Learn How to Find Disabled Computers in Active Directory Via PowerShell
Organizations that use AD must maintain it regularly, and that maintenance is not complete unless admins know how to find disabled computers in Active Directory. The good news is that there is more than one way to identify the dormant devices, including PowerShell, the command line, ADUC, and more.
However, the presence of so many approaches only adds to the confusion. Moreover, it may be only the first phase of a larger question, such as what an Active Directory migration involves. So, to avoid any delay in compiling a list of defunct machines, it is better to rely on a guide. That is exactly what this write-up provides. Before we move on to the best solution, let us look at the reasons that trigger a sudden demand to check for computers that are no longer in use.
Table of Contents
- Why View Old Computers in Active Directory
- Report Disabled Computers in AD Via PowerShell
- ADUC to Get Stale Computer List
- Admin Center to Find Inactive Computers
- Legacy Method of Disabled Computer Identification
- Implementing LDAP Queries
- Use Event Viewer
- Scriptless Way to List Inactive Computer Accounts
- Conclusion
- FAQs
Why Find Old Computers in Active Directory at All?
Behind every reason is the need to maintain Active Directory hygiene, whether through this check or through the Active Directory group membership report. Here is a list of the most common reasons for you to check and match:
- Strengthen Security: With fewer vulnerable devices, administrators reduce the attack surface that a potential adversary could use to infiltrate the AD, thereby improving the security posture of the organization.
- Enhance Efficiency: Defunct computer objects only bog down the live infrastructure. If admins have a list of all inactive computers, they can remove them and bring speed back to day-to-day operations.
- Allow Auditing: Organizations often have to undergo compliance checks. If regulators find a large number of inactive machines during these checks, it only raises suspicion. To avoid any legal trouble, admins have to find these inactive computers beforehand.
Now that the reasons are out of the way let’s get to the methods.
How to Find Disabled Computers in Active Directory Using PowerShell Report?
For those who prefer command-line interfaces and automation, PowerShell offers robust capabilities to manage Active Directory, and with it you can easily find disabled computers in your AD environment.
Here’s how:
Open a PowerShell session with the Active Directory module loaded and type:
Get-ADComputer -Filter "Enabled -eq 'false'" | Select-Object Name, Enabled <# Add other attributes you wish to see #>
For a more in-depth result, use the following script:
# Import the Active Directory module
Import-Module ActiveDirectory

# Define the threshold for inactive computers (e.g., 90 days)
$inactiveThreshold = (Get-Date).AddDays(-90)

# Fetch all computer objects from Active Directory
$computers = Get-ADComputer -Filter * -Properties Name, DistinguishedName, Enabled, LastLogonDate

# Initialize arrays to hold categorized computer objects
$normalComputers   = @()
$inactiveComputers = @()
$disabledComputers = @()

# Categorize the computer objects. Disabled is tested first, so a disabled
# computer is never double-counted as inactive.
foreach ($computer in $computers) {
    if (-not $computer.Enabled) {
        $disabledComputers += $computer
    } elseif ($computer.LastLogonDate -lt $inactiveThreshold) {
        # LastLogonDate is $null for a computer that never logged on; it lands here as inactive
        $inactiveComputers += $computer
    } else {
        $normalComputers += $computer
    }
}

# Function to create a custom object for export
function Create-CustomObject {
    param (
        [array]$Computers,
        [string]$Category
    )
    $result = @()
    foreach ($computer in $Computers) {
        $obj = [PSCustomObject]@{
            Name              = $computer.Name
            DistinguishedName = $computer.DistinguishedName
            Category          = $Category
        }
        $result += $obj
    }
    return $result
}

# Combine all results
$allResults  = @()
$allResults += Create-CustomObject -Computers $normalComputers   -Category "Normal"
$allResults += Create-CustomObject -Computers $inactiveComputers -Category "Inactive"
$allResults += Create-CustomObject -Computers $disabledComputers -Category "Disabled"

# Export to CSV
$csvPath = "C:\Users\Administrator\Desktop\ADComputerCategories.csv"
$allResults | Export-Csv -Path $csvPath -NoTypeInformation

# Function to display the results in a colored table
function Show-Results {
    param (
        [array]$Computers,
        [string]$Category,
        [string]$Color
    )
    Write-Host "$Category Computers:" -ForegroundColor $Color
    $Computers | Format-Table Name, DistinguishedName, @{Name="Category"; Expression={$Category}} -AutoSize
    Write-Host ""
}

# Display the results
Show-Results -Computers $normalComputers   -Category "Normal"   -Color "Green"
Show-Results -Computers $inactiveComputers -Category "Inactive" -Color "Yellow"
Show-Results -Computers $disabledComputers -Category "Disabled" -Color "Red"
Write-Host "Results exported to $csvPath"
If the Active Directory Users and Computers (ADUC) MMC snap-in is installed on your AD server, you can also use it to get the data.
Report and List Inactive Computer Accounts in Active Directory with ADUC
One of the most straightforward methods to find disabled computers in Active Directory is by using the Active Directory Users and Computers (ADUC) management console.
Follow these Steps:
- Launch ADUC > Click on View > Enable Advanced Features
- Show all Domain Objects > Go to Computers
- Right-click on the computer you suspect of being inactive or disabled.
- Select the Properties option from the Context Menu.
- In the Properties Dialog box Go to the Attribute Editor Tab
- Search for the following Attributes:
- lastLogon: Displays the time (as a count of 100-nanosecond intervals) when a user last entered the domain using this computer object. It is calculated from user activity automatically.
- lastLogoff: Displays the time when user activity on this computer last stopped.
- lastLogonTimestamp: A copy of the logon time that is refreshed only when the stored value is older than an admin-defined interval, so it can lag behind the true last logon.
- userAccountControl: When you open the “userAccountControl” attribute you will see one of two integer values: 4128 for an enabled computer account and 4130 for a disabled one. These correspond directly to the flags shown beside the value, where 0x00001022 includes ACCOUNTDISABLE and tells you everything you need to know. If you don’t see this flag, the computer object is available for use.
The “2” in the right-most (lowest) hexadecimal place, as in 0x1022, is the ACCOUNTDISABLE bit and indicates that the object is disabled.
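The Attribute Editor shows these raw values one computer at a time. The following PowerShell script is an added example, not code from the article, that reads the same attributes for every computer and decodes them: the disabled state from the userAccountControl bitmask (bit 0x2), the stale state from the replicated lastLogonTimestamp, with lastLogon and pwdLastSet reported alongside as cross-checks. It assumes the RSAT ActiveDirectory module on a domain-joined machine; the 90-day threshold is a constructed default.

```powershell
# Added example (not from the article): decode the raw attributes the ADUC
# Attribute Editor shows, for every computer at once, from PowerShell.
# Assumes the ActiveDirectory RSAT module on a domain-joined machine.
Import-Module ActiveDirectory

# ACCOUNTDISABLE is bit 0x2 of userAccountControl (ADS_UF_ACCOUNTDISABLE).
$ACCOUNTDISABLE = 0x2

function ConvertFrom-FileTime {
    # lastLogon, lastLogonTimestamp and pwdLastSet are stored as 100-nanosecond
    # intervals since 1601-01-01 UTC; 0 (or an absent attribute) means "never".
    param([Int64]$Value)
    if ($Value -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($Value)
}

function ConvertTo-ComputerAccountState {
    # Turns one ADComputer object (fetched with the raw attributes below) into a
    # summary row: Disabled decoded from the bitmask, Stale from lastLogonTimestamp.
    param(
        [Parameter(ValueFromPipeline)] $Computer,
        [int]$InactiveDays = 90          # constructed default threshold
    )
    process {
        $threshold   = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays)
        $lastLogonTs = ConvertFrom-FileTime $Computer.lastLogonTimestamp
        $isDisabled  = ($Computer.userAccountControl -band $ACCOUNTDISABLE) -ne 0
        # A computer that never logged on ($null) counts as stale as well.
        $isStale     = ($null -eq $lastLogonTs) -or ($lastLogonTs -lt $threshold)

        [PSCustomObject]@{
            Name                  = $Computer.Name
            # Same value in hex and decimal, e.g. 0x00001022 (4130) for a disabled workstation
            UserAccountControl    = '0x{0:X8} ({0})' -f $Computer.userAccountControl
            Disabled              = $isDisabled
            # Replicated, but only refreshed when older than the domain's sync interval,
            # so it can lag the true last logon by days.
            LastLogonTimestampUtc = $lastLogonTs
            # lastLogon is NOT replicated: this is the value held by the DC you queried.
            LastLogonThisDcUtc    = ConvertFrom-FileTime $Computer.lastLogon
            # Machine password rotation is an independent liveness signal.
            PwdLastSetUtc         = ConvertFrom-FileTime $Computer.pwdLastSet
            Stale                 = $isStale
        }
    }
}

function Get-StaleOrDisabledComputers {
    param([int]$InactiveDays = 90)
    Get-ADComputer -Filter * -Properties userAccountControl, lastLogon, lastLogonTimestamp, pwdLastSet |
        ConvertTo-ComputerAccountState -InactiveDays $InactiveDays |
        Where-Object { $_.Disabled -or $_.Stale }
}

# Usage: report, do not act. Review the list before disabling or deleting anything.
Get-StaleOrDisabledComputers -InactiveDays 90 |
    Sort-Object Disabled, LastLogonTimestampUtc |
    Format-Table Name, UserAccountControl, Disabled, Stale, LastLogonTimestampUtc, PwdLastSetUtc -AutoSize
```

Because lastLogon is not replicated, a computer can look stale on one domain controller and current on another; lastLogonTimestamp and pwdLastSet are the replicated signals to rely on for a domain-wide report.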
Another direct GUI-based way to check the computer status is through the Active Directory Admin Center. Moreover, if the ADUC snapin is not present, this might be the only default way available that does not involve code.
Steps to Find Old Computers in Active Directory using Admin Center
- Search for Admin Center using the Windows Search bar or Open it via the Tools Menu in Server Manager.
- In the Administrative Center navigation pane, check whether the “Computers” container is present below the domain name. If it is, click on it; otherwise click on the black arrow and choose Computers from the context menu.
- When the Computers are visible click on them and look at the Tasks pane.
- The defunct computers are marked as (disabled), whereas enabled computers just display their name.
- To see inactive or old computers that have not been used in a while select a computer and click on properties.
- Toggle the Extensions tab > Select Attribute Editor > Check for the same Attributes that we mentioned during the above ADUC tutorial.
Legacy Techniques to Find Stale Computer Objects in AD
If you operate an older version of Windows Server, then the command line will suffice. It is similar to the one used to find locked out accounts in Active Directory setup.
Open CMD on your workstation and type
> dsquery computer -disabled
Or, from a PowerShell prompt with the Active Directory module loaded (Search-ADAccount is a PowerShell cmdlet, not a CMD command):
> Search-ADAccount -AccountInactive -ComputersOnly
Another method is to use the Visual Basic script.
' This code finds disabled computer accounts in an AD domain.
' ------ SCRIPT CONFIGURATION ------
strDomainDN = "" ' To find disabled computers in Active Directory replace with your actual domain name in LDAP format (for example DC=example,DC=com)
' ------ END CONFIGURATION ---------

' An ADO/ADSI query string has the form "<LDAP://base>;(filter);attributes;scope"
strBase   = "<LDAP://" & strDomainDN & ">;"
strFilter = "(&(objectclass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))" ' Filter for disabled accounts
strAttrs  = ";name;userAccountControl" ' Retrieve name and account control attribute
strScope  = ";subtree" ' Search the whole domain
Const ADS_UF_ACCOUNTDISABLE = &H2 ' Flag for disabled account

Set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Open "Active Directory Provider"
Set objRS = objConn.Execute(strBase & strFilter & strAttrs & strScope)

If Not objRS.EOF Then objRS.MoveFirst ' MoveFirst raises an error on an empty recordset
While Not objRS.EOF
    If (objRS.Fields("userAccountControl").Value And ADS_UF_ACCOUNTDISABLE) = ADS_UF_ACCOUNTDISABLE Then
        Wscript.Echo objRS.Fields(0).Value & " (Disabled)"
    Else
        Wscript.Echo objRS.Fields(0).Value & " (Enabled)"
    End If
    objRS.MoveNext
Wend

' Clean up
Set objRS = Nothing
objConn.Close
Set objConn = Nothing
Implementing LDAP Queries
LDAP (Lightweight Directory Access Protocol) queries provide another way for finding disabled computers programmatically from the AD environment.
Using LDAP Browser Tools:
- Step 1. Launch an LDAP browser tool like Apache Directory Studio, Softerra LDAP Browser, or JXplorer.
- Step 2. Establish a connection to your Active Directory domain or server within the LDAP browser.
- Step 3. Navigate to the query interface within the LDAP browser and input the LDAP filter for disabled computers: (&(objectCategory=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))
- Step 4. Run the query, and the results should display a list of disabled computers within the Active Directory.
# Import the Active Directory module
Import-Module ActiveDirectory

# Execute the LDAP query to find disabled computers. The matching rule
# 1.2.840.113556.1.4.803 is a bitwise AND, so the clause is true when the
# ACCOUNTDISABLE bit (2) is set. Do not wrap it in (!...): the negation would
# return the enabled computers instead.
Get-ADComputer -LDAPFilter "(&(objectCategory=computer)(objectClass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))"
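The same LDAP filters can be issued without the ActiveDirectory module, which is what an LDAP browser does under the hood. The script below is an added example, not code from the article, that uses the .NET DirectorySearcher behind PowerShell’s [adsisearcher] accelerator, runs the disabled-computer filter from this section, and adds a second filter for inactive computers by comparing lastLogonTimestamp against a FILETIME cutoff. It assumes a domain-joined machine and the default naming context; the 90-day window is a constructed default.

```powershell
# Added example (not from the article): run this section's LDAP queries without
# the ActiveDirectory module, via the DirectorySearcher that [adsisearcher] wraps.
# 1.2.840.113556.1.4.803 is LDAP_MATCHING_RULE_BIT_AND: the clause matches when
# every bit of the given value is set in the attribute.

$FILTER_COMPUTER = '(objectCategory=computer)(objectClass=computer)'
$FILTER_DISABLED = '(userAccountControl:1.2.840.113556.1.4.803:=2)'   # ACCOUNTDISABLE bit

function Search-ComputersLdap {
    param([string]$Filter)
    $searcher = [adsisearcher]$Filter      # search root: default naming context of the logged-on domain
    $searcher.PageSize = 1000              # paged results; otherwise the server caps the answer at MaxPageSize
    [void]$searcher.PropertiesToLoad.AddRange([string[]]('name', 'distinguishedName', 'userAccountControl', 'lastLogonTimestamp'))
    $results = $searcher.FindAll()
    foreach ($r in $results) {
        $p = $r.Properties                 # property names come back lower-cased
        # lastLogonTimestamp is absent for computers that never logged on
        $lastTs = $null
        if ($p.Contains('lastlogontimestamp')) {
            $lastTs = [DateTime]::FromFileTimeUtc([Int64]$p['lastlogontimestamp'][0])
        }
        [PSCustomObject]@{
            Name                  = $p['name'][0]
            DistinguishedName     = $p['distinguishedname'][0]
            UserAccountControl    = [int]$p['useraccountcontrol'][0]
            LastLogonTimestampUtc = $lastTs
        }
    }
    $results.Dispose()
}

function Get-DisabledComputersLdap {
    Search-ComputersLdap "(&$FILTER_COMPUTER$FILTER_DISABLED)"
}

function Get-InactiveComputersLdap {
    param([int]$InactiveDays = 90)   # constructed default
    # lastLogonTimestamp is a FILETIME integer, so the comparison value must be one too.
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$InactiveDays).ToFileTimeUtc()
    # (!(...)) negates the bitwise clause, keeping enabled computers only, so the
    # two reports do not overlap. Computers with no lastLogonTimestamp at all
    # (never logged on) do not match a <= comparison and must be found separately.
    Search-ComputersLdap "(&$FILTER_COMPUTER(!$FILTER_DISABLED)(lastLogonTimestamp<=$cutoff))"
}

# Usage:
Get-DisabledComputersLdap | Format-Table Name, UserAccountControl, LastLogonTimestampUtc -AutoSize
Get-InactiveComputersLdap -InactiveDays 90 | Format-Table Name, LastLogonTimestampUtc -AutoSize
```

The filter strings are exactly what you would paste into the LDAP browser’s query interface in Step 3; pasting them into a tool only removes the PowerShell around them.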
Another built-in Windows tool that can help is the Event Viewer, so let us see how to use it to find disabled and inactive computer objects.
Find Old and Defunct Computer Accounts in Active Directory via Event Viewer
- Press Windows + R to launch the run module > Type “eventvwr.msc” and press Enter.
- Once the Event Viewer opens, expand the Windows Logs section and select the Security log.
- With the Security log selected, move your cursor to the Actions pane and click on Create Custom View.
- In the dialog that appears, select the By log tab.
- Choose the Security log and put 4725 (“A user account was disabled”) in the Includes/Excludes Event IDs field.
- Click OK and give your custom view a name.
However, the Event Viewer is not a foolproof way to find inactive computers in Active Directory because of the following reasons.
- Computer accounts are treated like user accounts in the Security log, so the Event Viewer filter offers no way to show computer-only results. Admins have to sort out the information they require manually.
- Moreover, if a computer object was disabled right after its creation, or was inactive and no user ever logged on to it, it won’t appear in the event log at all: the log cannot show an event that never happened.
- Admins have to build a compound filter that includes event 4624 and then excludes event 4634 to weed out the active computers. Repeating such runs inside Event Viewer overcomplicates the task substantially.
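The manual sorting in the first point can be scripted. The following is an added example, not code from the article: it pulls event 4725 from the Security log with Get-WinEvent, reads the event’s named fields from its XML, and keeps only target accounts whose name ends in “$”, which is how computer accounts are named. It assumes it runs on, or is pointed at, a domain controller with rights to read the Security log; the 30-day window and the computer name default are constructed placeholders.

```powershell
# Added example (not from the article): list "account disabled" events (ID 4725)
# for computer accounts only. The Event Viewer filter cannot distinguish computer
# from user accounts, but the target name can: computer accounts end in '$'.
# Assumes a DC (local or via -ComputerName) and read access to the Security log.

function Get-ComputerDisableEvents {
    param(
        [int]$Days = 30,                             # constructed default window
        [string]$ComputerName = $env:COMPUTERNAME    # placeholder: name of a domain controller
    )
    $filter = @{ LogName = 'Security'; Id = 4725; StartTime = (Get-Date).AddDays(-$Days) }

    # -ErrorAction SilentlyContinue: Get-WinEvent errors when no event matches
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read EventData by field name; positional Properties vary between event IDs
            $xml  = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [PSCustomObject]@{
                TimeCreated   = $_.TimeCreated
                TargetAccount = $data['TargetUserName']
                TargetDomain  = $data['TargetDomainName']
                DisabledBy    = $data['SubjectUserName']
                RecordedOn    = $_.MachineName
            }
        } |
        Where-Object { $_.TargetAccount -like '*$' }   # computer accounts only
}

# Usage. The Security log is not replicated: each DC holds only the events for
# changes made on it, so query every DC and merge (Get-ADDomainController is
# from the ActiveDirectory module).
(Get-ADDomainController -Filter *).HostName |
    ForEach-Object { Get-ComputerDisableEvents -Days 30 -ComputerName $_ } |
    Sort-Object TimeCreated |
    Format-Table TimeCreated, TargetAccount, DisabledBy, RecordedOn -AutoSize
```

This addresses only the first limitation above: a computer that was never logged on or was disabled at creation still produces no 4624/4634 activity, and a disable that happened before the log’s retention window is gone, so the directory attributes remain the authoritative source.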
Best Scriptless Way to Report & List Inactive Computer Accounts in Active Directory
Although PowerShell is available for listing inactive computer objects, administrators try to avoid using it for one reason or another. This does not mean that they want to put their IT infrastructure at risk; the opposite is true. They may not be confident in their ability to manage the scripts. Worry not, as if you wish to find disabled computers in Active Directory, you can trust the SysTools Active Directory Reporter. It combines the speed of the scripts with the ease of the GUI. All that in a single package. So get a copy and start with the steps given below.
Step 1. Enter the tool’s dashboard by filling in the dummy credential (administrator) in User ID and Password.
Step 2. Make sure the tool is active, and then click the big blue button “REGISTER DOMAIN CONTROLLER” in the middle of your screen.
Step 3. Type the Domain Friendly name and IP Address then press Save & Continue.
Step 4. On the Domain Details page, enter your Admin-level credentials and hit Save & Continue.
Step 5. Go to the Reports Tab and pick the Disabled option under the Computers category.
Step 6. Once you are on the specific page, choose a predefined timeframe or set the Date boundaries yourself.
Step 7. Then press the Preview button to get a glimpse of what your data would look like.
Step 8. Toggle the Download option and select CSV.
Step 9. Pick a folder path to keep the CSV report.
Step 10. Open and see what the disabled computer data looks like.
Conclusion
In this writeup, admins got a multi-method list to find disabled computers in Active Directory. Along with the tutorial, we helped clear up the difference between an inactive and a disabled computer. Moreover, for those who did not want a traditional approach, we gave an automated alternative too.
Frequently Asked Questions
Q. What’s the difference between a disabled and an inactive computer object?
Check out this table and see for yourself.
| State | Description |
| --- | --- |
| Inactive/Stale/Old | Not used in a certain period |
| Disabled | Blocked from logging on to the domain |
A disabled computer is a predefined criterion that is built into AD. While the definition of an inactive computer is set by the organization itself.
Q. Why can’t I find disabled computers in Active Directory using PowerShell?
Although rare, this situation is not new. The simplest explanation is that no computer object matches the criteria you are searching for. Alternatively, the object may already have been deleted.
Q. Are PowerShell scripts a safe way to track inactive computers inside the AD?
The safety of PowerShell scripts is a matter of attitude. Admins who are always alert face fewer problems than those who employ a casual approach. Moreover, if you want to minimize the risk there is always the option of going with the professional grade solution described above.
Q. Do disabled computers retain their data indefinitely?
Disabling a computer in Active Directory does not directly affect the data stored on the physical computer itself. It is just to prevent the computer from logging into the domain network.