Deleting inactive computer accounts in Active Directory with PowerShell scripts


After some years of AD life in your company, you will probably have a lot of computer accounts in AD that are no longer used. How do we clean these objects out of AD? Let’s start with how to identify them. A computer account has two attributes that can help: LastLogon and LastLogonTimeStamp. Only one of them gives us the right status of the computer account. LastLogon represents the time of the last logon on the domain controller we are connected to and querying. LastLogonTimeStamp gives us the last logon of the computer account across the whole domain. We will use this value to find old computer accounts.


The LastLogonTimeStamp value is the number of 100-nanosecond intervals that have elapsed between 0:00 on January 1, 1601 and the date/time being stored. To convert this value to a readable format, you can use this Windows command:

w32tm.exe /ntte 128271382742968750
148462 05:57:54.2968750 - 24.6.2007. 6:57:54

This command converts the LastLogonTimeStamp value to a number of days plus hours, and then converts it to a date and the local computer time (+1 CET).

Let’s get all computer accounts from our AD that have a LastLogonTimeStamp older than a specified time (2 years) and export them to a csv file with some attributes. Before doing anything, you need to run “import-module ActiveDirectory” in the PowerShell window. We will use this PowerShell script:

$time = (Get-Date).AddYears(-2)  

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties * | select name, distinguishedname| export-csv computers.txt

You will get a computers.txt csv file with all computer accounts whose LastLogonTimeStamp is older than 2 years. If you just don’t care, you can simply pipe this output to the Remove-ADComputer command and remove the computer accounts. The script will look like this:


Get-ADcomputer -Filter {LastLogonTimeStamp -lt $time}  -Properties name, lastlogondate | Remove-ADComputer 

You will probably want to have some control, so let’s make a script that deletes computer account objects from import-csv values. It is a little complicated, but with my knowledge of PowerShell it is the only way I know. First of all, we will use the csv file we got earlier from the previous script.

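# Load the reviewed list of computer accounts exported earlier
$adcomputer = Import-Csv C:\users\username\computers.txt

foreach ($comp in $adcomputer)
{
    $distinguishedname = $comp.distinguishedname

    # -Recursive also removes any child objects under the computer account
    Remove-ADObject -Identity "$distinguishedname" -Recursive -Confirm:$true
}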


Why did I use Remove-ADObject instead of Remove-ADComputer? Because if you use Remove-ADComputer you will probably get this error: “The directory service can perform the requested operation only on a leaf object.” It means that the computer account contains some more objects underneath it. Not all computer accounts do, but some. You can see them only with the ADSIEdit tool. Remove-ADComputer cannot remove those child objects, and that’s why we use Remove-ADObject with the -Recursive switch to delete all objects underneath. I set Confirm to true, but you can set it to false if you don’t want to confirm every deletion yourself.
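
A variant of the CSV-driven deletion above that re-reads each account's LastLogonTimeStamp just before deleting, so a computer that has logged on since the export is kept, and that writes a record of every decision. This is an added example, not part of the original post; the removed.csv log path and the $dryRun switch are assumptions made for illustration.

```powershell
# Added example (not from the original post): re-validate each CSV row against
# AD before deleting, and keep an audit record of what was done.
Import-Module ActiveDirectory

$csvPath = 'C:\users\username\computers.txt'   # CSV produced by the export step
$logPath = 'C:\users\username\removed.csv'     # hypothetical audit log path
$cutoff  = (Get-Date).AddYears(-2)             # same threshold as the export
$dryRun  = $true                               # set to $false to really delete

$results = foreach ($row in Import-Csv $csvPath) {
    $status = 'Removed'
    try {
        # Read the current value; the CSV may be days or weeks old.
        $c = Get-ADComputer -Identity $row.distinguishedname `
                -Properties lastLogonTimestamp -ErrorAction Stop
        if ($null -eq $c.lastLogonTimestamp) {
            # Never logged on (or value not set): leave for manual review.
            $status = 'Skipped: no lastLogonTimestamp'
        }
        elseif ([DateTime]::FromFileTime($c.lastLogonTimestamp) -ge $cutoff) {
            $status = 'Skipped: logged on since export'
        }
        else {
            # -Recursive removes child objects under the computer account.
            Remove-ADObject -Identity $c.DistinguishedName -Recursive `
                -Confirm:$false -WhatIf:$dryRun -ErrorAction Stop
            if ($dryRun) { $status = 'WouldRemove' }
        }
    }
    catch {
        # Covers rows whose object no longer exists and permission failures.
        $status = "Error: $($_.Exception.Message)"
    }
    [pscustomobject]@{
        Name              = $row.name
        DistinguishedName = $row.distinguishedname
        Status            = $status
        CheckedAt         = Get-Date -Format s
    }
}

$results | Export-Csv $logPath -NoTypeInformation
$results | Group-Object Status | Select-Object Count, Name
```

With $dryRun left at $true, Remove-ADObject only reports what it would delete, so the status summary can be reviewed before anything is removed.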