You can use the PowerShell cmdlet Get-ADComputer to get numerous details about laptop account objects (servers and workstations) from Active Directory area. This is among the most helpful cmdlets for looking AD computer systems by numerous standards (to get details about AD consumer accounts, one other cmdlet is used – ).
- Get-ADComputer – Cmdlet Syntax
- Get-ADComputer – Examples
Suppose your activity is to seek out all inactive computer systems in Active Directory that haven’t been registered in a site for greater than 120 days and disable these accounts.
Before utilizing Get-ADComputer cmdlet, you must import Active Directory Module for Windows PowerShell with the command:
Enable-WindowsOptionalFeature -Online -FunctionName RSATClient-Roles-AD-Powershell
Get-ADComputer – Cmdlet Syntax
You can get assistance on Get-ADComputer cmdlet parameters as regular with Get-Help command:
To get data from AD utilizing the cmdlets from the AD for PowerShell module, you don’t must have the area admin privileges. It is adequate that the account beneath which the cmdlet is being run is a member of the Domain Users / Authenticated Users group.
To get details about a particular laptop account in the area, specify its identify as an argument of the -Identity parameter:
Get-ADComputer -Identity SRV-DB01
DistinguishedName : CN=SRV-DB01,OU=Servers,OU=London,OU=UK,DC=woshub,DC=com DNSHostName : SRV-DB01.woshub.com Enabled : True Name : SRV-DB01 ObjectClass : laptop ObjectGUID : 87654321-1234-5678-0000-123412341234 SamAccountName : SRV-DB01$ SID : S-1-5-21-123456780-1234567890-0987654321-1234 UserPrincipalName :
The cmdlet Get-ADComputer returned solely the fundamental properties of the Computer object from AD. We have an interest in the time of the final laptop registration in the AD area, however this data just isn’t displayed in the output of the command above. You can checklist all accessible properties of this laptop object from Active Directory:
Get-ADComputer -Identity SRV-DB01 -Properties *
Using Get-Member, you may get an inventory of all of the properties of the Computer class in AD:
Get-ADComputer -Filter * -Properties * | Get-Member
As you possibly can see, the final logon date of this laptop to the community is specified in the pc’s attribute LastLogonDate – 09/21/2015 zero:20:17.
The Get-ADComputer cmdlet means that you can show any of the pc’s properties in the command outcomes. Remove all pointless data leaving solely values of Name and LastLogonDate attributes.
Get-ADComputer -identity SRV-DB01 -Properties * | FT Name, LastLogonDate -Autosize
So, we acquired knowledge on the final time of registration in the area for a single laptop. Then you must modify the command to make it show the details about the time of the final community registration for all computer systems in the area. To do it, substitute –Identity to –Filter *:
Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize
We bought a easy desk that incorporates solely 2 fields: laptop identify and LastLogonData date. You can add different fields of the Computer object from AD to this desk.
To show the details about the pc objects in a specific OU (organizational unit), use the –SearchBase parameter:
Get-ADComputer -SearchBase ‘OU=Paris,DC=woshub,DC=loc’ -Filter * -Properties * | FT Name, LastLogonDate -Autosize
Sort the question outcomes by the date of the final logon utilizing the Sort cmdlet:
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So, we’ve bought the checklist of computer systems and the date they final logged on to the Active Directory area. Now we wish to disable the pc accounts that weren’t used for 120 days or extra.
Using Get-Date we are able to get the worth of the present date in the variable and cut back it to 120 days:
The ensuing date variable can be utilized as a filter of Get-ADComputer question in LastLogonDate subject:
Get-ADComputer -Properties LastLogonDate -Filter | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
So we’ve created an inventory of inactive laptop accounts that haven’t been registered on the community for greater than 120 days. Use the Disable-ADAccount or Set-ADComputer command to disable them.
Get-ADComputer -Properties LastLogonDate -Filter | Set-ADComputer -Enabled $false -whatif
Now you possibly can disable all inactive laptop accounts:
Get-ADComputer -Properties LastLogonDate -Filter | Set-ADComputer -Enabled $false
Get-ADComputer – Examples
Below are some extra helpful examples of utilizing the Get-ADComputer cmdlet to question and search laptop objects in the area by particular standards.
Get the overall variety of all lively (unlocked) computer systems in Active Directory:
(Get-ADComputer -Filter ).depend
Calculate the variety of Windows Server situations in the AD area:
(Get-ADComputer -Filter ).depend
Get an inventory of computer systems in a particular OU whose names start with LonPC:
Get-ADComputer -Filter -SearchBase ‘OU=London,DC=woshub,DC=com’ -Properties IPv4Address | Format-table Name,DNSHostName,IPv4Address | ft -Wrap –Auto
When looking in the OU, you should utilize the extra parameter -SearchScope 1, which implies that it’s essential to search solely in the OU root. The -SearchScope 2 choice signifies a recursive seek for computer systems in all nested OUs.
To discover all workstation computer systems working Windows 10:
Get the checklist of servers in the area with the OS model, Service Pack put in and IP deal with:
Get-ADComputer -Filter 'operatingsystem -like "*Windows server*" -and enabled -eq "true"' -Properties Name,Operatingsystem, OperatingSystemVersion, OperatingSystemServicePack,IPv4Address | Sort-Object -Property Operatingsystem | Select-Object -Property Name,Operatingsystem, OperatingSystemVersion, OperatingSystemServicePack, IPv4Address| ft -Wrap –Auto
The output was such a lovely desk with an inventory of Windows Server in the AD:
The -LDAPFilter attribute means that you can use numerous LDAP queries as a parameter of the Get-ADComputer cmdlet, for instance:
Get-ADComputer -LDAPFilter "(identify=*db*)"|ft
Find all disabled computer systems in a particular Active Directory OU:
Get-ADComputer -filter * -SearchBase ‘OU=Computers,OU=London,DC=woshub,dc=com’ | Where-Object
To delete all laptop accounts that haven’t been logged into the area for greater than 6 months, you should utilize the command:
Get-ADComputer -properties lastLogonDate -filter * | the place | Remove-ADComputer
The results of the Get-ADComputer command might be exported to a plain textual content file:
Get-ADComputer -Filter -Properties OperatingSystem | Select DNSHostName, OperatingSystem | Format-Table -AutoDimension C:Scriptserver_system.txt
You can even get an inventory of computer systems and export it to a CSV file:
Get-ADComputer -Filter * -Property * | Select-Object Name,OperatingSystem,OperatingSystemServicePack | Export-CSV All-Windows.csv -NoTypeInformation -Encoding UTF8
Or get an HTML report file with an inventory of computer systems and obligatory properties:
Get-ADComputer -Filter -Properties * | Select-Object Name,OperatingSystem | ConvertTo-Html | Out-File C:psad_computers_list.html
To carry out a particular motion with all of the computer systems in the ensuing checklist, you will need to use the Foreach loop. In this instance, we wish to create an inventory of servers in the area and request particular data from every server (the consequence file ought to include the server identify, producer and server mannequin).
$Computers = Get-ADComputer -Filter
Foreach ($Computer in $Computers)
You can use a shorter loop syntax. Suppose it’s essential to run a particular command on all computer systems in a particular OU (in this instance, I wish to run a bunch coverage replace command on all servers):
get-adcomputer -SearchBase "OU=Servers,DC=woshub,DC=com" -Filter * | %
Using Get-AdvertComputer and the , you possibly can management numerous laptop settings. For instance, I monitor the standing of the SCCM agent (service) on customers’ computer systems. A small logon script is executed on every laptop throughout startup, which saves the ccmexec service standing to a unused laptop attribute – extensionAttribute10.
Then, utilizing the next command, I can discover computer systems on which the CCMExec service is lacking or not working.
get-adcomputer -filter -SearchBase “OU=Compters,OU=London,DC=woshub,DC=com” -properties dNSHostName,extensionAttribute10,LastLogonDate |select-object dNSHostName,extensionAttribute10,LastLogonDate