You can use the Get-ADComputer PowerShell cmdlet to retrieve information about computer account objects (servers and workstations) in Active Directory domains. It is one of the most useful cmdlets for finding AD computers by various criteria.
Suppose your task is to find all inactive computers in Active Directory that have not been registered in the domain for more than 120 days and to disable these computer accounts.
Before you can use the Get-ADComputer cmdlet, you must install the Active Directory Module for Windows PowerShell (part of RSAT) and then import it:
Enable-WindowsOptionalFeature -Online -FeatureName RSATClient-Roles-AD-Powershell
Import-Module ActiveDirectory
On Windows 10 1809 and later, where RSAT ships as a Feature on Demand, the module is installed with Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 instead. On domain controllers and servers with the AD DS role the module is already present.
List computer object properties with Get-ADComputer
You can get help on the Get-ADComputer cmdlet parameters with the Get-Help command:
Get-Help Get-ADComputer
You do not need domain administrator privileges to read information from AD with the cmdlets of the Active Directory module. A regular user account that is a member of the Domain Users or Authenticated Users group is enough.
To get information about a specific computer account in the domain, specify its name as the argument of the -Identity parameter:
Get-ADComputer -Identity SRV-DB01
DistinguishedName : CN=SRV-DB01,OU=Servers,OU=London,OU=UK,DC=woshub,DC=com
DNSHostName       : SRV-DB01.woshub.com
Enabled           : True
Name              : SRV-DB01
ObjectClass       : computer
ObjectGUID        : 87654321-1234-5678-0000-123412341234
SamAccountName    : SRV-DB01$
SID               : S-1-5-21-123456780-1234567890-0987654321-1234
UserPrincipalName :
The Get-ADComputer cmdlet returned only the basic properties of the computer object. We are interested in the time of the last computer registration in the AD domain, but this information is not displayed in the output of the command above. You can list all available properties of this computer object from Active Directory:
Get-ADComputer -Identity SRV-DB01 -Properties *
This list of computer attributes is also available on the Attribute Editor tab in the Active Directory Users and Computers console (dsa.msc).
You can also pipe the objects to Get-Member to list the property names together with their types:
Get-ADComputer -Filter * -Properties * | Get-Member
As you can see, the time of this computer's last logon to the network is stored in the LastLogonDate attribute of the computer object (6/2/2022 3:53:50 AM).
The Get-ADComputer cmdlet allows you to display any properties of the computer in the command output. Remove all unnecessary information, leaving only the values of the Name and LastLogonDate attributes:
Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize
So we have the date of the last domain registration for a single computer. Next, modify the command so that it displays the time of the last network registration for all computers in the domain. To do this, replace -Identity with -Filter *:
Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize
We get a simple table with only two fields: computer Name and LastLogonDate. You can add other fields of the AD computer object to this table.
To display information about computer objects in a particular OU (Organizational Unit), use the -SearchBase parameter:
Get-ADComputer -SearchBase 'OU=Paris,DC=woshub,DC=loc' -Filter * -Properties * | FT Name, LastLogonDate -Autosize
Sort the query results by the date of the last logon with the Sort-Object cmdlet:
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So we have a list of domain computers and the date they last logged on to the Active Directory network. Now we want to disable computer accounts that have not been used for more than 120 days.
Using the Get-Date cmdlet, we can store the current date minus 120 days in a variable:
$date_with_offset= (Get-Date).AddDays(-120)
The resulting date variable can be used in the LastLogonDate field as a filter for a Get-ADComputer query:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So we have a list of inactive computer accounts that have not been registered on the domain network for more than 120 days. Use the Disable-ADAccount or Set-ADComputer cmdlet to deactivate these accounts. First run the command with the -WhatIf switch to see which accounts would be affected without changing anything:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset } | Set-ADComputer -Enabled $false -WhatIf
You can now disable all inactive computer accounts:
Get-ADComputer -Properties LastLogonDate -Filter {LastLogonDate -lt $date_with_offset} | Set-ADComputer -Enabled $false
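The one-liners above do the job, but in a real domain it is worth turning the procedure into a script that keeps a record of what it disabled and cross-checks a second timestamp before acting. The following is an added example, not code from the original article. It assumes the Active Directory module is installed; the OU path and the report path are placeholders to replace with values from your own domain.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available; $SearchBase and $ReportPath are placeholders.
Import-Module ActiveDirectory

function Disable-StaleADComputer {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $InactiveDays = 120,
        [string] $SearchBase   = 'OU=Computers,OU=London,DC=woshub,DC=com',  # placeholder OU
        [string] $ReportPath   = 'C:\PS\StaleComputers.csv'                  # placeholder path
    )

    $Cutoff = (Get-Date).AddDays(-$InactiveDays)

    # Server-side filter (evaluated by the domain controller): enabled accounts
    # whose LastLogonDate is older than the cutoff. LastLogonDate is derived from
    # lastLogonTimestamp, which is only replicated about every 14 days, so it is
    # a coarse signal on its own.
    $Candidates = Get-ADComputer -SearchBase $SearchBase `
        -Filter { Enabled -eq $true -and LastLogonDate -lt $Cutoff } `
        -Properties LastLogonDate, PasswordLastSet, OperatingSystem, Description

    # Second signal: a machine that is still alive renews its account password
    # (every 30 days by default). Treat an account as stale only when both
    # timestamps are older than the cutoff.
    $Stale = $Candidates | Where-Object {
        $_.PasswordLastSet -and $_.PasswordLastSet -lt $Cutoff
    }

    # Write the report before touching anything, so the change can be reviewed
    # and reversed with Enable-ADAccount if a machine turns out to be in use.
    $Stale |
        Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate, PasswordLastSet, DistinguishedName |
        Export-Csv -Path $ReportPath -NoTypeInformation -Encoding UTF8

    foreach ($Computer in $Stale) {
        if ($PSCmdlet.ShouldProcess($Computer.Name, 'Disable stale computer account')) {
            # Stamp the description so the reason and date survive in AD.
            $Note = "Disabled $(Get-Date -Format 'yyyy-MM-dd'): no logon since $($Computer.LastLogonDate)"
            Set-ADComputer -Identity $Computer -Description $Note
            Disable-ADAccount -Identity $Computer
        }
    }

    # Return the list so the caller can inspect it in the console as well.
    $Stale | Select-Object Name, LastLogonDate, PasswordLastSet
}

# Dry run first: shows what would be disabled without changing anything.
Disable-StaleADComputer -WhatIf

# Real run, once the CSV report has been reviewed:
# Disable-StaleADComputer
```

Because the function declares SupportsShouldProcess, -WhatIf and -Confirm work on it the same way they do on Set-ADComputer. The CSV is still written during a -WhatIf run, which is intentional: the report is the artefact you review before the real run.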
Using Search Filters with Get-ADComputer
You can use the -Filter parameter of the Get-ADComputer cmdlet to search for Active Directory computers that match specific criteria. Wildcards and logical and comparison operators are supported here, but only the basic computer object attributes can be used in the filter.
If you need to filter on extended computer attributes, pass the objects through Where-Object in the pipeline instead. There are many examples of this in the next section of this article.
Below are some more useful examples of using the Get-ADComputer cmdlet to query and find computer objects in a domain by specific criteria.
Get the total number of all active (unblocked) computers in Active Directory:
(Get-ADComputer -Filter {enabled -eq "true"}).count
You can combine several conditions to search for computers by multiple parameters at once. To do this, use the PowerShell comparison and logical operators (-eq, -ne, -gt, -ge, -lt, -le, -like, -notlike, -and, -or, etc.).
Count the number of Windows Server hosts in the AD domain:
(Get-ADComputer -Filter {enabled -eq "true" -and OperatingSystem -Like '*Windows Server*' }).count
Get the list of computers in a specific OU whose names start with LonPC:
Get-ADComputer -Filter {Name -like "LonPC*"} -SearchBase 'OU=London,DC=woshub,DC=com' -Properties IPv4Address | Format-Table Name,DNSHostName,IPv4Address -Wrap -AutoSize
When searching within an OU, you can add the -SearchScope parameter: -SearchScope 1 (OneLevel) searches only the objects located directly in the specified OU, while -SearchScope 2 (Subtree, the default) searches recursively through all nested OUs.
To find all workstation computers running Windows 10:
Get-ADComputer -Filter {OperatingSystem -like '*Windows 10*'}
Get a list of servers in the domain along with the OS version, the installed service pack, and the IP address:
Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"' -Properties Name,Operatingsystem, OperatingSystemVersion, OperatingSystemServicePack,IPv4Address | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem, OperatingSystemVersion, OperatingSystemServicePack, IPv4Address | ft -Wrap -AutoSize
The output is a neat table listing the Windows Servers in AD.
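Beyond listing servers, the same query pattern gives a quick inventory picture: how many enabled machines run each OS build, and which enabled servers fall outside the builds you expect. The following is an added example, not code from the original article. The allow-list in $SupportedServerOS is an assumption; adjust it to your own standard.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available; $SupportedServerOS is an assumed allow-list.
Import-Module ActiveDirectory

function Get-ADComputerInventory {
    param(
        [string[]] $SupportedServerOS = @('*Windows Server 2019*', '*Windows Server 2022*')  # assumed allow-list
    )

    # One query that asks only for the attributes actually needed;
    # -Properties * is expensive on large domains.
    $All = Get-ADComputer -Filter { Enabled -eq $true } `
        -Properties OperatingSystem, OperatingSystemVersion, LastLogonDate, IPv4Address

    # Number of machines per OS name and version string (the version string
    # carries the build number, e.g. "10.0 (17763)").
    $ByOS = $All |
        Group-Object OperatingSystem, OperatingSystemVersion |
        Sort-Object Count -Descending |
        Select-Object Count, Name

    # Enabled servers whose OS string matches none of the allowed patterns.
    $Servers = $All | Where-Object { $_.OperatingSystem -like '*Windows Server*' }
    $Unsupported = $Servers | Where-Object {
        $os = $_.OperatingSystem
        -not ($SupportedServerOS | Where-Object { $os -like $_ })
    }

    [PSCustomObject]@{
        TotalEnabled       = @($All).Count
        ByOS               = $ByOS
        UnsupportedServers = $Unsupported |
            Select-Object Name, OperatingSystem, OperatingSystemVersion, IPv4Address, LastLogonDate
    }
}

$Inventory = Get-ADComputerInventory
"Enabled computers: $($Inventory.TotalEnabled)"
$Inventory.ByOS | Format-Table -AutoSize
$Inventory.UnsupportedServers | Format-Table -AutoSize
```

The OS filter is done server-side where the attribute allows it, and the allow-list comparison is done client-side with Where-Object, which is the split the section above describes: -Filter for the basic attributes, Where-Object for anything more complex.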
Query Active Directory Computers with Get-ADComputer: Examples
The following are some more useful examples of using the Get-ADComputer cmdlet to select computers in a domain based on certain criteria.
The -LDAPFilter parameter allows you to pass an LDAP query to the Get-ADComputer cmdlet, for example:
Get-ADComputer -LDAPFilter "(name=*db*)"|ft
Find all disabled computer objects in a specific Active Directory OU:
Get-ADComputer -filter * -SearchBase 'OU=Computers,OU=London,DC=woshub,DC=com' | Where-Object {$_.enabled -eq $False}
To delete all computer accounts that have not logged into the domain for more than 6 months, you can use the command:
Get-ADComputer -properties lastLogonDate -filter * | where { $_.lastLogonDate -lt (get-date).addmonths(-6) } | Remove-ADComputer
Display the time the computer's password was last changed in Active Directory. By default, the computer changes its account password automatically once every 30 days. If the password stored on the computer does not match the one in AD, the computer's trust relationship with the domain is broken:
Get-ADComputer -Identity MUNPC321 -Properties PasswordLastSet
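Since a healthy domain member rotates its password every 30 days, a computer account whose PasswordLastSet is much older than that has either been offline for a long time or has had automatic password changes turned off on the host, and both cases are worth a look. The following is an added example, not code from the original article. The 30-day rotation is the documented default; the grace period is an assumption for machines that roam or sit offline for a while.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available; the grace period is an assumed value.
Import-Module ActiveDirectory

function Get-ADComputerWithStalePassword {
    param(
        [int] $MaxPasswordAgeDays = 30,   # default machine account password age
        [int] $GraceDays          = 15    # assumed allowance for offline/roaming machines
    )

    $Cutoff = (Get-Date).AddDays(-($MaxPasswordAgeDays + $GraceDays))

    # Server-side filter on PasswordLastSet (derived from pwdLastSet) restricted
    # to enabled accounts; LastLogonDate is pulled alongside so the two
    # timestamps can be compared in the output.
    Get-ADComputer -Filter { Enabled -eq $true -and PasswordLastSet -lt $Cutoff } `
        -Properties PasswordLastSet, LastLogonDate, OperatingSystem |
        Select-Object Name, OperatingSystem, PasswordLastSet, LastLogonDate,
            @{ Name = 'PasswordAgeDays'; Expression = { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } } |
        Sort-Object PasswordLastSet
}

Get-ADComputerWithStalePassword | Format-Table -AutoSize
```

Reading the two columns together tells the two cases apart: an old PasswordLastSet with an equally old LastLogonDate is simply a stale account, while an old PasswordLastSet next to a recent LastLogonDate points at a machine that is online but no longer renewing its password.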
The result of the Get-ADComputer command can be exported to a plain text file:
Get-ADComputer -Filter { OperatingSystem -Like '*Windows Server 2016*' } -Properties OperatingSystem | Select DNSHostName, OperatingSystem | Format-Table -AutoSize | Out-File C:\Script\server_system.txt
You can also get the list of computers and export it to a CSV file:
Get-ADComputer -Filter * -Properties OperatingSystem,OperatingSystemServicePack | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8
Or get an HTML report with a list of computers and required properties:
Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server 2012*' } -Properties * | Select-Object Name,OperatingSystem | ConvertTo-Html | Out-File C:\ps\ad_computers_list.html
You can also query the computers found in AD remotely via WMI or CIM. For example, to display the serial numbers of all servers in the domain:
Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"' | Select-Object Name | Foreach-Object {Get-CimInstance Win32_Bios -ComputerName $_.Name -ErrorAction SilentlyContinue | Select-Object PSComputerName,SerialNumber}
To perform an action on every computer in the resulting list, use a ForEach loop. In this example, we want to get a list of the Windows Server hosts in the domain along with their model and manufacturer:
$Computers = Get-ADComputer -Filter {OperatingSystem -Like '*Windows Server*'}
Foreach ($Computer in $Computers)
{
    $Hostname = $Computer.Name
    # Query the hardware information of the remote host via WMI
    $ComputerInfo = (Get-WmiObject -ComputerName $Hostname Win32_ComputerSystem)
    $Manufacturer = $ComputerInfo.Manufacturer
    $Model = $ComputerInfo.Model
    Write-Host "Name: $Hostname"
    Write-Host "Manufacturer: $Manufacturer"
    Write-Host "Model: $Model"
    Write-Host " "
    # Append one semicolon-separated line per host to the report file
    $Content = "$Hostname;$Manufacturer;$Model"
    Add-Content -Value $Content -Path "C:\PS\ServersInfo.txt"
}
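The loop above works, but it silently skips hosts that are unreachable and builds the report as text lines. The following is an added example, not the article's own script: the same hardware inventory done over CIM (WinRM) instead of WMI/DCOM, collecting objects so the result can be exported with Export-Csv, and recording in the report which hosts could not be reached. The OU path and the output path are placeholders.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module is available and WinRM is enabled on the servers; $SearchBase and
# $OutPath are placeholders.
Import-Module ActiveDirectory

function Get-ADServerHardwareInfo {
    param(
        [string] $SearchBase = 'OU=Servers,DC=woshub,DC=com',   # placeholder OU
        [string] $OutPath    = 'C:\PS\ServersInfo.csv'          # placeholder path
    )

    $Servers = Get-ADComputer -SearchBase $SearchBase `
        -Filter { Enabled -eq $true -and OperatingSystem -like '*Windows Server*' } `
        -Properties OperatingSystem

    $Results = foreach ($Server in $Servers) {
        # Prefer the FQDN from AD; fall back to the short name if it is empty.
        $Target = if ($Server.DNSHostName) { $Server.DNSHostName } else { $Server.Name }
        $Session = $null
        try {
            # One CIM session per host with a short timeout, so an unreachable
            # host does not stall the whole run.
            $Opt = New-CimSessionOption -Protocol Wsman
            $Session = New-CimSession -ComputerName $Target -SessionOption $Opt -OperationTimeoutSec 15 -ErrorAction Stop
            $Sys  = Get-CimInstance -CimSession $Session -ClassName Win32_ComputerSystem -ErrorAction Stop
            $Bios = Get-CimInstance -CimSession $Session -ClassName Win32_BIOS -ErrorAction Stop
            [PSCustomObject]@{
                Name         = $Server.Name
                OS           = $Server.OperatingSystem
                Manufacturer = $Sys.Manufacturer
                Model        = $Sys.Model
                SerialNumber = $Bios.SerialNumber
                Status       = 'OK'
            }
        }
        catch {
            # Keep the failure in the report instead of dropping the host.
            [PSCustomObject]@{
                Name         = $Server.Name
                OS           = $Server.OperatingSystem
                Manufacturer = $null
                Model        = $null
                SerialNumber = $null
                Status       = "Error: $($_.Exception.Message)"
            }
        }
        finally {
            if ($Session) { Remove-CimSession -CimSession $Session }
        }
    }

    $Results | Export-Csv -Path $OutPath -NoTypeInformation -Encoding UTF8
    $Results
}

Get-ADServerHardwareInfo | Format-Table -AutoSize
```

Objects rather than text lines mean the same result can go to Format-Table, Export-Csv or ConvertTo-Html without reformatting, and the Status column gives you the list of hosts that need a second look.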
You can also use the short loop syntax. Suppose you need to run a specific command on all computers in a particular OU. In this example, Invoke-Command is used to run a Group Policy update on all servers:
get-adcomputer -SearchBase "OU=Servers,DC=woshub,DC=com" -Filter * | %{ Invoke-Command -ComputerName $_.Name -ScriptBlock {gpupdate /force} }
Using Get-ADComputer together with PowerShell startup scripts, you can check various computer settings or store useful information in computer attributes in AD (for example, you can add the username to the computer description).
For example, I monitor the status of the SCCM agent on users' computers. When a computer boots, it runs a small logon script that saves the CCMEXEC service status to an unused computer attribute, extensionAttribute10. Then, with the following command, I can find the computers on which the CCMEXEC service is missing or not running:
get-adcomputer -filter {extensionAttribute10 -ne "SCCM Agent:Running"} -SearchBase "OU=Computers,OU=London,DC=woshub,DC=com" -properties dNSHostName,extensionAttribute10,LastLogonDate | select-object dNSHostName,extensionAttribute10,LastLogonDate
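The article describes the logon script only in words. The following is an added example, not the author's own script, of both halves: the client-side script that writes the service state into extensionAttribute10, and the query that reads it back restricted to machines that have actually been seen recently. It assumes the computer account (SELF) has been delegated write permission on extensionAttribute10 for the target OU, since computers cannot write that attribute on their own object by default, that the Active Directory module is present on the client, and that the OU path is a placeholder.

```powershell
# Added example (not from the original article). Assumes SELF has write
# permission on extensionAttribute10 in the OU, the ActiveDirectory module is
# available on the client, and $SearchBase is a placeholder.
Import-Module ActiveDirectory

# Client side: run at startup in the computer's own security context, so the
# write to AD happens as the computer account.
function Update-AgentStatusAttribute {
    param(
        [string] $ServiceName = 'CCMEXEC',
        [string] $Attribute   = 'extensionAttribute10'
    )

    $Svc   = Get-Service -Name $ServiceName -ErrorAction SilentlyContinue
    $State = if ($Svc) { "SCCM Agent:$($Svc.Status)" } else { 'SCCM Agent:Missing' }

    # The computer's SamAccountName is its name with a trailing '$'.
    Set-ADComputer -Identity "$env:COMPUTERNAME$" -Replace @{ $Attribute = $State }
    $State
}

# Admin side: enabled computers seen within the last N days whose recorded
# agent state is anything other than "Running". Limiting to recently seen
# machines keeps long-offline hosts out of the agent-health list; those are
# handled by the stale-account procedure instead.
function Get-ADComputerWithoutRunningAgent {
    param(
        [string] $SearchBase       = 'OU=Computers,OU=London,DC=woshub,DC=com',  # placeholder OU
        [int]    $ActiveWithinDays = 30
    )

    $Cutoff = (Get-Date).AddDays(-$ActiveWithinDays)

    Get-ADComputer -SearchBase $SearchBase `
        -Filter { Enabled -eq $true -and LastLogonDate -gt $Cutoff -and extensionAttribute10 -ne 'SCCM Agent:Running' } `
        -Properties dNSHostName, extensionAttribute10, LastLogonDate |
        Select-Object dNSHostName, extensionAttribute10, LastLogonDate |
        Sort-Object LastLogonDate -Descending
}

# On the client (startup script):
# Update-AgentStatusAttribute

# On the admin workstation:
Get-ADComputerWithoutRunningAgent | Format-Table -AutoSize
```

Keeping the healthy value as a fixed string ("SCCM Agent:Running") makes the server-side -ne filter cheap and lets the same attribute carry the failure reason (Stopped, Missing) for machines that need attention.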