Remove Computer (Inactive or Not) from Domain

Keeping Active Directory clean and performing cleanup tasks regularly is an important task of any System Administrator.

In a large organization, you can find a lot of computers that are inactive or haven’t been used for a long time.

Knowing how to remove inactive or unused computers from Active Directory is important. In this tutorial, we will show you how to find and remove these computers using several methods.

Note: Make sure you first have a solid backup before attempting any of the methods below.

Remove Unused Computer Accounts with PowerShell Script

You can easily remove unused computer accounts using the PowerShell script below.

This script first checks Active Directory for computer accounts that have not logged on for a certain period of time, disables and moves them, and then deletes the disabled accounts that have been inactive for even longer.

You can create and run this script by following the below steps:

1. Open Notepad and add the following code:

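# This script finds unused computer accounts using the lastLogonDate attribute.
# lastLogonDate is derived from lastLogonTimestamp, which replicates with a delay of up to about 14 days.
Import-Module ActiveDirectory
$1year = (Get-Date).AddDays(-365) # 365 = days without a logon before an account is disabled.
$1y1m = (Get-Date).AddDays(-395)  # 395 = days without a logon before a disabled account is deleted.
# Disable computer objects older than 1 year and move them to the target container
# (replace the TargetPath with the OU you use for disabled computers):
Get-ADComputer -Properties Name,lastLogonDate -Filter {lastLogonDate -lt $1year} | Set-ADComputer -Enabled $false
Get-ADComputer -Properties Name,Enabled,lastLogonDate -Filter {Enabled -eq $false -and lastLogonDate -lt $1year} | Move-ADObject -TargetPath "CN=Computers,DC=webserveradc,DC=com"
# Delete older computer objects, but only those that are already disabled:
Get-ADComputer -Properties Name,Enabled,lastLogonDate -Filter {Enabled -eq $false -and lastLogonDate -lt $1y1m} | Remove-ADComputer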

2. Click on the Save As option to save the file.

3. Type a name for the script, such as old_pcs.ps1.

4. Click on the Save button to save the file.

5. Right-click on the old_pcs.ps1 PowerShell script and click on the Edit button as shown below:

6. Now, click on the Green button to run the script.

You should see the following screen if it ran successfully:

Note: You can change the domain name, OS and date variable in the above script as per your need.

Remove Unused Computer Accounts with Free Tools

You can also remove unused computer accounts using some free tools we’ve found, including the SolarWinds Inactive Computer Removal tool, which is 100% Free for Life.

This tool works by finding the last logon time using the logon timestamp attribute.

By default, this tool finds computer accounts whose last logon time is older than 30 days and removes them.

You can follow the below steps to remove the unused computer accounts:

1. Download the SolarWinds Inactive Computer Removal Tool and install it on your system.

2. After installing, open the tool, provide your administrative credentials and click on Test Connection as shown below:

3. Next, click on Settings and define the last logon time duration as shown below:

4. Now, go to the Dashboard and click on the Next button. This will search Active Directory computers, analyze the last logon attribute and list all the computer accounts in the following screen:

5. Now, select the computer accounts that you want to remove and click on the Remove button to remove all the computer accounts listed in the above screen.

Remove Unused Computer Accounts with Oldcmp Tool

Oldcmp is a simple and powerful tool for cleaning up unused computer accounts from the Active Directory.

This tool works using the computer’s password age to find the unused computer accounts.

This tool comes with a lot of options that make it easier for you to automate the cleanup process.

Compared to other tools, this tool is very safe as it prevents you from blowing up Active Directory. It will delete only disabled computer accounts.

Use the following steps to remove accounts:

1. Download the Oldcmp tool.

2. Extract the zip file in the Download folder.

3. Next, open PowerShell and change to the Oldcmp directory.

4. Run the following command to generate a report of computer accounts 90 days or older.

.\oldcmp -report

You should see the following output:

OldCmp V01.05.00cpp Joe Richards (joe@joeware.net) December 2004
Processed at Windows.webserveradc.com
Default Naming Context: DC=webserveradc,DC=com


Search completed...
Creating Report File: oldcmp.20200117-234315.htm


Command completed successfully

5. You can now open the generated HTML file with your web browser as shown below:

You can find and remove the computer accounts older than 90 days with the following command:

.\oldcmp -delete -onlydisabled

You should see the following screen:

Find and Remove Unused Computer Accounts with PowerShell

You can also find the old computer accounts with the password last set attribute in PowerShell.

To find all the computer accounts by name and password last set date, run the following command:

get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset

You should see the following output:

name    passwordlastset
----    ---------------
Windows 1/8/2020 1:51:18 PM
pc1     1/17/2020 11:11:31 PM
pc2     1/17/2020 11:11:42 PM
pc3     1/17/2020 11:12:22 PM
pc4     1/17/2020 11:12:31 PM
pc5     1/17/2020 11:35:06 PM
pc6     1/17/2020 11:35:22 PM

The above command will display all the computer accounts in the domain.

You can use a date variable with the above command to find all the computer accounts that are older than 90 days.

To list all the computer accounts older than 90 days, run the following commands in PowerShell:

$date = (get-date).adddays(-90)
get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset

To export these computer accounts to a CSV file, run the following command:

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | select name, passwordlastset | sort passwordlastset | export-csv c:\oldpc.csv

After generating the CSV file, open it in Excel and remove the computer accounts that you want.

If you want to remove all the computer accounts listed by the above command, run the following command with remove-adobject:

get-adcomputer -filter {passwordlastset -lt $date} -properties passwordlastset | remove-adobject -recursive -verbose -confirm:$false

Note: You can set the date variable as per your need.
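The lastLogonDate script and the passwordlastset commands above each rely on a single attribute and act on the result straight away. The following is an added example, not part of the original tutorial: it takes the more recent of the two timestamps and only labels each account Keep, Disable, Delete or Review, so the list can be inspected before anything changes. The function name Get-StaleComputerAction, the Review label and the server exclusion are assumptions of this example, and the sample objects are constructed.

```powershell
# Added example: classify accounts first, act second. Cutoffs mirror the article's script.
function Get-StaleComputerAction {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [datetime] $Now = (Get-Date),
        [int] $DisableAfterDays = 365,
        [int] $DeleteAfterDays  = 395
    )
    process {
        # Most recent sign of life; either attribute can be $null.
        $lastSeen = @($Computer.LastLogonDate, $Computer.PasswordLastSet) |
            Where-Object { $null -ne $_ } | Sort-Object | Select-Object -Last 1
        $age = if ($null -ne $lastSeen) { ($Now - $lastSeen).Days } else { $null }

        $action = if ($null -eq $age) { 'Review' }                  # no timestamps at all
            elseif ($age -lt $DisableAfterDays) { 'Keep' }
            elseif ($Computer.OperatingSystem -like '*Server*') { 'Review' }  # assumption: servers are checked by hand
            elseif ($Computer.Enabled) { 'Disable' }
            elseif ($age -ge $DeleteAfterDays) { 'Delete' }
            else { 'Keep' }                                         # disabled, still inside the grace period

        [pscustomobject]@{ Name = $Computer.Name; LastSeen = $lastSeen; AgeDays = $age
                           Action = $action; Computer = $Computer }
    }
}

# Constructed sample objects (not real hosts), shaped like Get-ADComputer output.
$now = [datetime]'2020-01-18'
$sample = @(
    [pscustomobject]@{ Name='pc1';  Enabled=$true;  LastLogonDate=[datetime]'2020-01-10'; PasswordLastSet=[datetime]'2020-01-17'; OperatingSystem='Windows 10 Pro' }
    [pscustomobject]@{ Name='pc2';  Enabled=$true;  LastLogonDate=[datetime]'2018-11-02'; PasswordLastSet=[datetime]'2018-10-20'; OperatingSystem='Windows 10 Pro' }
    [pscustomobject]@{ Name='pc3';  Enabled=$false; LastLogonDate=[datetime]'2018-09-01'; PasswordLastSet=[datetime]'2018-08-15'; OperatingSystem='Windows 7 Professional' }
    [pscustomobject]@{ Name='pc4';  Enabled=$true;  LastLogonDate=$null; PasswordLastSet=$null; OperatingSystem=$null }
    [pscustomobject]@{ Name='srv1'; Enabled=$true;  LastLogonDate=[datetime]'2018-06-01'; PasswordLastSet=[datetime]'2018-06-01'; OperatingSystem='Windows Server 2016 Standard' }
)
$sample | Get-StaleComputerAction -Now $now | Format-Table Name, LastSeen, AgeDays, Action

# Live domain (needs the ActiveDirectory module); -WhatIf previews without changing anything:
# Get-ADComputer -Filter * -Properties LastLogonDate,PasswordLastSet,OperatingSystem |
#     Get-StaleComputerAction | Where-Object Action -eq 'Disable' |
#     ForEach-Object { Set-ADComputer -Identity $_.Computer -Enabled $false -WhatIf }
```

Remove -WhatIf only after the previewed list has been checked against the CSV export from the earlier step.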

Conclusion

We hope you now have enough knowledge to clean up your inactive Active Directory computer accounts using the several methods we’ve highlighted above.

You can now use any of the methods above but as always, ensure you first have a solid backup downloaded locally in case you need to go back and undo anything.
