I’ve written about Get-ADUser several times already to find out Active Directory user information, but in this post we’ll be using Get-ADComputer to find out the last logon date for the computers in Active Directory.
As computers are retired, or fail and are replaced, how often do admins remember to remove the computer accounts from Active Directory?
You can use the command we are going to create below to enumerate the last login date for all the computer accounts in your domain, so that you can safely disable and remove them after they have been inactive for a period of time.
Firstly, on SBS 2011 we’ll need to run PowerShell as Administrator by right-clicking the PowerShell icon and selecting Run as Administrator.
Then, we’ll need to import the Active Directory Module with the command:
For Windows Server 2012 this isn’t necessary as the module will be imported automatically.
We’ll start by confirming the PowerShell Cmdlet to use. We know we want to look at computer properties, so let’s see which PowerShell Cmdlets contain the word computer.
The Get-ADComputer command looks like the one we’re interested in so let’s take a look at it in more detail.
Next let’s look at a computer account and see what properties are returned.
Get-ADComputer -Identity SBS2K11
Get-ADComputer -Identity SBS2K11 -Properties *
Next, let’s use Format-Table to output just the fields that we are interested in: Name and LastLogonDate.
[EDIT May 2017] On a single computer, using -Properties * is OK, but for a large domain this can cause quite a slowdown in processing the cmdlet. Specify the required properties in the cmdlet instead, so in this example the cmdlet would use -Properties LastLogonDate.
Get-ADComputer -identity SBS2K11 -Properties * | FT Name, LastLogonDate
Get-ADComputer -identity SBS2K11 -Properties * | FT Name, LastLogonDate -Autosize
So far we have just been looking at one computer, my SBS2K11 server. Now let’s modify the command to look at all computers. To do this we will swap the -Identity parameter for the -Filter parameter, so the command looks like this:
Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize
As you can see in my test lab I have two computers so it is easy to see the computer which has the oldest logon, but again in a larger environment it can be tricky to determine this with a large output.
Below is an example of a larger environment with the same command. A computer shown with no LastLogonDate has no LastLogon data (another ADComputer property), which is what gets converted to LastLogonDate.
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
Finally, I’d like to output this to a file so I can confirm with colleagues which machines are to be disabled or removed from Active Directory, so we’ll pipe the output into the Out-File Cmdlet.
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt
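The steps above combined into one report, as an added example that is not part of the original post: it requests only LastLogonDate as the May 2017 edit recommends, keeps computers with no logon data distinguishable from recently active ones, and produces objects suited to a CSV rather than formatted text. The function name Get-ComputerLogonReport, the sample computers other than SBS2K11, and the .csv path are assumptions made for illustration.

```powershell
# Added example, not code from the original post.
function Get-ComputerLogonReport {
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        $Computer,
        [datetime]$AsOf = (Get-Date)
    )
    process {
        $last = $Computer.LastLogonDate
        # Leave DaysInactive empty for accounts with no logon data, so they
        # are not mistaken for machines that logged on today.
        $days = $null
        if ($null -ne $last) { $days = [int][math]::Floor(($AsOf - $last).TotalDays) }
        New-Object PSObject -Property @{
            Name          = $Computer.Name
            Enabled       = $Computer.Enabled
            LastLogonDate = $last
            DaysInactive  = $days
            NoLogonData   = ($null -eq $last)
        } | Select-Object Name, Enabled, LastLogonDate, DaysInactive, NoLogonData
    }
}

# Constructed sample objects standing in for Get-ADComputer output,
# so the function can be tried without a domain controller.
$asOf = Get-Date '2017-05-01'
$sample = @(
    New-Object PSObject -Property @{ Name = 'SBS2K11';  Enabled = $true;  LastLogonDate = (Get-Date '2017-04-28') }
    New-Object PSObject -Property @{ Name = 'OLD-PC01'; Enabled = $true;  LastLogonDate = (Get-Date '2016-01-15') }
    New-Object PSObject -Property @{ Name = 'NEW-PC02'; Enabled = $false; LastLogonDate = $null }
)
$sample | Get-ComputerLogonReport -AsOf $asOf | Sort-Object LastLogonDate | Format-Table -AutoSize

# Against a live domain (Name and Enabled are returned by default):
# LastLogonDate is the module's conversion of the replicated lastLogonTimestamp
# attribute, which by default is refreshed only when it is 9 to 14 days out of
# date, so treat DaysInactive as approximate.
# Get-ADComputer -Filter * -Properties LastLogonDate |
#     Get-ComputerLogonReport | Sort-Object LastLogonDate |
#     Export-Csv C:\Temp\ComputerLastLogonDate.csv -NoTypeInformation
```

Sort-Object places the computers with no logon data first, which matches the blank rows at the top of the sorted output described above.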
So far all we’ve done is list computers according to their last logon date which is useful, but do you really then want to go and manually disable or delete all of the computers which haven’t logged on in xx number of days?
PowerShell is all about automation, so in “PowerShell: Get-ADComputer to retrieve computer last logon date (and disable them) – part 2” I’ll show you how to retrieve accounts over xx days old and automatically disable them.
Below are some links to Microsoft TechNet references.
Get-ADComputer can be found here: http://technet.microsoft.com/en-us/library/ee617192.aspx
Sort-Object cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176968.aspx