[UPDATE] With AD cmdlets 1.4 locating obsolete user and computer records became even easier so while all the samples below still work, there is now a simpler and a faster way.
In the 11 Essential AD Tools replaced with PowerShell post earlier this week I have not really provided PowerShell code for detecting outdated computer records – OldCmp replacement – computers which are registered in AD but have not actually logged in to the network for a long time.
To do this you need to check the pwdLastSet attribute. Computers reset their AD password every 30 days, so if this date is too old (say, 90 or more days away) this computer might no longer exist. So here’s the PowerShell code using this attribute to find the obsolete computer records:
# set the date to be used as a limit - in this example: 90 days earlier than the current date
$old = (Get-Date).AddDays(-90)
# get the list of computers with the date earlier than this date
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }
A few variations to this depending on how you want to use the data:
# get a csv report
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv
# move such computers to another OU
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to quest.corp/obsolete
# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)
Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject -to quest.corp/obsolete
A few comments on the parameters I use:
- I use
-IncludedProperties pwdLastSetbecause by default PowerShelldoes not retrieve the attribute, - I use
-SizeLimit 0to remove the default 1000 object retrieval limitation – we have significantly more computers in our network. - In the reporting sample I select the columns I need in the report with the
Select-Objectcmdlet.
OK. Now we’ve done and have the ultimate AD management tool to satisfy all our needs, right?
Tags: AD cmdlets, PowerShell, Active Directory, AD
Subscribe by email
