Stale computer accounts accumulate in every Active Directory environment over time — decommissioned PCs, laptops that have left the business and VMs that no longer exist. Cleaning them up improves security, reduces noise in reports and keeps your AD organised. This guide covers how to find and remove stale computer accounts using PowerShell in 2026.
Why Stale Accounts Are a Security Risk
- Stale accounts can be exploited by attackers to gain a foothold in your environment
- They appear in SCCM collections and reports, creating inaccurate data
- They make it harder to audit your actual device estate
- They clutter Group Policy application and slow down AD queries
Find Stale Computer Accounts (90+ Days)
$days = 90
$cutoff = (Get-Date).AddDays(-$days)
Get-ADComputer -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} `
    -Properties LastLogonDate, OperatingSystem, Description |
    Select-Object Name, LastLogonDate, OperatingSystem, Description |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize
Export Stale Computers to CSV
$days = 90
$cutoff = (Get-Date).AddDays(-$days)
# Date-stamped report file, e.g. StaleComputers_20260301.csv
$outputPath = "C:\Reports\StaleComputers_$(Get-Date -Format 'yyyyMMdd').csv"
Get-ADComputer -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} `
    -Properties LastLogonDate, OperatingSystem, Description, DistinguishedName |
    Select-Object Name, LastLogonDate, OperatingSystem, Description, DistinguishedName |
    Sort-Object LastLogonDate |
    Export-Csv -Path $outputPath -NoTypeInformation
Write-Host "Exported to $outputPath"
Disable Stale Accounts (Do This First)
Always disable before deleting — wait 30 days after disabling before removing permanently. This gives a safety net if a machine was incorrectly identified as stale.
$days = 90
$cutoff = (Get-Date).AddDays(-$days)
# Holding OU for disabled computer accounts; replace with your own domain's DN
$disabledOU = "OU=Disabled Computers,DC=domain,DC=com"
$staleComputers = Get-ADComputer -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} -Properties LastLogonDate
foreach ($computer in $staleComputers) {
    # Disable first, then move, so the account stays recoverable during the grace period
    Disable-ADAccount -Identity $computer
    Move-ADObject -Identity $computer.DistinguishedName -TargetPath $disabledOU
    Write-Host "Disabled and moved: $($computer.Name)"
}
Delete Stale Accounts After Grace Period
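# Delete disabled computers from the Disabled OU after the 30-day grace period.
# whenChanged is the object's last modification time on the queried DC; it is used
# here as an approximation of when the account was disabled and moved.
$disabledOU = "OU=Disabled Computers,DC=domain,DC=com"
$graceCutoff = (Get-Date).AddDays(-30)
Get-ADComputer -Filter {Enabled -eq $false} -SearchBase $disabledOU -Properties whenChanged |
    Where-Object { $_.whenChanged -lt $graceCutoff } |
    Remove-ADComputer -Confirm:$false
Find Stale User Accounts Too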
$cutoff = (Get-Date).AddDays(-90)
Get-ADUser -Filter {LastLogonDate -lt $cutoff -and Enabled -eq $true} `
    -Properties LastLogonDate, Department |
    Select-Object Name, SamAccountName, LastLogonDate, Department |
    Export-Csv -Path "C:\Reports\StaleUsers.csv" -NoTypeInformation
Frequently Asked Questions
How often should I run Active Directory cleanup?
Run a stale account review quarterly at minimum. High-turnover organisations should run it monthly. Automating the disable step via a scheduled PowerShell script and reviewing before deletion is the safest approach.
What if LastLogonDate is empty for a computer account?
A null LastLogonDate usually means the computer has never logged into the domain or the attribute has not replicated. Use LastLogonTimestamp instead, which replicates across all DCs, though it is only accurate to within 9-14 days by design.
Should I delete or just disable stale accounts?
Always disable first and wait at least 30 days before deleting. This gives a recovery window if an account was incorrectly identified — for example a laptop offline for 3 months but still in use.
Will removing stale computer accounts affect SCCM?
Yes — SCCM may have orphaned records. Run SCCM Discovery and Heartbeat after the AD cleanup to reconcile the databases. The Delete Aged Discovery Data maintenance task also helps clean up stale SCCM records.
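The queries above match on LastLogonDate alone, so an account whose LastLogonDate is empty never appears in the results, and a single signal gives no cross-check before disabling. The following is an added example, not code from the original article: a hypothetical helper, Get-StaleVerdict, that also weighs PasswordLastSet and whenCreated and runs here against constructed sample objects. It assumes machine accounts rotate their passwords on the default 30-day schedule.

```powershell
# Added example. Classifies computer objects with three signals instead of one.
# Input needs Name, LastLogonDate, PasswordLastSet, whenCreated, e.g. from:
#   Get-ADComputer -Filter {Enabled -eq $true} -Properties LastLogonDate, PasswordLastSet, whenCreated
function Get-StaleVerdict {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $Days = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        $cutoff = $Now.AddDays(-$Days)
        $logon  = $Computer.LastLogonDate
        $pwdSet = $Computer.PasswordLastSet
        $verdict = if ($logon -and $logon -ge $cutoff) {
            'Keep: recent logon'
        } elseif (-not $logon -and $Computer.whenCreated -ge $cutoff) {
            'Keep: newly created, not yet logged on'   # e.g. pre-staged for a build
        } elseif ($pwdSet -and $pwdSet -ge $cutoff) {
            'Review: password changed recently'        # the signals disagree
        } elseif (-not $logon) {
            'Stale: never logged on'
        } else {
            'Stale: no logon or password change'
        }
        [pscustomobject]@{
            Name = $Computer.Name; LastLogonDate = $logon
            PasswordLastSet = $pwdSet; Verdict = $verdict
        }
    }
}

# Constructed sample objects (not real hosts) so the logic runs without a domain.
$now = [datetime]'2026-03-01'
$sample = @(
    [pscustomobject]@{ Name='PC-ACTIVE'; LastLogonDate=[datetime]'2026-02-20'; PasswordLastSet=[datetime]'2026-02-05'; whenCreated=[datetime]'2023-04-01' }
    [pscustomobject]@{ Name='PC-NEW';    LastLogonDate=$null;                  PasswordLastSet=[datetime]'2026-02-10'; whenCreated=[datetime]'2026-02-10' }
    [pscustomobject]@{ Name='PC-RESET';  LastLogonDate=[datetime]'2025-08-01'; PasswordLastSet=[datetime]'2026-01-15'; whenCreated=[datetime]'2022-09-12' }
    [pscustomobject]@{ Name='PC-GHOST';  LastLogonDate=$null;                  PasswordLastSet=[datetime]'2024-05-02'; whenCreated=[datetime]'2024-05-02' }
    [pscustomobject]@{ Name='PC-OLD';    LastLogonDate=[datetime]'2025-06-01'; PasswordLastSet=[datetime]'2025-06-03'; whenCreated=[datetime]'2022-01-10' }
)
$sample | Get-StaleVerdict -Now $now | Format-Table Name, Verdict -AutoSize
```

Only the rows marked Stale are candidates for the disable step; the Review rows are the ones to check by hand before they reach the Disabled OU.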
