Windows OS Hub / Active Directory / Get-ADComputer: Getting Active Directory Computers Info via Powershell

December 9, 2015 Active Directory PowerShell

Get-ADComputer: Getting Active Directory Computers Info via Powershell

We go on studying useful PowerShell cmdlets to interact with Active Directory. In our last article, we told about Get-AD User cmdlet that allowed to get any information about AD user accounts. Today we’ll discuss Get-ADComputer cmdlet and its use to get information about computer accounts in Active Directory.

Let’s set a practical task: using Powershell, you have to get a list of computer accounts not registered in the domain network for more than 120 days (inactive computers) and disable them.

Before using Get-ADComputer cmdlet, you have to import Active Directory Module for Windows PowerShell.

Import-Module activedirectory

Tip. In PowerShell 3.0 (installed in Windows Server 2012) or later, this module is imported by default.

You can get help on Get-ADComputer cmdlet parameters as usual:

Get-Help Get-ADComputer

To get information about a certain computer, specify its name with -Identity parameter:

Get-ADComputer -Identity SRV-DB01

We need to know the date of its last registration in AD, but this information is not displayed with this command. Let’s view all properties of this computer in Active Directory:

Get-ADComputer -Identity SRV-DB01 -Properties *

As we can see, the last logon date (LastLogonDate) is 21.09.2015 0:20:17

Remove all unnecessary information leaving only values of Name and LastLogonDate fields.

Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize

Then you have to modify the command so that it displayed the necessary information about all computers in the domain. To do it, replace –Identity to -Filter:

Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize

To display the information about the computers in a certain OU, use SearchBase parameter:

Get-ADComputer -SearchBase ‘OU=Paris,DC=woshub,DC=loc’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize

Sort the request results by the date of the last logon using Sort command.

Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

So, we have got the list of computers and the date of their last log to Active Directory domain. Now we need to disable the computer accounts not used for 120 days or more.

Using Get-Date we get the value of the current date in the variable and reduce it by 120 days:

$date_with_offset= (Get-Date).AddDays(-120)

The variable containing the date can be used as a filter of Get-ADComputer query in LastLogonDate field

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

So we have got the list of computers not registered in the network for more than 120 days. Using Disable-ADAccount, disable them.

Tip. Firstly, you’d better test the command results using –WhatIf, which allows to see what happens if the command has been run with no changes to the system.

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $date_with_offset } | Set-ADComputer -Enabled $false -whatif

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $datecutoff} | Set-ADComputer -Enabled $false

Here are some useful tricks for Get-ADComputer

To get the number of all computer accounts in Active Directory:

Get-ADComputer -Filter {SamAccountName -like "*"} | Measure-Object

To select all computers running Windows XP:

Get-ADComputer -Filter {OperatingSystem -like '*XP*'}

To select only server systems:

Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -AutoSize

The results of the command can be exported to a plain text file:

Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -AutoSize C:\Script\server_systems.txt

Or a CSV file:

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8

Windows 10 Compact OS: Reducing the Disk Footprint

11 comments

Blake Masri April 1, 2016 - 6:17 pm

When i run Get-ADComputer -Identity GM172Q13
it works
But when i run
Get-ADComputer -Identity GM172Q13 -Properties *
I get:
Get-ADComputer : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:2 char:1
+ Get-ADComputer -Identity GM172Q13 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (GM172Q13:ADComputer) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Any ideas?

Blake Masri April 1, 2016 - 6:34 pm

Figured it out…. “This has been identified as a bug, and there’s a hotfix as described in KB2923122 that you can install. You could also install KB2928680 that contains the above hotfix, and others as well.”

carlochapline May 13, 2016 - 4:39 am

Nice write-up !
Thanks for sharing this.
Here is another informative article which summarizes almost the similar concern and helps to find out inactive users & computer accounts in active directory. You can take further action to disable or remove them : http://activedirectorycleanup.blogspot.in/2014/08/find-inactive-users-compueters-inAD.html

Aniket Barve May 19, 2016 - 12:51 am

Nice information.
Is there a way i can import a list of computer names (Desktops) from a text file that I have and query againts only that list of ADcomputers to check there last logon time stamp ?

When i lookup help for Get-ADcomputers , the -Identity parameter accepts pipeline binding only by value and not by Propertyname, henec i am not able to do it.
Is there a way you could suggest.
I am trying something like this
$name = Get-content -path c:\pclist.txt
ForEach-Object
{ Get-Adcomputer -Identity $name -properties * | Format-table name,created,lastlogon}

admin May 19, 2016 - 7:29 am

Hi,
Try to run the command below

get-content c:\pclist.txt | % {Get-ADComputer -Identity $_ -properties * | select name,created,lastlogon}

Dustin June 28, 2016 - 8:26 pm

Correct the .txt file output to this:
PS C:\Users\dwalker2> Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’ } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -Autosize | Out-File C:\Script\server_systems.txt

Barry Dragoon March 29, 2017 - 10:01 pm

When using an “Authenticated User” account, not a privileged account (i.e., a Domain Admin account), I’m unable to get the “OperatingSystem” attribute. Is there a method to retrieve the “OperatingSystem” attribute without using a “Domain Admin” or other ‘privileged’ account?

admin April 26, 2017 - 5:50 am

It’s pretty strange, by default, any domain user can get the value of this attribute

Kenni February 1, 2018 - 3:22 pm

Great!
is there a way to tell which user(account) was last logged on?

Max February 19, 2018 - 11:24 am

The computer account in AD does not store info about the current user of the system. This can be done using additional logon script.
But you can find logged user remotely using WMI in the interactive mode:
Get-WmiObject –ComputerName PCNameHere –Class Win32_ComputerSystem | Select-Object UserName

Kenni March 6, 2018 - 11:53 am

Thanks Max

The Get-WMIObject is a great approach

Get-ADComputer: Getting Active Directory Computers Info via Powershell

Here are some useful tricks for Get-ADComputer

Windows 10 Compact OS: Reducing the Disk Footprint

Group Policy Editor (gpedit.msc) for Windows 10 Home

Related Reading

11 comments

Leave a Comment Cancel Reply