[UPDATE] With AD cmdlets 1.4, locating obsolete user and computer records became even easier, so while all the samples below still work, there is now a simpler and faster way.
In the 11 Essential AD Tools replaced with PowerShell post earlier this week I did not really provide PowerShell code for detecting outdated computer records – the OldCmp replacement – computers which are registered in AD but have not actually logged on to the network for a long time.
To do this you need to check the pwdLastSet attribute. Computers reset their AD password every 30 days, so if this date is too old (say, 90 or more days away) this computer might no longer exist. So here’s the PowerShell code using this attribute to find the obsolete computer records:
# set the date to be used as a limit - in this example: 90 days earlier than the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to quest.corp/obsolete
# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject
A few comments on the parameters I use:
- I use -IncludedProperties pwdLastSet because by default PowerShell does not retrieve the attribute.
- I use -SizeLimit 0 to remove the default 1000 object retrieval limitation – we have significantly more computers in our network.
- In the reporting sample I select the columns I need in the report with the Select-Object cmdlet.
OK. Now we’re done and have the ultimate AD management tool to satisfy all our needs, right?
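As an added example (not code from the original post), here is the same pipeline extended with the points raised in the comments: the pwdLastSet and lastLogonTimestamp values are converted when AD returns them as raw FILETIME integers, both attributes must be stale before a computer is listed, and the removal is only previewed with -WhatIf and -DeleteTree. It assumes the Quest AD cmdlets snap-in is loaded, PowerShell 2.0 or later, and that c:\temp exists for the report.

```powershell
# Added example, not from the original post. Assumes the Quest AD cmdlets are loaded.
param(
    [int]$StaleDays = 90,
    [string]$ReportPath = 'c:\temp\outdated.csv'
)

$cutoff = (Get-Date).AddDays(-$StaleDays)

# AD may hand these attributes back as [DateTime] or as a raw 64-bit FILETIME
# (the "long integer" case from the comments); 0 means the attribute was never set.
function ConvertTo-AdDate {
    param($Value)
    if ($null -eq $Value) { return $null }
    if ($Value -is [DateTime]) { return $Value }
    try { $ft = [int64]$Value } catch { return $null }
    if ($ft -le 0) { return $null }
    return [DateTime]::FromFileTime($ft)
}

# Keep a computer only if BOTH signals are old. A current lastLogonTimestamp means the
# machine is still in use even if its password has not rotated. lastLogonTimestamp is
# only replicated when it falls more than ~14 days behind, so treat it as approximate.
$stale = Get-QADComputer -IncludedProperties pwdLastSet,lastLogonTimestamp -SizeLimit 0 |
    Where-Object {
        $pwdSet = ConvertTo-AdDate $_.pwdLastSet
        $logon  = ConvertTo-AdDate $_.lastLogonTimestamp
        ($null -eq $pwdSet -or $pwdSet -le $cutoff) -and ($null -eq $logon -or $logon -le $cutoff)
    }

# 1. Report first so the list can be reviewed before anything in AD is changed.
$stale |
    Select-Object Name, ParentContainer, Description,
        @{ n = 'pwdLastSet';         e = { ConvertTo-AdDate $_.pwdLastSet } },
        @{ n = 'lastLogonTimestamp'; e = { ConvertTo-AdDate $_.lastLogonTimestamp } } |
    Export-Csv $ReportPath -NoTypeInformation

# 2. Preview the deletion only: -WhatIf prints what would be removed, -DeleteTree covers
#    child objects (the "leaf object" error from the comments). Drop -WhatIf deliberately.
$stale | Remove-QADObject -DeleteTree -WhatIf
```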
Tags: AD cmdlets, PowerShell, Active Directory, AD
Sweet!!! I could have used this the other day as a matter of fact. Can’t wait to try this when I get back to work.
Looks good but I think I’ll stick with oldcmp. Tons of safeties built-in there, the html reports are nice and not every command line tool needs replacing if it works well.
Mike, I hear what you are saying and agree that OldCmp is a great tool. See my comment in the original 11 Essential AD Tools post: https://dmitrysotnikov.wordpress.com/2007/09/03/11-essential-ad-tools-replaced-with-powershell/
At the same time I think PowerShell can be a good alternative because it provides a unified way to do multiple administrative tasks. Thus you can reuse your experience gained in doing one administrative task when involved in another. This unification is a great advantage when compared to ad-hoc solutions, however useful they might be.
Is it possible to identify the last “logonname” with the AD computer account targeted to be disabled?
Hi, this command does not work: “$_.pwdLastSet -le $old”
The value $_.pwdLastSet is a long integer and $old is a date, so this does not work. How can I convert $_.pwdLastSet to a date?
It’s worth mentioning that the -DeleteTree option might be required for Remove-QADObject if there are child objects (typically services) associated with the computer object in AD.
“Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -DeleteTree”
You will need to use it if you see the following error and you are darn certain you are targeting the right objects:
Remove-QADObject : The directory service can perform the requested operation only on a leaf object.
This is an excellent point! Thanks Cameron!
Thanks, Dmitry – this is a great reference. We’re just starting to leverage ARS now, so a bit late to the party…but I agree that PS is a much more complete big-picture solution. Do you know if it’s possible to include multiple WHERE conditions? I’d think so, but haven’t hit the right syntax yet…we sometimes see clients that have a stale pwdLastSet attribute but a current lastLogonTimestamp attribute, and we check both of these prior to deletion to avoid user disruption.
Thanks again!
-t.
Sure, yes, Where accepts multiple conditions: you can use -and and -or between them. See Example 7 here: http://technet.microsoft.com/en-us/library/hh849715.aspx