The following command line will trundle through Active Directory and pull out a list of any machine/computer accounts which have been inactive for more than 12 weeks:
dsquery computer "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local" -inactive 12
If you want the command to then disable the accounts you can pipe the dsmod command onto the end of the line:
dsquery computer "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local" -inactive 12 | dsmod computer -disabled yes
If you inadvertently disabled too many accounts or need to undo what you've done, you can run the above command but change the end from
dsmod computer -disabled yes
to
dsmod computer -disabled no
Alternatively if you want the command to then delete the accounts you can change the end of the command to the following:
dsquery computer "OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local" -inactive 12 | dsrm -c -noprompt
NB: the Delete command should be used with caution. Since the last logon times (which inform the -inactive part of the query) are not replicated between Domain Controllers, it is always a good idea to first disable all the machine accounts, leave them for a few weeks and then delete them.
You can paste any of these commands into Notepad and save the file as a batch file (add the suffix .bat to the filename when you Save As...). The batch file can then be used as part of a Scheduled Task to automate the process and keep Active Directory tidy. You can also run these commands from a PowerShell prompt.
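The disable-first, delete-later approach recommended above can be scripted so that the delete step only touches accounts that this job itself disabled some weeks earlier. The following is an added example, not part of the original post; it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and the STALE-DISABLED marker, the 28-day grace period and the -Apply switch are hypothetical choices made for illustration.

```powershell
# Added example: staged cleanup of inactive computer accounts.
# Assumptions: ActiveDirectory module present; marker text, grace period and
# the -Apply switch are illustrative, not from the original post.
param(
    [string]$SearchBase = 'OU=Example Standard Computers,OU=Desktops,OU=All Workstations,DC=web,DC=local',
    [int]$InactiveWeeks = 12,
    [int]$GraceDays = 28,   # assumed length of "a few weeks"
    [switch]$Apply          # without -Apply, every change runs as -WhatIf
)

Import-Module ActiveDirectory
$whatIf = -not $Apply
$marker = 'STALE-DISABLED'
$today  = Get-Date
$window = New-TimeSpan -Days ($InactiveWeeks * 7)

# Stage 1: disable enabled accounts that have been inactive for the window,
# and stamp the Description with the date so stage 2 can age them out.
Search-ADAccount -ComputersOnly -AccountInactive -TimeSpan $window -SearchBase $SearchBase |
    Where-Object { $_.Enabled } |
    ForEach-Object {
        $old   = (Get-ADComputer -Identity $_.DistinguishedName -Properties Description).Description
        $stamp = '{0} {1:yyyy-MM-dd} | {2}' -f $marker, $today, $old
        Set-ADComputer -Identity $_.DistinguishedName -Enabled $false `
            -Description $stamp -WhatIf:$whatIf
    }

# Stage 2: delete only accounts that carry the marker, are still disabled,
# and were stamped at least $GraceDays ago. Accounts disabled by hand for
# other reasons have no marker and are left alone.
Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $false' -Properties Description |
    ForEach-Object {
        if ($_.Description -match "^$marker (\d{4}-\d{2}-\d{2})") {
            $stamped = [datetime]::ParseExact($Matches[1], 'yyyy-MM-dd',
                                              [cultureinfo]::InvariantCulture)
            if ($stamped -le $today.AddDays(-$GraceDays)) {
                Remove-ADComputer -Identity $_.DistinguishedName `
                    -Confirm:$false -WhatIf:$whatIf
            }
        }
    }
```

Run it without -Apply first and review the "What if:" lines before scheduling it. To undo stage 1 for a machine, re-enable the account and remove the marker from its Description.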