We continue to study useful PowerShell cmdlets to retrieve information from Active Directory. In one of the previous articles, we talked about Get-AD User cmdlet, which allows you to get any information about AD user accounts. Today we’ll discuss the Get-ADComputer cmdlet and its use to get various information about the computer accounts (servers and workstations) in the Active Directory domain.
Let’s set a practical task: using Powershell you have to get a list of computer accounts not registered in the domain network for more than 120 days (inactive computers) and disable them.
Before using Get-ADComputer cmdlet, you have to import Active Directory Module for Windows PowerShell with the command:
Import-Module activedirectory
Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell
Get-ADComputer – Cmdlet Syntax
You can get help on Get-ADComputer cmdlet parameters as usual with Get-Help command:
Get-Help Get-ADComputer
To get information about a specific computer account in the domain, specify its name with -Identity parameter:
Get-ADComputer -Identity SRV-DB01
We need to know the date of last registration of this computer in the AD domain, but this information is not displayed in the output of the command. Let’s display all the available properties of the computer object in Active Directory:
Get-ADComputer -Identity SRV-DB01 -Properties *
As you can see, the last logon date of this computer to the network is specified in the attribute LastLogonDate – 09/21/2015 0:20:17.
Remove all unnecessary information leaving only values of Name and LastLogonDate attributes.
Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize
Then you have to modify the command so that it displays the information about the time of the last network registration for all computers in the domain. To do it, replace –Identity to -Filter:
Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize
To display the information about the computer objects in a particular OU, use the SearchBase parameter:
Get-ADComputer -SearchBase ‘OU=Paris,DC=woshub,DC=loc’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize
Sort the query results by the date of the last logon using Sort command.
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So, we have got the list of computers and the date they last logged on to the Active Directory domain. Now we want to disable the computer accounts not used for 120 days or more.
Using Get-Date we can get the value of the current date in the variable and reduce it by 120 days:
$date_with_offset= (Get-Date).AddDays(-120)
The resulting date variable can be used as a filter of Get-ADComputer query in LastLogonDate field.
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So we have created a list of inactive computer accounts that have not been registered for more than 120 days. Use the Disable-ADAccount command to disable them.
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $date_with_offset } | Set-ADComputer -Enabled $false -whatif
Now you can disable all inactive computer accounts:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $datecutoff} | Set-ADComputer -Enabled $false
Get-ADComputer: Real World Examples
Below are some more useful examples of using the Get-ADComputer cmdlet to query computer objects in the domain.
To get the number of all computer accounts in Active Directory:
Get-ADComputer -Filter {SamAccountName -like "*"} | Measure-Object
List the computers whose names start with LonPC:
Get-ADComputer -Filter 'Name -like "LonPC*"' -Properties IPv4Address | Format-table Name,DNSHostName,IPv4Address -Autosize
To select all workstation computers running Windows XP:
Get-ADComputer -Filter {OperatingSystem -like '*XP*'}
To select only Windows Server computer objects:
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -AutoSize
Get the list of servers in the domain with the version of the OS and the Service Pack installed:
Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server*' } -Property * | Format-Table Name,OperatingSystem,OperatingSystemServicePack -Wrap -Auto
To delete all computer accounts that have not been accessed the domain for more than 6 months, you can use the command:
Get-ADComputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-6) } | Remove-ADComputer
To select disabled computers in the specific OU use the command:
Get-ADComputer -filter * -SearchBase «OU=Computers, OU=Berlin,dc=woshub,dc=loc» | Where-Object {$_.enabled -eq $False}
The results of the command can be exported to a plain text file:
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server*' } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -AutoSize C:\Script\server_systems.txt
Or a CSV file:
Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8
To perform a specific action with all the computers in the resulting list, you must use the Foreach loop. In this example, we want to create a list of servers in the domain and request specific information from each server (the list should contain the server name, manufacturer and server model).
$Computers = Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server*'}
Foreach ($Computer in $Computers)
{
$Hostname = $Computer.Name
$ComputerInfo = (Get-WmiObject -Computername $Hostname Win32_ComputerSystem)
$Manufacturer = $Computer.Manufacturer
$Model = $Computer.Model
Write-Host "Name: $Hostname"
Write-Host "Manufacturer: $Manufacturer"
Write-Host "Model: $Model"
Write-Host " "
$Content = "$Hostname;$Manufacturer;$Model"
Add-Content -Value $Content -Path "C:\PS\ServersInfo.txt"
}
You can use a shorter loop syntax. Suppose you need to run a specific command on all computers in a specific OU (in this example, I want to run a group policy update command on all servers):
get-adcomputer -SearchBase "OU=Servers,DC=woshub,DC=loc" -Filter * | %{ Invoke-Command -Computer $_.Name -ScriptBlock {gpupdate /force} }
12 comments
When i run Get-ADComputer -Identity GM172Q13
it works
But when i run
Get-ADComputer -Identity GM172Q13 -Properties *
I get:
Get-ADComputer : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:2 char:1
+ Get-ADComputer -Identity GM172Q13 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidArgument: (GM172Q13:ADComputer) [Get-ADComputer], ArgumentException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Any ideas?
Figured it out…. “This has been identified as a bug, and there’s a hotfix as described in KB2923122 that you can install. You could also install KB2928680 that contains the above hotfix, and others as well.”
Nice write-up !
Thanks for sharing this.
Here is another informative article which summarizes almost the similar concern and helps to find out inactive users & computer accounts in active directory. You can take further action to disable or remove them : http://activedirectorycleanup.blogspot.in/2014/08/find-inactive-users-compueters-inAD.html
Nice information.
Is there a way i can import a list of computer names (Desktops) from a text file that I have and query againts only that list of ADcomputers to check there last logon time stamp ?
When i lookup help for Get-ADcomputers , the -Identity parameter accepts pipeline binding only by value and not by Propertyname, henec i am not able to do it.
Is there a way you could suggest.
I am trying something like this
$name = Get-content -path c:\pclist.txt
ForEach-Object
{ Get-Adcomputer -Identity $name -properties * | Format-table name,created,lastlogon}
Hi,
Try to run the command below
get-content c:\pclist.txt | % {Get-ADComputer -Identity $_ -properties * | select name,created,lastlogon}
Correct the .txt file output to this:
PS C:\Users\dwalker2> Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’ } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -Autosize | Out-File C:\Script\server_systems.txt
When using an “Authenticated User” account, not a privileged account (i.e., a Domain Admin account), I’m unable to get the “OperatingSystem” attribute. Is there a method to retrieve the “OperatingSystem” attribute without using a “Domain Admin” or other ‘privileged’ account?
It’s pretty strange, by default, any domain user can get the value of this attribute
Great!
is there a way to tell which user(account) was last logged on?
The computer account in AD does not store info about the current user of the system. This can be done using additional logon script.
But you can find logged user remotely using WMI in the interactive mode:
Get-WmiObject –ComputerName PCNameHere –Class Win32_ComputerSystem | Select-Object UserName
Thanks Max
The Get-WMIObject is a great approach
[…] http://woshub.com/get-adcomputer-getting-active-directory-computers-info-via-powershell/ […]