We go on studying useful PowerShell cmdlets to interact with Active Directory. In our last article, we told about Get-AD User cmdlet that allowed to get any information about AD user accounts. Today we’ll discuss Get-ADComputer cmdlet and its use to get information about computer accounts in Active Directory.
Let’s set a practical task: using Powershell, you have to get a list of computer accounts not registered in the domain network for more than 120 days (inactive computers) and disable them.
Before using Get-ADComputer cmdlet, you have to import Active Directory Module for Windows PowerShell.
Import-Module activedirectory
You can get help on Get-ADComputer cmdlet parameters as usual:
Get-Help Get-ADComputer
To get information about a certain computer, specify its name with -Identity parameter:
Get-ADComputer -Identity SRV-DB01
We need to know the date of its last registration in AD, but this information is not displayed with this command. Let’s view all properties of this computer in Active Directory:
Get-ADComputer -Identity SRV-DB01 -Properties *
As we can see, the last logon date (LastLogonDate) is 21.09.2015 0:20:17
Remove all unnecessary information leaving only values of Name and LastLogonDate fields.
Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize
Then you have to modify the command so that it displayed the necessary information about all computers in the domain. To do it, replace –Identity to -Filter:
Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize
To display the information about the computers in a certain OU, use SearchBase parameter:
Get-ADComputer -SearchBase ‘OU=Paris,DC=woshub,DC=loc’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize
Sort the request results by the date of the last logon using Sort command.
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So, we have got the list of computers and the date of their last log to Active Directory domain. Now we need to disable the computer accounts not used for 120 days or more.
Using Get-Date we get the value of the current date in the variable and reduce it by 120 days:
$date_with_offset= (Get-Date).AddDays(-120)
The variable containing the date can be used as a filter of Get-ADComputer query in LastLogonDate field
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So we have got the list of computers not registered in the network for more than 120 days. Using Disable-ADAccount, disable them.
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $datecutoff} | Set-ADComputer -Enabled $false
Here are some useful tricks for Get-ADComputer
To get the number of all computer accounts in Active Directory:
Get-ADComputer -Filter {SamAccountName -like "*"} | Measure-Object
To select all computers running Windows XP:
Get-ADComputer -Filter {OperatingSystem -like '*XP*'}
To select only server systems:
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -AutoSize
The results of the command can be exported to a plain text file:
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -AutoSize C:\Script\server_systems.txt
Or a CSV file:
Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8
When i run Get-ADComputer -Identity GM172Q13
it works
But when i run
Get-ADComputer -Identity GM172Q13 -Properties *
I get:
Get-ADComputer : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:2 char:1
+ Get-ADComputer -Identity GM172Q13 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (GM172Q13:ADComputer) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Any ideas?
Figured it out…. “This has been identified as a bug, and there’s a hotfix as described in KB2923122 that you can install. You could also install KB2928680 that contains the above hotfix, and others as well.”
Nice write-up !
Thanks for sharing this.
Here is another informative article which summarizes almost the similar concern and helps to find out inactive users & computer accounts in active directory. You can take further action to disable or remove them : http://activedirectorycleanup.blogspot.in/2014/08/find-inactive-users-compueters-inAD.html
Nice information.
Is there a way i can import a list of computer names (Desktops) from a text file that I have and query againts only that list of ADcomputers to check there last logon time stamp ?
When i lookup help for Get-ADcomputers , the -Identity parameter accepts pipeline binding only by value and not by Propertyname, henec i am not able to do it.
Is there a way you could suggest.
I am trying something like this
$name = Get-content -path c:\pclist.txt
ForEach-Object
{ Get-Adcomputer -Identity $name -properties * | Format-table name,created,lastlogon}
Hi,
Try to run the command below
get-content c:\pclist.txt | % {Get-ADComputer -Identity $_ -properties * | select name,created,lastlogon}
Correct the .txt file output to this:
PS C:\Users\dwalker2> Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’ } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -Autosize | Out-File C:\Script\server_systems.txt
When using an “Authenticated User” account, not a privileged account (i.e., a Domain Admin account), I’m unable to get the “OperatingSystem” attribute. Is there a method to retrieve the “OperatingSystem” attribute without using a “Domain Admin” or other ‘privileged’ account?
It’s pretty strange, by default, any domain user can get the value of this attribute