Keeping Active Directory clean and organized is important. It doesn’t take long for hundreds of unused objects or accounts to accumulate which leads to security problems and management nightmares. Auditors seem to have a special hatred for stale objects in Active Directory so keeping everything neat and tidy is a necessity.
Computer Accounts
When you join a computer to the domain, a computer account is created in AD. When you retire the computer it is best to remove it from AD. Many times IT departments forget to do this. Over time AD can easily contain hundreds of unused computer objects.
Getting rid of unused computer objects
Computer objects are easy to clean up. Every Windows computer has a domain account and password. Nobody ever sees the password but the computer knows it. Windows computers change their password every 30 days.
Unused computer accounts are those whose passwords have not changed in more than 30 days.
If you want to know more about computer accounts and passwords read Microsoft’s Machine Account Password Process blog post.
Using a PowerShell script we can easily find unused computer accounts.
# TimeSpan "200" parses as 200 days, so $lastSetdate is 200 days before now
$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("200")
Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | FL
This script finds any computer that has not changed its password in the last 200 days. That means the password should have been reset 170 days ago. Change the 200 to whatever value you think is appropriate, but I can’t think of a reason to use a value less than 60.

Notice the PasswordLastSet field. This computer has not been used in over six months.
Remember that some computers don’t get used very often. Perhaps there is a computer in the conference room, a test server that is off most of the time, or some other rarely used computer. Those devices could easily go a long time without being used and thus have very old passwords. You probably don’t want to delete those.
What happens if you delete a computer account and need it?
If you delete a computer account and then find the computer in a store room, you will have to rejoin it to the domain. That is a simple process as long as you know the local administrator’s password.
Deleting computer accounts … the slow way.
Before you delete computer accounts you should verify that everything the script finds is unused. It might be best to simply open Active Directory Users and Computers, find the offending accounts, and delete them one at a time as you validate they are no longer in use. This is the cautious approach.
Deleting computer accounts … the fast way.
Once you are positive the script is returning computer accounts that you no longer need, you can modify the script to automatically delete them.
Be careful! Being careless could bring your network down. Verify the script is only returning items you want to delete. If in doubt STOP HERE.
$lastSetdate = [DateTime]::Now - [TimeSpan]::Parse("200")
Get-ADComputer -Filter {PasswordLastSet -le $lastSetdate} -Properties passwordLastSet -ResultSetSize $null | Remove-ADComputer
If you still have the same PowerShell window open you do not need to execute the first line again.
Notice the second line now ends with “Remove-ADComputer.” Hit enter and a few seconds later, all your old unused computer accounts are gone.
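A staged version of the same cleanup, added here as an example and not taken from the original post: it also checks LastLogonDate (so a rarely used machine that logged on recently is not flagged), writes a review list to CSV, disables and moves the accounts to a quarantine OU, and only previews the delete with -WhatIf. The OU path, the 200-day threshold and the report path are assumptions to adjust for your domain.

```powershell
# Added example: staged cleanup of stale computer accounts (disable and move
# first, delete later). Not from the original post. The OU path, threshold
# and report path below are assumptions; adjust them for your domain.
Import-Module ActiveDirectory

$StaleDays  = 200
$StaleOU    = 'OU=Stale Computers,DC=example,DC=com'   # assumed OU; must already exist
$Cutoff     = (Get-Date).AddDays(-$StaleDays)
$ReportPath = "$env:TEMP\stale-computers-$(Get-Date -Format yyyyMMdd).csv"

# Stage 1: find enabled computers whose password AND last logon are both
# older than the cutoff. Requiring both avoids flagging the conference-room
# PC that logged on last week but has not rotated its password yet.
$stale = Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -le $Cutoff } `
    -Properties PasswordLastSet, LastLogonDate, OperatingSystem, Description |
    Where-Object { $_.LastLogonDate -eq $null -or $_.LastLogonDate -le $Cutoff }

# Stage 2: write a review list before touching anything.
$stale |
    Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate, Description, DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host "$($stale.Count) stale computer account(s) written to $ReportPath"

# Stage 3: disable and quarantine instead of deleting. A disabled account
# is re-enabled in seconds if the machine turns up in a store room.
foreach ($c in $stale) {
    Set-ADComputer -Identity $c.DistinguishedName -Enabled $false `
        -Description "Disabled $(Get-Date -Format yyyy-MM-dd) by stale cleanup; was: $($c.Description)"
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $StaleOU
}

# Stage 4 (run later, after the quarantine period): preview the deletion
# with -WhatIf, and drop -WhatIf only once the list has been reviewed.
Get-ADComputer -Filter { Enabled -eq $false } -SearchBase $StaleOU |
    Remove-ADComputer -WhatIf
```

Run it from an account with rights on both the source OUs and the quarantine OU; the CSV gives you the list to check against inventory before the final delete.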
Cleaning up AD Computer Objects is simple and should be done regularly. Hopefully this makes the process simple for you.
Next: Clean up AD: Step 2!