Solved

PowerShell to retrieve information from AD

Posted on 2014-09-12
Last Modified: 2014-10-15
Hi, I am trying to write two PowerShell scripts against Active Directory. The first one will get time stamps for all computers in the domain that have NOT logged in for the last 90 days and export them into a CSV file, for both Windows and Mac computers.
The second script would export computers in a particular group, and only list them if they have been active in the last 90 days.
Question by:Leo

Expert Comment

by:Dan McFadden
ID: 40318784
No need for a PS script, it's really only 2 commands, 1 to generate each file. You could drop them in a script if needed. The commands are:

1. All computers that have not logged on for more than 90 days:

Get-ADComputer -Filter * -Property Name, lastLogonDate | where lastLogonDate -lt (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv InActiveComputers-90DaysOrMore.csv -noTypeInformation


2. Active computers in the last 90 days, in a specific group (OU):

Get-ADComputer -Filter * -SearchBase "OU=<Path-To-Your-Group-OU>,DC=<YourDomainName>,DC=<YourExtension>" -Property Name, lastLogonDate | where lastLogonDate -ge (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv ActiveComputers-Last90Days.csv -noTypeInformation


On the 2nd command, you will have to customize the -SearchBase option in order to account for your AD structure.

Dan

Author Comment

by:Leo
ID: 40321769
Thanks, would these commands generate information for Mac/Linux/Ubuntu computers as well?

Expert Comment

by:Dan McFadden
ID: 40321797
If it is in Active Directory, then it should find the objects. Since I don't have any Macs or Linux objects in the directory which I support, I cannot give you a definitive "yes" answer.

Dan

Author Comment

by:Leo
ID: 40322218
When I run the first PowerShell command, I am getting this error:

Export-Csv : Cannot bind parameter 'Delimiter'. Cannot convert value
"InActiveComputers-90DaysOrMore.csv" to type "System.Char". Error: "String
must be exactly one character long."
At line:1 char:225
+ ... ecomputers.csv InActiveComputers-90DaysOrMore.csv -noTypeInformation
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Export-Csv], ParameterBind
   ingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh
   ell.Commands.ExportCsvCommand


What is it saying, Export-Csv is an invalid parameter? I am trying to export it to C:\TEMP\Inactivecomputers.csv

Author Comment

by:Leo
ID: 40322230
Apologies, I was able to run it and export it.
There is a column named "Enabled", and it says True and False. What does that represent?

Author Comment

by:Leo
ID: 40322465
Can you please guide me to write a PowerShell script which can generate a list of computers from inside a security group in an OU (your second script)? I don't know how to pass a parameter to list computers inside a security group.

Get-ADComputer -Filter * -SearchBase " OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" -Property Name, lastLogonDate | where lastLogonDate -ge (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv C:\TEMP\ActiveComputers-Last90Days.csv -noTypeInformation

So there are a few security groups from which I want to pull up a list of computers, one by one. If I want to define a security group inside Corporate, let's say IT, how should I define it?

Expert Comment

by:Dan McFadden
ID: 40322644
You can disable object accounts in AD; this field represents whether or not the object is disabled/deactivated.

Enabled = True means not "disabled"

Right clicking on an object in ADUC, gives you the option to "Disable Account"

Dan

Author Comment

by:Leo
ID: 40322722
Thanks.
What about my second question? A PowerShell command to list computers inside a security group?

Expert Comment

by:Dan McFadden
ID: 40322863
You can use Get-ADGroupMember.  For example:

Get-ADGroupMember "<YourGroupName>" | select name


Will return all members in that group.  You could then pipe the output of this command into a text file, like so:

Get-ADGroupMember "<YourGroupName>"  | select name | select -ExpandProperty Name | Out-File c:\test\group-members.txt


Then use the output file as an input file for the first command.  Like so:

Get-Content c:\test\group-members.txt | Get-ADComputer -Property Name, lastLogonDate | where lastLogonDate -lt (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv c:\test\InActiveComputers-90DaysOrMore.csv -noTypeInformation


Dan

Expert Comment

by:Dan McFadden
ID: 40322865
You could put the second and third commands in a PowerShell script file and run that script whenever you need to.

Author Comment

by:Leo
ID: 40322999
So for the command Get-ADGroupMember "<YourGroupName>", how can I make it work for what I am after? I have to define the security group in that. How can I define it? The OU the group is located in is:
 OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan
Thanks.

Accepted Solution

by:
Dan McFadden earned 2000 total points
ID: 40323010
When you say "Security Group" I assumed you meant an AD object that was a group, not an AD path.  I wouldn't necessarily define an OU and a group.  So, if you are grouping computers in OUs and want to run a report for objects in that OU, then take the second command in my first post and replace the SearchBase item with this:

 -SearchBase "OU=<Path-To-Your-Group-OU>,DC=<YourDomainName>,DC=<YourExtension>" 


With the OU path to your "group."  That would look like:

 -SearchBase "OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" 


Dan

Author Comment

by:Leo
ID: 40323169
Sorry about all the confusion, I have uploaded a picture of our AD. If you look at it, the computer list I am trying to generate is in ITS_PCs. How can I write a PowerShell script to generate a list of the PCs from this security group?
AD.jpg

Expert Comment

by:Dan McFadden
ID: 40323185
Use Get-ADGroupMember

 Get-ADGroupMember "ITS_PCs"  | select name | select -ExpandProperty Name | Out-File c:\test\group-members.txt 


This generates a list of the members in that group.

Author Comment

by:Leo
ID: 40323191
So I don't have to define the whole path? I.e.:
OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan ?

Expert Comment

by:Dan McFadden
ID: 40323197
No.

Expert Comment

by:Dan McFadden
ID: 40323200
I suggest just running the command I posted at 16:12 and comparing the output file to that of the actual group as seen in AD using ADUC.

Dan
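
The steps discussed in this thread (Get-ADGroupMember for the ITS_PCs security group, then the 90-day lastLogonDate check) combined into one function, as an added example that is not part of the original thread or any poster's code. The function name Get-GroupComputerActivity and the output file names are hypothetical; the group name and C:\TEMP come from the thread, and the ActiveDirectory module is assumed to be installed.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper: reports logon activity for the computers in one security group.
function Get-GroupComputerActivity {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $GroupName,   # e.g. the thread's "ITS_PCs"
        [int] $Days = 90
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # -Recursive also returns members of nested groups. Keep only computer objects,
    # because a security group can contain users as well.
    Get-ADGroupMember -Identity $GroupName -Recursive |
        Where-Object { $_.objectClass -eq 'computer' } |
        ForEach-Object {
            # Look each member up by DistinguishedName, which is unambiguous.
            $c = Get-ADComputer -Identity $_.distinguishedName -Properties LastLogonDate, OperatingSystem

            # LastLogonDate is $null for accounts that never logged on, and
            # "$null -lt <date>" evaluates to $true, so handle that case explicitly.
            $status = if ($null -eq $c.LastLogonDate) { 'NeverLoggedOn' }
                      elseif ($c.LastLogonDate -ge $cutoff) { 'Active' }
                      else { 'Stale' }

            [pscustomobject]@{
                Name              = $c.Name
                OperatingSystem   = $c.OperatingSystem   # helps tell Windows, Mac and Linux objects apart
                Enabled           = $c.Enabled
                LastLogonDate     = $c.LastLogonDate
                Status            = $status
                DistinguishedName = $c.DistinguishedName
            }
        }
}

# Usage. -Path is named explicitly: a second bare argument to Export-Csv binds
# to -Delimiter, which is the error quoted earlier in the thread.
$report = Get-GroupComputerActivity -GroupName 'ITS_PCs' -Days 90
$report | Where-Object Status -eq 'Active' | Sort-Object LastLogonDate |
    Export-Csv -Path 'C:\TEMP\ITS_PCs-Active-Last90Days.csv' -NoTypeInformation
$report | Where-Object Status -ne 'Active' | Sort-Object LastLogonDate |
    Export-Csv -Path 'C:\TEMP\ITS_PCs-Stale-Or-NeverLoggedOn.csv' -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default is only refreshed when the stored value is roughly 9 to 14 days old, so treat the 90-day boundary as approximate before disabling or deleting anything in the stale list.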