Solved

PowerShell to retrieve information from AD

Posted on 2014-09-12
Last Modified: 2014-10-15
Hi, I am trying to write two PowerShell scripts against Active Directory. The first one will get time stamps for all computers in the domain that have NOT logged in for the last 90 days and export them into a CSV file, for both Windows and Mac computers.
The second script would export the computers in a particular group, and only list them if they have been active in the last 90 days.
Question by:Leo

Expert Comment

by:Dan McFadden
ID: 40318784
No need for a PS script, it's really only 2 commands, 1 to generate each file.  You could drop them in a script if needed.  The commands are:

1. All computers that have not logged on for more than 90 days:

Get-ADComputer -Filter * -Property Name, lastLogonDate | where lastLogonDate -lt (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv InActiveComputers-90DaysOrMore.csv -noTypeInformation


2. Active computers in the last 90 days, in a specific group (OU):

Get-ADComputer -Filter * -SearchBase "OU=<Path-To-Your-Group-OU>,DC=<YourDomainName>,DC=<YourExtension>" -Property Name, lastLogonDate | where lastLogonDate -ge (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv ActiveComputers-Last90Days.csv -noTypeInformation


On the 2nd command, you will have to customize the -SearchBase option in order to account for your AD structure.

Dan

Author Comment

by:Leo
ID: 40321769
Thanks, would these commands generate information for Mac/Linux/Ubuntu computers as well?

Expert Comment

by:Dan McFadden
ID: 40321797
If it is in Active Directory, then it should find the objects.  Since I don't have any Mac or Linux objects in the directory which I support, I cannot give you a definitive "yes" answer.

Dan

Author Comment

by:Leo
ID: 40322218
When I run the first PowerShell command, I am getting this error:

Export-Csv : Cannot bind parameter 'Delimiter'. Cannot convert value
"InActiveComputers-90DaysOrMore.csv" to type "System.Char". Error: "String
must be exactly one character long."
At line:1 char:225
+ ... ecomputers.csv InActiveComputers-90DaysOrMore.csv -noTypeInformation
+                    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:) [Export-Csv], ParameterBind
   ingException
    + FullyQualifiedErrorId : CannotConvertArgumentNoMessage,Microsoft.PowerSh
   ell.Commands.ExportCsvCommand


What is it saying, Export-Csv is an invalid parameter? I am trying to export it to C:\TEMP\Inactivecomputers.csv

Author Comment

by:Leo
ID: 40322230
Apologies, I was able to run it and export it.
There is a column of "Enabled", and it says True and False. What does that represent?

Author Comment

by:Leo
ID: 40322465
Can you please guide me to write a PowerShell script which can generate a list of computers from inside a security group in an OU (your second script)? I don't know how to pass a parameter to list computers inside a security group.

Get-ADComputer -Filter * -SearchBase "OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" -Property Name, lastLogonDate | where lastLogonDate -ge (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv C:\TEMP\ActiveComputers-Last90Days.csv -noTypeInformation

So there are a few security groups from which I want to pull up a list of computers, one by one. So if I want to define a security group inside Corporate, let's say IT, how should I define it?

Expert Comment

by:Dan McFadden
ID: 40322644
You can disable object accounts in AD; this field represents whether or not the object is disabled/deactivated.

Enabled = True means not "disabled"

Right-clicking on an object in ADUC gives you the option to "Disable Account"

Dan

Author Comment

by:Leo
ID: 40322722
Thanks.
What about my second question?  A PowerShell command to list computers inside a security group?

Expert Comment

by:Dan McFadden
ID: 40322863
You can use Get-ADGroupMember.  For example:

Get-ADGroupMember "<YourGroupName>" | select name


Will return all members in that group.  You could then pipe the output of this command into a text file, like so:

Get-ADGroupMember "<YourGroupName>"  | select name | select -ExpandProperty Name | Out-File c:\test\group-members.txt


Then use the output file as an input file for the first command.  Like so:

Get-Content c:\test\group-members.txt | Get-ADComputer -Property Name, lastLogonDate | where lastLogonDate -lt (Get-Date).AddDays(-90) | select Name,lastLogonDate,DistinguishedName,Enabled | sort lastLogonDate  | Export-Csv c:\test\InActiveComputers-90DaysOrMore.csv -noTypeInformation


Dan

Expert Comment

by:Dan McFadden
ID: 40322865
You could put the second and third commands in a PowerShell script file and run that script whenever you need to.

Author Comment

by:Leo
ID: 40322999
So for the command Get-ADGroupMember "<YourGroupName>", how can I make it work for what I am after? I have to define the security group in that. How can I define it? The OU the group is located in is:
 OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan
Thanks.

Accepted Solution

by:
Dan McFadden earned 500 total points
ID: 40323010
When you say "Security Group" I assumed you meant an AD object that was a group, not an AD path.  I wouldn't necessarily define an OU and a group.  So, if you are grouping computers in OUs and want to run a report for objects in that OU, then take the second command in my first post and replace the SearchBase item with this:

 -SearchBase "OU=<Path-To-Your-Group-OU>,DC=<YourDomainName>,DC=<YourExtension>" 


With the OU path to your "group."  That would look like:

 -SearchBase "OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan" 


Dan

Author Comment

by:Leo
ID: 40323169
Sorry about all the confusion, I have uploaded the picture of our AD. Now if you look at it, the computer list I am trying to generate is in ITS_PCs. How can I write a PowerShell script to generate a list of the PCs from this security group?
AD.jpg

Expert Comment

by:Dan McFadden
ID: 40323185
Use Get-ADGroupMember

 Get-ADGroupMember "ITS_PCs"  | select name | select -ExpandProperty Name | Out-File c:\test\group-members.txt 


This generates a list of the members in that group.

Author Comment

by:Leo
ID: 40323191
So I don't have to define the whole path? I.e.:
OU=Corporate,OU=Groups,OU=Computers,OU=Domain,DC=domain,DC=lan ?

Expert Comment

by:Dan McFadden
ID: 40323197
No.

Expert Comment

by:Dan McFadden
ID: 40323200
I suggest just running the command I posted at 16:12 and comparing the output file to that of the actual group as seen in AD using ADUC.

Dan
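
The steps worked out in this thread (Get-ADGroupMember for the ITS_PCs group, then Get-ADComputer for lastLogonDate) combined into one script without the intermediate text file, as an added example that is not part of any post above. It assumes the ActiveDirectory module is installed; the output file names and the status labels are illustrative.

```powershell
# Added example (not from the thread). Needs the ActiveDirectory module (RSAT).
# 'ITS_PCs' and C:\test come from the thread; file names and status labels are illustrative.
Import-Module ActiveDirectory

$GroupName = 'ITS_PCs'
$Cutoff    = (Get-Date).AddDays(-90)
$OutDir    = 'C:\test'

# A group can hold users and nested groups too: expand nesting, keep computers only.
$computers = Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'computer' } |
    ForEach-Object {
        # Look up by distinguishedName so each member resolves to exactly one object.
        Get-ADComputer -Identity $_.distinguishedName -Properties LastLogonDate, OperatingSystem
    }

$report = foreach ($c in $computers) {
    # LastLogonDate is empty for accounts that never logged on; label them
    # explicitly instead of letting a comparison against $null decide.
    $status = if (-not $c.LastLogonDate) {
        'NeverLoggedOn'
    } elseif ($c.LastLogonDate -ge $Cutoff) {
        'Active'
    } else {
        'Inactive'
    }
    [pscustomobject]@{
        Name              = $c.Name
        Status            = $status
        LastLogonDate     = $c.LastLogonDate
        Enabled           = $c.Enabled
        OperatingSystem   = $c.OperatingSystem   # set by the joining client; may be blank
        DistinguishedName = $c.DistinguishedName
    }
}

# Active members: the report the question asks for.
$report | Where-Object { $_.Status -eq 'Active' } | Sort-Object LastLogonDate |
    Export-Csv (Join-Path $OutDir "$GroupName-Active.csv") -NoTypeInformation

# Stale or never-used accounts that are still enabled are the ones to review.
$report | Where-Object { $_.Status -ne 'Active' -and $_.Enabled } | Sort-Object LastLogonDate |
    Export-Csv (Join-Path $OutDir "$GroupName-StaleEnabled.csv") -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which by default is only refreshed when the stored value is roughly 9 to 14 days old, so treat the 90-day boundary as approximate.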