====== Find Stale Active Directory Computer Accounts ======


===== Not Logged in Recently =====

This command will show computer accounts that have not logged in recently.

<file>
dsquery computer -inactive 24 -limit 0
</file>

24 is the number of weeks of inactivity.

===== Find Old Unused AD Computer Accounts =====

^Last logon time       |Active Directory computers have an attribute called ''lastLogonTimestamp'' which stores the last time the computer was logged into. |
^Computer password age |Active Directory computers have an attribute called ''passwordlastset'' which gets changed automatically every 30 days. |

These two commands are mostly complementary and can help identify old or inactive computer accounts for computers that no longer exist.

<file>
get-adcomputer -filter * -properties passwordlastset | select name, passwordlastset | sort passwordlastset
</file>

<file>
get-adcomputer -filter * -properties lastLogonTimestamp | select name, lastLogonTimestamp | sort lastLogonTimestamp
</file>