Spring cleaning: Collect AD stale accounts and move them to an OU

By /

There are many PowerShell scripts and commands available to get stale computer accounts from an Active Directory domain. Some PowerShell scripts are bundled to move the stale accounts to an organizational unit and some PowerShell scripts provide a function to email the stale accounts report. In this article we will explain what it takes to collect stale accounts from Active Directory domains and how to move them to an organizational unit.

Which PowerShell commands can be used?

To get stale computer accounts, you can use Get-ADComputer PowerShell cmdlets. The Get-ADComputer PowerShell cmdlet is provided as part of the Active Directory PowerShell modules. Let’s take a look at some of the examples of using Get-ADComputer cmdlet.

PowerShell Get-ADComputer command examples

The Get-ADComputer PowerShell cmdlet supports specifying parameters to get stale accounts. Note that there is not a straightforward parameter that can be used to fetch stale accounts — you would be required to specify a combination of parameters such as LastLogonTimeStamp and inactive days as shown in the PowerShell script below:

$ThisDomain = “TechGenix.com”
$InactiveDaysNow = 90
$time = (Get-Date).Adddays(-($InactiveDaysNow))
$CompsInactiveCount=Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Server $ThisDomain -Properties Name,OperatingSystem,SamAccountName,DistinguishedName
$CompsInactiveCount

Executing the above PowerShell commands will give you a list of inactive computer accounts from the domain specified in the “$ThisDomain” variable. If you would like to limit your query to a particular organizational unit, you will be required to use “-SearchBase” parameter as it is reflecting in the PowerShell script below:

$ThisDomain = “TechGenix.com”
$InactiveDaysNow = 90
$time = (Get-Date).Adddays(-($InactiveDaysNow))
$CompsInactiveCount=Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Server $ThisDomain –SearchBase “OU=Test1, DC=TechGenix,DC=Com” -Properties Name,OperatingSystem,SamAccountName,DistinguishedName
$CompsInactiveCount

Note: The PowerShell commands above can only be used against a single Active Directory domain. If you would like to use for a multiple domain, you will be required to create a file that contains the Active Directory domain names and use ForEach loop to process all domains one by one. Here is the PowerShell script that checks all Active Directory domains specified in C:\Temp\ADDomains.CSV:

$DomFile = "C:\Temp\ADDomains.CSV"
ForEach ($ThisDomain in GC $DomFile)
{
$InactiveDaysNow = 90
$time = (Get-Date).Adddays(-($InactiveDaysNow))
$CompsInactiveCount=Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Server $ThisDomain -Properties Name,OperatingSystem,SamAccountName,DistinguishedName
$CompsInactiveCount
}

Moving stale accounts to an organizational unit

Moving stale accounts requires you to use the Move-ADObject PowerShell cmdlet. If you need to move a specific computer account from one organizational unit to another organizational unit, you will need the source Distinguished Name of the computer account and target Distinguished Name of the organizational unit. For example, to move a computer named Computer1 to another organizational unit in the same domain, using this PowerShell command will work:

Move-ADObject –Identity (Get-ADComputer Computer1).ObjectGUID –TargetPath “OU=TestOU, DC=TechGenix, DC=Com”

To use Move-ADObject with earlier PowerShell commands that we used to fetch the stale computer accounts, you can add Move-ADObject at the end of the PowerShell command as shown in the commands below:

$DomFile = "C:\Temp\ADDomains.CSV"
$DisabledCompsOU = “OU=DisabledComps, DC=TechGenix, DC=Com”
ForEach ($ThisDomain in GC $DomFile)
{
$InactiveDaysNow = 90
$time = (Get-Date).Adddays(-($InactiveDaysNow))
$CompsInactiveCount=Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Server $ThisDomain | Move-ADObject –TargetPath $DisabledCompsOU
$CompsInactiveCount
}

In the script, you will need to be changing the following items to make sure script is usable in your production environment:

  • Change the path of the organizational unit where the stale computer accounts will be moved to. You will be need to modify “$DisabledCompsOU” variable in above script.
  • Enter the Active Directory domain names in the C:\Temp\ADDomains.CSV so script can process all Active Directory domains in an Active Directory forest.

Ossisto 365 provides a similar tool for free which can be used to search for both stale user and computer accounts and then move to a specific organizational unit periodically.

A powerful PowerShell cmdlet

We learned that Get-ADComputer PowerShell cmdlet can be used to retrieve the stale computer accounts from Active Directory domains. We provided PowerShell commands as well as PowerShell scripts to get the information from multiple Active Directory domains. We also learned how to move stale computer accounts to a specific organizational unit using the Move-ADObject PowerShell cmdlet.

About The Author

Nirmal Sharma is a MCSEx3, MCITP and was awarded the Microsoft MVP award in Directory Services and Windows Networking. He specializes in Microsoft Azure, Office 365, Directory Services, Failover Clusters, Hyper-V, PowerShell Scripting and System Center products. Nirmal has been involved with Microsoft Technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites.

Read Next

Static vs Dynamic IP Address

Static vs Dynamic IP Address

Most people are familiar with Internet Protocol (IP) Addresses, but many people don’t know you have 2 types. In this article, you’ll learn about static…

Read More »

3 thoughts on “Spring cleaning: Collect AD stale accounts and move them to an OU”

  2. Josh love

    This is a late reply but you use the CMDlet Get-ADUser instead
    This Will Export a list of accounts inactive accounts in the LAB domain, Test OU, in the User OU. Remove: ” -SearchBase “OU=Users, OU=TEST, DC=LAB, DC=local” ” if you want to search the whole domain.

    $DaysInactive = 90

    $time = (Get-Date).Adddays(-($DaysInactive))

    Get-ADUser -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Server $ThisDomain -SearchBase “OU=Users, OU=TEST, DC=LAB, DC=local” -Properties Name, OperatingSystem, SamAccountName, DistinguishedName, LastLogonDate | Export-CSV “C:\Temp\StaleUsers.CSV” –NoTypeInformation

    Reply
  3. Josh love

    Note there is a “-WhatIf” switch at the end of the Variable statement. This is make it output something like this:

    What if: Performing the operation “Move” on target “CN=Matt,OU=Users,OU=Test,DC=Lab,DC=local”.
    What if: Performing the operation “Move” on target “CN=Frank,OU=Users,OU=Test,DC=Lab,DC=local”.

    Remove the -WhatIf after verifying that it’s not doing something crazy to the accounts and it will move them. Then you can navigate to the OU in AD and highlight all and disable. Also make sure you have the OU created you’re intending on moving them to. I guess you could remove the ForEach loop statement, I just have it setup to switch between using the multi-domain csv.

    $DisabledUsersOU = “OU=OldUsers, OU=GraveYard, OU=Test, DC=Lab, DC=local”
    ForEach ($ThisDomain in “Lab.local”)
    {
    $InactiveDaysNow = 90
    $time = (Get-Date).Adddays(-($InactiveDaysNow))
    $UsersInactiveCount=Get-ADUser -Filter {LastLogonTimeStamp -lt $time} -ResultPageSize 2000 -resultSetSize $null -Server $ThisDomain | Move-ADObject –TargetPath $DisabledUsersOU -WhatIf
    $UsersInactiveCount
    }

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top