Get-ADComputer: Find Computer Properties in Active Directory with PowerShell | Ranjan.info

You can use the Get-ADComputer PowerShell cmdlet to retrieve various information about computer account objects (servers and workstations) in Active Directory domains. This is one of the most useful cmdlets for finding AD computers by various criteria.

Suppose your task is to find all inactive computers in Active Directory that have not been registered in a domain for more than 120 days and disable these computer accounts.

Before you can use the Get-ADComputer cmdlet, you must install and import the Active Directory Module for Windows PowerShell.

Import-Module activedirectory

Tip. In PowerShell 3.0 (introduced in Windows Server 2012) or newer, this module is imported by default if the following component is installed: Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory Module for Windows PowerShell. To use the Get-ADComputer cmdlet on a desktop client (Windows 10 or 11), you need to download and install RSAT and enable the AD PowerShell module from Control Panel or by using the command:

Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell

List computer object properties with Get-ADComputer

You can normally get help on the Get-ADComputer cmdlet parameters from the Get-Help command:

Get-Help Get-ADComputer

To get information from AD using the cmdlets of the Active Directory PowerShell module, you do not need domain administrator privileges. It is enough to use a regular user account that is a member of the Domain Users or Authenticated Users group.

To get information about a specific computer account in the domain, specify its name as the argument of the -Identity parameter:

Get-ADComputer -Identity SRV-DB01

DistinguishedName : CN=SRV-DB01,OU=Servers,OU=London,OU=UK,DC=woshub,DC=com
DNSHostName       : SRV-DB01.woshub.com
Enabled           : True
Name              : SRV-DB01
ObjectClass       : computer
ObjectGUID        : 87654321-1234-5678-0000-123412341234
SamAccountName    : SRV-DB01$
SID               : S-1-5-21-123456780-1234567890-0987654321-1234
UserPrincipalName :

The cmdlet Get-ADComputer returned only the basic properties of the Computer object from AD. We are interested in the time of the last computer registration in the AD domain, but this information is not displayed in the output of the above command. You can list all available properties of this computer object from Active Directory:

Get-ADComputer -Identity SRV-DB01 -Properties *

This list of computer attributes is also available on the Attribute Editor tab in the Active Directory Users and Computers console (dsa.msc).

Using Get-Member, you can get the list of all the properties of the Computer class in AD:

Get-ADComputer -Filter * -Properties * | Get-Member

As you can see, this computer's last logon time on the network is specified in the computer's LastLogonDate attribute: 6/2/2022 3:53:50 AM.

The Get-ADComputer cmdlet allows you to display any properties of the computer in the command results. Remove all unnecessary information, leaving only the values of the Name and LastLogonDate attributes in the output.

Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize

So, we received data on the last time of registration in the domain for a single computer. Next, modify the command to display the time of the last network registration for all computers in the domain. To do this, replace -Identity with -Filter *:

Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize

We've got a simple table with only two fields: the computer name and the LastLogonDate date. You can add other fields of the Computer object from AD to this table.

To display information about computer objects in a particular OU (Organizational Unit), use the -SearchBase parameter:

Get-ADComputer -SearchBase 'OU=Paris,DC=woshub,DC=loc' -Filter * -Properties * | FT Name, LastLogonDate -Autosize

To sort the query results by the date of the last logon, use the Sort cmdlet:

Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

So, we have a list of domain computers and the date they last logged on to the Active Directory network. Now we want to disable computer accounts that haven't been used for more than 120 days.

Using Get-Date, we can get the current date into a variable and subtract 120 days from it:

$date_with_offset= (Get-Date).AddDays(-120)

The resulting date variable can be used in the LastLogonDate field as a filter for a Get-ADComputer query:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Sort LastLogonDate | FT Name, LastLogonDate -Autosize

So we've got a list of inactive computer accounts that haven't been registered on the domain network for more than 120 days. Use the Disable-ADAccount or Set-ADComputer cmdlet to disable these accounts.

Tip. The first time, it is better to test the command with the -WhatIf switch, which shows what would happen if the command were run, without making any changes to the AD objects.

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Set-ADComputer -Enabled $false -WhatIf

You can now disable all inactive computer accounts:

Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Set-ADComputer -Enabled $false

Note. You can also get the list of blocked, disabled and inactive computers and domain users by using the Search-ADAccount cmdlet.
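
A fuller version of the stale-account selection above, as an added example that is not part of the original article. It goes beyond the single LastLogonDate test by also requiring a stale PasswordLastSet and by skipping disabled and recently created accounts, which lowers the chance of disabling a machine that is still in use. The function name Select-StaleComputer, the sample objects and the report path are assumptions made for this example.

```powershell
# Added example: the function name, sample objects and report path are hypothetical.
function Select-StaleComputer {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int]$InactiveDays = 120,
        [datetime]$Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$InactiveDays) }
    process {
        # Skip accounts that are already disabled or were created recently
        # (a freshly joined machine may not have a LastLogonDate yet).
        if (-not $Computer.Enabled) { return }
        if ($Computer.whenCreated -gt $cutoff) { return }
        # LastLogonDate is derived from the replicated lastLogonTimestamp attribute,
        # which can lag the real last logon by up to about two weeks.
        $logonStale = (-not $Computer.LastLogonDate) -or ($Computer.LastLogonDate -lt $cutoff)
        # An active machine also renews its account password (every 30 days by default).
        $pwdStale = (-not $Computer.PasswordLastSet) -or ($Computer.PasswordLastSet -lt $cutoff)
        if ($logonStale -and $pwdStale) { $Computer }
    }
}

# Constructed sample objects, so the selection logic can be checked without a domain.
$now = Get-Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Name='PC-OLD';  Enabled=$true;  whenCreated=$now.AddDays(-900); LastLogonDate=$now.AddDays(-400); PasswordLastSet=$now.AddDays(-410) }
    [pscustomobject]@{ Name='PC-LIVE'; Enabled=$true;  whenCreated=$now.AddDays(-900); LastLogonDate=$now.AddDays(-130); PasswordLastSet=$now.AddDays(-12) }
    [pscustomobject]@{ Name='PC-NEW';  Enabled=$true;  whenCreated=$now.AddDays(-3);   LastLogonDate=$null;              PasswordLastSet=$now.AddDays(-3) }
    [pscustomobject]@{ Name='PC-OFF';  Enabled=$false; whenCreated=$now.AddDays(-900); LastLogonDate=$now.AddDays(-400); PasswordLastSet=$now.AddDays(-400) }
)
$sample | Select-StaleComputer -Now $now | Select-Object Name, LastLogonDate, PasswordLastSet

# Against a domain: save a report first, then preview the change with -WhatIf.
# $stale = Get-ADComputer -Filter 'Enabled -eq $true' -Properties LastLogonDate,PasswordLastSet,whenCreated |
#     Select-StaleComputer -InactiveDays 120
# $stale | Select-Object Name,DistinguishedName,LastLogonDate,PasswordLastSet |
#     Export-Csv C:\PS\stale_computers.csv -NoTypeInformation -Encoding UTF8
# $stale | Set-ADComputer -Enabled $false -WhatIf
```

Keeping the CSV report gives you the list of accounts to re-enable if a disabled machine turns out to be in use.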

Using Search Filters with Get-ADComputer

You can use the -Filter argument of the Get-ADComputer cmdlet to search for multiple Active Directory computers based on specific criteria. Here you can use wildcards and logical comparison operators. Only basic computer object attributes can be used as filters.

If you need to use search filters on extended computer attributes, they can be specified through the Where-Object pipeline. There are many examples in the next section of this article.

Below are some more useful examples of using the Get-ADComputer cmdlet to query and find computer objects in a domain by specific criteria.

Get the total number of all active (unblocked) computers in Active Directory:

(Get-ADComputer -Filter {enabled -eq "true"}).count

You can use multiple filters to search computers based on multiple parameters at once. To do this, use the PowerShell logical comparison operators (-eq, -ne, -gt, -ge, -lt, -le, -like, -notlike, -and, -or, etc.).

Count the number of Windows Server hosts in the AD domain:

(Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' }).count

Get the list of computers in a specific OU whose names start with LonPC:

Get-ADComputer -Filter {Name -like "LonPC*"} -SearchBase 'OU=London,DC=woshub,DC=com' -Properties IPv4Address | Format-Table Name,DNSHostName,IPv4Address -Wrap -AutoSize

When searching in an OU, you can use the additional parameter -SearchScope 1, which means you only need to search in the root OU. The -SearchScope 2 option means a recursive search for computers in all nested OUs.

To find all workstation computers running Windows 10:

Get-ADComputer -Filter {OperatingSystem -like '*Windows 10*'}

Get a list of servers in a domain along with the OS version, the installed Service Pack, and the IP address:

Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"' -Properties Name,Operatingsystem,OperatingSystemVersion,OperatingSystemServicePack,IPv4Address | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,OperatingSystemServicePack,IPv4Address | ft -Wrap -AutoSize

The output is a neat table with a list of Windows Servers in AD.

Query Active Directory Computers with Get-ADComputer: Examples

The following are some more useful examples of using the Get-ADComputer cmdlet to select computers in a domain based on certain criteria.

The -LDAPFilter attribute allows you to use various LDAP queries as a parameter of the Get-ADComputer cmdlet, for example:

Get-ADComputer -LDAPFilter "(name=*db*)"|ft

Find all disabled computer objects in a specific Active Directory OU:

Get-ADComputer -Filter * -SearchBase 'OU=Computers,OU=London,DC=woshub,dc=com' | Where-Object {$_.enabled -eq $False}

To delete all computer accounts that haven’t been logged into the domain for more than 6 months, you can use the command:

Get-ADComputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-6) } | Remove-ADComputer

Display the time the computer’s password was last changed in Active Directory. By default, the password should be changed automatically by the computer once every 30 days. If the computer password does not match the password in AD, the computer’s trust relationship with the domain will be broken:

Get-ADComputer -Identity MUNPC321 -Properties PasswordLastSet

The result of the Get-ADComputer command can be exported to a plain text file:

Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server 2016*' } -Properties OperatingSystem | Select DNSHostName, OperatingSystem | Format-Table -AutoSize | Out-File C:\Script\server_system.txt

You can also get the list of computers and export it to a CSV file:

Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8

Or get an HTML report with a list of computers and required properties:

Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server 2012*' } -Properties * | Select-Object Name,OperatingSystem | ConvertTo-Html | Out-File C:\ps\ad_computers_list.html

You can query the AD computer remotely via WMI or CIM. For example, to display the serial numbers of all servers in a domain:

Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"' | Select-Object Name | Foreach-Object {Get-CimInstance Win32_Bios -ComputerName $_.Name -ErrorAction SilentlyContinue | Select-Object PSComputerName,SerialNumber}

To perform a specific action with all computers from the resulting list, you should use the ForEach loop. In this example, we want to get a list of Windows Server hosts in a domain along with the model and manufacturer.

# Get all Windows Server computer objects from AD
$Computers = Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server*'}
Foreach ($Computer in $Computers)
{
    $Hostname = $Computer.Name
    # Query hardware information from the remote host over WMI
    $ComputerInfo = (Get-WmiObject -Computername $Hostname Win32_ComputerSystem)
    # Manufacturer and Model come from the WMI result, not from the AD object
    $Manufacturer = $ComputerInfo.Manufacturer
    $Model = $ComputerInfo.Model
    Write-Host "Name: $Hostname"
    Write-Host "Manufacturer: $Manufacturer"
    Write-Host "Model: $Model"
    Write-Host " "
    # Append a semicolon-separated line to the report file
    $Content = "$Hostname;$Manufacturer;$Model"
    Add-Content -Value $Content -Path "C:\PS\ServersInfo.txt"
}

You can use a short loop syntax. Suppose you need to run a specific command on all computers in a specific OU. In this example, I’ll use the Invoke-Command to run the Group Policy Update command on all servers:

get-adcomputer -SearchBase "OU=Servers,DC=woshub,DC=com" -Filter * | %{ Invoke-Command -Computer $_.Name -ScriptBlock {gpupdate /force} }

Similarly, you can get various useful information from all the computers in the domain:

Using Get-ADComputer and PowerShell startup scripts, you can control various computer settings or store various useful information in computer attributes in AD (for example, you can add a username to the computer description).

For example, I monitor the status of the SCCM agent on users' computers. When each computer boots, it runs a small logon script that saves the ccmexec service status to an unused computer attribute, extensionAttribute10. Then, using the following command, I can find the computers on which the CCMEXEC service is missing or not running.

Get-ADComputer -Filter {extensionAttribute10 -ne "SCCM Agent:Running"} -SearchBase "OU=Compters,OU=London,DC=woshub,DC=com" -Properties dNSHostName,extensionAttribute10,LastLogonDate | Select-Object dNSHostName,extensionAttribute10,LastLogonDate
