Cobra25
 asked on

AD Script - Stale computers

Hi guys,

I need a script to check for old computers (past 35 days) in AD. Can someone provide an easy script that doesn't need to be modified? Also, can I have the output saved to a file?

Thanks!
Windows Server 2008, Powershell, Active Directory

Last Comment
Kaffiend

8/22/2022 - Mon
nashiooka

Off the top of my head, and I didn't test it; see the code below. Also review the link to better understand the value of the attribute we're looking at:

https://blogs.technet.microsoft.com/askds/2009/04/15/the-lastlogontimestamp-attribute-what-it-was-designed-for-and-how-it-works/

$Days = 35
$DateBound = (Get-Date).AddDays(-$Days)
$OutFile   = "c:\temp\OldUsers.csv"

Get-ADComputer -Filter * -Properties lastlogontimestamp |
Select @{Name="LastLogonDate"; Expression = {[DateTime]::FromFileTime($_.lastlogontimestamp)}} |
?{$_.LastLogonDate -lt $DateBound} | 
Select Name,lastLogonDate |
Export-Csv -Path $OutFile -NoTypeInformation


Ganesamoorthy S

dsquery computer domainroot -name -inactive 3

Lists the computers inactive for 3 weeks.

http://www.windowstricks.in/2009/06/how-to-find-inactive-users-in-domain.html
Cobra25

ASKER
DSQUERY does not work.

I'd rather go with a PowerShell script that is actually tested.
ASKER CERTIFIED SOLUTION
Joshua Grantom

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
nashiooka

So I was all set to point you at :

http://www.joeware.net/freetools/tools/oldcmp/

I used this tool years ago and it did a terrific job.  In reading its documentation, the author used pwdlastset and/or lastlogontimestamp attributes on the computer account.  The code that I posted used lastlogontimestamp, but it is important to note that attribute has special parameters under which it gets updated, which are described in the blog post I previously posted.

This is one of those things that's so common, and yet you can go to some guy's blog, download something that's for public consumption, meaning tested, and then boom, it doesn't work as advertised.  This happens to me all the time, and there are so many questions right here on EE that reflect the same experience.

I tested the code since my last post and it seems to work, but if you want 100% assurance that you aren't removing something active you should make the boundary 49 days.

Code again with minor corrections:

$Days = 35
$DateBound = (Get-Date).AddDays(-$Days)
$OutFile   = "c:\temp\OldUsers.csv"

Get-ADComputer -Filter * -Properties lastlogontimestamp |
Select *,@{Name="LastLogonDate"; Expression = {[DateTime]::FromFileTime($_.lastlogontimestamp)}} |
?{$_.LastLogonDate -lt $DateBound} | 
Select Name,lastLogonDate | 
Export-Csv -Path $OutFile -NoTypeInformation


The only other way I know to do this is to search all DCs for the lastlogon attribute and only record/report the newest of those.  That's because that attribute isn't replicated, so whatever DC is used to log on would have the latest value.  It can and has been done.
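
The per-DC approach described in the post above, as an added example that is not code from any poster in this thread: it reads the non-replicated lastLogon attribute from every domain controller and keeps the newest value per computer. It assumes the ActiveDirectory module is installed and every DC is reachable; the output path and the SourceDC column are hypothetical.

```powershell
Import-Module ActiveDirectory

$Days      = 35
$DateBound = (Get-Date).AddDays(-$Days)
$OutFile   = "c:\temp\StaleComputers.csv"   # hypothetical output path

$newest    = @{}    # newest lastLogon seen per computer, keyed by distinguishedName
$failedDCs = @()

foreach ($dc in Get-ADDomainController -Filter *) {
    try {
        $computers = Get-ADComputer -Filter * -Server $dc.HostName `
                         -Properties lastLogon -ErrorAction Stop
    } catch {
        # An unreachable DC may hold the newest value, so record the gap
        $failedDCs += $dc.HostName
        continue
    }
    foreach ($c in $computers) {
        $stamp = [int64]$c.lastLogon   # unset attribute becomes 0 (no logon on this DC)
        $key   = $c.DistinguishedName
        if (-not $newest.ContainsKey($key) -or $stamp -gt $newest[$key].Stamp) {
            $newest[$key] = [pscustomobject]@{
                Name     = $c.Name
                Stamp    = $stamp
                SourceDC = $dc.HostName
            }
        }
    }
}

if ($failedDCs) {
    Write-Warning ("Results are incomplete, could not query: " + ($failedDCs -join ", "))
}

# Stamp 0 means no DC has ever recorded a logon (includes freshly joined machines)
$newest.Values |
    Where-Object { $_.Stamp -eq 0 -or [DateTime]::FromFileTime($_.Stamp) -lt $DateBound } |
    Select-Object Name, SourceDC, @{Name="LastLogon"; Expression = {
        if ($_.Stamp -gt 0) { [DateTime]::FromFileTime($_.Stamp) } }} |
    Sort-Object LastLogon |
    Export-Csv -Path $OutFile -NoTypeInformation
```

Treat the CSV as a review list: if the warning names any DC, a computer that last authenticated there can appear stale when it is not.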
Kaffiend

Just a comment here about dsquery.

It *does* work (though strangely, not inside of Powershell)

It was the first thing I would have thought of to use for your use case - a simple one-liner in the command prompt

dsquery computer -limit 0 -inactive 5 > c:\deadpcs.csv
(Gets computers that AD hasn't seen for 5 weeks; limit 0 is in there, otherwise you only get the first 100 results.)