Windows OS Hub
  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange
  • Home
  • About

Windows OS Hub

  • Windows Server
    • Windows Server 2016
    • Windows Server 2012 R2
    • Windows Server 2012
    • Windows Server 2008 R2
    • SCCM
  • Active Directory
    • Group Policies
  • Windows Clients
    • Windows 10
    • Windows 8
    • Windows 7
    • MS Office
    • Outlook
  • Virtualization
    • VMWare
    • Hyper-V
  • PowerShell
  • Exchange

 Windows OS Hub / Active Directory / Get-ADComputer: Find Computer Details in Active Directory with PowerShell

August 19, 2019 Active DirectoryPowerShell

Get-ADComputer: Find Computer Details in Active Directory with PowerShell

You can use the PowerShell cmdlet Get-ADComputer to get various information about computer account objects (servers and workstations) from Active Directory domain. This is one of the most useful cmdlets for searching AD computers by various criteria (to get information about AD user accounts, another cmdlet is used – Get-ADUser).

Contents:
  • Get-ADComputer – Cmdlet Syntax
  • Get-ADComputer – Examples

Suppose your task is to find all inactive computers in Active Directory that have not been registered in a domain for more than 120 days and disable these accounts.

Before using Get-ADComputer cmdlet, you have to import Active Directory Module for Windows PowerShell with the command:

Import-Module activedirectory

Tip. In PowerShell 3.0 (introduced in Windows Server 2012) or later, this module is imported by default, if the following component is installed: Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell. To use the Get-ADComputer cmdlet in the desktop OSs (Windows 10, 8.1 or Windows 7), you must download and install the RSAT for your version of the OS and enable the AD-Powershell module from the Control Panel or using the command:

Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell

enabling ad module for powershell

Get-ADComputer – Cmdlet Syntax

You can get help on Get-ADComputer cmdlet parameters as usual with Get-Help command:

Get-Help Get-ADComputer

Get-ADComputer cmdlet syntax help

To get information from AD using the cmdlets from the AD for PowerShell module, you don’t need to have the domain admin privileges. It is sufficient that the account under which the cmdlet is being run is a member of the Domain Users / Authenticated Users group.

To get information about a specific computer account in the domain, specify its name as an argument of the -Identity parameter:

Get-ADComputer -Identity SRV-DB01

Get-ADComputer -Identity

DistinguishedName : CN=SRV-DB01,OU=Servers,OU=London,OU=UK,DC=woshub,DC=com
DNSHostName       : SRV-DB01.woshub.com
Enabled           : True
Name              : SRV-DB01
ObjectClass       : computer
ObjectGUID        : 87654321-1234-5678-0000-123412341234
SamAccountName    : SRV-DB01$
SID               : S-1-5-21-123456780-1234567890-0987654321-1234
UserPrincipalName :

The cmdlet Get-ADComputer returned only the basic properties of the Computer object from AD. We are interested in the time of the last computer registration in the AD domain, but this information is not displayed in the output of the command above. You can list all available properties of this computer object from Active Directory:

Get-ADComputer -Identity SRV-DB01 -Properties *

All AD computer properties

Using Get-Member, you can get a list of all the properties of the Computer class in AD:

Get-ADComputer -Filter * -Properties * | Get-Member

As you can see, the last logon date of this computer to the network is specified in the computer’s attribute LastLogonDate – 09/21/2015 0:20:17.

The Get-ADComputer cmdlet allows you to display any of the computer’s properties in the command results. Remove all unnecessary information leaving only values of Name and LastLogonDate attributes.

Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize

Get-ADComputer LastLogonDate

So, we received data on the last time of registration in the domain for a single computer. Then you have to modify the command to make it display the information about the time of the last network registration for all computers in the domain. To do it, replace –Identity to –Filter *:

Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize

LastLogonDate of AD computers - table view

We got a simple table that contains only 2 fields: computer name and LastLogonData date. You can add other fields of the Computer object from AD to this table.

To display the information about the computer objects in a particular OU (organizational unit), use the –SearchBase parameter:

Get-ADComputer -SearchBase ‘OU=Paris,DC=woshub,DC=loc’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize

Sort the query results by the date of the last logon using the Sort cmdlet:

Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

Sort by LastLogonDate

So, we have got the list of computers and the date they last logged on to the Active Directory domain. Now we want to disable the computer accounts that weren’t used for 120 days or more.

Using Get-Date we can get the value of the current date in the variable and reduce it to 120 days:

$date_with_offset= (Get-Date).AddDays(-120)

The resulting date variable can be used as a filter of Get-ADComputer query in LastLogonDate field:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

So we have created a list of inactive computer accounts that have not been registered on the network for more than 120 days. Use the Disable-ADAccount or Set-ADComputer command to disable them.

Tip. For the first time, it’s better to test the results of the command with the –WhatIf switch, which allows to see what happens if the command has been run with no changes to the system.

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $date_with_offset } | Set-ADComputer -Enabled $false -whatif

Now you can disable all inactive computer accounts:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonData -lt $datecutoff} | Set-ADComputer -Enabled $false

Note. Also you can get a list of blocked, disabled and inactive computers and domain users using a separate cmdlet Search-ADAccount.

Get-ADComputer – Examples

Below are some more useful examples of using the Get-ADComputer cmdlet to query and search computer objects in the domain by specific criteria.

Get the total number of all active (unlocked) computers in Active Directory:

(Get-ADComputer -Filter {enabled -eq "true"}).count

Calculate the number of Windows Server instances in the AD domain:

(Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' }).count

Get-ADComputer count desktop or server objects in the adGet a list of computers in a specific OU whose names begin with LonPC:

Get-ADComputer -Filter {Name -like "LonPC*"} -SearchBase ‘OU=London,DC=woshub,DC=com’  -Properties IPv4Address | Format-table Name,DNSHostName,IPv4Address | ft -Wrap –Auto

When searching in the OU, you can use the additional parameter -SearchScope 1, which means that you need to search only in the OU root. The -SearchScope 2 option indicates a recursive search for computers in all nested OUs.

To find all workstation computers running Windows 10:

Get-ADComputer -Filter {OperatingSystem -like '*Windows 10*'}

Get the list of servers in the domain with the OS version, Service Pack installed and IP address:

Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"' -Properties  Name,Operatingsystem, OperatingSystemVersion, OperatingSystemServicePack,IPv4Address | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem, OperatingSystemVersion, OperatingSystemServicePack, IPv4Address| ft -Wrap –Auto

The output was such a beautiful table with a list of Windows Server in the AD:

get-ad-computers list with os version and ip address

The -LDAPFilter attribute allows you to use various LDAP queries as a parameter of the Get-ADComputer cmdlet, for example:

Get-ADComputer -LDAPFilter "(name=*db*)"|ft

Find all disabled computers in a specific Active Directory OU:

Get-ADComputer -filter * -SearchBase ‘OU=Computers,OU=London,DC=woshub,dc=com’ | Where-Object {$_.enabled -eq $False}

To delete all computer accounts that have not been logged into the domain for more than 6 months, you can use the command:
Get-ADComputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-6) } | Remove-ADComputer

The result of the Get-ADComputer command can be exported to a plain text file:

Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server 2008*' } -Properties OperatingSystem | Select DNSHostName, OperatingSystem | Format-Table -AutoSize C:\Script\server_system.txt

You can also get a list of computers and export it to a CSV file:

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8

Or get an HTML report file with a list of computers and necessary properties:

Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server 2012*' } -Properties * | Select-Object Name,OperatingSystem | ConvertTo-Html | Out-File C:\ps\ad_computers_list.html

ad-computer objects html report

To perform a specific action with all the computers in the resulting list, you must use the Foreach loop. In this example, we want to create a list of servers in the domain and request specific information from each server (the result file should contain the server name, manufacturer and server model).

$Computers = Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server*'}
Foreach ($Computer in $Computers)
{
$Hostname = $Computer.Name
$ComputerInfo = (Get-WmiObject -Computername $Hostname Win32_ComputerSystem)
$Manufacturer = $Computer.Manufacturer
$Model = $Computer.Model
Write-Host "Name: $Hostname"
Write-Host "Manufacturer: $Manufacturer"
Write-Host "Model: $Model"
Write-Host " "
$Content = "$Hostname;$Manufacturer;$Model"
Add-Content -Value $Content -Path "C:\PS\ServersInfo.txt"
}

You can use a shorter loop syntax. Suppose you need to run a specific command on all computers in a specific OU (in this example, I want to run a group policy update command on all servers):

get-adcomputer -SearchBase "OU=Servers,DC=woshub,DC=com" -Filter * | %{ Invoke-Command -Computer $_.Name -ScriptBlock {gpupdate /force} }

Using Get-AdComputer and the PowerShell startup script, you can control various computer settings. For example, I monitor the status of the SCCM agent (service) on users’ computers. A small logon script is executed on each computer during startup, which saves the ccmexec service status to a unused computer attribute – extensionAttribute10.

Then, using the following command, I can find computers on which the CCMExec service is missing or not running.

get-adcomputer -filter {extensionAttribute10 -ne "SCCM Agent:Running"} -SearchBase “OU=Compters,OU=London,DC=woshub,DC=com” -properties dNSHostName,extensionAttribute10,LastLogonDate  |select-object dNSHostName,extensionAttribute10,LastLogonDate

get service status on the ad computers

16 comments
1
Facebook Twitter Google + Pinterest
previous post
Configuring Windows Firewall Settings and Rules with Group Policy
next post
Secure Password (Credentials) Encryption in PowerShell Scripts

Related Reading

How to Sign a PowerShell Script (PS1) with...

February 25, 2021

Configuring PowerShell Script Execution Policy

February 18, 2021

Configuring Proxy Settings on Windows Using Group Policy...

February 17, 2021

Updating Group Policy Settings on Windows Domain Computers

February 16, 2021

How to Find Inactive Computers and Users in...

January 29, 2021

16 comments

Blake Masri April 1, 2016 - 6:17 pm

When i run Get-ADComputer -Identity GM172Q13
it works
But when i run
Get-ADComputer -Identity GM172Q13 -Properties *
I get:
Get-ADComputer : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:2 char:1
+ Get-ADComputer -Identity GM172Q13 -Properties *
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (GM172Q13:ADComputer) [Get-ADComputer], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer
Any ideas?

Reply
Blake Masri April 1, 2016 - 6:34 pm

Figured it out…. “This has been identified as a bug, and there’s a hotfix as described in KB2923122 that you can install. You could also install KB2928680 that contains the above hotfix, and others as well.”

Reply
carlochapline May 13, 2016 - 4:39 am

 Nice write-up !
Thanks for sharing this.
Here is another informative article which summarizes almost the similar concern and helps to find out inactive users & computer accounts in active directory. You can take further action to disable or remove them : http://activedirectorycleanup.blogspot.in/2014/08/find-inactive-users-compueters-inAD.html

Reply
Aniket Barve May 19, 2016 - 12:51 am

Nice information.
Is there a way i can import a list of computer names (Desktops) from a text file that I have and query againts only that list of ADcomputers to check there last logon time stamp ?
 
When i lookup help for Get-ADcomputers , the -Identity parameter accepts pipeline binding only by value and not by Propertyname, henec i am not able to do it.
Is there a way you could suggest.
I am trying something like this
$name = Get-content -path c:\pclist.txt
ForEach-Object
{ Get-Adcomputer -Identity $name -properties * | Format-table  name,created,lastlogon}

Reply
admin May 19, 2016 - 7:29 am

Hi,
Try to run the command below

get-content c:\pclist.txt | % {Get-ADComputer -Identity $_ -properties * | select name,created,lastlogon}

Reply
Dustin June 28, 2016 - 8:26 pm

Correct the .txt file output to this:
PS C:\Users\dwalker2> Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’ } -Properties OperatingSystem | Select Name, OperatingSystem | Format-Table -Autosize | Out-File C:\Script\server_systems.txt

Reply
Barry Dragoon March 29, 2017 - 10:01 pm

When using an “Authenticated User” account, not a privileged account (i.e., a Domain Admin account), I’m unable to get the “OperatingSystem” attribute. Is there a method to retrieve the “OperatingSystem” attribute without using a “Domain Admin” or other ‘privileged’ account?

Reply
admin April 26, 2017 - 5:50 am

It’s pretty strange, by default, any domain user can get the value of this attribute

Reply
Kenni February 1, 2018 - 3:22 pm

Great!
is there a way to tell which user(account) was last logged on?

Reply
Max February 19, 2018 - 11:24 am

The computer account in AD does not store info about the current user of the system. This can be done using additional logon script.
But you can find logged user remotely using WMI in the interactive mode:
Get-WmiObject –ComputerName PCNameHere –Class Win32_ComputerSystem | Select-Object UserName

Reply
Kenni March 6, 2018 - 11:53 am

Thanks Max

The Get-WMIObject is a great approach

Reply
How to get Active Directory Computer’s info via Powershell? – Xture July 11, 2018 - 12:01 pm

[…] http://woshub.com/get-adcomputer-getting-active-directory-computers-info-via-powershell/ […]

Reply
rahul September 13, 2019 - 4:54 am

Can u pls suggest me to get windows version of adcomputers using powershell command

Reply
admin September 13, 2019 - 5:05 am

Try this code:
get-adcomputer -filter * -properties *|select Name,OperatingSystem,OperatingSystemVersion |ft

Reply
Kooma January 21, 2020 - 10:19 pm

I have list of SAM account names and I need to confirm the OS version on these machines, is there any PS script to help me with this?

Reply
admin January 28, 2020 - 6:06 am

Save the list of computer names to a plain text file and run the following PS code to get the OS version:
get-content c:\ps\pclist.txt | % {Get-ADComputer -Identity $_ -properties * | select name,operatingSystem,operatingSystemVersion}

Reply

Leave a Comment Cancel Reply

Categories

  • Active Directory
  • Group Policies
  • Exchange
  • Windows 10
  • Windows 8
  • Windows 7
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2008 R2
  • PowerShell
  • VMWare
  • MS Office

Recent Posts

  • Accessing USB Flash Drive from VMWare ESXi

    February 26, 2021
  • How to Sign a PowerShell Script (PS1) with a Code Signing Certificate?

    February 25, 2021
  • Change the Default Port Number (TCP/1433) for a MS SQL Server Instance

    February 24, 2021
  • How to Shadow (Remote Control) a User’s RDP session on RDS Windows Server 2016/2019?

    February 22, 2021
  • Configuring PowerShell Script Execution Policy

    February 18, 2021
  • Configuring Proxy Settings on Windows Using Group Policy Preferences

    February 17, 2021
  • Updating Group Policy Settings on Windows Domain Computers

    February 16, 2021
  • Managing Administrative Shares (Admin$, IPC$, C$, D$) in Windows 10

    February 11, 2021
  • Packet Monitor (PktMon) – Built-in Packet Sniffer in Windows 10

    February 10, 2021
  • Fixing “Winload.efi is Missing or Contains Errors” in Windows 10

    February 5, 2021

Follow us

woshub.com
  • Facebook
  • Twitter
  • RSS
Popular Posts
  • How to Configure Google Chrome Using Group Policy ADMX Templates?
  • Allow RDP Access to Domain Controller for Non-admin Users
  • Get-ADUser: Getting Active Directory Users Info via PowerShell
  • How to Find the Source of Account Lockouts in Active Directory domain?
  • Changing Desktop Background Wallpaper in Windows through GPO
  • How to Refresh AD Groups Membership without Reboot/Logoff?
  • Managing User Photos in Active Directory Using ThumbnailPhoto Attribute
Footer Logo

@2014 - 2018 - Windows OS Hub. All about operating systems for sysadmins


Back To Top