Good Active Directory hygiene is important for many reasons. One easy way to keep your directory clean is to periodically remove stale computer accounts. When a Windows machine is disjoined from a domain, rebuilt with a different name, and so on, removing the computer account is often overlooked, or administrators are not notified that the machine is no longer being used. A Windows machine resets its computer account password every 30 days by default, so a good indicator that a computer account is stale is that its password has not been reset for a good length of time, such as 90 or 120 days. The following script looks for all computer accounts where the password has not been set for over 90 days. You will need to have the “Active Directory Module for PowerShell” installed on the computer you are running it from, as the script uses the “Get-ADComputer” cmdlet.
$date = [DateTime]::Today.AddDays(-90)
Get-ADComputer -Filter 'PasswordLastSet -le $date' -SearchBase "OU=WhereIStoreComputers,DC=pipe2,DC=Text,DC=com" -Properties PasswordLastSet
The output will contain the following properties for each computer account:
Of course, you will have to modify this script to reflect your domain and OU structure. All you need to do is point the search base at the OU where you would like the search to begin; it will also search all OUs underneath it. You can also increase the number of days for a computer to be considered stale. The other important thing is to always check your list after it is run and before removing any accounts. There may be a good reason a machine has not reset its password for a long period of time: for example, the account is not for a Windows machine, or it belongs to a remote user who has not been in the office for a while.
I decided to take this a bit further. Using some additional code, I put together something that will email a list of all computer accounts where the password has not been set for over 90 days in HTML format. This script will do the following:
- Check for computer accounts where the computer account password has not been reset for over 90 Days.
- Send an HTML email using an SMTP server.
- The email will have a subject that contains the name of the machine sending the report and the date when the report was generated.
- A count of how many machines have not had a password reset in over 90 days.
- A list of all machines in a table that have not had a password reset in over 90 days, including the Name, Distinguished Name and Password Last Set date and time.
Since some of the lines in this script above were too long to output properly on this page, I have also inserted the StaleMachineEmail link above containing the code so it is easier to copy and view. Also, if you have any feedback on this script, or ideas to make it more efficient or robust, please leave a comment!
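The report described in the list above can be sketched as follows. This is an added example, not the author's StaleMachineEmail script; the SMTP server name and the sender and recipient addresses are placeholder assumptions, and the search base is the sample OU from the one-liner earlier in the post.

```powershell
# Added example, not the author's StaleMachineEmail script.
# Placeholders (assumptions): $SmtpServer, $From, $To. Change $SearchBase to your own OU.
Import-Module ActiveDirectory

$DaysStale  = 90
$SearchBase = 'OU=WhereIStoreComputers,DC=pipe2,DC=Text,DC=com'
$SmtpServer = 'smtp.example.com'
$From       = 'ad-reports@example.com'
$To         = 'ad-admins@example.com'

$cutoff = [DateTime]::Today.AddDays(-$DaysStale)

# Same query as the one-liner in the post, oldest password first.
# @() keeps .Count correct when exactly one account is returned.
$stale = @(Get-ADComputer -Filter 'PasswordLastSet -le $cutoff' -SearchBase $SearchBase -Properties PasswordLastSet |
    Sort-Object PasswordLastSet |
    Select-Object Name, DistinguishedName, PasswordLastSet)
$count = $stale.Count

$style = @'
<style>
table  { border-collapse: collapse; font-family: Arial, sans-serif; font-size: 10pt; }
th, td { border: 1px solid #999; padding: 4px 8px; text-align: left; }
th     { background: #ddd; }
</style>
'@

# The OU name is HTML-encoded because a distinguished name can contain markup characters.
$ou      = [System.Net.WebUtility]::HtmlEncode($SearchBase)
$summary = "<p>$count computer account(s) under $ou have not reset their password " +
           "in over $DaysStale days (cutoff $($cutoff.ToString('yyyy-MM-dd'))).</p>"

if ($count -gt 0) {
    # ConvertTo-Html encodes the property values and builds the table rows.
    $body = $stale | ConvertTo-Html -Head $style -PreContent $summary | Out-String
} else {
    # Nothing to tabulate: send only the summary line.
    $body = ConvertTo-Html -Head $style -Body $summary | Out-String
}

# Subject carries the reporting machine's name and the report date.
$subject = "Stale computer accounts report from $env:COMPUTERNAME - $(Get-Date -Format 'yyyy-MM-dd')"

Send-MailMessage -SmtpServer $SmtpServer -From $From -To $To -Subject $subject -Body $body -BodyAsHtml
```

Microsoft marks Send-MailMessage as obsolete because it cannot guarantee a secure connection to the SMTP server, so point it at an internal relay. The report only lists accounts; review it before disabling or removing anything.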