Archive for September 7th, 2007

Locate obsolete computer records in AD

[UPDATE] With AD cmdlets 1.4, locating obsolete user and computer records became even easier, so while all the samples below still work, there is now a simpler and faster way.

In the “11 Essential AD Tools replaced with PowerShell” post earlier this week I did not really provide PowerShell code for the OldCmp replacement: detecting outdated computer records, that is, computers which are registered in AD but have not actually logged in to the network for a long time.

To do this you need to check the pwdLastSet attribute. Computers reset their AD password every 30 days, so if this date is too old (say, 90 or more days ago) the computer might no longer exist. So here’s the PowerShell code that uses this attribute to find the obsolete computer records:

# set the date to be used as a limit - in this example: 90 days earlier than the current date

$old = (Get-Date).AddDays(-90)

# get the list of computers with the date earlier than this date

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old }

A few variations to this depending on how you want to use the data:

# get a csv report

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | select-object Name, ParentContainer, Description, pwdLastSet | export-csv c:\temp\outdated.csv

# move such computers to another OU

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Move-QADObject -to quest.corp/obsolete

# remove the computer records from AD (caution: this actually deletes the records, run the command with -whatif switch before running without it)

Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0 | where { $_.pwdLastSet -le $old } | Remove-QADObject

A few comments on the parameters I use:

  • I use -IncludedProperties pwdLastSet because by default PowerShell does not retrieve the attribute.
  • I use -SizeLimit 0 to remove the default 1000 object retrieval limitation – we have significantly more computers in our network.
  • In the reporting sample I select the columns I need in the report with the Select-Object cmdlet.
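
An added example (not code from the original post): a hypothetical helper, Get-StaleComputerReport, that applies the same 90-day pwdLastSet cutoff but reports records with no pwdLastSet value separately, so they can be reviewed before anything is piped to Move-QADObject or Remove-QADObject. It assumes each input object exposes Name and pwdLastSet (a DateTime or $null); the sample records are constructed so the block runs without AD.

```powershell
# Added example. Get-StaleComputerReport is a hypothetical helper, not a Quest cmdlet.
# Assumption: each input object has Name and pwdLastSet (a DateTime, or $null if never set).
function Get-StaleComputerReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Computer,
        [int]$Days = 90,
        [datetime]$Now = (Get-Date)
    )
    begin { $limit = $Now.AddDays(-$Days) }
    process {
        $stamp = $Computer.pwdLastSet
        if ($null -eq $stamp) {
            # No password timestamp: report it separately for manual review
            $status = 'NeverSet'
            $age = $null
        }
        else {
            $age = [int][math]::Floor(($Now - [datetime]$stamp).TotalDays)
            # Same comparison as the post: at or before the cutoff counts as stale
            if ([datetime]$stamp -le $limit) { $status = 'Stale' } else { $status = 'Active' }
        }
        New-Object PSObject -Property @{
            Name = $Computer.Name; Status = $status; AgeDays = $age; pwdLastSet = $stamp
        }
    }
}

# Constructed sample records (not real AD data), evaluated against a fixed date
$asOf = [datetime]'2007-09-07'
$sample = @(
    New-Object PSObject -Property @{ Name = 'WS-001';  pwdLastSet = $asOf.AddDays(-12) }
    New-Object PSObject -Property @{ Name = 'WS-014';  pwdLastSet = $asOf.AddDays(-90) }
    New-Object PSObject -Property @{ Name = 'SRV-OLD'; pwdLastSet = $asOf.AddDays(-400) }
    New-Object PSObject -Property @{ Name = 'WS-NEW';  pwdLastSet = $null }
)

# Review the classification before any move or delete step
$sample | Get-StaleComputerReport -Days 90 -Now $asOf |
    Sort-Object Status, Name |
    Format-Table Name, Status, AgeDays, pwdLastSet -AutoSize
```

In practice the input would come from Get-QADComputer -IncludedProperties pwdLastSet -SizeLimit 0, and only the rows marked Stale would go on to the move or remove step.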

OK. Now we’re done and have the ultimate AD management tool to satisfy all our needs, right?

The posts on this blog are provided “as is” with no warranties and confer no rights. The opinions expressed on this site are mine and mine alone, and do not necessarily represent those of my employer - WSO2 or anyone else for that matter. All trademarks acknowledged.

© 2007-2014 Dmitry Sotnikov
