
Get-ADComputer and Negative Comparisons


Stokkolm    329

So, I'm running into an interesting problem with the Get-ADComputer cmdlet. What I am trying to do is get a list of computer objects that haven't logged in for more than 90 days. That part works fine; however, when I attempt to filter out cluster objects I'm running into an issue.

 

There are 219 total objects in the OU that I'm searching. Here is my basic command:

$Servers = Get-ADComputer -LDAPFilter '(name=*)' -SearchBase 'OU=Servers,DC=my,DC=domain,DC=com' -Properties * | Where-Object { $_.servicePrincipalNames -notlike '*MSClusterVirtualServer*' } | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } | Sort-Object CN

 

The first Where-Object comparison does not evaluate correctly and all 219 objects are returned; however, if I try using -like, it correctly identifies the cluster objects and only 17 objects are returned. Does anyone know why -like evaluates correctly and -notlike doesn't?

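The behaviour in the question comes from servicePrincipalNames being a multi-valued attribute. The following is an added example, not code from the thread, that reproduces it on constructed SPN lists (the SPN shapes are what cluster name objects carry; the OU distinguished name is the one used in the question and is only a placeholder):

```powershell
# Added example: why -notlike misbehaves on servicePrincipalNames.
# Sample SPN lists are constructed; a cluster name object carries SPNs of this shape.
$clusterSpns = @(
    'HOST/CLUSTER01',
    'HOST/CLUSTER01.my.domain.com',
    'MSClusterVirtualServer/CLUSTER01',
    'MSServerClusterMgmtAPI/CLUSTER01'
)
$memberSpns = @('HOST/NODE01', 'HOST/NODE01.my.domain.com')

# servicePrincipalNames is multi-valued, so the left operand is a collection.
# On a collection, -like and -notlike act as filters: they return the matching
# elements instead of a single $true/$false.
$clusterSpns -like    '*MSClusterVirtualServer*'   # 1 element  -> truthy inside Where-Object
$clusterSpns -notlike '*MSClusterVirtualServer*'   # 3 elements -> ALSO truthy
$memberSpns  -notlike '*MSClusterVirtualServer*'   # 2 elements -> truthy

# So -notlike only yields an empty (falsy) result when EVERY SPN matches the
# pattern, which never happens, and the cluster objects are never excluded.
# Collapse "any SPN matches" to one boolean and negate that instead:
function Test-ClusterNameObject {
    param([string[]]$ServicePrincipalNames)
    # -like filters the list; [bool] of a non-empty array is $true, of an empty one $false
    return [bool]($ServicePrincipalNames -like '*MSClusterVirtualServer*')
}

-not (Test-ClusterNameObject $clusterSpns)  # False: it is a cluster, exclude it
-not (Test-ClusterNameObject $memberSpns)   # True:  a normal server, keep it

# Applied to the original query (assumed OU, needs a real domain). Either filter
# client-side with the boolean above, or let the DC do it with an LDAP negation
# (the LDAP attribute name is the singular servicePrincipalName):
# Get-ADComputer -LDAPFilter '(&(name=*)(!(servicePrincipalName=MSClusterVirtualServer/*)))' `
#     -SearchBase 'OU=Servers,DC=my,DC=domain,DC=com' -Properties LastLogonDate |
#     Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) }
```

The same collection semantics apply to -eq, -ne, -match and -notmatch, so any negated comparison against a multi-valued AD attribute inside Where-Object should be written as -not (positive test) rather than with the negated operator.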
sc302    1,722

wow 219...man i wish...

 

Try this...

Import-Module ActiveDirectory
$DaysInactive = 120
$time = (Get-Date).AddDays(-($DaysInactive))
$DestinationOU = "OU=Disabled Computers,DC=mydomain,DC=com"

# Get all AD computers with lastLogonTimestamp older than the inactive window
$Stale = Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp

# Output hostname and lastLogonTimestamp into CSV
# (Export-Csv emits nothing to the pipeline, so this has to be its own step
# rather than piped on into Get-ADComputer; lastLogonTimestamp is a FILETIME integer)
$Stale | Select-Object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | Export-Csv C:\script\OLD_Computer.csv -NoTypeInformation

# Disable the same set of accounts
$Stale | Disable-ADAccount

# Move every disabled computer (not only the ones disabled above) into the holding OU
Get-ADComputer -Filter { (name -like "*") -and (enabled -eq $False) } -Properties * | Move-ADObject -TargetPath $DestinationOU

Cluster objects should still check in to AD as they should be online and running; they should not show up in the 90-day filter. It is when they are offline completely for 90+ days that there will be an issue, but more than what you think. Look up the term "Microsoft Tombstoned" and see what is required to revive a tombstoned computer. This will not happen if a computer is on the network and communicating, even if you never log into it.

 

Change $DaysInactive to what you want, and change $DestinationOU to your own OU.

  • Like 1

Stokkolm    329
14 minutes ago, sc302 said:

 Cluster objects should still check in to AD as they should be online and running, they should not show up in 90 days...it is when they are offline completely for 90+ days there will be an issue, but more than what you think.


According to Technet, a cluster object only sets the LastLogonDate attribute when the cluster comes online; therefore, if the cluster has been online for longer than 90 days, the LastLogonDate attribute would reflect that.

 

This was my source for that information: https://blogs.technet.microsoft.com/askds/2011/08/23/cluster-and-stale-computer-accounts/

 

I will check out Tombstoning as well, thanks for the suggestion. What I'm trying to do is just get a list of stale computer objects, not necessarily tombstoned ones. I was able to get the information I needed with the following code:

$SearchBase = 'OU=Servers,DC=my,DC=domain,DC=com'
$All = Get-ADComputer -LDAPFilter '(name=*)' -SearchBase $SearchBase -Properties *

# Stale servers: no logon recorded in the last 90 days
$Servers = $All | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) }

# Cluster name objects: SPNs look like 'MSClusterVirtualServer/<name>', so the
# pattern needs wildcards; without them -like is an exact match and finds nothing
$Clusters = $All | Where-Object { $_.servicePrincipalNames -like '*MSClusterVirtualServer*' }
$Array = @()

ForEach ($Server in $Servers) {
    # Keep only stale servers whose name is not one of the cluster name objects
    If ($Clusters.Name -notcontains $Server.Name) {
        $Array += $Server
    }
}

 

Edited by Stokkolm

sc302    1,722

https://technet.microsoft.com/en-us/library/2007.09.tombstones.aspx

 

Recovering a tombstoned object is a bit of a process; however, it is important to know. It is also important to know that tombstoning occurs 180 days after a computer has stopped communicating with AD. AD forces a password change between all devices and itself periodically (every 30 days). I would venture to believe that clusters would fall into that as well. You could check up on that in a week or so to see if the time stamp changed (it should).

 

Instead of lastlogontime, you could use pwdLastSet, as stated here, which would more accurately identify computers/clusters that are no longer online.

 

https://blogs.msdn.microsoft.com/clustering/2011/08/17/identifying-stale-cluster-computer-objects/

 

  • Like 1

Stokkolm    329

pwdLastSet isn't returned in Date/Time format, so it's a bit more work. You're probably right though, that would be the better attribute to use. 

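To tie together sc302's pwdLastSet suggestion and the point that the raw attribute is not a date: pwdLastSet and lastLogonTimestamp are both stored as Int64 FILETIME values (100-nanosecond ticks since 1601-01-01 UTC), and a value of 0 means the attribute was never set, which [DateTime]::FromFileTime would silently turn into the year 1601. The following is an added example, not code from the thread, that converts both attributes, treats the never-set case explicitly, and reports staleness by each attribute side by side. It runs on constructed sample objects (the names and ages are made up); the commented query at the end shows how the same function would be fed from a real domain, with the OU name assumed. Note that the AD module also exposes the converted value as the PasswordLastSet property, but the conversion below is what you need when working from the raw attribute.

```powershell
# Added example, not from the thread: stale-computer report from raw FILETIME attributes.

function ConvertFrom-AdFileTime {
    # pwdLastSet / lastLogonTimestamp are Int64 FILETIME values.
    # 0 means "never set": return $null instead of 1601-01-01 so age checks don't misfire.
    param([Parameter(Mandatory)][Int64]$FileTime)
    if ($FileTime -le 0) { return $null }
    return [DateTime]::FromFileTimeUtc($FileTime)
}

function Get-StaleComputerReport {
    param(
        # Objects carrying Name, pwdLastSet and lastLogonTimestamp (ADComputer objects qualify)
        [Parameter(Mandatory)][object[]]$Computer,
        [int]$DaysInactive = 90
    )
    $cutoff = (Get-Date).ToUniversalTime().AddDays(-$DaysInactive)
    foreach ($c in $Computer) {
        $pwd   = ConvertFrom-AdFileTime $c.pwdLastSet
        $logon = ConvertFrom-AdFileTime $c.lastLogonTimestamp
        [PSCustomObject]@{
            Name               = $c.Name
            PasswordLastSet    = $pwd
            LastLogonTimestamp = $logon
            # Never-set counts as stale: the account has never rotated its secret / never logged on
            StaleByPassword    = ($null -eq $pwd)   -or ($pwd   -lt $cutoff)
            StaleByLogon       = ($null -eq $logon) -or ($logon -lt $cutoff)
        }
    }
}

# Constructed sample values (not from any real domain). CLUSTER01 models a cluster
# name object that came online 200 days ago but still rotates its password every
# 30 days: stale by logon, not stale by password.
$now = (Get-Date).ToUniversalTime()
$sample = @(
    [PSCustomObject]@{ Name = 'NODE01';      pwdLastSet = $now.AddDays(-10).ToFileTimeUtc();  lastLogonTimestamp = $now.AddDays(-3).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'CLUSTER01';   pwdLastSet = $now.AddDays(-12).ToFileTimeUtc();  lastLogonTimestamp = $now.AddDays(-200).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'OLDSRV';      pwdLastSet = $now.AddDays(-400).ToFileTimeUtc(); lastLogonTimestamp = $now.AddDays(-400).ToFileTimeUtc() }
    [PSCustomObject]@{ Name = 'NEVERJOINED'; pwdLastSet = 0;                                  lastLogonTimestamp = 0 }
)
Get-StaleComputerReport -Computer $sample -DaysInactive 90 | Format-Table -AutoSize

# Against a real domain (assumed OU), pull the raw attributes and feed the same function:
# $real = Get-ADComputer -Filter * -SearchBase 'OU=Servers,DC=my,DC=domain,DC=com' -Properties pwdLastSet,lastLogonTimestamp
# Get-StaleComputerReport -Computer $real -DaysInactive 90 | Where-Object StaleByPassword
```

Comparing the two columns is what makes the cluster case visible: an object that is stale by logon but recent by password is still changing its machine password and therefore still online, which is exactly the distinction the linked clustering blog post draws.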
