Active Directory: Identify Stale Computer Accounts

Using the Active Directory module included with Windows 7 and Windows 2008 R2, we can use PowerShell to identify computer accounts that are “stale”, meaning they have not changed their passwords in a specified amount of time.

Define the Window for “Stale”

This example checks for passwords that are at least 365 days old.

PS> $LastSetDate = [DateTime]::Now - [TimeSpan]::Parse("365")

Count the Number of PCs which are Stale

PS> @(Get-ADComputer -Filter {PasswordLastSet -le $LastSetDate} -Properties PasswordLastSet -ResultSetSize $null).Count

Output a List of the Computer Accounts

PS> Get-ADComputer -Filter {PasswordLastSet -le $LastSetDate} -Properties PasswordLastSet -ResultSetSize $null | ft SamAccountName,PasswordLastSet
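
The three steps above combined into one reusable function, as an added example that is not part of the original post. The function name, the `-SearchBase` parameter and the CSV path are hypothetical; it queries the underlying `pwdLastSet` attribute with `-LDAPFilter` instead of the `-Filter` expression used above, and also returns `Enabled` and `LastLogonDate` so each result can be cross-checked.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-StaleComputerAccount {   # hypothetical helper name
    [CmdletBinding()]
    param(
        # Age threshold in days; 365 matches the example on this page.
        [ValidateRange(1, 36500)]
        [int]$Days = 365,
        # Optional OU or container DN to search under (assumption: supplied by the caller).
        [string]$SearchBase
    )

    $now    = Get-Date
    $cutoff = $now.AddDays(-$Days)

    # PasswordLastSet is derived from pwdLastSet, which stores a FILETIME integer.
    # Comparing integers in an LDAP filter means no date string has to be parsed.
    $query = @{
        LDAPFilter = "(pwdLastSet<=$($cutoff.ToFileTimeUtc()))"
        Properties = 'PasswordLastSet', 'LastLogonDate'
    }
    if ($SearchBase) { $query['SearchBase'] = $SearchBase }

    # Emit plain objects (no Format-Table) so callers can count, sort, or export them.
    Get-ADComputer @query -ResultSetSize $null |
        Select-Object SamAccountName, Enabled, PasswordLastSet,
            @{ Name = 'PasswordAgeDays'; Expression = {
                # Left empty when the account has no recorded password change.
                if ($_.PasswordLastSet) {
                    [int][math]::Floor(($now - $_.PasswordLastSet).TotalDays)
                }
            } },
            LastLogonDate, DistinguishedName
}

# One query feeds the count, the on-screen list, and the report file.
$stale = @(Get-StaleComputerAccount -Days 365)
"Stale computer accounts: $($stale.Count)"
$stale | Sort-Object PasswordLastSet |
    Format-Table SamAccountName, Enabled, PasswordLastSet, PasswordAgeDays, LastLogonDate -AutoSize
$stale | Export-Csv -Path .\stale-computers.csv -NoTypeInformation   # constructed output path
```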