Query AD for Windows XP SP Level

This is as much a learning question as it is a pressing one, both in equal measures.  I need to poll our AD to determine what computers are running Windows XP and what service pack level they are at (none, 1, 2, or 3).  I would like to do this with PowerShell, but I am open to any method which will get me quick results.  I need to make sure that the query has computer name, OS with SP level, OU location, last logon, and status (active or disabled).

Thanks in advance!

Justin
Justin Owens (ITIL Problem Manager) asked:
 
Chris Dent (PowerShell Developer) commented:

lastLogon isn't replicated. I guess lastLogonTimeStamp will be okay?

You may have to convert this value, let's see how far it gets.

Check it out on a small selection / one system first, not in a position to test it at the moment unfortunately :)

Chris
Get-QADComputer -OSName "*XP*" -SizeLimit 0 -IncludedProperties lastLogonTimeStamp | `
  Select-Object Name, operatingSystem, operatingSystemServicePack, lastLogonTimeStamp, `
    @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
  Export-CSV "SomeFile.csv"

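Added example, not part of the thread: how the raw attribute values discussed above (lastLogonTimeStamp, userAccountControl, the service pack string and the distinguished name) turn into the report columns the question asks for. The function name `ConvertTo-ComputerReportRow` and the sample records are constructed for illustration; `[pscustomobject]` assumes PowerShell 3.0 or later.

```powershell
# Added example. Sample records below are constructed, not real directory data.
$ACCOUNTDISABLE = 0x2   # userAccountControl bit that marks a disabled account

function ConvertTo-ComputerReportRow {   # hypothetical helper name
    param([Parameter(Mandatory = $true)][hashtable]$Entry)

    # lastLogonTimestamp is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    # Missing or 0 means no logon has been recorded. The attribute is replicated,
    # but by default it is only refreshed when the stored value is roughly
    # 9-14 days old, so treat it as approximate.
    $raw = [long]$Entry['lastLogonTimestamp']
    $lastLogon = $null
    if ($raw -gt 0) { $lastLogon = [DateTime]::FromFileTimeUtc($raw) }

    # OU location = distinguishedName minus its first RDN
    # (cut at the first comma that is not escaped with a backslash).
    $ou = $Entry['distinguishedName'] -replace '^.+?(?<!\\),', ''

    # An empty operatingSystemServicePack means no service pack is installed.
    $sp = $Entry['operatingSystemServicePack']
    if (-not $sp) { $sp = 'none' }

    [pscustomobject]@{
        Name         = $Entry['name']
        OS           = $Entry['operatingSystem']
        ServicePack  = $sp
        OU           = $ou
        LastLogonUtc = $lastLogon
        Enabled      = -not ([int]$Entry['userAccountControl'] -band $ACCOUNTDISABLE)
    }
}

# Constructed sample input: one enabled SP3 machine, one disabled machine
# with no service pack and no recorded logon.
$sample = @(
    @{ name = 'WS-0001'; operatingSystem = 'Windows XP Professional'
       operatingSystemServicePack = 'Service Pack 3'
       distinguishedName = 'CN=WS-0001,OU=Workstations,DC=example,DC=com'
       userAccountControl = 4096; lastLogonTimestamp = 129000000000000000 },
    @{ name = 'WS-0002'; operatingSystem = 'Windows XP Professional'
       operatingSystemServicePack = $null
       distinguishedName = 'CN=WS-0002,OU=Retired,OU=Workstations,DC=example,DC=com'
       userAccountControl = 4098; lastLogonTimestamp = 0 }
)

$sample | ForEach-Object { ConvertTo-ComputerReportRow $_ } | Format-Table -AutoSize
```

Replacing `Format-Table -AutoSize` with `Export-Csv -NoTypeInformation <path>` writes the same rows to a file.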
 
Mike Kline commented:
You can try adfind by Joe Richards

http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -f "&(objectcategory=computer)(operatingsystem= Windows XP Professional)"  samaccountname operatingsystem operatingsystemservicepack lastlogontimestamp -tdc -csv > c:\computers.csv

Thanks
Mike
 
Justin Owens (ITIL Problem Manager, author) commented:
Mike,
As always, you come up with fast answers, and for that I am grateful.  That particular query worked like a charm, minus it does not tell me the enabled/disabled status of the computer account.
I will be keeping this open, hoping for two things:
  1. A way to display the enabled/disabled status (necessity) -and-
  2. The same thing through PowerShell (preferred but not required)
Yes, I know that is probably reinventing the wheel, but I do also want to look at this as a learning opportunity.
Cheers,
Justin
 
Chris Dent (PowerShell Developer) commented:
Hey Justin, Mike :)

With PowerShell, using Quest's CmdLets and I can't test this, so two versions to check:

Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}

And the "hmm perhaps" version:

Get-QADComputer -IncludedProperties operatingSystemServicePack | `
  Select-Object Name, operatingSystem operatingSystemServicePack, `
    @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}

Because I can't quite remember what Get-QADComputer returns and AD is far far away at the moment.

HTH

Chris
 
Mike Kline commented:
...and I knew Chris would come through with powershell as he always does.  Thanks Chris

...MVP review board are you taking note :)

Thanks

Mike
 
Justin Owens (ITIL Problem Manager, author) commented:
I am probably missing the obvious, Chris.
I downloaded and (supposedly) installed Quest's CmdLets, but I still get that cmdlet is not recognized....
 
Mike Kline commented:
You can add the Quest snapin

add-PSSnapin  quest.activeroles.admanagement

or you should be able to go to start > Programs > Quest Software  open the shell there which should include the snapin.

Thanks

Mike
 
Justin Owens (ITIL Problem Manager, author) commented:
Mike, thanks for the heads up on that.  Foolishly I thought that installing it would make them available in the regular PS window...  Silly me....
Chris, I have attached the output of both of those commands in the Code box below.
Cheers,
Justin

PS H:\> Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack, `
>>   @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}
>>
Select-Object : A positional parameter cannot be found that accepts argument 'System.Object[]'.
At line:1 char:32
+ Get-QADComputer | Select-Object <<<<  Name, operatingSystem operatingSystemServicePack, `
    + CategoryInfo          : InvalidArgument: (:) [Select-Object], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

PS H:\> Get-QADComputer -IncludedProperties operatingSystemServicePack | `
>>   Select-Object Name, operatingSystem operatingSystemServicePack, `
>>     @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}
>>
Select-Object : A positional parameter cannot be found that accepts argument 'System.Object[]'.
At line:2 char:16
+   Select-Object <<<<  Name, operatingSystem operatingSystemServicePack, `
    + CategoryInfo          : InvalidArgument: (:) [Select-Object], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

 
Chris Dent (PowerShell Developer) commented:

Okay I didn't expect that error...

Could you try just this?

Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack

No lines to contend with :)

Chris
 
Justin Owens (ITIL Problem Manager, author) commented:
Chris,
See below....

PS H:\> Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack
Select-Object : A positional parameter cannot be found that accepts argument 'operatingSystemServicePack'.
At line:1 char:32
+ Get-QADComputer | Select-Object <<<<  Name, operatingSystem operatingSystemServicePack
    + CategoryInfo          : InvalidArgument: (:) [Select-Object], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

 
Chris Dent (PowerShell Developer) commented:

Oh damn, sorry I missed a comma between operatingSystem and operatingSystemServicePack, back to the first version:

Get-QADComputer | Select-Object Name, operatingSystem, operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}

Chris
 
Justin Owens (ITIL Problem Manager, author) commented:
Chris,
That was it... It pulled computer name, OS, SP level and Enabled/Disabled status.....
Again, because my PS is not good at all, is there a way to make it only poll for Windows XP machines and ignore all other OSs?  Also, I would need to pipe that into a savable file, and not to the screen.....
Cheers,
Justin
 
Chris Dent (PowerShell Developer) commented:

Sure, and no problem :)

Chris
Get-QADComputer -OSName "*XP*" | Select-Object Name, operatingSystem, operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
  Export-CSV "SomeFile.csv"

 
Justin Owens (ITIL Problem Manager, author) commented:
Cool... Now, I have over 41,000 Windows XP accounts in AD...  I need to bypass the 1000 size limit...

PS H:\> Get-QADComputer -OSName "*XP*" | Select-Object Name, operatingSystem, operatingSystemServicePack, `
>> @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
>> Export-CSV "h:\new_computer_test.csv"
>>
WARNING: This search was configured to retrieve only the first 1000 results. To retrieve more results, increase the
size limit using the -SizeLimit parameter or set the default size limit using Set-QADPSSnapinSettings with the
-DefaultSizeLimit parameter. Use 0 as the value of size limit to retrieve all possible search results.

 
Chris Dent (PowerShell Developer) commented:

Setting SizeLimit to 0 should have it return everything.

That's quite a lot, we have to hope they made Get-QADComputer more efficient than System.DirectoryServices. So, fingers crossed and watch your system RAM.

Chris
Get-QADComputer -OSName "*XP*" -SizeLimit 0 | Select-Object Name, operatingSystem, operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
  Export-CSV "SomeFile.csv"

 
Justin Owens (ITIL Problem Manager, author) commented:
Chris, that got it, but I just noticed it didn't have last logon included....  I checked the get-help on that cmdlet, and it doesn't seem to have that as a built in variable.  Any and all guidance is appreciated.
 
Mike Kline commented:
41,000 XP machines, big environment.  Another tool that may help you is old computer by Joe Richards

http://www.joeware.net/freetools/tools/oldcmp/index.htm

Really good for getting rid of old boxes.  We disable at 120 days and delete after 180 days.

Thanks

Mike
 
Justin Owens (ITIL Problem Manager, author) commented:
Mike,
You have no idea... 75% of our computers have already been migrated to Vista.  Deleting old computer accounts is outside the scope of the contract at the moment, so it is not an option, though I would desperately love for it to be.  Is there a switch in ADFind which also displays enabled/disabled status?  It would be nice to have two different reports to compare.
Cheers,
Justin
 
Justin Owens (ITIL Problem Manager, author) commented:
Chris,
That last Query yielded the exact results I was seeking.  I will be closing the Question, but I am still looking forward to Mike's input on ADFind.
Cheers,
Justin
Question has a verified solution.