To get only machines with LastLogonTimeStamp of 90 days plus:
Create this variable:
$date = [DateTime]::Today.AddDays(-90)
Then for the filter, instead of (*), use:
{ (LastLogonTimeStamp -le $date) }
*From:* [email protected] *On Behalf Of* Webster
*Sent:* Thursday, May 12, 2016 10:26 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
This is FAR more efficient.
get-adcomputer -filter * -properties CN, Description, DistinguishedName,
IPv4Address, LastLogonDate, LogonCount, OperatingSystem, PasswordLastSet |
Export-csv c:\tmp\scripts\computers.csv
Webster
*From:* [email protected] *On Behalf Of* David McSpadden
*Sent:* Thursday, May 12, 2016 9:14 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Ok, I have this:
get-adcomputer -filter * -properties * | Select CN, Description,
DistinguishedName, IPv4Address, LastLogonDate, LogonCount, OperatingSystem,
PasswordLastSet | Export-csv c:\tmp\scripts\computers.csv
And I don’t know how to make it an LDAP query where LastLogonDate or
PasswordLastSet Greater than 90 days.
This will get me all the computer accounts that basically have been missed
by admins that have taken them off the network and not removed them from
Active Directory.
Anyone have any help for this semi Old scripter?
*From:* [email protected] *On Behalf Of* Michael B. Smith
*Sent:* Thursday, May 12, 2016 9:56 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
My great-grandpa made a toy of a notched stick with a propeller on the end
and then would run another stick up and down the notched part to make the
propeller turn. Left, right, switch directions, fast, slow, etc.
He called it a “gee haw whimmy diddle”. I sure wish I still had one of
those that he hand made.
I’m old enough to have yelled “gee” and “haw” at the back-end of a mule.
*From:* [email protected] *On Behalf Of* Melvin Backus
*Sent:* Thursday, May 12, 2016 8:28 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
When I was a kid we played with a stick with a propeller on the end. You
spin it between your hands and it flies like a helicopter. Now kids play
with remote control drones that fly like helicopters. Same result, except
that now the toy does all the work and the kid gets no exercise. :(
OK, yes, I am that old. :)
--
There are 10 kinds of people in the world...
those who understand binary and those who don't.
*From:* [email protected] *On Behalf Of* Kennedy, Jim
*Sent:* Thursday, May 12, 2016 8:15 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
You kids with your newfangled toys. :)
*From:* [email protected] *On Behalf Of* Michael B. Smith
*Sent:* Wednesday, May 11, 2016 5:10 PM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Pre-PowerShell. :)
This comment is the most important: At the end of the day, you need to know
what is right for your environment, understand what the attributes mean,
how they behave etc. and develop the process to manage them accordingly.
Completely agree with you.
*From:* [email protected] *On Behalf Of* Free Jr., Bob
*Sent:* Wednesday, May 11, 2016 4:55 PM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Oldcmp is awesome (I helped joe with the initial testing cycle and even got
my name in the credits <G>)
We use it as part of our process to delete thousands of computers a year.
That said...
Keep in mind that pwdset isn’t a panacea. Computer password changes are
initiated by the client. [1]
There is a GPO that can disable that behavior so they are never reset.
A critical computer that has been off the network for quite some time can
be booted up and authenticate.
Yada Yada Yada
At the end of the day, you need to know what is right for your environment,
understand what the attributes mean, how they behave etc. and develop the
process to manage them accordingly.
Asset management should be based on more than just attributes in AD but you
can certainly infer a lot from them. Maybe everything in your environment,
I can’t say for sure.
[1] Machine account passwords as such do not expire in Active Directory.
They are exempted from the domain’s password policy. It is important to
remember that machine account password changes are driven by the CLIENT
(computer), and not the AD. As long as no one has disabled or deleted the
computer account, nor tried to add a computer with the same name to the
domain, (or some other destructive action), the computer will continue to
work no matter how long it has been since its machine account password was
initiated and changed.
So if a computer is turned off for three months nothing expires. When the
computer starts up, it will notice that its password is older than 30 days
and will initiate action to change it. The Netlogon service on the client
computer is responsible for doing this. This is only applicable if the
machine is turned off for such a long time.
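
An added example, not part of any message in this thread: it combines the 90-day cutoff from the first reply with the caveat above that pwdLastSet alone can mislead, and reports by OU as the original request asked. `Find-StaleComputer`, `New-SampleComputer`, the Stale/Review/Active labels and the `example.test` records are all constructed for illustration.

```powershell
# Added example; Find-StaleComputer and the sample records are constructed.
function Find-StaleComputer {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $Computer,
        [int] $Days = 90,
        [datetime] $Now = [DateTime]::Today
    )
    begin { $cutoff = $Now.AddDays(-$Days) }
    process {
        $logon = $Computer.LastLogonDate      # derived from lastLogonTimestamp
        $pwSet = $Computer.PasswordLastSet    # derived from pwdLastSet
        # A missing value counts as old: never logged on / password never set.
        $logonOld = (-not $logon) -or ($logon -lt $cutoff)
        $pwOld    = (-not $pwSet) -or ($pwSet -lt $cutoff)
        # Only agreement of both attributes is treated as stale; one old
        # attribute alone (e.g. password changes disabled by GPO) needs a human.
        if ($logonOld -and $pwOld)    { $status = 'Stale' }
        elseif ($logonOld -or $pwOld) { $status = 'Review' }
        else                          { $status = 'Active' }
        [pscustomobject]@{
            Name            = $Computer.Name
            # Parent container: everything after the first unescaped comma of the DN.
            OU              = ($Computer.DistinguishedName -split '(?<!\\),', 2)[1]
            Enabled         = $Computer.Enabled
            LastLogonDate   = $logon
            PasswordLastSet = $pwSet
            Status          = $status
        }
    }
}

# Constructed sample records shaped like Get-ADComputer output.
$now = [datetime]'2016-05-12'
function New-SampleComputer($Name, $OU, $Logon, $PwSet) {
    [pscustomobject]@{
        Name = $Name; Enabled = $true
        DistinguishedName = "CN=$Name,$OU,DC=example,DC=test"
        LastLogonDate = $Logon; PasswordLastSet = $PwSet
    }
}
$sample = @(
    New-SampleComputer 'PC-001'  'OU=Desktops' ([datetime]'2016-05-10') ([datetime]'2016-04-20')
    New-SampleComputer 'PC-002'  'OU=Desktops' ([datetime]'2015-12-01') ([datetime]'2015-11-15')
    New-SampleComputer 'SRV-010' 'OU=Servers'  ([datetime]'2016-05-11') ([datetime]'2014-03-02')
    New-SampleComputer 'PC-003'  'OU=Desktops' $null $null
)
$sample | Find-StaleComputer -Days 90 -Now $now | Sort-Object OU, Name |
    Format-Table Name, OU, Status, LastLogonDate, PasswordLastSet -AutoSize
```

Against a live domain, feed it with `Get-ADComputer -Filter * -Properties LastLogonDate, PasswordLastSet | Find-StaleComputer` (requires the ActiveDirectory module) and export the result with `Export-Csv` for review before anything is disabled or deleted.
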
*From:* [email protected] *On Behalf Of* Kennedy, Jim
*Sent:* Tuesday, May 10, 2016 6:30 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Sorry, just saw this.
Oldcmp from Joeware might help you. Just schedule task it up with the right
parameters. And as mentioned, password last set is what it uses as it is
the only reliable method. So you have to adjust your disable period to
account for that.
http://www.joeware.net/freetools/tools/oldcmp/
*From:* [email protected] *On Behalf Of* David McSpadden
*Sent:* Monday, May 9, 2016 8:15 AM
*To:* [email protected]
*Subject:* [NTSysADM] RE: New script: Microsoft Active Directory Health Check PowerShell Script V2.0
Are computers something that will be considered later or in another script?
We constantly have stale computer records because my admins are afraid to
delete anything from AD.
We find computer accounts in buried OU’s that have been stale for 120 days
sometimes.
A report of those month would clean out AD and all the applications that
rely on AD information for their own reporting and management.
Right now I use TrendMicro Management interface (Because it has realtime
results) and reconcile with AD when I can.
A report would make it so I could give the work away.
So what I am asking is a list of computers by OU and last seen or login
date?
Not sure if it is AD Health or what, but it is needed I think.
*From:* [email protected] *On Behalf Of* Webster
*Sent:* Monday, May 9, 2016 6:14 AM
*To:* [email protected]
*Subject:* [NTSysADM] New script: Microsoft Active Directory Health Check PowerShell Script V2.0
After a lot of work by Michael B. Smith, a group of dedicated testers and
myself, we have taken Jeff Wouters’ original script to V2.0.
http://carlwebster.com/microsoft-active-directory-health-check-powershell-script-v2-0/
Thanks
Carl Webster
Citrix Technology Professional
http://www.CarlWebster.com
The Accidental Citrix Admin
This e-mail and any files transmitted with it are property of Indiana
Members Credit Union, are confidential, and are intended solely for the use
of the individual or entity to whom this e-mail is addressed. If you are
not one of the named recipient(s) or otherwise have reason to believe that
you have received this message in error, please notify the sender and
delete this message immediately from your computer. Any other use,
retention, dissemination, forwarding, printing, or copying of this email is
strictly prohibited.
Please consider the environment before printing this email.