I’ve written about Get-ADUser several times already to find out Active Directory user information, but in this post we’ll be using Get-ADComputer to find out the last logon date for the computers in Active Directory.
As computers are retired or fail and are replaced how often do admins remember to remove the computer accounts from Active Directory?
You can use the command we are going to create below to enumerate the last login date for all the computer accounts in your domain, so that you can safely disable and remove them after they have been inactive for a period of time.
Firstly on SBS 2011 we’ll need to either run the PowerShell as Administrator by right clicking the PowerShell icon and selecting Run as Administrator.
Then, we’ll need to import the Active Directory Module with the command:
Import-Module activedirectory
Alternatively you could run the Active Directory Module for Windows PowerShell from the Start – Administrative Tools menu.
For Windows Server 2012 this isn’t necessary as the module will be imported automatically.
We’ll start by confirming the PowerShell Cmdlet to use. We know we want to look at computer properties so lets see what PoweShell Cmdlets contain the word computer.
Get-Help *computer*
The Get-ADComputer command looks like the one we’re interested in so let’s take a look at it in more detail.
Get-Help Get-ADComputer
Next let’s look at a computer account and see what properties are returned.
Get-ADComputer -Identity SBS2K11
By default it doesn’t return anything that inidcates when it last logged on, so lets look at its extended properties.
Get-ADComputer -Identity SBS2K11 -Properties *
As you can see there is far more information when you use the -Properties * switch, and the property we are interested in is listed LastLogonDate.
Next let’s just output the fields that we are interested in using Format-Table, so Name and LastLogonDate.
[EDIT May 2017] On a single computer using -Properties * is ok, but for a large domain this can cause quite a slow down in processing the cmdlet. Specify the required properties in the cmdlet, so in this example the cmdlet would be -Properties LastLogonDate.
Get-ADComputer -identity SBS2K11 -Properties * | FT Name, LastLogonDate
Now lets add the -Autosize switch to the Format-Table Cmdlet.
Get-ADComputer -identity SBS2K11 -Properties * | FT Name, LastLogonDate -Autosize
In my test lab which I am using for this example it doesn’t make it much more readable, but in a larger environment the -Autosize switch does help with the readability of the output.
So far we have just been looking at one computer, my SBS2K11 server, now let’s modify the command to look at all computers. To do this we will change the -Identity switch for the -Filter switch. So the command looks like this:
Get-ADComputer -Filter * -Properties * | FT Name, LastLogonDate -Autosize
As you can see in my test lab I have two computers so it is easy to see the computer which has the oldest logon, but again in a larger environment it can be tricky to determine this with a large output.
Below is an example of a larger environment with the same command. The computers with no LastLogonDate indicate that there is no LastLogon data (another ADComputer property), which is converted to LastLogonDate.
Now if we want to sort these in order we would use the following command.
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize
Now you can very easily see which computers haven’t logged on recently in ascending order. To reverse the list you would use the -Descending switch with the sort command.
Finally I’d like to output this to a file so I can confirm with colleagues the machines to be disabled or removed from Active Directory so we’ll pipe the output into the Out-File Cmdlet.
Get-ADComputer -Filter * -Properties * | Sort LastLogonDate | FT Name, LastLogonDate -Autosize | Out-File C:\Temp\ComputerLastLogonDate.txt
So far all we’ve done is list computers according to their last logon date which is useful, but do you really then want to go and manually disable or delete all of the computers which haven’t logged on in xx number of days?
PowerShell is all about automation, so in PowerShell: Get-ADComputer to retrieve computer last logon date (and disable them) – part 2 I’ll show you how to retrieve accounts over xx days old and automatically disable them.
Below are some links to Microsoft Technet references.
Get-ADComputer can be found here: http://technet.microsoft.com/en-us/library/ee617192.aspx
Sort-Object cmdlet can be found here: http://technet.microsoft.com/en-us/library/ee176968.aspx
Related Articles:
1. PowerShell: Get-ADUser to retrieve logon scripts and home directories – Part 1
2. Office 365 PowerShell: How to bulk change Office 365 calendar permissions using Windows PowerShell
3. PowerShell: Get-ADUser to retrieve password last set and expiry information
4. Exchange PowerShell: How to find users hidden from the Global Address List
5. How to install Exchange 2013 (SP1) on Windows Server 2012 R2