This is a very common discussion, and a simple search using your favorite search engine provides multiple results from both the community and my Microsoft peers. This is my take on the topic and the guidance I usually provide.
These are common questions I get:
Which AD attribute should be used, pwdLastSet or lastLogonTimestamp, to determine if a computer object is stale?
I like this guidance: “One-Liner: My Take On Finding Stale User and Computer Accounts”. Ian recommends using both attributes as a way to determine when an object is stale. Since it uses the Get-ADComputer PowerShell cmdlet, I am going to add to that recommendation and include the condition that the IPv4Address attribute is null, along with looking for cluster-related SPN entries (Cluster and Stale Computer Accounts). Create a report and review the results to see if this guidance works.
UPDATE: this script is going to use hash tables.
Create a Report
This example script identifies the impact of applying the criteria above. Run the PowerShell cmdlets below and review the findings.
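One way to build the report from the criteria above, as an added example rather than the post's original script. The 90-day threshold, the forest-wide loop, the cluster SPN pattern, and every column name except Stale are assumptions.

```powershell
# Added example, not the post's original script.
# Assumptions: 90-day threshold, forest-wide scope, the SPN pattern,
# and all column names except "Stale".
Import-Module ActiveDirectory

$cutoff     = (Get-Date).ToUniversalTime().AddDays(-90)
$clusterSpn = '^(MSClusterVirtualServer|MSServerCluster|MSServerClusterMgmtAPI)/'
$props      = 'pwdLastSet','lastLogonTimestamp','IPv4Address',
              'servicePrincipalName','OperatingSystem','Enabled'

$report = foreach ($domain in (Get-ADForest).Domains) {
    Get-ADComputer -Filter * -Properties $props -Server $domain | ForEach-Object {
        # Both values are FILETIME integers; an unset attribute becomes 0
        # (year 1601), so it is treated as older than the cutoff.
        $pwdSet = [datetime]::FromFileTimeUtc([long]$_.pwdLastSet)
        $logon  = [datetime]::FromFileTimeUtc([long]$_.lastLogonTimestamp)
        # Objects carrying cluster SPNs are kept out of the stale set.
        $isCluster = [bool]($_.servicePrincipalName -match $clusterSpn)

        # Ordered hash table -> one CSV row per computer.
        [pscustomobject][ordered]@{
            Domain             = $domain
            Name               = $_.Name
            ParentOU           = ($_.DistinguishedName -split '(?<!\\),', 2)[1]
            OperatingSystem    = $_.OperatingSystem
            Enabled            = $_.Enabled
            IPv4Address        = $_.IPv4Address
            PwdLastSet         = $pwdSet
            LastLogonTimestamp = $logon
            ClusterSPN         = $isCluster
            # Stale only when BOTH timestamps are old, no IP resolves,
            # and the object is not cluster-related.
            Stale              = ($pwdSet -lt $cutoff) -and ($logon -lt $cutoff) -and
                                 (-not $_.IPv4Address) -and (-not $isCluster)
        }
    }
}

$report | Export-Csv -Path .\stale_computer_report.csv -NoTypeInformation
# Quick sanity check before opening the CSV: counts per domain and Stale value.
$report | Group-Object Domain, Stale -NoElement | Sort-Object Name |
    Format-Table Count, Name
```

IPv4Address is resolved through DNS for each object, so expect the run to be slow in large domains.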
Reviewing the Results
Open stale_computer_report.csv in Excel and look over the results. Check to make sure the objects with IP addresses aren't showing as True in the Stale column.
In keeping with this blog's theme, looking at the data with charts and tables makes it easier to review and to tell a story about the data.
To do this in Excel, select Insert, PivotChart, and then PivotChart again.
Select Chart 1
View Stale Information By Domain
In the PivotChart Fields drag the fields to match the following
This will produce a nice graph grouped by domain that shows the number of computers that are and are not stale.
View Stale Data Grouped by Parent OU
Drag the fields to match the following
View Stale Data Grouped by Operating System
Now that you have the new data you can also chart/graph it by operating system. Drag the fields to match the following
Gather just the Computers that are stale
Determine whether the report is good; if so, start disabling the computers.
There are multiple ways to do this. Hopefully, you will leverage some of this to discover what is going on with computer objects in your environment and use it to help with Active Directory object hygiene.
Thank you for reading and have a good day.