dsquery computer [<startnode>] -inactive <number of weeks>
to get computers that have been inactive (stale) for the number of weeks that you specify, or
dsquery computer [<startnode>] -stalepwd <number of days>
to find computers whose passwords have not changed for the specified number of days. This comparison requires some manual work, and since we are looking for a solution that can be easily reproduced, we are not satisfied. So it would be easier to just query for all computers whose passwords have not changed since some day:
dsquery * [<startnode>] -filter "(&(objectCategory=computer)(pwdLastSet>=date/time in Integer8-format))"
But since the pwdLastSet attribute value is stored as a large integer that represents the number of 100-nanosecond intervals since January 1, 1601 (UTC), you have to know how to convert the last password reset date to the same format before you can use it as a search condition. This conversion can easily be done with VBScript, for example. I'll leave that as homework for you to find out how this is done.
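The Integer8 conversion needed for the dsquery filter above can also be done in PowerShell. This is an added example, not code from the original post: the function names ConvertTo-Integer8 and Get-PwdLastSetFilter are hypothetical, and the ADSI query assumes a domain-joined machine where the default search root is the current domain.

```powershell
# Added example; the helper names are hypothetical, not from the original post.

function ConvertTo-Integer8 {
    param([Parameter(Mandatory)][DateTime]$Date)
    # Integer8 / FILETIME: 100-nanosecond intervals since 1601-01-01 00:00 UTC.
    # ToFileTimeUtc() converts a local DateTime to UTC before counting.
    $Date.ToFileTimeUtc()
}

function Get-PwdLastSetFilter {
    param([int]$Days = 60)
    $cutoff = ConvertTo-Integer8 -Date ([DateTime]::Today.AddDays(-$Days))
    # Same filter as the dsquery line, with the date placeholder filled in.
    "(&(objectCategory=computer)(pwdLastSet>=$cutoff))"
}

$filter = Get-PwdLastSetFilter -Days 60
$filter    # usable as: dsquery * [<startnode>] -filter "<this string>"

# The same filter run through ADSI, which needs no ActiveDirectory module.
$searcher = [adsisearcher]$filter
$searcher.PageSize = 1000    # page results so large domains are not truncated
[void]$searcher.PropertiesToLoad.AddRange([string[]]@('name', 'pwdlastset'))

$results = $searcher.FindAll()
try {
    foreach ($r in $results) {
        [pscustomobject]@{
            Name            = $r.Properties['name'][0]
            # Convert the stored Integer8 value back to a readable UTC date.
            PasswordLastSet = [DateTime]::FromFileTimeUtc([long]$r.Properties['pwdlastset'][0])
        }
    }
}
finally {
    $results.Dispose()    # release the unmanaged directory search handle
}
```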
I figured out that the easiest way to find out which computers have changed their passwords within a specified period is to use PowerShell:
$d = [DateTime]::Today.AddDays(-60); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet
These two commands show you all computers that have changed their passwords within the last 60 days. And you can run them on one line instead of having to do any comparisons or date/time conversions.
And if we are only interested in the number of active computer objects we can just count them:
@($d = [DateTime]::Today.AddDays(-60); Get-ADComputer -Filter 'PasswordLastSet -ge $d' -Properties PasswordLastSet).Count
Pretty cool, right?
For the Get-ADComputer cmdlet to work, you'll first need to import the Active Directory module by running
Import-Module ActiveDirectory
The module contains a lot of useful cmdlets for managing AD.