Overview:
One of my most recent tasks I’ve undertaken is cleaning up our Active Directory.  One problem we run into is removing old machines from use but the Computer Accounts get overlooked.  After a few years our AD OU’s are full of clutter and no one knows which accounts are real or old.  I started clean this up by going into each account and looking at the “lastLogonDate” attribute.  When I found one that was older then 3 months, I disabled it and moved it into an “Old Computers” OU.  After doing that for a while, the through crossed my mind that I could automate this process and never have to do it again.  After doing some research, the following script is what I implemented.
Note: After talking about the script, I will walk through what I did to automate it.

Script:
Copy and Paste the following code (blue text) into a text file and save it as a “.ps1”:

#Date Variable
$disabletime = (Get-Date).AddDays(-180)
$removetime = (Get-Date).AddDays(-270)

The two date variables above are used by the script to determine if an account needs to be disabled or removed after checking the last logon time.  You can change these to fit your needs, just change the number at the end to the number of days you want.

# Disable Computer Objects
Get-ADComputer -SearchBase 'OU=Computers,dc=domain,dc=com' -Property Name,DistinguishedName,lastLogonDate -Filter {lastLogonDate -lt $disabletime} | Set-ADComputer -Enabled $false

This line will disable any old computer accounts using the “$disabletime” variable as a guide.  I also wanted to control which OU’s the script scans because I have a few Test and Server Computers that I don’t want to be disabled.  You will want to change “OU=Computers,dc=domain,dc=com” to the OU that you want it to scan.  If you have multiple OU’s to scan, you can just add a new line for each OU.

# Move Computer Objects
Get-ADComputer -SearchBase 'OU=Computers,dc=domain,dc=com' -Property Name,Enabled -Filter {Enabled -eq $False} | Move-ADObject -TargetPath "OU=Old Computers,DC=domain,DC=com"

This line will move all disabled computer accounts into an “Old Computers” OU.  Again, you will want to change “OU=Computers,dc=domain,dc=com” to the OU’s you want to scan.  Also, you will want to change “OU=Old Computer,DC=domain,DC=com” to the OU you want to move the old computers into.

# Delete Older Disabled Computer Objects
Get-ADComputer -SearchBase 'OU=Old Computers,dc=domain,dc=com'-Property Name,lastLogonDate -Filter {lastLogonDate -lt $removetime } | Remove-ADComputer

This final line will remove the computer accounts in the “Old Computers” OU using the “$removetime” variable as a guide.  Again, you will want to change “OU=Old Computer,DC=domain,DC=com” to whatever OU you  moved the disabled computers into.

Save the script to a place you can access on your Domain Controller.  You can run it from there or in the next section I will walk through how to automate it within Task Scheduler.

Automation:

1. Start “Task Scheduler” on your Domain Controller.
2. Click “Create Basic Task…” on the right panel.
3. Name the task and enter a description.
4. Select when you want to run the task.  I selected “Daily”.
5. Change the time to what works best for your environment.  I made it run daily at 12:01 AM.
6. Leave it on “Start a program”.
7. Under “Program/script:”, enter “Powershell”.
8. Under “Add arguments (optional)”, enter your script location and name (ex. C:\Script.ps1).
9. Confirm and click “Finish”.
10. Once the task is created, you will want to open it and change it to “Run whether user is logged on or not” and “Run with highest privileges”.
11. When you click “OK” it will prompt you for the username and password of the administrator account so it can run while the user is logged off.

You can now run it and see if it completes correctly.