How to Find Inactive Computers in Active Directory

Admins often struggle to manage organizational resources effectively due to unused computers. These computers may be inactive due to low usage or temporarily disabled during employee offboarding or transfers. To manage these devices wisely, it’s important to differentiate them as inactive and disabled computers. Misjudging them could result in unnecessary deletions and service disruptions.

Here’s a clear difference between the two to help decide their relevance and take appropriate actions .

In Active Directory, computers act as resource hubs that store sensitive and critical organizational data. When these computers remain inactive for extended periods, they create both security risks and unnecessary resource consumption . Therefore, properly managing these computers is essential to optimize resource usage and management overhead.

When it comes to managing inactive Active Directory computers, disabling them serves as the first layer of defense against potential security risks, such as device compromise or unauthorized actions by former employees. By proactively disabling these accounts, you can prevent misuse and secure your Active Directory environment from vulnerabilities.

Let’s dive into the steps to effectively disable inactive computers in Active Directory.

• Open ADUC and right- click the inactive computer.
• Choose Disable Account from the context menu.
• Click Yes in the warning dialog box to disable the selected computer in Active Directory.

Utilize the below PowerShell cmdlet to disable an inactive computer in your Active Directory environment.

Set-ADComputer -Identity <ComputerName>  -Enabled $false

Note: Replace the <ComputerName> with the sAMAccountName of the targeted computer before running the cmdlet.

• All Active Directory Computers report: Monitor and manage computers across all organizational units of a domain in a centralized, single report.
• Quick Actions: Select any inactive computer from the list, click More Action, and choose Disable Computer to complete the task effortlessly.

Pro Tip: You can select multiple computers and disable them all at once, no need for complex PowerShell scripts or time-consuming native solutions.

Once inactive computers are disabled and approved for deletion, the next step is to remove them from Active Directory. This process reduces security risks and improves management efficiency. It also offers benefits such as resource management, smoother migrations, etc.

For instance, during migration, excess inactive resource accounts can lead to additional costs and time-consuming processes. By removing the inactive computers, we can ensure that only active AD computers are migrated into the new AD environment.

Follow the steps below to remove the inactive computers from your Active Directory environment:

• Launch the Active Directory Users and Computers console.
• Navigate to the respective OU where the computer is located and right-click on the respective computer.
• Click on Delete to initiate the removal. Then, select ‘Yes’ in the confirmation window to delete the computer from Active Directory.

Manually navigating through multiple OUs to locate and delete inactive computers can be a tedious and time-consuming process. Instead, you can use their identity in the following PowerShell cmdlet to remove them from Active Directory.

Remove-ADComputer -Identity "<ComputerName>"

Use the below PowerShell script to remove multiple AD computer accounts quickly to avoid unnecessary replication and security risks.

$Computers = @("<ComputerName>", "<ComputerName>", "<ComputerName>") 
 foreach ($Computer in $Computers) { 
   Remove-ADComputer -Identity $Computer -Confirm:$false 
 }

To remove multiple computers with specific location property, you shall use the below PowerShell cmdlet.

Note: Replace the <LocationConfiguredinProperties> with the value defined in each computer’s Location filed under Properties page.

Get-ADComputer -Filter 'Location -eq "<LocationConfiguredinProperties>"' | Remove-ADComputer

In a large Active Directory hierarchy, a quick response during a security breach is essential. This includes identifying and disabling all inactive computers in AD, then isolating them in OUs with minimal permissions. These measures help to prevent unnecessary access or security risks via inactive AD computers and protect critical resources.

Utilize the script below to disable and move AD computer accounts using PowerShell.

$DaysInactive = 90 , $time = (Get-Date).Adddays(-($DaysInactive))
$ComputerList = @(Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan 90 | Select Name, DistinguishedName)
$ComputerList 
foreach ($Computer in $ComputerList) { 
Disable-ADAccount -Identity  $Computer.DistinguishedName 
Move-ADObject -Identity $Computer.DistinguishedName -TargetPath ""
}

Note: The above PowerShell script will disable computer accounts that have been inactive for over 90 days and move those to the specified OU.

Expert Tip: Schedule the above PowerShell script in Task Scheduler to automate the process of disabling inactive computer accounts and moving them to a specific organizational unit.

Create a custom flow agent with the required conditions and automate all your time-consuming Active Directory management processes in just a few clicks.