Get-ADComputer and Negative Comparisons

[Stokkolm]

So, I'm running into an interesting problem with the Get-ADComputer cmdlet. What I am trying to do is get a list of Computers objects that haven't logged in in more than 90 days. That part works fine, however when I attempt to filter out Cluster objects I'm running into an issue.

 

There are 219 total objects in the OU that I'm searching. Here is my basic command:

$Servers = Get-ADComputer -LDAPFilter '(name=*)' -SearchBase 'OU=Servers,DC=my,DC=domain,DC=com' -Properties * | Where-Object { $_.servicePrincipalNames -notlike '*MSClusterVirtualServer*' } | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) } | Sort-Object CN

 

The first Where-Object comparison does not evaluate correctly and all 219 objects are returned, however, if I try using -like it correctly identifies the Cluster objects and only 17 objects are returned. Does anyone know why -like evaluates correctly and -notlike doesn't?

[sc302 Veteran]

wow 219...man i wish...

 

Try this...

import-module activedirectory 
$DaysInactive = 120 
$time = (Get-Date).Adddays(-($DaysInactive))
$DestinationOU = "OU=Disabled Computers,DC=mydomain,DC=com"

# Get all AD computers with lastLogonTimestamp less than inactive days
Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |

# Output hostname and lastLogonTimestamp into CSV
select-object Name,@{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.lastLogonTimestamp)}} | export-csv C:\script\OLD_Computer.csv -notypeinformation |

Get-ADComputer -Filter {LastLogonTimeStamp -lt $time} -Properties LastLogonTimeStamp |

Disable-ADAccount 


Get-ADComputer -Filter { (name -like "*") -and (enabled -eq $False)} -properties * | Move-ADObject -TargetPath $DestinationOU

Cluster objects should still check in to AD as they should be online and running, they should not show up in the 90 day filter...it is when they are offline completely for 90+ days there will be an issue, but more than what you think.  Look up the term "Microsoft Tombstoned" and see what is required to revive a tombstoned computer....this will not happen if a computer is on the network and communicating even if you never log into it.

 

Change your daysinactive to what you want, change the destinationOU to your own OU

[Stokkolm]

  On 19/12/2017 at 15:45, sc302 said:

 Cluster objects should still check in to AD as they should be online and running, they should not show up in 90 days...it is when they are offline completely for 90+ days there will be an issue, but more than what you think.

Expand  

1

1

According to Technet, a cluster object only sets the LastLogonDate attribute when the Cluster comes online, therefore, if the cluster has been online for longer than 90 days the LastLogonDate attribute would reflect that. 

 

This was my source for that information: https://blogs.technet.microsoft.com/askds/2011/08/23/cluster-and-stale-computer-accounts/

 

I will check out Tombstoning as well, thanks for the suggestion. What I'm trying to do is just get a list of stale computer objects, not necessarily tombstoned ones. I was able to get the information I needed with the following code:

$Servers = Get-ADComputer -LDAPFilter '(name=*)' -SearchBase 'OU=Servers,DC=my,DC=domain,DC=com' -Properties * | Where-Object { $_.LastLogonDate -lt (Get-Date).AddDays(-90) }
$Clusters = Get-ADComputer -LDAPFilter '(name=*)' -SearchBase 'OU=Servers,DC=my,DC=domain,DC=com' -Properties * | Where-Object { $_.servicePrincipalNames -like 'MSClusterVirtualServer' }
$Array = @()

ForEach ($Server in $Servers) {
    If ($Clusters.Name -notcontains $Server.Name) {
        $Array += $Server
    }
}

 

Edited December 19, 2017 by Stokkolm

[sc302 Veteran]

https://technet.microsoft.com/en-us/library/2007.09.tombstones.aspx

 

Recovering a tombstoned object is a bit of a process, however it is important to know.    It is also important to know that tombstoning occurs at 180 days after it has not communicated with AD.  AD forces a password change between all devices and itself periodically (every 30 days).  I would venture to believe that clusters would fall into that as well.  You could check up on that in a week or so to see if the time stamp changed (it should).

 

Instead of lastlogontime, you could use pwdLastSet  as stated here which would more accurately identify computers/clusters that are no longer online.

 

https://blogs.msdn.microsoft.com/clustering/2011/08/17/identifying-stale-cluster-computer-objects/

 

[Stokkolm]

pwdLastSet isn't returned in Date/Time format, so it's a bit more work. You're probably right though, that would be the better attribute to use.