Recently we discovered that my Active Directory cleanup script is not 100% correct. This is not an error in the coding, but rather due to an error on the machine it's querying.
We noticed some machine names that we knew were not inactive accounts were showing up as stale. Upon further investigation in the computer's event logs we saw a lot of problems indicating it was not communicating with the domain controller correctly. This resulted in old lastLogon timestamps.
After removing the computer from the domain and re-adding it we had up-to-date timestamps and the logs were clear.
I am currently working on implementing a way for the script to ping the computer name before outputting it to the Stale Account text file. If it resolves to an IP address, we know it is active because it has a DNS entry. If it does not, it's pretty safe to say it's a stale account.
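One way to implement that check, as an added example and not the author's script: flag a computer account as stale only when its last logon is old and its name no longer resolves in DNS. The 90-day window, the output file name and the presence of the ActiveDirectory (RSAT) module are assumptions.

```powershell
# Added example, not the post's own script. Assumes the ActiveDirectory module
# is installed and the host can query the domain's DNS.
param(
    [int]$InactiveDays = 90,                 # assumed threshold
    [string]$OutFile   = 'StaleAccounts.txt' # assumed file name
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is derived from lastLogonTimestamp, which replicates between
# DCs, so a single query is enough; never-logged-on accounts have no value.
$candidates = Get-ADComputer -Filter { Enabled -eq $true } -Properties LastLogonDate |
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

$stale = foreach ($c in $candidates) {
    # Prefer the FQDN stored on the object; fall back to the short name.
    $name = if ($c.DNSHostName) { $c.DNSHostName } else { $c.Name }

    $resolves = $false
    try {
        # -ErrorAction Stop turns a non-existent name into a catchable error.
        $null = Resolve-DnsName -Name $name -Type A -ErrorAction Stop
        $resolves = $true
    } catch {
        $resolves = $false
    }

    if ($resolves) {
        # Old lastLogon but still in DNS: treat as active, per the post's rule,
        # and surface the mismatch so the machine's secure channel can be checked.
        Write-Warning "$($c.Name): lastLogon $($c.LastLogonDate) but name still resolves; skipping"
    } else {
        $c.Name   # emitted into $stale
    }
}

$stale | Set-Content -Path $OutFile
"Wrote $(@($stale).Count) stale account(s) to $OutFile"
```

Machines that appear in the warnings are the ones worth checking for the domain-controller communication problems described above before they are removed.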
I will post the new and improved script once it's finished.