Active Directory Spring Cleaning: Unnecessary Computer Objects

Yesterday, a PowerShell script I’d written sent an email to the members of the Active Directory security groups that are delegated control of computer objects within the OUs for various sections of the University under the “Departments” OU. These messages contained a list of all the computer objects in each departmental OU which haven’t contacted the domain to change their password for 90 days (by default a computer will change its password every 30 days) – that being an indication that the computer object may be unnecessary and could possibly be deleted.

In order to generate these reports, I use Windows PowerShell and the Active Directory cmdlets from Quest Software. Once you have those installed, you’ll find a “Quest Software” folder in the Start menu, which contains the “ActiveRoles Management Shell for Active Directory” – you should run this as a member of the admin group that has permissions on the OU you want to report on. Then it’s just a case of a couple of lines of PowerShell.

[If none of this makes any sense, then I’m going to recommend that you go and read the Getting Started chapter from the TechNet Script Center’s PowerShell Owner’s Manual]

First we’ll put the OU’s distinguished name in a string variable, just to reduce the amount of wrapping we’re going to have on the next line…

$OU = "OU=ISS,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk"

Then we find the computer objects by using Quest’s Get-QADComputer cmdlet, and filter the results to those whose pwdLastSet property is more than 90 days in the past…

Get-QADComputer -SearchRoot $OU -SearchScope Subtree `
-IncludedProperties pwdLastSet -SizeLimit 0 | where {$_.pwdLastSet -le $((Get-Date).AddDays(-90))}

That gives you a table of computer objects using the default formatting, but we can do better than that.

If we pipe the output of the filter to the Select-Object cmdlet, we can select interesting properties to look at. I’m going to select the computer object’s name, description and parentcontainerdn so we can see how we’ve labelled it and exactly where it is in our OU structure…

Get-QADComputer -SearchRoot $OU -SearchScope Subtree `
-IncludedProperties pwdLastSet -SizeLimit 0 | where {$_.pwdLastSet -le $((Get-Date).AddDays(-90))} | select name,description,parentcontainerdn

These might not be the most helpful properties for the computers you manage, so you can check the full list of properties of the computer objects by piping one into the Get-Member cmdlet.

We might have some useful data at this point, but there’s probably going to be some truncation going on, and it might be more useful if we could sort it. You could use the Sort-Object and Format-Table cmdlets to help, but I’m going to suggest that we might be better getting it out into Excel so you can order it and play with it in any way you want. To that end, we’ll pipe the whole lot into the Export-Csv cmdlet…

Get-QADComputer -SearchRoot $OU -SearchScope Subtree `
-IncludedProperties pwdLastSet -SizeLimit 0 | where {$_.pwdLastSet -le $((Get-Date).AddDays(-90))} | select name,description,parentcontainerdn | Export-Csv "C:\temp\computers.csv" -NoTypeInformation
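As an added example that is not part of the original post, here is the same 90-day test run over a few constructed computer objects (the sub-OU names, computer names and descriptions are invented) so the logic can be checked without running the Quest cmdlets against a domain. It also handles the one case the plain filter gets wrong: a pre-staged object that has never joined and so has no pwdLastSet at all, which should be reported as such rather than silently dropped or shown as stale since 1601.

```powershell
# Added example, not from the original post: the 90-day staleness test applied to
# constructed sample objects. In production, replace $sample with the output of the
# Get-QADComputer pipeline shown above.

function Get-StaleComputer {
    param(
        [Parameter(Mandatory=$true)] [object[]] $Computers,
        [int] $Days = 90,
        [datetime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$Days)
    foreach ($c in $Computers) {
        if ($null -eq $c.pwdLastSet) {
            # Caveat: an object that has never set a password (pre-staged, never joined)
            # has no pwdLastSet; report it on its own rather than as "stale for 400 years".
            $reason = 'never set a password (never joined?)'
        } elseif ($c.pwdLastSet -le $cutoff) {
            $age = [int]($Now - $c.pwdLastSet).TotalDays
            $reason = "no password change for $age days"
        } else {
            continue   # recently active, not reported
        }
        [pscustomobject]@{
            Name              = $c.name
            Description       = $c.description
            ParentContainerDN = $c.parentcontainerdn
            Reason            = $reason
        }
    }
}

# Constructed sample data standing in for the cmdlet output (sub-OU names are invented)
$base = 'OU=ISS,OU=Departments,DC=campus,DC=ncl,DC=ac,DC=uk'
$sample = @(
    [pscustomobject]@{ name='ISS-PC001'; description='Helpdesk loan laptop'; parentcontainerdn="OU=Helpdesk,$base"; pwdLastSet=(Get-Date).AddDays(-12) }
    [pscustomobject]@{ name='ISS-PC002'; description='Old test box';          parentcontainerdn="OU=Helpdesk,$base"; pwdLastSet=(Get-Date).AddDays(-140) }
    [pscustomobject]@{ name='ISS-SRV03'; description='Decommissioned 2008';   parentcontainerdn="OU=Servers,$base";  pwdLastSet=(Get-Date).AddDays(-400) }
    [pscustomobject]@{ name='ISS-PC099'; description='Pre-staged, not built'; parentcontainerdn="OU=Helpdesk,$base"; pwdLastSet=$null }
)

$stale = Get-StaleComputer -Computers $sample -Days 90
$stale | Sort-Object ParentContainerDN, Name | Format-Table -AutoSize

# One summary line per OU, which is what each delegated group's email needs
$stale | Group-Object ParentContainerDN | ForEach-Object {
    "{0}: {1} candidate(s)" -f $_.Name, $_.Count
}
# $stale | Export-Csv "C:\temp\computers.csv" -NoTypeInformation
```

With the sample above, ISS-PC001 is left out and the other three are listed, two under the Helpdesk OU and one under Servers.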

I hope that helps. 🙂

This entry was posted in ActiveDirectory, PowerShell by Jonathan.

About Jonathan

Windows Server infrastructure administrator at Newcastle University since 1999. Microsoft MVP for Cloud and Datacenter Management (& previously for PowerShell). Member of the Microsoft Technical Community Council. Co-founder of the NEBytes user group. @jonoble on Twitter.
