Find Inactive Computer Objects in Active Directory Using the lastLogonTimeStamp Property

Inactive computer objects in ad

From time to time I find myself re-inventing this piece of code. Maybe you do too?

The problem you want to solve is the following:

How do you identify obsolete computer objects in Active Directory in order to do some overdue housekeeping?

There are different properties that can help you get your hands on this information. I usually use the following property:

lastLogonTimeStamp

All domain joined Windows operating systems have an account and a password in Active Directory, just like users (except, the computer account password is 120 characters long!).

To operate properly computer accounts perform a logon to the domain just like users do.

Every time a user or computer logs on to Active Directory the authenticating domain controller will check the lastLogonTimeStamp attribute of the account. If the value is older than 14 days the lastLogonTimeStamp attribute is updated with the current time. The 14 day check is to avoid overloading the AD replication and is controlled by the ms-DS-Logon-Time-Sync-Interval attribute in the domain naming context.

If the value of the lastLogonTimeStamp attribute is a lot older than 14 days it’s an indication that the account is not active anymore.

Get the full details on lastLogonTimeStamp here.

Converting lastLogonTimeStamp From FileTime to DateTime

The value of the lastLogonTimeStamp will look a bit odd at first sight. Here’s my birthday e.g.:

116961336000000000

The format of the attribute is a FileTime structure which measures the number of 100 nano-second intervals since January 1st 1601 (UTC time).

Out of pure embarrassment I’m not going to convert the above value for you! But I will show you how to convert your lastLogonTimeStamp properties in PowerShell. Very simple:

[datetime]::FromFileTime($Server.lastLogonTimeStamp)

With the conversion in place let’s have a look at a script to get you the complete list from your Active Directory.

How to Get All Obsolete Computer Objects From Active Directory Using PowerShell

Using the previous information a PowerShell solution could look like this:

$Servers = Get-ADComputer -Properties lastLogonTimeStamp -Filter * -ResultSetSize $null
"Name;DN;lastLogonTimeStamp" | Out-File ".\ServerList.txt"
ForEach ($Server In $Servers)
{
  $Output = $Server.Name + ";" + $Server.distinguishedName + ";" + [datetime]::FromFileTime($Server.lastLogonTimeStamp)
  Write-Host $Output
  $Output | Out-File ".\ServerList.txt" -Append
}

This will get you a nice semicolon separated list with the name, distinguishedName and lastLogonTimeStamp of all computer objects in your Active Directory.

The list is printed to the console and also saved to a txt file.

You can then paste the result into Excel and do all the sorting and filtering you want.

Speed Up Your Office 365 Management

If you have a hybrid AD with Office 365 integration you can simplify your user, mailbox and license management a great deal!

Install the Easy365Manager extension to the AD Users & Computers tool and manage everything in one consolidated well-known tool. Be the smart guy:

Easy365Manager Administrator