AD stale computer cleanup report

A read-only Active Directory stale computer report for last logon, OU, operating system, enabled state, and cleanup planning.

Good For

  • AD hygiene
  • stale computer cleanup
  • inventory drift
  • migration prep
  • identity security review

How to Use It

  1. Agree on a stale threshold such as 60, 90, or 180 days before collecting results.
  2. Capture computer name, enabled state, last logon date, operating system, and distinguished name.
  3. Separate never-seen, stale-enabled, stale-disabled, server, workstation, and excluded OU results.
  4. Compare findings against endpoint management, DNS, DHCP, virtualization, and owner records before cleanup.
  5. Mark each object as keep, disable candidate, delete candidate, exception, or unknown owner.
  6. Use the report to create a cleanup change, not to delete accounts during discovery.

Execution Modes

  • local
  • ad-filtered

Inputs and Outputs

Inputs

  • Active Directory computer scope
  • stale day threshold
  • excluded OU list
  • owner mapping

Outputs

  • verbose-console
  • csv

Command Starter

Safe to run: read-only

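# Requires the ActiveDirectory module (RSAT); stop early if it is missing.
Import-Module ActiveDirectory -ErrorAction Stop

# ---------------------------------------------------------------------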
# Operator inputs
# ---------------------------------------------------------------------
$DaysInactive = 90
$Cutoff = (Get-Date).AddDays(-$DaysInactive)
$OutputPath = '.\ad-stale-computer-review.csv'

# ---------------------------------------------------------------------
# Stale-object screening from the replicated LastLogonDate value.
# LastLogonDate is useful for hygiene review, not exact all-DC last use.
# ---------------------------------------------------------------------
$Results = Get-ADComputer -Filter * -Properties LastLogonDate, Enabled, OperatingSystem, DistinguishedName |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    ForEach-Object {
        [pscustomobject]@{
            Name              = $_.Name
            Enabled           = $_.Enabled
            OperatingSystem   = $_.OperatingSystem
            LastLogonDate     = $_.LastLogonDate
            ReviewStatus      = if (-not $_.LastLogonDate) { 'NeedsReview-NoReplicatedLogon' } else { 'StaleByCutoff' }
            DistinguishedName = $_.DistinguishedName
        }
    }

$Results | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
$Results | Sort-Object ReviewStatus, LastLogonDate | Format-Table -AutoSize
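
One way to do the separation described in step 3 over rows shaped like this report's CSV, as an added example that is not part of the original command starter. The domain, OU names, sample rows, the Get-StaleBucket helper, and the 'Server' substring test on OperatingSystem are assumptions made for illustration.

```powershell
# Added example, not the page's script. Domain, OU names and rows are constructed.
$ExcludedOUs = @('OU=Kiosks,DC=example,DC=test')   # assumed excluded OU list

# Constructed rows, already past the cutoff, shaped like the report CSV after Import-Csv.
$Rows = @'
Name,Enabled,OperatingSystem,LastLogonDate,DistinguishedName
WS-001,True,Windows 11 Enterprise,2024-01-10,"CN=WS-001,OU=Workstations,DC=example,DC=test"
WS-002,False,Windows 10 Pro,2023-06-02,"CN=WS-002,OU=Workstations,DC=example,DC=test"
SRV-01,True,Windows Server 2019 Standard,2024-02-01,"CN=SRV-01,OU=Servers,DC=example,DC=test"
NEW-01,True,,,"CN=NEW-01,CN=Computers,DC=example,DC=test"
KSK-01,True,Windows 10 IoT Enterprise,2023-01-15,"CN=KSK-01,OU=Kiosks,DC=example,DC=test"
LAB-01,True,Windows 10 Pro,2023-03-03,"CN=LAB-01,OU=NotKiosks,DC=example,DC=test"
'@ | ConvertFrom-Csv

function Get-StaleBucket {   # hypothetical helper name
    param([Parameter(Mandatory)] $Row, [string[]] $ExcludedOU = @())

    $dn = [string]$Row.DistinguishedName
    # CSV round-trips booleans as text, and the string 'False' is truthy in PowerShell.
    $enabled = "$($Row.Enabled)" -eq 'True'

    # Match excluded OUs as a DN suffix on a component boundary (OU=Kiosks, not OU=NotKiosks).
    $excluded = $false
    foreach ($ou in $ExcludedOU) {
        if ($dn.EndsWith(",$ou", [StringComparison]::OrdinalIgnoreCase)) { $excluded = $true }
    }

    $activity = if ($excluded) { 'ExcludedOU' }
                elseif (-not $Row.LastLogonDate) { 'NeverSeen' }
                elseif ($enabled) { 'StaleEnabled' }
                else { 'StaleDisabled' }

    # Assumption: server editions carry 'Server' in OperatingSystem; blank OS stays unknown.
    $os   = [string]$Row.OperatingSystem
    $role = if (-not $os) { 'UnknownOS' } elseif ($os -match 'Server') { 'Server' } else { 'Workstation' }

    [pscustomobject]@{
        Name = $Row.Name; Activity = $activity; Role = $role; DistinguishedName = $dn
    }
}

$Bucketed = $Rows | ForEach-Object { Get-StaleBucket -Row $_ -ExcludedOU $ExcludedOUs }
$Bucketed | Sort-Object Activity, Role, Name | Format-Table Name, Activity, Role -AutoSize
$Bucketed | Group-Object Activity, Role -NoElement | Format-Table Count, Name -AutoSize
```

The same function accepts the live $Results objects, since it reads only the properties the report already emits.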

Validation

  • Every stale candidate includes last logon evidence, OU, enabled state, and OS where available.
  • Server and exception OUs are separated from workstation cleanup candidates.
  • Any later disable/delete action has owner approval and a restore path.

Reporting

  • export stale computer candidates to CSV
  • group objects by OU, OS, enabled state, and cleanup recommendation
  • when the report is run repeatedly, promote its output into AD hygiene evidence for audit or cleanup tickets

Safety Notes

  • This is a cleanup-readiness report only. Do not disable or delete computer objects during the evidence pass.
  • LastLogonDate is replicated hygiene evidence and can lag actual activity. Use it for screening, not exact all-domain-controller last-use proof.
  • Compare candidates with endpoint management, DNS, DHCP, virtualization, and owner records before recommending removal.