Active directory can often be neglected and orphaned computer objects can get out of control. The below script will query your domain (remember to provide your FQDN in the variable at the top) for computers that have not spoken on the domain for 90 days.

By default, Active directory looks to change computer object passwords every 30 days. If you have a large mobile workforce that may not be connecting into the network for a long period of time, you may way to extend this. I find that 90 days works well for us.

NOTE: Be careful when using this on environments that have clusters. SQL Clusters for example, have a AD joined computer object for the name of the cluster. This does not update its lastlogonstamp and therefore gets caught by this script.

import-module activedirectory  
$domain = "domain.local"  
$DaysInactive = 90  
$time = (Get-Date).Adddays(-($DaysInactive)) 
  
# Get all AD computers with lastLogonTimestamp less than our time 
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp | 
  
# Output hostname and lastLogonTimestamp into CSV 
select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv c:\source\OLD_Computer.csv -notypeinformation

 

Leave a Reply

Your email address will not be published. Required fields are marked *