Find Inactive Computers in Active Directory in 5+ Ways
Computer activity monitoring is one of the core tasks of the administrator handling the AD for an organization, so an admin who does not know how to find inactive computers in Active Directory cannot fulfill that duty. Moreover, unknown old computers on a network may allow backdoor entry for nefarious entities, posing a critical security risk. Not to mention, organizations may want to cut operating costs.
For that, a good way to start is to get rid of infrastructure such as stale machines that are no longer operational. So we present this write-up, which contains multiple methods to detect the workstations on which users have not logged in for a while. It is good practice to include the stale computer check in the AD migration checklist. Let us start with a familiar method, also used to find what OU a user is in.
Traditional Means to Look for Inactive Computers in AD
The most basic method is to use ADUC.
- Open the Active Directory Users and Computers console.
- Click on the View menu and toggle Advanced Features.
- Go to the computer whose activity you want to view, right-click it, and select Properties.
- Inside the Properties window, open the Attribute Editor tab and search for lastLogon.
- Click on it to edit and copy the value shown.
If your organization's AD does not have the ADUC snap-in installed, don't worry. Another similar tool that admins have at their disposal is the Active Directory Administrative Center (ADAC). To use it, follow the instructions below.
- Launch ADAC.
- Use the global search and look for the computer whose login dates are in question.
- Select the correct search result object.
- Click on the Extensions tab in the left-side pane.
- Select the Attribute Editor option.
- Scroll until you see the lastLogon attribute.
Both ADAC and ADUC share a similar set of limitations, starting with a confusing structure. Despite being GUIs, the continuously changing dashboard combined with an indirect search option makes it tough even for veteran admins to find what they want.
Use Event Viewer
Event Viewer shows the audit logs that contain user login and logout times, among other data. Here, admins can view the entries and match each computer to the time it was last used. Let us see how to use it.
- Open Event Viewer.
- Expand Windows Logs in the left-side pane.
- Choose the Security log.
- Look at the latest entries.
Although Event Viewer can be used to determine inactive computers, it is not an efficient way. Logs can have thousands of entries that admins have to go through one by one. Although the data can be exported, it still needs to be cleaned and edited to become presentable. Moreover, admins might see an empty audit log if it has been cleared recently.
We have some scripts that admins can check out to see whether they fulfill their requirements.
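The manual Event Viewer walk-through above can be reduced to a few lines of PowerShell. The following is an added example, not code from the original article: it reads successful logon events (ID 4624) from the Security log, keeps only the most recent logon per workstation name, and then checks for event 1102 ("The audit log was cleared"), which is the usual explanation for an unexpectedly empty log. The computer name and the 30-day window are placeholders; it assumes read access to the Security log of the machine queried (typically a domain controller).

```powershell
# Added example (not from the original article): summarise Security-log logon
# events to one line per workstation instead of reading them one by one.
$LogSource = 'DC-PLACEHOLDER'            # placeholder: DC or member server to read
$Since     = (Get-Date).AddDays(-30)     # assumption: look back 30 days

$events = Get-WinEvent -ComputerName $LogSource -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624                     # "An account was successfully logged on"
    StartTime = $Since
} -ErrorAction SilentlyContinue

# Pull named fields from the event XML rather than relying on property order.
$rows = foreach ($e in $events) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    $get  = { param($n) ($data | Where-Object Name -eq $n).'#text' }
    $ws   = & $get 'WorkstationName'
    if ([string]::IsNullOrWhiteSpace($ws) -or $ws -eq '-') { continue }
    [pscustomobject]@{
        Workstation = $ws.ToUpper()
        User        = "$(& $get 'TargetDomainName')\$(& $get 'TargetUserName')"
        LogonType   = [int](& $get 'LogonType')
        Time        = $e.TimeCreated
    }
}

# Drop machine-account logons (names ending in $) so only user activity counts,
# then keep the newest event per workstation.
$lastSeen = $rows | Where-Object { $_.User -notlike '*$' } |
    Group-Object Workstation | ForEach-Object {
        $latest = $_.Group | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            Workstation = $_.Name
            LastLogon   = $latest.Time
            LastUser    = $latest.User
            LogonType   = $latest.LogonType
            Events      = $_.Count
        }
    }

$lastSeen | Sort-Object LastLogon | Format-Table -AutoSize

# An empty result may mean the log was cleared rather than that nothing happened.
$cleared = Get-WinEvent -ComputerName $LogSource -FilterHashtable @{ LogName = 'Security'; Id = 1102 } `
    -MaxEvents 1 -ErrorAction SilentlyContinue
if ($cleared) {
    Write-Warning "Security log was cleared at $($cleared.TimeCreated); earlier logons are gone."
}
```

Workstations that appear in the output only with an old LastLogon, or not at all, are the candidates for the stale list; the 1102 check makes sure that absence is not just a cleared log.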
Use Code to Make a List of Computers on Which Users Have Not Logged In
Use PowerShell
To view the computer login time:
Get-ADComputer -Filter * -Properties LastLogonDate | Format-Table Name, LastLogonDate
A blank value under LastLogonDate indicates that the computer has never logged on since its account was created. The no-password scenario also means that admins have to rethink ADMT password migration scenarios.
To get this list in CSV format, make the following changes to the cmdlet:
Get-ADComputer -Filter * -Properties LastLogonDate | Select-Object Name, LastLogonDate | Export-Csv "C:\Users\admin\Desktop\Old-Computers.csv" -NoTypeInformation
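The two cmdlets above list every computer; what an admin usually wants is only the accounts past a chosen inactivity threshold, with the never-logged-on accounts kept visible instead of silently dropped. The following is an added example, not code from the original article. It assumes the ActiveDirectory RSAT module is installed and the caller has read access to the domain; the 90-day threshold and the output path are placeholders. It also notes a caveat the article does not: LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which is only refreshed when the stored value is older than the domain's msDS-LogonTimeSyncInterval (14 days by default), so it is accurate to roughly two weeks, not to the minute.

```powershell
# Added example (not from the original article): report computer accounts whose
# LastLogonDate is older than a threshold, plus accounts that never logged on.
Import-Module ActiveDirectory

$InactiveDays = 90                                   # assumption: adjust to policy
$Cutoff       = (Get-Date).AddDays(-$InactiveDays)
$OutFile      = "C:\Temp\Stale-Computers.csv"        # placeholder path

# LastLogonDate = lastLogonTimestamp converted to local time. It is only
# updated when the stored value is older than msDS-LogonTimeSyncInterval
# (14 days by default), so treat it as accurate to about two weeks.
$Computers = Get-ADComputer -Filter * -Properties LastLogonDate, OperatingSystem, whenCreated

$Report = foreach ($c in $Computers) {
    if ($null -eq $c.LastLogonDate) {
        # Blank LastLogonDate: the account has never logged on since creation.
        $status = 'NeverLoggedOn'
        $age    = [int]((Get-Date) - $c.whenCreated).TotalDays
    } elseif ($c.LastLogonDate -lt $Cutoff) {
        $status = 'Stale'
        $age    = [int]((Get-Date) - $c.LastLogonDate).TotalDays
    } else {
        continue                                     # active, not reported
    }

    [pscustomobject]@{
        Name            = $c.Name
        Enabled         = $c.Enabled
        OperatingSystem = $c.OperatingSystem
        LastLogonDate   = $c.LastLogonDate
        Created         = $c.whenCreated
        DaysInactive    = $age
        Status          = $status
    }
}

$Report | Sort-Object DaysInactive -Descending | Format-Table -AutoSize
$Report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Because the Enabled flag is included, a reviewer can separate accounts that are stale but still enabled (the ones that carry the backdoor risk mentioned in the introduction) from accounts that were already disabled as part of a decommissioning process.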
Use Cmd
The following command-line query can give you the required data. However, the catch is that it presents the date in an illegible format: admins have to convert the raw FILETIME integer into its datetime equivalent.
dsquery * domainroot -filter "(objectCategory=Computer)" -attr distinguishedName sAMAccountName lastLogon
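The lastLogon value that dsquery prints is a FILETIME (the number of 100-nanosecond intervals since 1601-01-01 UTC), and it carries a second catch the article does not mention: lastLogon is not replicated, so each domain controller only knows about the logons it authenticated itself. The following is an added example, not code from the original article, that converts the raw integer with [DateTime]::FromFileTime and queries every DC for its copy, taking the newest as the true last logon. It assumes the ActiveDirectory RSAT module and read access to all DCs; the computer name and the sample FILETIME are constructed placeholders.

```powershell
# Added example (not from the original article): turn the raw lastLogon FILETIME
# into a date and collect it from every DC, since the attribute is not replicated.
Import-Module ActiveDirectory

function ConvertFrom-FileTime {
    param([Parameter(Mandatory)][AllowNull()][object]$Value)
    # 0 or empty means this DC has never authenticated a logon for the account.
    if (-not $Value -or [int64]$Value -eq 0) { return $null }
    return [DateTime]::FromFileTime([int64]$Value)
}

function Get-TrueLastLogon {
    param([Parameter(Mandatory)][string]$ComputerName)

    $perDc = foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $obj = Get-ADComputer -Identity $ComputerName -Server $dc.HostName -Properties lastLogon
            [pscustomobject]@{
                DC        = $dc.HostName
                RawValue  = $obj.lastLogon            # same integer dsquery prints
                LastLogon = ConvertFrom-FileTime $obj.lastLogon
            }
        } catch {
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
        }
    }

    # The most recent value across all DCs is the real last logon.
    $latest = $perDc | Where-Object LastLogon | Sort-Object LastLogon -Descending | Select-Object -First 1

    [pscustomobject]@{
        ComputerName = $ComputerName
        LastLogon    = if ($latest) { $latest.LastLogon } else { $null }   # $null = never
        ReportedBy   = if ($latest) { $latest.DC } else { $null }
        PerDC        = $perDc
    }
}

# Usage: a constructed sample FILETIME (as dsquery would print it), then a live lookup.
ConvertFrom-FileTime 133500000000000000
Get-TrueLastLogon -ComputerName 'WS-PLACEHOLDER'
```

Compared with LastLogonDate from the previous section, this per-DC value is exact, at the cost of one query per domain controller; it is the check to run before deleting an account that the replicated attribute reports as stale.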
Scripts are not foolproof: since Active Directory updates in real time, any error or intrusion via the commands can be falsely registered as a logon attempt, making the data garbage. However, we saved the best for last: admins can use a professional utility to get the report they are looking for.
Automated Way to Find Stale Computers in Active Directory
The easiest way to beat the generic ADUC and skip over confusing PowerShell scripts is to use SysTools Active Directory Reporting Software. With a dedicated category selection screen, administrators can segregate the inactive computers from the rest, which is quite effective in shortening the duration of migrating users and computers from one forest to another.
Moreover, the date picker menu allows the admin to choose the time frame from which they want the data. The tool has a built-in preview screen with adjustable viewing formats. This can be used to get a glimpse at computers that have not logged in for a while before the export itself. All this is possible by just following a small series of steps.
Steps to Follow to Check Stale Computers in an AD
Step 1. Open the tool and wait for the default credentials (administrator) to fill in automatically, then log in.
Step 2. Click on the “REGISTER DOMAIN CONTROLLER” button appearing in the middle of your screen.
Step 3. Type the Domain Friendly Name you want to use, and fill in the IP Address to find inactive computers in Active Directory.
Step 4. Inside the Domain Details Page, use your admin ID and password to validate.
Step 5. Go to the reports section and choose the Active Computers category under the computer workload.
Step 6. Use the duration picker to set a custom date range or pick a preset time interval from 5 days all the way up to 1 year.
Step 7. Press the Preview button to generate a list of computers that have not logged in. You can identify them by the value of the Status column.
Step 8. Click on Download, and select the CSV option.
Conclusion
We now hope that users can find inactive computers in Active Directory without much effort. In this write-up, we gave administrators multiple methods to list old machines and workstations, covering everything from the ADUC and ADAC portals to script-based PowerShell and command-line methods. Moreover, those who feel the traditional methods are inefficient can rely on the tool discussed earlier. Admins can use the software to speed up the task and list all computers that have not logged in for a set number of days.