In the 11 Essential AD Tools replaced with PowerShell post earlier this week I have not really provided PowerShell code for detecting outdated computer records - OldCmp replacement - computers which are registered in AD but have not actually logged in to the network for a long time.
To do this you need to check the pwdLastSet attribute. Computers reset their AD password every 30 days, so if this date is too old (say, 90 or more days away) this computer might no longer exist. So here’s the PowerShell code using this attribute to find the obsolete computer records:
# set the date to be used as a limit - in this example: 90 days earlier than the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to quest.corp/obsolete
# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -to quest.corp/obsolete
A few comments on the parameters I use:
- I use
-IncludedProperties pwdLastSetbecause by default PowerShelldoes not retrieve the attribute, - I use
-SizeLimit 0to remove the default 1000 object retrieval limitation - we have significantly more computers in our network. - In the reporting sample I select the columns I need in the report with the
Select-Objectcmdlet.
OK. Now we’ve done and have the ultimate AD management tool to satisfy all our needs, right?
Tags: AD cmdlets, PowerShell, Active Directory, AD
Subscribe by email
Sweet!!! I could have used this the other day as a matter of fact. Can’t wait to try this when I get back to work.
Looks good but I think I’ll stick with oldcmp. Tons of safeties built-in there, the html reports are nice and not every command line tool needs replacing if it works well.
Mike, I hear what you are saying and agree that OldCmp is a great tool. See my comment in the original 11 Essential AD Tools post: http://dmitrysotnikov.wordpress.com/2007/09/03/11-essential-ad-tools-replaced-with-powershell/
At the same time I think PowerShell can be a good alternative because it provides a unified way to do multiple administrative tasks. Thus you can reuse your experience gained in doing one administrative task, when involved in another. This unification is a great advantage when comparing to add-hoc solutions however useful they might be.