Solved

How to find old computers in Active Directory using Powershell

Posted on 2011-03-18
Last Modified: 2012-05-11
I need to find computers that haven't been used in a while in AD on a Windows 2008 R2 DC. Let's say 30 days. How would I go about listing all of those computers in alphabetical order?
Question by:Greg27
5 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 35167402
You can use the 2008R2 AD cmdlets and do something like this

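# Cutoff date: 30 days before today
$d = [DateTime]::Today.AddDays(-30)
# -lt selects computers whose machine password was last set BEFORE the cutoff (the stale ones)
Get-ADComputer -Filter 'PasswordLastSet -lt $d' -Properties PasswordLastSet | FT Name,PasswordLastSet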
 

Author Comment

by:Greg27
ID: 35167483
This is showing me all computers and the last password date set on it. I really need a list of all computers that haven't been logged into for at least 30 days. I have a feeling I have some computers listed in AD that no longer exist on my network. Thanks.
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 100 total points
ID: 35167564
If these computers are active on the network it will be difficult to get the last time a user logged onto it. You will need to query the audit logs. If these computers are not on the network there are a few attributes you can look at: passwordlastset, Lastlogon, and lastLogonTimeStamp. There are other utilities as well; one I like is oldcmp.exe from joeware.net and the Quest AD cmdlets.

get-qadcomputer -Notloggedonfor 30
get-qadcomputer -inactivefor 30


This is what the switches look for

    - The number of days that the account remains in the expired state
    - The number of days that the password of the account remains unchanged
    - The number of days that the account remains unused for logon
 
LVL 5

Accepted Solution

by:
sweeps earned 400 total points
ID: 35167628
The best way is to use a program (it's free and works great).....

http://cjwdev.wordpress.com/category/ad-tidy/ 

You can set it down to which OU, user or computer, you can export a list, you can have it ping what it thinks are old computers to make sure they are not online. You can disable or delete in the program.

Awesome program, have used it for 3 months now.
 

Author Closing Comment

by:Greg27
ID: 35323946
Thanks for the help! I ended up giving the most points to sweeps because that is the tool I used and I don't have the Quest AD cmdlets since I am running Powershell 2 with the AD cmdlets built-in.
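
An added example, not posted by anyone in this thread: a read-only report built with the ActiveDirectory module that ships with 2008 R2, using the lastLogonTimeStamp and password-age attributes mentioned above and listing the results alphabetically. The 14-day figure assumes the domain still uses the default lastLogonTimestamp sync interval; the variable names are illustrative.

```powershell
# Added example: read-only report of computer accounts that look stale.
Import-Module ActiveDirectory

$InactiveDays = 30   # threshold from the question
$SyncLagDays  = 14   # assumption: default lastLogonTimestamp sync interval

# lastLogonTimestamp is replicated to every DC but may trail the real logon
# by up to the sync interval, so widen the logon cutoff by that lag to avoid
# flagging machines that are still in use.
$logonCutoff = (Get-Date).AddDays(-($InactiveDays + $SyncLagDays))
$pwdCutoff   = (Get-Date).AddDays(-$InactiveDays)
$logonFt     = $logonCutoff.ToFileTimeUtc()
$pwdFt       = $pwdCutoff.ToFileTimeUtc()

# Match accounts whose last logon is older than the cutoff OR that have never
# logged on, AND whose machine password has not changed since the cutoff.
$ldap = "(&(|(lastLogonTimestamp<=$logonFt)(!(lastLogonTimestamp=*)))(pwdLastSet<=$pwdFt))"

$stale = Get-ADComputer -LDAPFilter $ldap -Properties LastLogonDate, PasswordLastSet |
    Sort-Object Name |
    ForEach-Object {
        New-Object PSObject -Property @{
            Name            = $_.Name
            Enabled         = $_.Enabled
            LastLogonDate   = $_.LastLogonDate
            PasswordLastSet = $_.PasswordLastSet
            # One ping as a sanity check; a host that drops ICMP also reads as offline.
            Online          = Test-Connection -ComputerName $_.Name -Count 1 -Quiet
        }
    }

# Select-Object fixes the column order (hashtable order is not preserved in PowerShell 2).
$stale | Select-Object Name, Enabled, LastLogonDate, PasswordLastSet, Online |
    Format-Table -AutoSize
```

Review the output before disabling anything: an account with an old timestamp that still answers a ping is worth investigating rather than deleting.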