Query AD for Windows XP SP Level

This is as much a learning question as it is a pressing, both in equal measures.  I need to poll our AD to determine what computers are running Windows XP and what service pack level they are at (none, 1, 2, or 3).  I would like to do this with PowerShell, but I am open to any method which will get me quick results.  I need to make sure that the query has computer name, OS with SP level, OU location, last logon, and status (active or disabled).

Thanks in advance!

Justin
LVL 31
Justin OwensITIL Problem ManagerAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

Mike KlineCommented:
You can try adfind by Joe Richards

http://www.joeware.net/freetools/tools/adfind/index.htm

adfind -default -f "&(objectcategory=computer)(operatingsystem= Windows XP Professional)"  samaccountname operatingsystem operatingsystemservicepack lastlogontimestamp -tdc -csv > c:\computers.csv

Thanks
Mike
0
Justin OwensITIL Problem ManagerAuthor Commented:
Mike,
As always, you come up with fast answers, and for that I am grateful.  That particular query worked like a charm, minus it does not tell me the enabled/disabled status of the computer account.
I will be keeping this open, hoping for two things:
  1. A way to display the enabled/disabled status (necessity) -and-
  2. The same thing through PowerShell (preferred but not required)
Yes, I know that is probably reinventing the wheel, but I do also want to look at this as a learning opportunity.
Cheers,
Justin
0
Chris DentPowerShell DeveloperCommented:
Hey Justin, Mike :)

With PowerShell, using Quest's CmdLets and I can't test this, so two versions to check:

Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}

And the "hmm perhaps" version:

Get-QADComputer -IncludedProperties operatingSystemServicePack | `
  Select-Object Name, operatingSystem operatingSystemServicePack, `
    @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}

Because I can't quite remember what Get-QADComputer returns and AD is far far away at the moment.

HTH

Chris
0
Webinar: Cyber Crime Becomes Big Business

The rising threat of malware-as-a-service is not one to be overlooked. Malware-as-a-service is growing and easily purchased from a full-service cyber-criminal store in a “Virus Depot” fashion. Join us in our upcoming webinar as we discuss how to best defend against these attacks!

Mike KlineCommented:
...and I knew Chris would come through with powershell as he always does.  Thanks Chris

...MVP review board are you taking note :)

Thanks

Mike
0
Justin OwensITIL Problem ManagerAuthor Commented:
I am probably missing the obvious, Chris.
I downloaded and (supposedly) Quests's CmdLets, but I still get that cmdlet is not recognized....
0
Mike KlineCommented:
You can add the Quest snapin

add-PSSnapin  quest.activeroles.admanagement

or you should be able to go to start > Programs > Quest Software  open the shell there which should include the snapin.

Thanks

Mike
0
Justin OwensITIL Problem ManagerAuthor Commented:
Mike, thanks for the heads up on that.  Foolishly I thought that installing it would make them availible in the regular PS window...  Silly me....
Chris, I have attached the output of both of those commands in the Code box below.
Cheers,
Justin

PS H:\> Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack, `
>>   @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}
>>
Select-Object : A positional parameter cannot be found that accepts argument 'System.Object[]'.
At line:1 char:32
+ Get-QADComputer | Select-Object <<<<  Name, operatingSystem operatingSystemServicePack, `
    + CategoryInfo          : InvalidArgument: (:) [Select-Object], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

PS H:\> Get-QADComputer -IncludedProperties operatingSystemServicePack | `
>>   Select-Object Name, operatingSystem operatingSystemServicePack, `
>>     @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}
>>
Select-Object : A positional parameter cannot be found that accepts argument 'System.Object[]'.
At line:2 char:16
+   Select-Object <<<<  Name, operatingSystem operatingSystemServicePack, `
    + CategoryInfo          : InvalidArgument: (:) [Select-Object], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

Open in new window

0
Chris DentPowerShell DeveloperCommented:

Okay I didn't expect that error...

Could you try just this?

Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack

No lines to contend with :)

Chris
0
Justin OwensITIL Problem ManagerAuthor Commented:
Chris,
See below....

PS H:\> Get-QADComputer | Select-Object Name, operatingSystem operatingSystemServicePack
Select-Object : A positional parameter cannot be found that accepts argument 'operatingSystemServicePack'.
At line:1 char:32
+ Get-QADComputer | Select-Object <<<<  Name, operatingSystem operatingSystemServicePack
    + CategoryInfo          : InvalidArgument: (:) [Select-Object], ParameterBindingException
    + FullyQualifiedErrorId : PositionalParameterNotFound,Microsoft.PowerShell.Commands.SelectObjectCommand

Open in new window

0
Chris DentPowerShell DeveloperCommented:

Oh damn, sorry I missed a comma between operatingSystem and operatingSystemServicePack, back to the first version:

Get-QADComputer | Select-Object Name, operatingSystem, operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }}

Chris
0
Justin OwensITIL Problem ManagerAuthor Commented:
Chris,
That was it... It pulled computer name, OS, SP level and Enabled/Disabled status.....
Again, because my PS is not good at all, is there a way to make it only poll for Windows XP machines and ignore all other OSs?  Also, I would need to pipe that into a savable file, and not to the screen.....
Cheers,
Justin
0
Chris DentPowerShell DeveloperCommented:

Sure, and no problem :)

Chris
Get-QADComputer -OSName "*XP*" | Select-Object Name, operatingSystem, operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
  Export-CSV "SomeFile.csv"

Open in new window

0
Justin OwensITIL Problem ManagerAuthor Commented:
Cool... Now, I have over 41,000 Windows XP accounts in AD...  I need to bypass the 1000 size limit...

PS H:\> Get-QADComputer -OSName "*XP*" | Select-Object Name, operatingSystem, operatingSystemServicePack, `
>> @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
>> Export-CSV "h:\new_computer_test.csv"
>>
WARNING: This search was configured to retrieve only the first 1000 results. To retrieve more results, increase the
size limit using the -SizeLimit parameter or set the default size limit using Set-QADPSSnapinSettings with the
-DefaultSizeLimit parameter. Use 0 as the value of size limit to retrieve all possible search results.

Open in new window

0
Chris DentPowerShell DeveloperCommented:

Setting SizeLimit to 0 should have it return everything.

That's quite a lot, we have to hope they made Get-QADComputer more efficient than System.DirectoryServices. So, fingers crossed and watch your system RAM.

Chris
Get-QADComputer -OSName "*XP*" -SizeLimit 0 | Select-Object Name, operatingSystem, operatingSystemServicePack, `
  @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
  Export-CSV "SomeFile.csv"

Open in new window

0
Justin OwensITIL Problem ManagerAuthor Commented:
Chris, that got it, but I just noticed it didn't have last logon included....  I checked the get-help on that cmdlet, and it does't seem to have that as a built in variable.  Any and all guideance is appreciated.
0
Chris DentPowerShell DeveloperCommented:

lastLogon isn't replicated. I guess lastLogonTimeStamp will be okay?

You may have to convert this value, lets see how far it gets.

Check it out on a small selection / one system first, not in a position to test it at the moment unfortunately :)

Chris
Get-QADComputer -OSName "*XP*" -SizeLimit 0 -IncludedProperties lastLogonTimeStamp | `
  Select-Object Name, operatingSystem, operatingSystemServicePack, lastLogonTimeStamp, `
    @{n='Enabled';e={ if ($_.UserAccountControl -BAnd 2) { $False } Else { $True } }} | `
  Export-CSV "SomeFile.csv"

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Mike KlineCommented:
41,000 XP machines, big environment.  Another tool may help you is old computer by Joe Richards

http://www.joeware.net/freetools/tools/oldcmp/index.htm

Really good for getting rid of old boxes.  We disable at 120 days and delete after 180 days.

Thanks

Mike
0
Justin OwensITIL Problem ManagerAuthor Commented:
Mike,
You have no idea... 75% of our computers have already been migrated to Vista.  Deleting old computer accounts is outside the scope of the contract at the moment, so it is not an option, though I would desperately love for it to be.  Is there a switch in ADFind which also displays enabled/disabled status?  It would be nice to have two different reports to compare.
Cheers,
Justin
0
Justin OwensITIL Problem ManagerAuthor Commented:
Chris,
That last Query yielded the exact results I was seeking.  I will be closing the Question, but I am still looking forward to Mike's input on ADFind.
Cheers,
Justin
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Powershell

From novice to tech pro — start learning today.