Solved

PowerShell to retrieve information from AD

Posted on 2014-09-12
Last Modified: 2014-10-15
Hi, I am trying to write two PowerShell scripts against Active Directory. The first one will get time stamps for all computers in the domain that have NOT logged in for the last 90 days and export them into a CSV file, for both Windows and Mac computers.
The second script would export the computers in a particular group, and only list them if they have been active in the last 90 days.
Question by:Leo
17 Comments
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40318784
No need for a PS script; it's really only 2 commands, 1 to generate each file. You could drop them in a script if needed. The commands are:

1. All computers that have not logged on for more than 90 days:

Get-ADComputer -Filter * -Property Name, lastLogonDate | where lastLogonDate -lt (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv InActiveComputers-90DaysOrMore.csv -noTypeInformation

2. Active computers in the last 90 days, in a specific group (OU):

Get-ADComputer -Filter * -SearchBase "OU=<Path-To-Your-Group-OU>,DC=<YourDomainName>,DC=<YourExtension>" -Property Name, lastLogonDate | where lastLogonDate -ge (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv ActiveComputers-Last90Days.csv -noTypeInformation

On the 2nd command, you will have to customize the -SearchBase option in order to account for your AD structure.

Dan
0
 
LVL 8

Author Comment

by:Leo
ID: 40321769
Thanks, would these commands generate information for Mac/Linux/Ubuntu computers as well?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40321797
If it is in Active Directory, then it should find the objects. Since I don't have any Macs or Linux objects in the directory which I support, I cannot give you a definitive "yes" answer.

Dan
0
 
LVL 8

Author Comment

by:Leo
ID: 40322218
When I run the first PowerShell command, I am getting this error:

Export-Csv : Cannot bind parameter 'Delimiter'. Cannot convert value
"InActiveComputers-90DaysOrMore.csv" to type "System.Char". Error: "String
must be exactly one character long."
At line:1 char:225
+ ... ecomputers.csv InActiveComputers-90DaysOrMore.csv -noTypeInformation
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Export-Csv], ParameterBind
   ingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh
   ell.Commands.ExportCsvCommand


Is it saying Export-Csv has an invalid parameter? I am trying to export it to C:\TEMP\Inactivecomputers.csv
0
 
LVL 8

Author Comment

by:Leo
ID: 40322230
Apologies, I was able to run it and export it.
There is a column named "Enabled", and it says True and False. What does that represent?
0
 
LVL 8

Author Comment

by:Leo
ID: 40322465
Can you please guide me to write a PowerShell script which can generate a list of computers from inside a security group in an OU (your second script)? I don't know how to pass a parameter to list computers inside a security group.

Get-ADComputer -Filter * -SearchBase "OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" -Property Name, lastLogonDate | where lastLogonDate -ge (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv C:\TEMP\ActiveComputers-Last90Days.csv -noTypeInformation

So there are a few security groups from which I want to pull up a list of computers, one by one. If I want to define a security group inside Corporate, let's say IT, how should I define it?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40322644
You can disable object accounts in AD; this field represents whether or not the object is disabled/deactivated.

Enabled = True means not "disabled"

Right clicking on an object in ADUC, gives you the option to "Disable Account"

Dan
0
 
LVL 8

Author Comment

by:Leo
ID: 40322722
Thanks.
What about my second question? A PowerShell command to list computers inside a security group?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40322863
You can use Get-ADGroupMember.  For example:

Get-ADGroupMember "<YourGroupName>" | select name

Will return all members in that group.  You could then pipe the output of this command into a text file, like so:

Get-ADGroupMember "<YourGroupName>"  | select name | select -ExpandProperty Name | Out-File c:\test\group-members.txt

Then use the output file as an input file for the first command.  Like so:

Get-Content c:\test\group-members.txt | Get-ADComputer -Property Name, lastLogonDate | where lastLogonDate -lt (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv c:\test\InActiveComputers-90DaysOrMore.csv -noTypeInformation

Dan
0
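The three steps in the post above, combined into one pipeline with no intermediate text file, as an added example that is not part of the original post. It assumes the ActiveDirectory module is installed; the function name `Get-GroupComputerLogonReport`, the `State` column and the CSV paths are hypothetical, and `ITS_PCs` is the group name used later in this thread.

```powershell
# Added example: classify the computers in an AD group by last-logon age.
# Requires the ActiveDirectory module (RSAT). Function name, State column
# and output paths are illustrative, not taken from the thread.
Import-Module ActiveDirectory

function Get-GroupComputerLogonReport {
    param(
        [Parameter(Mandatory)] [string] $GroupName,
        [int] $Days = 90
    )
    $cutoff = (Get-Date).AddDays(-$Days)

    # A group can hold users and nested groups as well as computers.
    # -Recursive flattens nested groups; the objectClass test drops
    # everything that Get-ADComputer would reject.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        Get-ADComputer -Properties LastLogonDate, OperatingSystem |
        ForEach-Object {
            # LastLogonDate is empty for accounts that never logged on.
            # An empty value compares as "older than the cutoff", so it is
            # given its own state instead of being counted as inactive.
            if (-not $_.LastLogonDate)             { $state = 'NeverLoggedOn' }
            elseif ($_.LastLogonDate -ge $cutoff)  { $state = 'Active' }
            else                                   { $state = 'Inactive' }

            [pscustomobject]@{
                Name              = $_.Name
                State             = $state
                LastLogonDate     = $_.LastLogonDate
                Enabled           = $_.Enabled
                OperatingSystem   = $_.OperatingSystem
                DistinguishedName = $_.DistinguishedName
            }
        }
}

$report = Get-GroupComputerLogonReport -GroupName 'ITS_PCs' -Days 90

# Computers seen within the window.
$report | Where-Object State -eq 'Active' | Sort-Object LastLogonDate |
    Export-Csv C:\TEMP\ITS_PCs-Active-Last90Days.csv -NoTypeInformation

# Stale or never-used accounts: candidates for review before disabling.
$report | Where-Object State -ne 'Active' | Sort-Object State, LastLogonDate |
    Export-Csv C:\TEMP\ITS_PCs-Stale-90DaysOrMore.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default is only refreshed when the stored value is roughly 9 to 14 days old, so treat the 90-day boundary as approximate.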
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40322865
You could put the second and third commands in a PowerShell script file and run that script whenever you need to.
0
 
LVL 8

Author Comment

by:Leo
ID: 40322999
So, the command Get-ADGroupMember "<YourGroupName>": how can I make it work for what I am after? I have to define the security group in that. How can I define it? The OU the group is located in is:
OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan
Thanks.
0
 
LVL 27

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 40323010
When you say "Security Group" I assumed you meant an AD object that was a group, not an AD path.  I wouldn't necessarily define an OU and a group.  So, if you are grouping computers in OUs and want to run a report for objects in that OU, then take the second command in my first post and replace the SearchBase item with this:

 -SearchBase "OU=<Path-To-Your-Group-OU>,DC=<YourDomainName>,DC=<YourExtension>" 

With the OU path to your "group."  That would look like:

 -SearchBase "OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" 

Dan
0
 
LVL 8

Author Comment

by:Leo
ID: 40323169
Sorry about all the confusion. I have uploaded a picture of our AD. If you look at it, the computer list I am trying to generate is in ITS_PCs. How can I write a PowerShell script to generate a list of the PCs from this security group?
AD.jpg
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40323185
Use Get-ADGroupMember

 Get-ADGroupMember "ITS_PCs"  | select name | select -ExpandProperty Name | Out-File c:\test\group-members.txt 

This generates a list of the members in that group.
0
 
LVL 8

Author Comment

by:Leo
ID: 40323191
So I don't have to define the whole path? i.e.:
"OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan"?
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40323197
No.
0
 
LVL 27

Expert Comment

by:Dan McFadden
ID: 40323200
I suggest just running the command I posted at 16:12 and comparing the output file to that of the actual group as seen in AD using ADUC.

Dan
0
