AD stale computer cleanup report

A read-only report of stale Active Directory computer objects, covering last logon, OU, operating system, and enabled state, for use in cleanup planning.

Good For

  • AD hygiene
  • stale computer cleanup
  • inventory drift
  • migration prep
  • identity security review

How to Use It

  1. Agree on a stale threshold such as 60, 90, or 180 days before collecting results.
  2. Capture computer name, enabled state, last logon date, operating system, and distinguished name.
  3. Separate never-seen, stale-enabled, stale-disabled, server, workstation, and excluded OU results.
  4. Compare findings against endpoint management, DNS, DHCP, virtualization, and owner records before cleanup.
  5. Mark each object as keep, disable candidate, delete candidate, exception, or unknown owner.
  6. Use the report to create a cleanup change, not to delete accounts during discovery.

Execution Modes

  • local
  • ad-filtered

Inputs and Outputs

Inputs

  • Active Directory computer scope
  • stale day threshold
  • excluded OU list
  • owner mapping

Outputs

  • verbose-console
  • csv
  • future-html-report

Command Starter

Safe to run: read-only

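# Stale threshold: 90 days. LastLogonDate comes from the replicated lastLogonTimestamp, which by default can lag the real last logon by up to about 14 days.
$Cutoff = (Get-Date).AddDays(-90)
# Computers that have never logged on, or whose last logon is older than the cutoff.
Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem, Enabled, DistinguishedName | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } | Select-Object Name, Enabled, LastLogonDate, OperatingSystem, DistinguishedName
# Computer accounts that are already disabled (bitwise AND match on userAccountControl flag 2, ACCOUNTDISABLE).
Get-ADComputer -LDAPFilter '(userAccountControl:1.2.840.113556.1.4.803:=2)' -Properties LastLogonDate, OperatingSystem | Select-Object Name, Enabled, LastLogonDate, OperatingSystem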
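
A fuller version of the starter that also does the grouping from step 3 and the CSV export, as an added example that is not part of the original page. The 90-day threshold matches the starter; the excluded OU DN, output path, and column names are assumptions to adjust for your directory.

```powershell
# Added example (read-only): classify stale computer objects and export them to CSV.
# Assumptions: the excluded OU DN, output path and column names are placeholders.
Import-Module ActiveDirectory

$StaleDays   = 90                                     # agreed threshold (step 1)
$Cutoff      = (Get-Date).AddDays(-$StaleDays)
$ExcludedOUs = @('OU=Exceptions,DC=example,DC=com')   # hypothetical excluded OU list
$OutFile     = ".\stale-computers-$(Get-Date -Format yyyyMMdd).csv"

$Report = Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem, whenCreated |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $Cutoff } |
    ForEach-Object {
        $c  = $_
        $dn = $c.DistinguishedName
        # Parent container: everything after the first RDN ("CN=<name>,").
        $parent = ($dn -split ',', 2)[1]

        # Excluded when the DN sits below any OU on the exclusion list.
        $excluded = [bool]($ExcludedOUs | Where-Object {
            $dn.EndsWith(",$_", [System.StringComparison]::OrdinalIgnoreCase) })

        if     ($excluded)             { $category = 'excluded-ou' }
        elseif (-not $c.LastLogonDate) { $category = 'never-seen' }
        elseif ($c.Enabled)            { $category = 'stale-enabled' }
        else                           { $category = 'stale-disabled' }

        if     ($c.OperatingSystem -like '*Server*') { $type = 'server' }
        elseif ($c.OperatingSystem)                  { $type = 'workstation' }
        else                                         { $type = 'unknown' }

        [pscustomobject]@{
            Name              = $c.Name
            Enabled           = $c.Enabled
            LastLogonDate     = $c.LastLogonDate
            WhenCreated       = $c.whenCreated    # recent + never-seen = likely newly staged
            OperatingSystem   = $c.OperatingSystem
            Type              = $type
            Category          = $category
            ParentOU          = $parent
            DistinguishedName = $dn
            Recommendation    = ''                # filled in during review (step 5)
        }
    }

# Console summary per category and type, then the full list for the cleanup change.
$Report | Group-Object Category, Type -NoElement | Sort-Object Name | Format-Table -AutoSize
$Report | Sort-Object Category, Type, ParentOU |
    Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```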

Validation

  • Every stale candidate includes last logon evidence, OU, enabled state, and OS where available.
  • Server and exception OUs are separated from workstation cleanup candidates.
  • Any later disable/delete action has owner approval and a restore path.

Reporting

  • export stale computer candidates to CSV
  • group objects by OU, OS, enabled state, and cleanup recommendation
  • promote repeated use into AD hygiene evidence for audit or cleanup tickets

Safety Notes

  • This report is read-only and should not disable, move, or delete computer objects.
  • Do not clean up AD objects until DNS, DHCP, endpoint management, and owner records are compared.
  • Keep a rollback plan for any later disable or delete work.