Removing Obsolete Computer Records from Active Directory Using PowerShell (Only Windows Client Versions)

 

Removing Obsolete Computer Records from Active Directory Using PowerShell

Active Directory (AD) environments can accumulate obsolete computer objects over time. These stale records not only clutter the directory but can also pose security risks. This article provides a PowerShell-based approach to identifying and removing outdated computer records from Active Directory.

Identifying Obsolete Computer Accounts

The first step in cleaning up AD is to identify inactive computers based on their last logon timestamp and password last set date. Below is a PowerShell script to find obsolete devices that have not logged in for more than 60 days:

Import-Module ActiveDirectory
$DaysInactive = 60
$time = (Get-Date).AddDays(-$DaysInactive)

# Identify obsolete devices
$obsoleteDevices = Get-ADComputer -Filter {
    (LastLogonTimeStamp -lt $time -and PasswordLastSet -lt $time) -and
    (OperatingSystem -like '*Windows 10*' -or OperatingSystem -like '*Windows 11*' -or OperatingSystem -like '*Windows 7*' -or OperatingSystem -like '*Windows 8.1*')
} -Properties Name, OperatingSystem, SamAccountName, DistinguishedName, LastLogonTimeStamp, PasswordLastSet

# Export the results to CSV
$obsoleteDevices | Select-Object Name, OperatingSystem, SamAccountName, DistinguishedName, @{Name='LastLogonTimeStamp'; Expression={if ($_.LastLogonTimeStamp -ne 0) {[DateTime]::FromFileTime($_.LastLogonTimeStamp)} else {'Never'}}}, PasswordLastSet | Export-Csv -Path "C:\Reports\ObsoleteDevices.csv" -NoTypeInformation

Explanation of the Script

  • This script filters computer accounts based on their LastLogonTimeStamp and PasswordLastSet attributes.

  • It includes only Windows operating systems to ensure relevant records are identified.

  • The results are exported to a CSV file for further analysis.

Moving Obsolete Computers to a Disabled OU

Once identified, obsolete computers should be moved to a designated "Disabled OU" for further review before deletion. The following script moves these records:


Import-Module ActiveDirectory
$csvPath = "C:\Reports\ObsoleteDevices.csv"
$disabledOU = "OU=Disabled OU,DC=yourdomain,DC=com"  # Replace with your actual OU DN

# Import devices from CSV
$devicesToMove = Import-Csv -Path $csvPath

foreach ($device in $devicesToMove) {
    try {
        Move-ADObject -Identity $device.DistinguishedName -TargetPath $disabledOU
        Write-Host "Moved $($device.Name) to $disabledOU" -ForegroundColor Green
    } catch {
        Write-Host "Failed to move $($device.Name): $_" -ForegroundColor Red
    }
}

Write-Host "Device move process completed." -ForegroundColor Cyan

Key Features of the Script

  • Reads computer objects from the CSV file generated earlier.

  • Moves each computer account to a predefined "Disabled OU."

  • Logs successful and failed operations in the console.

Final Cleanup: Deleting Stale Computers

You need to disable devices in the Disabled OU and keep them for a few weeks. Any devices that become active should be moved back to their previous OU. (Users may experience login issues on these computers that have been active again since they have been disabled.) After confirming that all remaining devices are no longer in use, you can delete the entire OU

Popular Posts

Deploying a Script through Intune to a Linux PC

Image
Can Intune Deploy Shell Scripts to Linux Devices? Yes! Just like deploying PowerShell scripts to Windows, Intune can also deploy shell scripts to Linux devices. In this blog, I'll walk you through the process of deploying shell scripts to Linux using Intune, making it easier to automate tasks and manage Linux endpoints efficiently. Prerequisites Before deploying a shell script via Intune, ensure the following requirements are met: 1. Intune and Microsoft Entra ID Your environment must have Microsoft Intune configured for device management. This setup enables secure enrollment and policy enforcement on Linux devices. 2. Linux Device Enrollment The Linux PC must be properly enrolled in Intune to receive policies and scripts. If the device is not enrolled, follow Microsoft's documentation on Linux enrollment in Intune. Deploying the Shell Script Once the prerequisites are met, follow these steps to deploy your shell script through Intune: Access Microsoft Intune Sign in to the ht...
Read more

Windows 11 24H2 Upgrade using Intune Feature Updates Policy

Image
How to Deploy Feature Updates Using Intune: A Step-by-Step Guide Microsoft Intune provides a streamlined method for managing Windows feature updates across your organization. In this guide, I'll walk through the essential prerequisites, policy creation steps, deployment, and monitoring process to ensure a smooth rollout of feature updates using Intune. 1. Verify Prerequisites Before you create a feature update policy, ensure the following prerequisites are met on the target devices: Device Enrollment : Devices must be enrolled in Intune, either as Microsoft Entra hybrid joined or Microsoft Entra joined . Supported OS : Devices must be running a supported version of Windows 10 or Windows 11 . Telemetry Settings : Devices must have the telemetry level set to Required . You can configure this via Devices > Windows> Configuration > Create Policy > Templates>  Device Restrictions > Reporting and Telemetry > Share Usage Data >Set as Required...
Read more

Deploying Software Update Scan Cycle via SCCM using a Batch File

Image
Deploying Software Update Scan Cycle via SCCM using a Batch File If you need to trigger a Software Update Scan Cycle through a batch file in SCCM, follow these steps. Step 1: Create a Batch File Create a new .bat file and add the following lines: @echo off echo Initiating Software Update Scan Cycle... wmic /namespace:\\root\ccm path sms_client CALL TriggerSchedule "{00000000-0000-0000-0000-000000000113}" echo Software Update Scan Cycle initiated. timeout /t 10 > nul Save this file with a .bat extension. Copy the batch file to a shared network location that SCCM clients can access. Now we'll create the pacakge SCCM console > Software library > Pacakages > Create Package     Choose a name   Select a souce path Select standard program Browse the command line and select the bat file   Choose other options Hidden or visible to users User login or no   Now distribute the content   After it...
Read more