Solved

How to find old computers in Active Directory using Powershell

Posted on 2011-03-18
5
1,300 Views
Last Modified: 2012-05-11
I need to find computers that haven't been used in a while in AD on a Windows 2008 R2 DC. Let's say 30 days. How would I go about listing all of those computers in alphabetical order?
0
Comment
Question by:Greg27
  • 2
  • 2
5 Comments
 
LVL 27

Expert Comment

by:KenMcF
ID: 35167402
You can use the 2008R2 AD cmdlets and do something like this

$d = [DateTime]::Today.AddDays(-30)
Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet | FT Name,PasswordLastSet
0
 

Author Comment

by:Greg27
ID: 35167483
This is showing me all computers and the last password date set on it. I really need a list of all computers that haven't been logged into for at least 30 days. I have a feeling I have some computers listed in AD that no longer exist on my network. Thanks.
0
 
LVL 27

Assisted Solution

by:KenMcF
KenMcF earned 100 total points
ID: 35167564
If these computers are active on the network it will be difficult to get the last time a user logged onto it. You will need to query the audit logs. If these computers are not on the network there are a few attributes you can look at. passwordlastset, Lastlogon, and lastLogonTimeStamp. There are other utilies as well, one I like is oldcmp.exe from joeware.net and the Quest AD cmdlets

get-qadcomputer -Notloggedonfor 30
get-qadcomputer -inactivefor 30


This is what the switches look for

    - The number of days that the account remains in the expired state
    - The number of days that the password of the account remains unchanged
    - The number of days that the account remains unused for logon
0
 
LVL 5

Accepted Solution

by:
sweeps earned 400 total points
ID: 35167628
The best way is to use a program (its free and works great).....

http://cjwdev.wordpress.com/category/ad-tidy/ 

you can set it down to which ou, user or computer, you can export a list, you can have it ping what it thinks is old comp to make sure they are not online.   you can disable or delete in the the program..

awesome program,  have used it for 3 months now.
0
 

Author Closing Comment

by:Greg27
ID: 35323946
Thanks for the help! I ended up giving the most points to sweeps because that is the tool I used and I don't have the Quest AD cmdlets since I am running Powershell 2 with the AD cmdlets built-in.
0

Featured Post

Courses: Start Training Online With Pros, Today

Brush up on the basics or master the advanced techniques required to earn essential industry certifications, with Courses. Enroll in a course and start learning today. Training topics range from Android App Dev to the Xen Virtualization Platform.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Active Directory replication delay is the cause to many problems.  Here is a super easy script to force Active Directory replication to all sites with by using an elevated PowerShell command prompt, and a tool to verify your changes.
Synchronize a new Active Directory domain with an existing Office 365 tenant
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
With Secure Portal Encryption, the recipient is sent a link to their email address directing them to the email laundry delivery page. From there, the recipient will be required to enter a user name and password to enter the page. Once the recipient …

776 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question