PowerShell: Get-ADComputer to retrieve computer last logon date (and disable them) – part 2


In this article we’ll look at using Get-ADComputer and Set-ADComputer to list computer accounts which haven’t logged in for xx days, and then automatically disable them.

In part 1 we looked at how to use Get-ADComputer to list computers by name and sort them by their last logon date with the premise that we can use the information to remove historic computer accounts from the domain.

Now we know the computer accounts we want to work with we will look at modifying the PowerShell command to automatically disable them.

As a recap, the command that we ended up with from part 1 was:

Get-ADComputer -Filter * -Properties *  | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt

A comment from part 1 of this series by Ryan pointed out that it would use less resources to use -Properties LastLogonDate, rather than -Properties * so to keep things as efficient as possible I’ll be using -Properties LastLogonDate from now on.

So the current command we have is:

Get-ADComputer -Filter * -Properties LastLogonDate  | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt

As we want to list computers that haven’t logged on for xx days, we first need to find todays’ date and set an offset for the number of days old we are looking for.

So let’s start with Get-Command *Date* to list all commands with Date in them.

Get-Command DateOk, so lets take a look at Get-Date.

Get-DateNext let’s add an offset to todays’ date and save it in a variable.

$datecutoff = (Get-Date).AddDays(-120)

datecutoff get-date adddays

So now we can specify a date xx days ago, all we need to do it compare this to the last logon data to give us out list of computer accounts we are interested in working with. I’ve changed the order of -Properties and -Filter because it makes more sense to me logically,

$datecutoff = (Get-Date).AddDays(-365)

Get-ADComputer  -Properties LastLogonDate -Filter {LastLogonDate -lt $datecutoff} | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

get-adcomputer properties lastlogondate filter lastlogondate lt datecutoff sort lastlogondate ft name lastlogondate autosize

Now we have our list of computer accounts older than 365 days on this example, we need to look at disabling them. There are a couple of Commands we can use to do this. Set-ADComputer is the obvious choice as we are already using Get-ADComputer, another option would be Disable-ADAccount.

So to disable a computer account the command is:

Set-ADComputer -Enabled $false

Now combining the two commands together I’ve added the -WhatIf switch so the command doesn’t actualy make any changes, but describes what would happen if the command was run.

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $datecutoff} | Set-ADComputer -Enabled $false -whatif

get-adcomputer properties lastlogondate filter lastlogondate lt datecutoff set-adcomputer enabled false whatifFrom the output above you can set that for each computer account listed the set command will be run against it, which is exactly what we want.

So the final commands to disable computer accounts over 365 days old (in our example) is:

$datecutoff = (Get-Date).AddDays(-365)

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $datecutoff} | Set-ADComputer -Enabled $false

Remember if you are using SBS 2011 you’ll need to either run the PowerShell as Administrator by right clicking the PowerShell icon and selecting Run as Administrator.

Run PowerShell as Administrator

Then, we’ll need to import the Active Directory Module with the command:

Import-Module activedirectory

Import-Module activedirectory

Alternatively you could run the Active Directory Module for Windows PowerShell from the Start – Administrative Tools menu.

Active Directory Module for Windows PowerShell

Below are some links to Microsoft Technet references.

Get-ADComputer can be found here: http://technet.microsoft.com/en-us/library/ee617192.aspx

Dates and time information can be found here: http://technet.microsoft.com/en-us/library/ff730960.aspx

Comparison Operators information can be found here: http://technet.microsoft.com/en-gb/library/hh847759.aspx

Set-ADComputer cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee617263.aspx

Disable-ADAccount cmdlet can be found here: http://technet.microsoft.com/en-gb/library/ee617197.aspx

Related Posts:

1. PowerShell: Get-ADComputer to retrieve computer last logon date – part 1

2. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1

3. PowerShell: Get-ADUser to retrieve password last set and expiry information

4. Exchange PowerShell: How to find users hidden from the Global Address List

5. Exchange PowerShell: How to enumerate and modify Distribution Group properties

14 thoughts on “PowerShell: Get-ADComputer to retrieve computer last logon date (and disable them) – part 2

  1. Matt

    When I am looking through my AD computers, more than half of them have a null value for LastLogonDate. Do you know why this would be occurring, and what I can do about it?

  2. billerdude

    Great post! I really like how you walk through each step in a logical manner to ensure that all the small steps that are required to get the end result are covered. I really appreciate how you talked through not only identifying the logic required to complete the task, but also how to translate that thought process into a PowerShell script. Great job!

  3. Hans

    your posts are really good!
    why would a computer have no lastlogon data?
    How can i include computers with no lastlogon data in the cut off date so as to disable them as well?


  4. Ale

    Hans, take a look at the output of this one liner (using 240 days as a cutoff date) to include computers with no LastLogonDate:

    get-adcomputer -properties LastLogonDate -filter * | where {$_.LastLogonDate -lt (Get-Date).AddDays(-240)} | sort LastLogonDate | FT Name, LastLogonDate -autosize

    and maybe later:

    get-adcomputer -properties LastLogonDate -filter * | where {$_.LastLogonDate -lt (Get-Date).AddDays(-240)} | Set-ADComputer -Enabled $false

    1. OxfordSBSguy.com

      Hi Kevin, looking online there are a few scritps available, but they all look quite complex to me! I don’t know of an easy PowerShell oneliner. If you find out please let me know.

  5. Franki

    This is what I’ve been using..

    Search-ADAccount -AccountInactive -DateTime “01.12.2014” –ComputersOnly | Sort-Object | export-csv computers.csv

    Has always worked well enough for us.. is there a reason why adcomputer is better ?

  6. Joerg

    Hi Carl,

    thanks for this article, really helps understanding the commands.
    Just wanted to inform you that there is a little mistake in the commands at the end, since they use “LastLogonData” instead of “LastLogonDate” (which does not give any results) 🙂


  7. Matthew Karns

    Great posting, I like the step by step look into your methods.

    Instead of disabling the account that has not logged in within the past 365 days, I am looking for a script that would automatically generate an email of those computers and email it to me

    1. OxfordSBSguy.com Post author

      Yes, use Get-ADComputer -Identity computername. For more details use “Get-Help Get-ADComputer -examples”.


Leave a Reply

Your email address will not be published. Required fields are marked *