SCCM Current Branch: Device Cleanup

I was recently tasked with cleaning up aged / inactive computers in SCCM. Since SCCM’s System Discovery feature was enabled, this meant both active and inactive computers in AD were being discovered and added. Of course, SCCM has the following built-in settings that you can use to keep your environment clean:

Administration/Hierarchy Configuration/Discovery Methods – System Discovery
Only discover computers that have logged on to a domain in a given period of time = 31 days
Only discover computers that have updated their computer account password in a given period of time = 90 days

Administration/Site Configuration/Sites – Site Maintenance
Delete Aged Discovery Data and Delete Inactive Client Discovery Data. Both of these tasks should be enabled for inactive client data deletion.

Delete Aged Discovery Data = runs daily for computers inactive for 90 days (12AM to 5AM)
Delete Inactive Client Discovery Data = runs daily for computers inactive for 90 days (12AM to 5AM)

Long story short, even though I had the correct settings in place within the CM console, I wanted to start with the root cause and decided to check AD for computers with LastLogonTimestamp of 90+ days. So what does this mean?

Active Directory computers have an attribute called lastLogonTimestamp, which stores the last time the computer logged on to the domain. Computer password age: just like user accounts, computers have a password. These get changed automatically every 30 days.

My assumption was that if a specific computer had not been used or logged into in 90+ days, then it had been decommissioned or replaced. Of course, there are users who take medical/personal leave or vacation, but if they come back and aren’t able to log in to their machine, it’s a small problem to fix.

Here is the script I borrowed from TechNet:

# Gets time stamps for all computers in the domain that have NOT logged in since the specified date
# Mod by Tilo 2013-08-27

Import-Module ActiveDirectory
$domain = "torontoit.co"          # kept from the original script; not used by the query below
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))

# Get all AD computers whose lastLogonTimestamp is earlier than our cutoff
# (computers that have never logged on have no lastLogonTimestamp and are not matched by -lt)
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |

# Output hostname and lastLogonTimestamp (converted from FILETIME) into CSV
Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv C:\Users\YourUsername\Desktop\OldComputerObjects90Days.csv -NoTypeInformation

The output should look something like this:

From here, you’ll be able to confirm what needs to be cleaned up in AD; however, this script checks all of AD. If you want to target a specific OU (e.g. Workstations only), you can run this script instead:

# This script will search through Active Directory to find the Last Logon Timestamp of all computer objects in a targeted OU, and will export them to a CSV.
# $SearchOU = 'Target OU, e.g. OU=workstations,OU=HQ,DC=Contoso,DC=com'
# $DaysInactive = X number of days that an object has been inactive

Import-Module ActiveDirectory
$SearchOU = 'ou=Workstations,ou=HQ,dc=contoso,dc=com'
$DaysInactive = 90
$time = (Get-Date).AddDays(-($DaysInactive))
# -SearchBase limits the query to the OU (and its sub-OUs) instead of the whole domain
Get-ADComputer -SearchBase $SearchOU -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |
Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv C:\Users\YourUsername\Desktop\ComputersLastLogonTimeStamp.csv -NoTypeInformation
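As an added example (written for this post, not taken from TechNet or the original scripts), the following report goes one step further: it checks a targeted OU against both of the signals SCCM’s System Discovery settings above rely on, the domain logon age (31 days) and the computer password age (90 days), handles computers that have never logged on, and stages a reversible disable instead of a delete. The OU, thresholds and output path are assumptions to adjust for your domain.

```powershell
# Added example: list computers in one OU that are stale on BOTH criteria SCCM System
# Discovery uses (31 days since a domain logon, 90 days since a password change).
# OU, thresholds and report path are assumptions; adjust them for your environment.
Import-Module ActiveDirectory

$SearchOU     = 'OU=Workstations,OU=HQ,DC=contoso,DC=com'   # assumed OU
$LogonDays    = 31   # "logged on to a domain in a given period of time"
$PasswordDays = 90   # "updated their computer account password in a given period of time"
$ReportPath   = "$env:USERPROFILE\Desktop\StaleComputers.csv"

# lastLogonTimestamp is only replicated when it is more than 14 days out of date (default),
# so a logon threshold below roughly 14 days would give unreliable results.
$LogonCutoff    = (Get-Date).AddDays(-$LogonDays)
$PasswordCutoff = (Get-Date).AddDays(-$PasswordDays)

# Pull the raw FILETIME values and compare in PowerShell, so computers that have never
# logged on (attribute missing) are reported instead of being dropped by an LDAP -lt filter.
$stale = Get-ADComputer -SearchBase $SearchOU -Filter * -Properties lastLogonTimestamp, pwdLastSet, OperatingSystem |
    ForEach-Object {
        $lastLogon = if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { $null }
        $pwdSet    = if ($_.pwdLastSet)         { [DateTime]::FromFileTime($_.pwdLastSet) }         else { $null }

        [PSCustomObject]@{
            Name              = $_.Name
            Enabled           = $_.Enabled
            OperatingSystem   = $_.OperatingSystem
            LastLogon         = $lastLogon   # $null means no recorded domain logon
            PasswordLastSet   = $pwdSet
            DistinguishedName = $_.DistinguishedName
        }
    } |
    Where-Object {
        # "Never" counts as stale; otherwise both dates must be older than their cutoff.
        (-not $_.LastLogon       -or $_.LastLogon       -lt $LogonCutoff) -and
        (-not $_.PasswordLastSet -or $_.PasswordLastSet -lt $PasswordCutoff)
    }

$stale | Sort-Object LastLogon | Export-Csv -Path $ReportPath -NoTypeInformation
Write-Host ("{0} computers stale on both criteria written to {1}" -f @($stale).Count, $ReportPath)

# Staged cleanup: disable (reversible) rather than delete, and record why in the description.
# Review the CSV first, then uncomment.
# $stale | Where-Object Enabled | ForEach-Object {
#     Set-ADComputer -Identity $_.DistinguishedName -Enabled $false `
#         -Description "Disabled $(Get-Date -Format yyyy-MM-dd): stale per AD cleanup"
# }
```

Because both attributes are read raw, a computer with a recent password change but an old lastLogonTimestamp (or vice versa) stays out of the list, which avoids removing objects that SCCM would still discover.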
