Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email
Reading Time: 3 minutes

It is always good practice to keep you Active Directory clean. One easy way to keep your Active Directory clean is by removing stale computer accounts periodically. I have always found that when Windows machines are disjoined from a domain, rebuilt with a different computer name, etc, removing computer accounts are often overlooked, or sysadmins are not informed that a computer has been removed or changed.

A windows machine will reset its computer account password every 30 days by default. Knowing this means we can assume that when a computer has not reset its account password for a length of time, say 90 or 120 days, then it is stale. If you have remote workers that do not connect back into your domain via VPN or any other way, I would always look to use the highest number of days that the password has not been reset.

The following script will look for all computer accounts in an OU you can set and where the password has not been set for over 90 days. I have left the -whatif switch in, so I can see what computer accounts will be affected first. It also writes this information to a txt file called computers.txt located in C:\Pshell\. This path can be changed to whatever you like.

You can download the script here or just copy the bellow script.

You will need to modify this script to reflect your Domain and OU structure. All you need to do is modify the $SourceOU to the OU where you would like the search to begin and it will also search all OUs underneath it. You will also need to modify the $DestinationOU to where you would like the computers moved to. Make sure you have this setup in your Active Directory first.

You can also change the number of days for a computer to be considered stale. If you know your users will always connect within 90 days then I would leave it to the default 90. you can change this under $lldate. I have made a decision for the script not to delete the computer accounts as you might have some non-windows computers in the OU which may act differently. What I do is check the OU once it has ran and leave them there for 30 days (set an Outlook reminder) and then delete them. If you have the active directory recycle bin active in your domain, you can always recover them from there.

Share:
Twitter
LinkedIn
Facebook
Reddit
Whatsapp
Follow by Email

Pixel Robots.

I’m Richard Hooper aka Pixel Robots. I started this blog in 2016 for a couple reasons. The first reason was basically just a place for me to store my step by step guides, troubleshooting guides and just plain ideas about being a sysadmin. The second reason was to share what I have learned and found out with other people like me. Hopefully, you can find something useful on the site.

5 Comments

Jensen · November 18, 2020 at 1:57 pm

The Script Doesn’t work.

Dan · December 10, 2020 at 9:43 am

Love the script, wanted something i could quickly copy/paste to get the job done and this worked a treat first time! The only one issue i had to amend is the additional space in this command “$computers=Get-ADComputer -Filter
‘PasswordLastSet -le $lldate’ -Searchbase $SourceOU” after the -Filter

    Pixel Robots. · December 10, 2020 at 3:17 pm

    Thanks Dan. I have fixed that now.

shane · April 30, 2021 at 7:06 pm

I’m new to powershell and have used this script. My question is, how can I add more search OU’s? I have script to find all devices in specific OU’s with last logon over 90 and then another script I use to move those results to our stale ou.

Adi · February 20, 2024 at 3:29 pm

Cracking script and thanks for your time and effort!

Leave a Reply

Avatar placeholder

Your email address will not be published. Required fields are marked *