that any computer that hadn't been logged on to in the last year was a good candidate. At first glance, that's not part of the properties that are returned with Get-ADComputer:

Get-ADComputer -Identity srv2

DistinguishedName : CN=SRV2,OU=Servers,DC=contoso,DC=com
DNSHostName       : srv2.contoso.com
Enabled           : True
Name              : SRV2
ObjectClass       : computer
ObjectGUID        : 0ce3c9fa-4b07-4dde-8323-ff94153d2bf9
SamAccountName    : SRV2$
SID               : S-1-5-21-2576220272-3971274590-1167723607-15115
UserPrincipalName :

But wait, I know there have to be more than that — let’s try making sure that we get all the properties, not just the most common:

Get-ADComputer -Identity srv2 -Properties *

AccountExpirationDate                :
accountExpires                       : 9223372036854775807
AccountLockoutTime                   :
AccountNotDelegated                  : False


DistinguishedName                    : CN=SRV2,OU=Servers,DC=contoso,DC=com
DNSHostName                          : srv2.contoso.com


KerberosEncryptionType               : {RC4, AES128, AES256}
LastBadPasswordAttempt               : 4/25/2016 6:28:41 PM
LastKnownParent                      :
lastLogoff                           : 0
lastLogon                            : 131689942478668713
LastLogonDate                        : 4/18/2018 10:18:47 PM
lastLogonTimestamp                   : 131685887279055446


whenCreated                          : 4/23/2015 6:28:41 PM

Ah, that's more like it. Now I can see that there's a LastLogonDate property. That should do it. One thing worth knowing about it: LastLogonDate is just the replicated lastLogonTimestamp attribute converted to a readable date, and lastLogonTimestamp is only rewritten when the existing value is older than msDS-LogonTimeSyncInterval (14 days by default), so it's accurate to within a couple of weeks. That's plenty for a one-year cutoff. The raw lastLogon value next to it is updated on every logon but is never replicated, so it only tells you about the one DC you asked. Now, it's just a case of simple math. And because we're looking for more than a single computer, we need to switch to using the -Filter parameter of Get-ADComputer. Plus I'll specify which server to query, and the account credentials to use to run the query:

Get-ADComputer `
        -Server dc01 `
        -Credential $cred `
        -Filter * `
        -Properties LastLogonDate `
              | Where-Object LastLogonDate -lt (Get-Date).AddDays(-365) `
              | Select-Object Name,LastLogonDate

Now that's fine for moderately sized Active Directories, but could be a bit of a problem for large ones, since every computer object in the domain comes back over the wire before Where-Object ever sees it. So, instead of grabbing every computer in the domain and then filtering them, let's have the DC do the work and only return the ones that fit our one-year criteria. Note that a `-lt` comparison only matches accounts that actually have a LastLogonDate; an account that has never logged on at all (no lastLogonTimestamp set) won't show up in this list.

$oneyear = (Get-Date).AddDays(-365)
Get-ADComputer `
        -Server dc01 `
        -Credential $cred `
        -Filter {LastLogonDate -lt $oneyear } `
        -Properties LastLogonDate `
             | Select-Object Name,LastLogonDate `
             | ConvertTo-CSV -NoTypeInformation > C:\Temp\Defunct.csv
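The filtered query above is the core of it. As an added example (not code from the original post), here is the version I would actually run before deleting anything: it keeps the server-side filter, but also picks up accounts with no LastLogonDate at all, cross-checks against PasswordLastSet (a joined machine rotates its own password every 30 days by default, so a recent password change means the box is alive even if lastLogonTimestamp looks old), and tags each row with a verdict so the CSV review goes faster. It assumes the ActiveDirectory module, a reachable DC named dc01, and a `$cred` credential object; the `OU=Servers` search base and the output path are hypothetical placeholders.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# a reachable DC named dc01 and a $cred credential object (e.g. from Get-Credential).
# The OU below and the output path are hypothetical placeholders.
Import-Module ActiveDirectory

$cutoff     = (Get-Date).AddDays(-365)
$searchBase = 'OU=Servers,DC=contoso,DC=com'   # hypothetical; scope the query rather than sweep the whole domain
$report     = 'C:\Temp\Defunct.csv'

# 'LastLogonDate -lt $cutoff' silently drops accounts that have no LastLogonDate at all
# (never logged on since the account was created), so those are pulled with a second
# clause and judged separately below. Both clauses are evaluated on the DC, not locally.
$stale = Get-ADComputer -Server dc01 -Credential $cred -SearchBase $searchBase `
    -Filter { (LastLogonDate -lt $cutoff) -or (LastLogonDate -notlike '*') } `
    -Properties LastLogonDate, PasswordLastSet, whenCreated, OperatingSystem

$results = foreach ($c in $stale) {
    # Second, independent signal: the machine account password is rotated by the
    # computer itself every 30 days by default. A PasswordLastSet inside the window
    # means the machine is alive even though lastLogonTimestamp (accurate only to
    # ~14 days because of msDS-LogonTimeSyncInterval) looks old.
    $pwdStale  = ($null -eq $c.PasswordLastSet) -or ($c.PasswordLastSet -lt $cutoff)
    $neverSeen = ($null -eq $c.LastLogonDate)

    $verdict = if ($neverSeen -and $c.whenCreated -gt $cutoff) { 'PreStaged' }  # new account, not yet joined
               elseif ($pwdStale)                               { 'Candidate' }  # both signals say dead
               else                                             { 'Review' }     # signals disagree; look by hand

    [pscustomobject]@{
        Name              = $c.Name
        DistinguishedName = $c.DistinguishedName
        Enabled           = $c.Enabled
        OperatingSystem   = $c.OperatingSystem
        Created           = $c.whenCreated
        LastLogonDate     = $c.LastLogonDate
        PasswordLastSet   = $c.PasswordLastSet
        Verdict           = $verdict
    }
}

# Export-Csv writes the file directly and sidesteps the UTF-16 output that '>'
# redirection produces in Windows PowerShell. The summary shows how much of the
# list still needs eyes on it.
$results | Sort-Object Verdict, LastLogonDate |
    Export-Csv -Path $report -NoTypeInformation -Encoding UTF8
$results | Group-Object Verdict | Select-Object Name, Count
```

The 'Review' bucket is the interesting one: a host that hasn't logged on in a year but is still changing its password is usually something like a rarely-authenticating service box, and deleting its account is the kind of mistake that only shows up when the thing next tries to talk to the domain.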

And now we have the list usefully exported to a CSV where we can manipulate it and verify the names really are those of orphaned computers. From there, I could feed the list of computers into Remove-ADComputer, or I can do it directly by piping this result to Remove-ADComputer, complete with a -Force parameter. Yeah. Right. And maybe a good idea to just verify the list first.


ETA: Well, it might be a good idea to check the available parameters for Remove-ADComputer before I post something. Sigh. There is no -Force parameter. Instead, you need to use -Confirm:$False if you want Remove-ADComputer to just do its work without prompting. And if the computer has any child objects associated with it (BitLocker recovery information and published print queues are the usual suspects), Remove-ADComputer will refuse because the account is no longer a leaf object, and you'll have to use Remove-ADObject with -Recursive instead. But more on that in another post.
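Since the post stops short of the deletion step, here is the staged removal I would use, as an added example that is not the author's code. Rather than piping straight into Remove-ADComputer, it disables and quarantines the reviewed accounts first, then deletes only what has sat disabled for a grace period, using Remove-ADObject -Recursive so child objects don't make it fail, and -Confirm:$false so it doesn't prompt per object. It assumes the ActiveDirectory module, dc01, a `$cred` credential object, a hand-reviewed CSV with a DistinguishedName column, and a quarantine OU; the file path and OU name are hypothetical. Everything runs with -WhatIf until `$dryRun` is flipped.

```powershell
# Added example (not from the original post). Assumes the ActiveDirectory module,
# a DC named dc01 and a $cred credential object. The CSV path and the quarantine OU
# are hypothetical placeholders; the CSV must contain a DistinguishedName column.
Import-Module ActiveDirectory

$dryRun    = $true                                          # flip to $false only after the -WhatIf output looks right
$reviewed  = Import-Csv 'C:\Temp\Defunct-reviewed.csv'      # hypothetical: the rows you verified by hand
$graveyard = 'OU=Decommissioned,DC=contoso,DC=com'          # hypothetical quarantine OU
$graceDays = 30
$tag       = 'Disabled {0:yyyy-MM-dd} pending deletion'     # stage 2 keys off this marker

# Stage 1: disable and move instead of deleting. A disabled account is re-enabled in
# seconds if the "dead" box turns out to be a backup server that only boots quarterly;
# a deleted one means a domain rejoin, a new SID and any ACLs that referenced it.
foreach ($row in $reviewed) {
    $comp = Get-ADComputer -Server dc01 -Credential $cred -Identity $row.DistinguishedName -Properties Description
    if (-not $comp.Enabled) { continue }                    # already staged (or disabled by someone else); leave it

    $desc = ($tag -f (Get-Date)) + "; was: " + $comp.Description
    Set-ADComputer  -Server dc01 -Credential $cred -Identity $comp -Enabled $false -Description $desc -WhatIf:$dryRun
    Move-ADObject   -Server dc01 -Credential $cred -Identity $comp -TargetPath $graveyard -WhatIf:$dryRun
}

# Stage 2 (run again after $graceDays): delete only what is disabled, sitting in the
# quarantine OU, and carrying the stage 1 marker with a date outside the grace period.
# Remove-ADComputer has no -Force and fails on accounts that own child objects
# (BitLocker recovery info, published print queues), so Remove-ADObject -Recursive is
# used; -Confirm:$false suppresses the per-object prompt once $dryRun is off.
$tagged = Get-ADComputer -Server dc01 -Credential $cred -SearchBase $graveyard `
    -Filter { Enabled -eq $false } -Properties Description

foreach ($c in $tagged) {
    if ($c.Description -notmatch '^Disabled (\d{4}-\d{2}-\d{2}) pending deletion') { continue }
    $disabledOn = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
    if ($disabledOn -gt (Get-Date).AddDays(-$graceDays)) { continue }   # still inside the grace period

    Remove-ADObject -Server dc01 -Credential $cred -Identity $c -Recursive -Confirm:$false -WhatIf:$dryRun
}
```

The marker in the Description field is deliberately the only thing stage 2 trusts: an account that someone else disabled for an unrelated reason and dropped in the same OU won't match the pattern and won't be deleted.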

Author: Charlie Russel

A chemist by education, an electrician by trade, a UNIX sysadmin and Oracle DBA because he raised his hand when he should have known better, an IT Director and consultant by default, and a writer by choice, Charlie is the author of more than 2 dozen computer books on operating systems and enterprise environments, including Microsoft Windows Server 2008 Administrator's Companion(MS Press), Microsoft Windows Server 2003 Administrator's Companion(MS Press), Windows Small Business Server 2011 Administrator's Companion(MS Press), Windows Essential Business Server 2008(MS Press), Introducing Windows Server 2008 R2(MS Press), Microsoft Windows XP Resource Kit, 3rd Edition(MS Press), and Oracle DBA Scripting Quick Reference(Prentice-Hall PTR). He has also written numerous white papers and case studies on Microsoft.com, most recently around Windows HPC Server, and RDS Licensing.
