Why this matters now

Hybrid identity skews simple “last logon” signals. VPN-less access, cloud apps, and service principals make accounts look active when they’re not. Cleanup automation provides a lean directory and an audit-ready trail without manual toil.

What most teams do—and why it falls short

The classic script finds users with LastLogonDate older than N days, disables them, then moves them to a quarantine OU. After a grace window, it deletes objects and prunes empty OUs. It works, but keep these in mind:

• lastLogonTimestamp lag: replicated infrequently; use it as a screen, not a verdict.
• LastLogonDate is derived: convenient, not exact; verify for high-risk scopes.
• OU deletions fail: protection flags and non-empty OUs block unattended deletes.

First principles to design around

• Signals are probabilistic. Build review and rollback.
• OUs amplify policy. Moving objects changes GPO scope and delegation.
• Safety beats speed. Report → disable+move → delete, with grace and logs.
• Scheduling is part of it. Use explicit PowerShell arguments in Task Scheduler.

Choose your cleanup style: a comparison

Timestamp-driven cleanup (fastest)

Signal: LastLogonDate/lastLogonTimestamp, optionally pwdLastSet and Enabled. Pros: quick and simple. Cons: coarse signals; possible false positives.

Event-correlated cleanup (more accurate)

Signal: timestamps plus sign-in logs (VPN, RADIUS, Entra, workstation events). Pros: fewer mistakes. Cons: more plumbing.

Structural OU hygiene (prevents drift)

Signal: OU age, emptiness, naming standards, GPO lineage. Pros: durable structure. Cons: ongoing governance.

The main technical playbook (copy, adapt, version)

This is the production path: discover → stage → review → enforce → prune. Safe defaults, reversible moves, explicit logs.

0) Requirements

• Windows Server with RSAT / ActiveDirectory module.
• Service account with least-privilege: read tree; write in quarantine OU; delete in a controlled subtree only.
• Neutral quarantine OU with minimal GPOs.

1) Policy inputs

• Inactivity thresholds (e.g., 90 days for users, 45 days for workstations).
• Grace window (e.g., 30 days disabled before deletion).
• Exclusions (Domain Admins, service accounts, break-glass identities).
• Outputs (CSV/JSON logs, ~400-day retention).

2) Discovery: users and computers

Use replicated signals to flag candidates. Scope your search bases to avoid surprises.

Import-Module ActiveDirectory

$now          = Get-Date
$userAgeDays  = 90
$compAgeDays  = 45
$searchBase   = "OU=Corp,DC=contoso,DC=com"
$quarantineOU = "OU=Quarantine,OU=Corp,DC=contoso,DC=com"

$cutUser = $now.AddDays(-$userAgeDays)
$cutComp = $now.AddDays(-$compAgeDays)

# Users likely inactive
$staleUsers = Get-ADUser -SearchBase $searchBase -LDAPFilter "(|(objectClass=user)(objectClass=msDS-GroupManagedServiceAccount))" `
  -Properties LastLogonDate, lastLogonTimestamp, pwdLastSet, Enabled, MemberOf |
  Where-Object {
    $_.Enabled -eq $true -and
    $_.LastLogonDate -lt $cutUser -and
    ($_ | Select-Object -ExpandProperty MemberOf) -notmatch "CN=Domain Admins|CN=Service Accounts|CN=BreakGlass"
  }

# Computers likely inactive
$staleComputers = Get-ADComputer -SearchBase $searchBase -LDAPFilter "(objectClass=computer)" `
  -Properties LastLogonDate, OperatingSystem, Enabled |
  Where-Object { $_.Enabled -eq $true -and $_.LastLogonDate -lt $cutComp }

Why not lastLogon? It’s per-DC and not replicated. lastLogonTimestamp replicates but lags—use it as advisory.

3) Stage: disable + move (reversible)

Never delete on first pass. Disable and move to quarantine. On initial runs, append -WhatIf.

# Log all actions
$log = @()

foreach ($u in $staleUsers) {
  try {
    Disable-ADAccount -Identity $u.SamAccountName
    Move-ADObject -Identity $u.DistinguishedName -TargetPath $quarantineOU
    $log += [pscustomobject]@{Time=Get-Date; Type='User'; Action='Disabled+Moved'; Name=$u.SamAccountName; DN=$u.DistinguishedName}
  } catch {
    $log += [pscustomobject]@{Time=Get-Date; Type='User'; Action='Error'; Name=$u.SamAccountName; Error=$_.Exception.Message}
  }
}

foreach ($c in $staleComputers) {
  try {
    Disable-ADAccount -Identity $c.SamAccountName
    Move-ADObject -Identity $c.DistinguishedName -TargetPath $quarantineOU
    $log += [pscustomobject]@{Time=Get-Date; Type='Computer'; Action='Disabled+Moved'; Name=$c.SamAccountName; DN=$c.DistinguishedName}
  } catch {
    $log += [pscustomobject]@{Time=Get-Date; Type='Computer'; Action='Error'; Name=$c.SamAccountName; Error=$_.Exception.Message}
  }
}

$log | Export-Csv "\\fileserver\IdentityOps\logs\OU-Cleanup-$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation

4) Review: notify, approve, then delete

After the grace window, delete only items still in quarantine and still disabled.

$cutDelete = (Get-Date).AddDays(-30)

$deleteCandidates = Get-ADObject -SearchBase $quarantineOU -SearchScope Subtree -LDAPFilter "(|(objectClass=user)(objectClass=computer))" `
  -Properties whenChanged, isCriticalSystemObject, Enabled |
  Where-Object {
    $_.Enabled -eq $false -and
    $_.whenChanged -lt $cutDelete -and
    -not $_.isCriticalSystemObject
  }

foreach ($obj in $deleteCandidates) {
  try {
    Set-ADObject -Identity $obj.DistinguishedName -ProtectedFromAccidentalDeletion:$false
    Remove-ADObject -Identity $obj.DistinguishedName -Confirm:$false
  } catch {
    # log error
  }
}

5) OU hygiene: find and safely remove empty OUs

Inventory first; delete after sign-off. Export ACLs if you must preserve delegation models.

$emptyOUs = Get-ADOrganizationalUnit -Filter * -SearchBase $searchBase |
  Where-Object { (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count -eq 0 }

$emptyOUs | Select-Object Name, DistinguishedName |
  Export-Csv "\\fileserver\IdentityOps\reports\EmptyOUs-$(Get-Date -f yyyyMMdd).csv" -NoTypeInformation

# If approved:
foreach ($ou in $emptyOUs) {
  try {
    Set-ADOrganizationalUnit -Identity $ou.DistinguishedName -ProtectedFromAccidentalDeletion:$false
    Remove-ADOrganizationalUnit -Identity $ou.DistinguishedName -Confirm:$false
  } catch {
    # log error
  }
}

6) Scheduling the job

Use Task Scheduler with explicit arguments:

Program/script:  powershell.exe
Arguments:      -NoProfile -ExecutionPolicy Bypass -File "C:\Ops\Scripts\OU-Cleanup.ps1"

Run whether user is logged on or not. Use a hardened service account. Enable highest privileges if required.

Subtleties that bite teams

• Replication randomness: lastLogonTimestamp updates on a randomized interval—offset thresholds and re-check next run.
• Clock drift: future timestamps can appear if a DC’s time is off; monitor NTP and treat such items as “unknown.”
• Quiet quarantine: keep GPOs minimal; block inheritance if needed.
• Service/shared accounts: tag and exclude from interactive-logon heuristics.

Mental models to guide design

• Signals vs. decisions: timestamps are signals; disable/move/delete are decisions—separate them with review.
• Two-phase commit: disable+move first; delete later after delay.
• Containers are contracts: OUs carry GPO scope and delegation; deleting one tears a contract.
• Policy as code: thresholds and exclusions live in version control and evolve via pull requests.

Misconceptions, risks, and correctives

• “LastLogonDate is exact.” It’s derived and can lag; validate for high-risk users.
• “Empty OU = safe.” Delegations and GP scope may still matter; export ACLs and get sign-off.
• “Works interactively = works as a task.” Use -NoProfile, -ExecutionPolicy Bypass, and absolute script paths.

Expert essentials checklist

• Define inactivity windows per object type and role.
• Exclude service, privileged, and break-glass accounts.
• Stage: disable → move → delete with a grace period.
• Log everything; keep at least a year.
• Keep the quarantine OU simple and safe.
• Export OU ACLs before deletion.
• Schedule with hardened credentials and explicit arguments.
• Test in non-prod; dry-run with -WhatIf.

Snippet-ready queries

Users inactive 90+ days, excluding specific groups

Get-ADUser -Filter * -SearchBase "OU=Corp,DC=contoso,DC=com" -Properties LastLogonDate,Enabled,MemberOf |
  Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-90) } |
  Where-Object { $_.MemberOf -notmatch "CN=Domain Admins|CN=Service Accounts|CN=BreakGlass" } |
  Select-Object Name,SamAccountName,LastLogonDate,DistinguishedName

Computers inactive 45+ days

Get-ADComputer -Filter * -SearchBase "OU=Workstations,DC=contoso,DC=com" -Properties LastLogonDate,Enabled |
  Where-Object { $_.Enabled -and $_.LastLogonDate -lt (Get-Date).AddDays(-45) } |
  Select-Object Name,LastLogonDate,DistinguishedName

Empty OUs under a branch

Get-ADOrganizationalUnit -Filter * -SearchBase "OU=Corp,DC=contoso,DC=com" |
  Where-Object { (Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel).Count -eq 0 } |
  Sort-Object Name

Disable + move to quarantine

$user = "jdoe"
Disable-ADAccount $user
Move-ADObject (Get-ADUser $user).DistinguishedName -TargetPath "OU=Quarantine,OU=Corp,DC=contoso,DC=com"