HOWTO: Identify Stale AD Users or Computers

There are a couple of ways to identify whether a computer account in Active Directory is stale. The approach I recommend is setting up a policy for your Active Directory domain that spells out the rules: if a computer account of any type doesn't log on for a specified amount of time, the account may be subject to removal.

The catch is remote systems, such as a laptop whose user can do everything they need through a web application and so may never log on to the domain; give this some thought before performing wholesale account deletions. Further, I recommend the following staged approach if there are a lot of questions about the Active Directory domain and basic housekeeping needs to be done:

1. Set a threshold of time for stale accounts to be removed (for example, two months).
2. Move the potentially stale accounts to a new organizational unit (OU) and disable them.
3. Run an additional threshold for stale accounts that have been in this OU for one additional month and delete them.

In my personal lab, I ran the dsquery command to see how many computer accounts have been idle for two months.

The command dsquery computer -inactive 8 runs against the entire domain of the computer it is run on; the value given to -inactive is a number of weeks, so 8 is roughly two months. Additional parameters, such as querying only specified OUs, can be used to target certain areas such as old server accounts. If one of the computers in the result subsequently logs on to Active Directory again, dsquery will not return it on the next iteration once its activity is back within the threshold. As a safety measure, you can run this report quarterly and identify the consistently inactive accounts, cleaning them up in stages and getting a better handle on your computer account behavior.

You can substitute user for computer to do the same thing for user accounts.
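The staged approach above (report, then disable and move to a quarantine OU, then delete after a further month) can be scripted with the ActiveDirectory PowerShell module instead of dsquery, and the same script covers both computer and user accounts. The following is an added example, not code from the original post; the quarantine OU name is a hypothetical placeholder that must already exist, the thresholds mirror the post (two months, then one more month), and nothing is changed unless -Commit is passed.

```powershell
<#
  Added example: staged stale-account cleanup with the ActiveDirectory module (RSAT).
  Save as Remove-StaleAccounts.ps1. Without -Commit every change is a -WhatIf dry run.
  The quarantine OU below is a hypothetical placeholder; create it first.
#>
param(
    [ValidateSet('Computer', 'User')]
    [string]$AccountType  = 'Computer',
    [int]$StaleDays       = 60,   # stage 1: about two months without a logon
    [int]$GraceDays       = 30,   # stage 2: one further month in quarantine before deletion
    [string]$QuarantineOU = 'OU=Stale-Quarantine,DC=example,DC=com',   # hypothetical
    [switch]$Commit
)

Import-Module ActiveDirectory

$staleCutoff = (Get-Date).AddDays(-$StaleDays)
$graceCutoff = (Get-Date).AddDays(-$GraceDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates only about
# every 14 days (minus a random offset). Keep the threshold well above 14 days
# and treat the value as approximate, never exact.
if ($AccountType -eq 'Computer') {
    $all         = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated
    $quarantined = Get-ADComputer -SearchBase $QuarantineOU -Filter * -Properties description, LastLogonDate
} else {
    $all         = Get-ADUser -Filter 'Enabled -eq $true' -Properties LastLogonDate, whenCreated
    $quarantined = Get-ADUser -SearchBase $QuarantineOU -Filter * -Properties description, LastLogonDate
}

# Stage 1: enabled accounts outside the quarantine OU with no logon since the cutoff.
$stale = @($all | Where-Object {
    $_.DistinguishedName -notlike "*,$QuarantineOU" -and
    $_.LastLogonDate -and $_.LastLogonDate -lt $staleCutoff
})
# Accounts that have never logged on look stale too, but a pre-staged or freshly
# joined account looks the same way, so they are only reported for manual review.
$neverLoggedOn = @($all | Where-Object { -not $_.LastLogonDate -and $_.whenCreated -lt $staleCutoff })

Write-Host ("Stage 1: {0} stale {1} account(s), no logon since {2:yyyy-MM-dd}" -f $stale.Count, $AccountType, $staleCutoff)
$stale | Select-Object Name, LastLogonDate, DistinguishedName | Format-Table -AutoSize
Write-Host ("Manual review: {0} account(s) older than the threshold that have never logged on" -f $neverLoggedOn.Count)

foreach ($acct in $stale) {
    # Stamp the description so stage 2 can enforce the grace period and a ticket can trace the change.
    $note = "Stale-quarantined {0:yyyy-MM-dd}; last logon {1:yyyy-MM-dd}" -f (Get-Date), $acct.LastLogonDate
    Set-ADObject     -Identity $acct.DistinguishedName -Replace @{ description = $note } -WhatIf:(-not $Commit)
    Disable-ADAccount -Identity $acct.DistinguishedName -WhatIf:(-not $Commit)
    Move-ADObject    -Identity $acct.DistinguishedName -TargetPath $QuarantineOU -WhatIf:(-not $Commit)   # DN changes after this, so move last
}

# Stage 2: delete accounts that have sat in quarantine for the full grace period.
foreach ($acct in $quarantined) {
    if ($acct.description -notmatch 'Stale-quarantined (\d{4}-\d{2}-\d{2})') { continue }   # not placed here by this script
    $since = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)

    if ($acct.LastLogonDate -and $acct.LastLogonDate -gt $since) {
        # A disabled account cannot log on, so this means someone re-enabled it; hands off.
        Write-Warning "$($acct.Name) has logged on since quarantine; re-enable and move it back by hand"
        continue
    }
    if ($since -lt $graceCutoff) {
        # -Recursive covers child objects (e.g. BitLocker recovery info under a computer object).
        Remove-ADObject -Identity $acct.DistinguishedName -Recursive -Confirm:$false -WhatIf:(-not $Commit)
    }
}
```

Run it as .\Remove-StaleAccounts.ps1 -AccountType Computer for the report-only pass, inspect the stage 1 list and the never-logged-on count, and only then run it again with -Commit. Running it quarterly, as the post suggests, naturally turns stage 1 of one run into stage 2 of the next, and the description stamp is what lets a later run (or a help-desk ticket) tell a deliberately quarantined account from one that was merely moved.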