The Get-ADComputer cmdlet retrieves a single computer or several computers using a search.
The Identity parameter is used to specify the Active Directory computers to retrieve.
- A computer’s distinguished name, GUID, security identifier (SID), or Security Accounts Manager (SAM) account name can all be used as the value for the Identity parameter to locate the computer object.
- You can also provide a computer object through the pipeline to the Identity parameter.
- Or assign the Identity parameter to a computer object variable, such as $Computerobject.
Use the Filter or LDAPFilter parameter to look for and retrieve multiple computer objects.
- With the Filter option, you can write query strings for Active Directory using the PowerShell Expression Language. The PowerShell Expression Language syntax supports rich type conversion for the value types received by the Filter parameter.
- The LDAPFilter parameter can be used if you already have Lightweight Directory Access Protocol (LDAP) query strings.
The Get-ADComputer cmdlet retrieves the default set of computer object properties. Use the Properties parameter to retrieve more properties.
In this blog, we’ll examine the PowerShell command, Get-ADComputer, and learn how to use it. I’ll also provide you with a few helpful examples to look for and export AD computers.
Table Of Contents
- Using the Identity Parameter
- Using the Filter Parameter
- Using the LDAP Filter
- Limiting Computer Search to an OU (SearchBase)
- Searching Computer Objects in Child OUs (SearchScope)
- Get ADComputer Properties
- Export Computer Object Results to CSV
- Export the Desired Properties
- Export Enabled and Disabled Computers
- Summary
Using the Identity Parameter
In its most basic form, Get-ADComputer uses the Identity parameter to retrieve a single computer object from AD. The Identity parameter can take the values in the form of:
- GUID
- Distinguished Name
- samAccountName
- ObjectSID (SID as security identifier)
For instance, if your computer is called GroupID10Corp, you would enter this value as:
Get-ADComputer -Identity GroupID10Corp
If a distinguished name is given as an identifier, then it is used to compute the partition to be searched. A non-terminating error is returned by the command if two or more objects are discovered.
Alternatively, you can set this parameter to a computer object instance to pass the object through the pipeline.
Filter Parameter in Get-ADComputer Cmdlet
Use the Filter parameter to find multiple computer accounts. There are several PowerShell commands that share the Filter parameter. You can specify the requirements that an account must meet in order to be returned.
You must use the Filter option if the Identity parameter is not being used. You can enter an asterisk to locate all computer accounts in AD, for instance. The asterisk is a wildcard character that matches all computer accounts in the directory.
Get-ADComputer -Filter *
For example, you might need to locate all the computers that begin with “GID”. The filter syntax would then be created as:
Get-ADComputer -Filter "Name -like 'GID*'"
Get Computer Objects based on Operating System
It is crucial for system administrators in large organizations to have access to Active Directory data about users, computers, and other objects. They frequently require information to determine the operating system version of a computer in order to upgrade the OS or apply a policy.
In this section, I’ll describe how to use PowerShell to get ADComputer operating systems in Active Directory and then export the list of ADComputer operating systems to a CSV file.
Using search criteria, the PowerShell Get-ADComputer cmdlet retrieves one or more Active Directory computer accounts with their OS name and version.
Get-ADComputer -filter * -Properties * | Select Name, OperatingSystem
Use the following command if you need to search for a specific operating system computer in Active Directory:
Get-ADComputer -Filter {OperatingSystem -like '*Windows Server 2016*'}
The PowerShell script mentioned above filters the computer objects by operating system, such as Windows Server 2016.
Using the command below, you can obtain information on the operating systems of computer objects residing in a specific OU:
Get-ADComputer -filter * -SearchBase "CN=Computers,DC=Knox,DC=lab" -Properties OperatingSystem | Sort Name | Format-Table Name,Enabled,OperatingSystem -AutoSize
Get-AdComputer in the PowerShell script above retrieves the computer account in the OU defined by the SearchBase criteria and passes the output to the second command.
The second command reveals the computer operating system, name, and sorts by computer name.
To export the results of a cmdlet, use the Export-CSV cmdlet with the location you want to save the output to, as shown below:
Get-ADComputer -filter * -Properties * | Select Name, OperatingSystem | Export-CSV C:\Computers.csv
Get all Inactive Computers via Get-ADComputer
Do you wish to know how many unused PCs you have?
Get-ADComputer results can be filtered on lastlogondate to show any computers that have been idle for more than X days, say 90 days.
To do this, we must first create a date variable by taking the current date and subtracting 90 days. Get-ADComputer can then be filtered on lastlogondate using that variable:
$date = (Get-Date) - (New-TimeSpan -Days 90)
Get-ADcomputer -Filter 'lastLogondate -lt $date' | ft
# Select the canonicalName, lastlogondate and name for a more readable list of computers
Get-ADcomputer -Filter 'lastLogondate -lt $date' -properties canonicalName,lastlogondate | select name,canonicalname,lastlogondate | ft -AutoSize
In the above example, I have used Windows PowerShell ISE (Integrated Scripting Environment), which makes it easier to run selected lines or the whole script. You can select a line to run it separately or choose to run the whole script at once.
Get all Disabled or Enabled Computers in Active Directory
If you want to get a list of all the disabled or enabled computers in Active Directory, use the following cmdlets respectively:
Get-ADComputer -Filter "Enabled -eq 'False'" | ft
Get-ADComputer -Filter "Enabled -eq 'True'" | ft
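The inactive-computer and enabled/disabled queries above, combined into one triage step as an added example (not code from the original post): the hypothetical function Get-ComputerStaleness classifies objects shaped like Get-ADComputer output, and the sample objects are constructed so it runs without a domain. It also separates out accounts with no LastLogonDate, which a 'lastLogondate -lt $date' filter does not return.

```powershell
# Added example. Get-ComputerStaleness is a hypothetical helper, not part of the
# ActiveDirectory module. It accepts any object with Name, Enabled and LastLogonDate.
function Get-ComputerStaleness {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        [int]$Days = 90,
        [datetime]$Now = (Get-Date)
    )
    begin { $cutoff = $Now.AddDays(-$Days) }
    process {
        $last  = $Computer.LastLogonDate
        $state = 'Active'
        # An account that has never logged on has no LastLogonDate, so a
        # 'lastLogondate -lt $date' filter skips it; classify it explicitly.
        if ($null -eq $last)       { $state = 'NeverLoggedOn' }
        elseif ($last -lt $cutoff) { $state = 'Stale' }

        [pscustomobject]@{
            Name          = $Computer.Name
            Enabled       = $Computer.Enabled
            LastLogonDate = $last
            State         = $state
            # Still enabled but not in use: review these first.
            ReviewFirst   = ($Computer.Enabled -and ($state -ne 'Active'))
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output (not real hosts).
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'WS-001';  Enabled = $true;  LastLogonDate = $now.AddDays(-3) }
    [pscustomobject]@{ Name = 'WS-002';  Enabled = $true;  LastLogonDate = $now.AddDays(-200) }
    [pscustomobject]@{ Name = 'SRV-OLD'; Enabled = $false; LastLogonDate = $now.AddDays(-400) }
    [pscustomobject]@{ Name = 'WS-NEW';  Enabled = $true;  LastLogonDate = $null }
)
$sample | Get-ComputerStaleness -Days 90 -Now $now |
    Sort-Object ReviewFirst -Descending | Format-Table -AutoSize

# Against a directory (requires the ActiveDirectory module; the output path is a placeholder):
#   Get-ADComputer -Filter * -Properties LastLogonDate | Get-ComputerStaleness |
#       Where-Object ReviewFirst | Export-Csv C:\stale-review.csv -NoTypeInformation
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about 14 days, so choose a threshold comfortably above that.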
Using the LDAP Filter
Use the LDAPFilter parameter if you are skilled with LDAP filters. Using LDAP syntax, the LDAP filter enables you to zero in on the precise computer you’re looking for. The SearchBase option can be used alone or in conjunction with LDAPFilter.
The LDAP filter is used in the example below to locate all computers that begin with the letter ‘Q’.
Get-ADComputer -LDAPFilter "(name=Q*)"
Limiting Computer Search to an OU (SearchBase)
There are different approaches to locate computers in AD.
- You can locate a computer by name using the Identity parameter.
- You can locate a computer by specific AD properties using the Filter parameter.
- Additionally, you can locate computer accounts by the OU they are housed in. You can use the SearchBase option of Get-AdComputer to restrict the search to just one OU and/or all of its child OUs.
The Domain Controllers OU may contain all domain controllers that you need to locate.
The distinguished name (DN) of an OU must be specified in the SearchBase parameter. Here is an example of how to find every computer account in a “Knox.lab” domain’s ‘computers’ OU.
Get-ADComputer -Filter * -SearchBase "CN=computers,DC=knox,DC=lab"
Searching Computer Objects in Child OUs (SearchScope)
With the SearchBase parameter, PowerShell returns computer accounts only from the particular OU. Computer accounts in any child OUs won’t be returned. Use the SearchScope parameter to achieve that.
You can specify how deep to search from the parent OU using the SearchScope parameter. There are three possible values for this parameter: 0, 1, and 2.
- Only computers in the base OU will be returned by default, when the value is set to 0.
- Use the 1 value to recursively scan both the base OU and the immediate child OU.
- Supply value 2 to recursively search over all child, grandchildren, and deeper OUs. This is the most frequent value used.
Get-ADComputer -Filter * -SearchBase "OU=Computers OU,DC=Knox,DC=lab" -SearchScope OneLevel
The above cmdlet uses the SearchScope parameter with one level value, which means that PowerShell will look into only the OU defined in the SearchBase parameter. To look for the computer objects in all the child OUs, use the SearchScope parameter with “SubTree” value, as shown below:
Get-ADComputer -Filter * -SearchBase "OU=Computers OU,DC=Knox,DC=lab" -SearchScope SubTree
Get-ADComputer Properties
The computer object does not have many helpful properties (as compared to user and group objects). However, the computer object still has some valuable information that might be useful.
You only receive the computer name and distinguished name without defining the -properties parameter. Yet there are additional properties that are advantageous, for instance:
- BadLogonCount
- BadPwdCount
- IPv4Address
- Enabled
- LastLogOff
- LastLogonDate
- LogonCount
- OperatingSystem
- OperatingSystemVersion
- WhenCreated
Use the -properties parameter to obtain the above information. It is as shown below:
Get-ADComputer -identity EXCHKNOX -Properties LastLogonDate,IPv4Address,OperatingSystemVersion,OperatingSystem,WhenCreated
Export Computer Object Results to CSV
PowerShell results can easily be exported to a CSV file. We frequently use PowerShell to retrieve data so that it can be processed further in Excel.
The following command can be used to quickly export every AD computer object to a CSV file:
Get-ADComputer -filter * | Export-CSV c:\computersdetail.csv -NoTypeInformation
Here is the result shown in a CSV file.
Export the Desired Properties
When you use the filter parameter with wildcard, the system retrieves a couple of properties only, by default. If you want to specify the fields you really want to export, such as name, canonicalname, lastlogondate, use the properties parameter and then export the results to a CSV file for further analysis.
Get-ADComputer -filter * -properties operatingsystem,LastLogonDate,canonicalname | select name,canonicalname,operatingsystem,LastLogonDate | Export-CSV c:\computers.csv -NoTypeInformation
Export Enabled and Disabled Computers
Earlier we used filters to search for enabled and disabled accounts. Now we will use the same filters to search for those computer accounts and then use the Export-CSV cmdlet to export them separately to two different CSV files.
To export enabled computers, use the following command:
Get-ADComputer -filter "Enabled -eq 'true'" -properties operatingsystem,canonicalname,LastLogonDate | select name,operatingsystem,canonicalname,LastLogonDate | Export-CSV c:\enabledcomputers.csv -NoTypeInformation
Following are the results for all enabled computers in Active Directory:
To export disabled computers, use the following command:
Get-ADComputer -filter "Enabled -eq 'false'" -properties operatingsystem,canonicalname,LastLogonDate | select name,operatingsystem,canonicalname,LastLogonDate | Export-CSV c:\disabledcomputers.csv -NoTypeInformation
Following is a list of inactive computers in Active Directory. If you look closely at the LastLogonDate column, you will notice the date when they were last used for login.
Summary
In this blog, we have used the Get-ADComputer cmdlet and its parameters. We have covered different scenarios using the Identity parameter, Filter parameter, and LDAPFilter parameter. We have seen how you can get the computer objects by operating system, get all inactive computers, and get disabled and enabled computers. We have limited the search to an OU using the SearchBase parameter, and also expanded the search to further child OUs using the SearchScope parameter. Then we have discussed the most commonly searched properties of a computer object. We have also used examples for exporting the results of computer objects as well as the most commonly known properties of AD computer objects.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.