Solved

How to find old computers in Active Directory using Powershell

Posted on 2011-03-18
5
1,308 Views
Last Modified: 2012-05-11
I need to find computers that haven't been used in a while in AD on a Windows 2008 R2 DC. Let's say 30 days. How would I go about listing all of those computers in alphabetical order?
0
Comment
Question by:Greg27
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
5 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 35167402
You can use the 2008R2 AD cmdlets and do something like this

$d = [DateTime]::Today.AddDays(-30)
Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet | FT Name,PasswordLastSet
0
 

Author Comment

by:Greg27
ID: 35167483
This is showing me all computers and the last password date set on it. I really need a list of all computers that haven't been logged into for at least 30 days. I have a feeling I have some computers listed in AD that no longer exist on my network. Thanks.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 100 total points
ID: 35167564
If these computers are active on the network it will be difficult to get the last time a user logged onto it. You will need to query the audit logs. If these computers are not on the network there are a few attributes you can look at. passwordlastset, Lastlogon, and lastLogonTimeStamp. There are other utilies as well, one I like is oldcmp.exe from joeware.net and the Quest AD cmdlets

get-qadcomputer -Notloggedonfor 30
get-qadcomputer -inactivefor 30


This is what the switches look for

    - The number of days that the account remains in the expired state
    - The number of days that the password of the account remains unchanged
    - The number of days that the account remains unused for logon
0
 
LVL 5

Accepted Solution

by:
sweeps earned 400 total points
ID: 35167628
The best way is to use a program (its free and works great).....

http://cjwdev.wordpress.com/category/ad-tidy/ 

you can set it down to which ou, user or computer, you can export a list, you can have it ping what it thinks is old comp to make sure they are not online.   you can disable or delete in the the program..

awesome program,  have used it for 3 months now.
0
 

Author Closing Comment

by:Greg27
ID: 35323946
Thanks for the help! I ended up giving the most points to sweeps because that is the tool I used and I don't have the Quest AD cmdlets since I am running Powershell 2 with the AD cmdlets built-in.
0

Featured Post

[Webinar] Learn How Hackers Steal Your Credentials

Do You Know How Hackers Steal Your Credentials? Join us and Skyport Systems to learn how hackers steal your credentials and why Active Directory must be secure to stop them. Thursday, July 13, 2017 10:00 A.M. PDT

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Synchronize a new Active Directory domain with an existing Office 365 tenant
A project that enables an administrator to perform actions within a user session context not just at the time of login but any time later on day(s) or week(s) later.
Exchange organizations may use the Journaling Agent of the Transport Service to archive messages going through Exchange. However, if the Transport Service is integrated with some email content management application (such as an antispam), the admini…
In this video, viewers are given an introduction to using the Windows 10 Snipping Tool, how to quickly locate it when it's needed and also how make it always available with a single click of a mouse button, by pinning it to the Desktop Task Bar. Int…

622 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question