Active Directory becomes cluttered very quickly. Laptops get replaced, devices are rebuilt, users leave the business, but the computer objects are often forgotten.
Over time this creates:
- Security risks
- Confusing audit results
- Licensing waste
- Slower reporting and management
This PowerShell script exports a detailed list of computers from a chosen OU and highlights which machines have not logged in for more than 120 days. It gives you a simple CSV file showing exactly what should be reviewed or removed.
If you are already using PowerShell for clean-up tasks, you may also find How to Find Duplicate Files Using PowerShell useful when dealing with old user data.
Why people need this script
This script is ideal when:
- You are preparing for a Cyber Essentials or ISO audit
- You need to tidy Active Directory after a large refresh project
- You want evidence for decommissioning machines
- Your AD structure is full of unknown or legacy computers
It also works well alongside Fix Windows Log-On Issues by Repairing Critical Services and Forcing Group Policy, especially when dealing with broken or abandoned machines.
What the report shows
The CSV file contains:
- Computer name
- The OU it belongs to
- When it last logged on
- How many days it has been inactive
- Operating system details
- A suggested action – Keep or Delete
This makes it very easy to filter for machines that have been inactive for more than 120 days and clean them up safely.
Script
<#
.SYNOPSIS
Exports a detailed Active Directory computer report from a specific OU to a CSV file.
.DESCRIPTION
This script retrieves all computer objects from the specified OU in Active Directory and outputs a report with key information including Name, LocationOU, Distinguished Name, Last Logon, OS info, and suggested actions.
.OUTPUTS
CSV file containing the computer report.
.NOTES
Author: DIGITALGEEKERY
#>
Import-Module ActiveDirectory

# Output file and the OU to search (replace both with values for your domain)
$ExportPath = "D:\AD_ComputerReport_120Days.csv"
$OU = "OU=Region,OU=All-Computers,DC=YourDomain,DC=Local"

# Retrieve every computer object under the OU, with the attributes the report needs
$Computers = Get-ADComputer -SearchBase $OU -Filter * -Properties Name,OperatingSystem,OperatingSystemVersion,LastLogonDate,Enabled,whenCreated,DistinguishedName

# Build one report row per computer
$Report = $Computers | Select-Object `
    @{Name="Name";Expression={$_.Name}},
    @{Name="LocationOU";Expression={
        # The OU directly beneath "OU=Region" is the DN component just before it
        $dnParts = ($_.DistinguishedName -split ',')
        $regionIndex = $dnParts.IndexOf("OU=Region")
        if ($regionIndex -gt 0 -and ($regionIndex - 1) -ge 0) {
            $dnParts[$regionIndex - 1] -replace '^OU=', ''
        } else { "Unknown" }
    }},
    @{Name="DistinguishedName";Expression={$_.DistinguishedName}},
    @{Name="LastLogonDate";Expression={$_.LastLogonDate}},
    @{Name="DaysSinceLastLogon";Expression={
        # Whole days since the last recorded logon, or "Never" when none is recorded
        if ($_.LastLogonDate) { (Get-Date) - $_.LastLogonDate | Select-Object -ExpandProperty Days } else { "Never" }
    }},
    @{Name="Enabled";Expression={$_.Enabled}},
    @{Name="OperatingSystem";Expression={$_.OperatingSystem}},
    @{Name="OSVersion";Expression={$_.OperatingSystemVersion}},
    @{Name="DateCreated";Expression={$_.whenCreated}},
    @{Name="SuggestedAction";Expression={
        # "Delete" when there is no recorded logon or the last logon is more than 120 days old
        if (-not $_.LastLogonDate -or ((Get-Date) - $_.LastLogonDate).Days -gt 120) { "Delete" }
        else { "Keep" }
    }}

# Write the report to CSV
$Report | Export-Csv -Path $ExportPath -NoTypeInformation -Encoding UTF8
Write-Host "AD computer report exported to $ExportPath"
How to use the results
Once the CSV is generated, open it in Excel and filter by:
- SuggestedAction = Delete
- Or DaysSinceLastLogon greater than 120
Before deleting anything, cross-check with your service desk or asset system. For bulk actions, the posts How to Add Domain Users to the Local Administrators Group in Windows and PowerShell Startup Scripts Using GPO pair well with this clean-up workflow.
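The filter step above can also be done in PowerShell. The following is an added example, not part of the original script: it re-reads the report and separates two cases the SuggestedAction column merges, because the script marks every computer with no recorded logon as Delete whatever its age, and DaysSinceLastLogon holds the text "Never" for those rows, which a numeric filter skips. The function name `Get-StaleComputerTriage`, the triage labels, the sample rows and the ISO date format are assumptions made for this example.

```powershell
# Added example: second-pass triage of the exported report. Runs offline, no AD module needed.
# Constructed sample rows (not real machines), using a subset of the report's columns.
$SampleCsv = @'
"Name","DaysSinceLastLogon","Enabled","DateCreated","SuggestedAction"
"PC-001","12","True","2023-01-10","Keep"
"PC-002","240","True","2021-06-01","Delete"
"PC-003","Never","True","2025-05-20","Delete"
"PC-004","Never","True","2022-03-15","Delete"
"PC-005","300","False","2020-09-09","Delete"
'@

# Hypothetical helper name; the triage labels are this example's own, not the script's.
function Get-StaleComputerTriage {
    param(
        [Parameter(Mandatory)] [object[]] $Rows,
        [datetime] $AsOf = (Get-Date),
        [int] $ThresholdDays = 120
    )
    foreach ($row in $Rows) {
        # DaysSinceLastLogon is either a number or the text "Never": parse it explicitly.
        $days = 0
        $hasLogon = [int]::TryParse($row.DaysSinceLastLogon, [ref]$days)

        # Assumption: DateCreated is ISO formatted as in the sample. A real export uses the
        # date format of the machine that ran it, so adjust the parse to match.
        $created = [datetime]::Parse($row.DateCreated, [cultureinfo]::InvariantCulture)
        $ageDays = ($AsOf - $created).Days
        $enabled = $row.Enabled -eq 'True'

        $triage = if ($hasLogon -and $days -le $ThresholdDays) {
            'Keep'
        } elseif (-not $hasLogon -and $ageDays -le $ThresholdDays) {
            'Review: created recently, never logged on'
        } elseif ($enabled) {
            'Cross-check: stale, still enabled'
        } else {
            'Cross-check: stale, already disabled'
        }

        [pscustomobject]@{
            Name = $row.Name; DaysSinceLastLogon = $row.DaysSinceLastLogon
            AccountAgeDays = $ageDays; Enabled = $enabled; Triage = $triage
        }
    }
}

# Fixed "as of" date so the constructed sample gives the same result on every run.
Get-StaleComputerTriage -Rows ($SampleCsv | ConvertFrom-Csv) -AsOf ([datetime]'2025-06-01') |
    Format-Table -AutoSize
```

To run it against the real report, pass the output of `Import-Csv` for the exported file as `-Rows` and drop the `-AsOf` argument.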