Find Old Computer Accounts in Active Directory using PowerShell

How to find old computer accounts in Active Directory using PowerShell. What's an old computer account in Active Directory? Well, it's a computer account whose password hasn't been updated for a long time. This is a reasonable measure of whether the computer account is currently in use or not. It's not foolproof: a computer can be configured to never update its password, and some computer accounts represent something other than an actual computer (a cluster, for example). So, before you go and delete all of your old computer accounts, you should do some further analysis.

Anyway, the date when the computer account password was last set is stored in an AD attribute called pwdLastSet. It's stored as a large integer (Int64) and represents the number of 100-nanosecond intervals since midnight, Jan 1st, 1601, a huge number. The idea is to figure out how many days have elapsed between the stored date and today, giving the age of the password. I've shown you how to do this with Perl in the article: Find Old Computer Accounts using Perl

Boy, is it a heck of a lot easier to do in PowerShell! The big difference is that .NET handles the conversion from a large integer to a date in one call, and PowerShell has some date math functions that make it easy to compare the dates. There's a bunch of code in the Perl version just to figure out how many days have passed since Jan 1, 1601, including how many leap years and all that nonsense. PowerShell's New-TimeSpan cmdlet does that for you. Sweet.

This script searches for computer accounts in Active Directory, gets the pwdLastSet attribute, converts it to a date and calculates the difference, in days, between then and now. It then returns the name of the computer and the password age in days, but only if the password is older than 60 days.

# Bind to the current domain and search it for every computer object
$domain = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.PageSize = 100    # paged results, so large domains aren't cut off at the server's size limit
$searcher.Filter = "(objectCategory=Computer)"
$propList = ("name","pwdLastSet")
foreach ($i in $propList){ [void]$searcher.PropertiesToLoad.Add($i) }
$results = $searcher.FindAll()
foreach ($result in $results){
 # pwdLastSet is a 64-bit file time; FromFileTime converts it straight to a local DateTime
 $pwdLastSet = [Int64]($result.Properties.Item("pwdlastset")[0])
 $pwdAge = New-TimeSpan -Start ([datetime]::FromFileTime($pwdLastSet)) -End (Get-Date)
 if($pwdAge.Days -gt 60){
  "$($result.Properties.Item("name"))`t$($pwdAge.Days)"
 }
}
$results.Dispose()
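As an added example (mine, not part of the original post), here is a version that covers the caveats raised above: it treats a missing or zero pwdLastSet as "never set" instead of reporting a 400-year-old password, and pulls lastLogonTimestamp and the disabled bit of userAccountControl alongside it, so a stale-password hit can be cross-checked before anything is deleted. The 60-day threshold and the attribute names are the post's; the helper function name is my own.

```powershell
# Convert an AD large-integer file time to an age in days; $null when the
# attribute is absent or 0 (never set, or not populated in this domain).
function Get-FileTimeAgeDays {
    param([Int64]$FileTime)
    if (-not $FileTime) { return $null }
    return (New-TimeSpan -Start ([datetime]::FromFileTime($FileTime)) -End (Get-Date)).Days
}

$staleDays = 60
$domain   = New-Object System.DirectoryServices.DirectoryEntry
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = $domain
$searcher.PageSize   = 100
$searcher.Filter     = "(objectCategory=Computer)"
foreach ($p in "name","pwdLastSet","lastLogonTimestamp","userAccountControl") {
    [void]$searcher.PropertiesToLoad.Add($p)
}

$results = $searcher.FindAll()
$report = foreach ($r in $results) {
    $props = $r.Properties   # property names come back lower-cased
    # Each value is a collection; only index [0] when the attribute was actually returned
    $pwdLastSet = if ($props.Contains("pwdlastset"))         { [Int64]$props["pwdlastset"][0] }         else { 0 }
    $lastLogon  = if ($props.Contains("lastlogontimestamp")) { [Int64]$props["lastlogontimestamp"][0] } else { 0 }
    $uac        = if ($props.Contains("useraccountcontrol")) { [Int32]$props["useraccountcontrol"][0] } else { 0 }

    $pwdAge   = Get-FileTimeAgeDays $pwdLastSet
    $logonAge = Get-FileTimeAgeDays $lastLogon   # replicated lazily, so expect it to lag by up to ~14 days

    # Report when the password signal says stale (or was never set); carry the other signals for triage
    if ($null -eq $pwdAge -or $pwdAge -gt $staleDays) {
        [pscustomobject]@{
            Name         = [string]$props["name"][0]
            PwdAgeDays   = $pwdAge                 # $null = pwdLastSet never set
            LogonAgeDays = $logonAge               # $null = lastLogonTimestamp blank in this domain
            Disabled     = ($uac -band 0x2) -ne 0  # ACCOUNTDISABLE bit of userAccountControl
        }
    }
}
$results.Dispose()

$report | Sort-Object PwdAgeDays -Descending | Format-Table -AutoSize
```

A row with an old password but a recent LogonAgeDays is a machine that is still authenticating and needs a look rather than a deletion.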

3 comments:

Anonymous said...

Hi Brian,

Thanks for sharing a nice technique in PowerShell to get information....

Thanks,

Ganesan K (http://techhowknow.com)

Anonymous said...

Brian, thanks for the article. FYI, pwdLastSet is only part of the picture. A computer could fail to set its password and still have some functionality. To be more thorough, you can check the following: pwdLastSet, badPasswordTime, lastLogonTimestamp.

Brian said...

It's true, a computer may not update its computer account password; you can disable it in the registry, for example. You could check the age of the lastLogon attribute, I suppose; maybe I'll write a post on how to do that. lastLogonTimestamp won't always work, it's blank in my domain, and badPasswordTime records when the account tried to log on with a bad password, so that's not relevant.
