Get all laptops and desktops from my AD forest

  • Question

  • Hello,

    I was hoping someone could sanity check my PowerShell code, it looks okay to me and seems to produce valid results but maybe not.

    The code gets all desktops / laptops from my forest, whilst excluding servers:

    (Get-ADForest).Domains | % { try { Get-ADComputer -Filter "OperatingSystem -notlike '*server*'" -properties Enabled,pwdLastSet,IPv4Address,OperatingSystem -Server $_ } catch { write-warning "$_" }} | select DNSHostName,Enabled,pwdLastSet,IPv4Address,OperatingSystem | Export-Csv AllComputers.csv -NoTypeInformation 
    


    Instead of reporting on pwdLastSet though I'd like to convert this to the age in days e.g. current date/timestamp - pwdLastSet = xxx days

    I think I need to construct a new property e.g. 

    select @{Name="PwdAgeDays";Expression={((Get-Date)-[datetime]::fromFileTime($_.pwdLastSet))}}


    e.g.

    (Get-ADForest).Domains | % { try { Get-ADComputer -Filter "OperatingSystem -notlike '*server*'" -properties Enabled,pwdLastSet,IPv4Address,OperatingSystem -Server $_ } catch { write-warning "$_" }} | select DNSHostName,Enabled,@{Name="PwdAgeDays";Expression={((Get-Date)-[datetime]::fromFileTime($_.pwdLastSet))}},IPv4Address,OperatingSystem | Export-Csv AllComputers.csv -NoTypeInformation


    Does this look correct?

    Thanks

    Thursday, March 9, 2017 3:54 PM

Answers

  • Looks reasonable, but you could instead retrieve the PowerShell property PasswordLastSet, which is already converted into a datetime in the local time zone. Then just do the math against the current datetime. Check the help for Get-ADComputer for details on the PasswordLastSet property.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    • Marked as answer by David4576 Tuesday, March 14, 2017 7:53 PM
    Thursday, March 9, 2017 4:32 PM
    Moderator
  • You need to be using "PasswordLastSet".

    To get days just use math:

    ([datetime]::Today - $_.PasswordLastSet).Days


    \_(ツ)_/

    • Marked as answer by David4576 Tuesday, March 14, 2017 7:53 PM
    Thursday, March 9, 2017 6:22 PM

All replies

  • Looks reasonable, but you could instead retrieve the PowerShell property PasswordLastSet, which is already converted into a datetime in the local time zone. Then just do the math against the current datetime. Check the help for Get-ADComputer for details on the PasswordLastSet property.

    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    So I'm retrieving this property: pwdLastSet

    I don't see any other properties which specify a datetime equivalent.

    Thursday, March 9, 2017 4:46 PM
  • (Get-ADForest).Domains | 
    	ForEach-Object { 
    			Get-ADComputer -Filter "OperatingSystem -notlike '*server*'" -properties Enabled, PasswordLastSet, IPv4Address, OperatingSystem -Server $_
    	} | 
    	Select-Object DNSHostName, Enabled, PasswordLastSet, IPv4Address, OperatingSystem | 
    	Export-Csv AllComputers.csv -NoTypeInformation

    I strongly recommend getting out of the habit of jamming everything on one line. It is hard to read and makes debugging difficult.

    Also your Try/Catch will not be used in your code and is mostly unnecessary.

    Start simple - add complexity a piece at a time.


    \_(ツ)_/


    • Edited by jrv Thursday, March 9, 2017 5:15 PM
    Thursday, March 9, 2017 5:11 PM
  • Looks reasonable, but you could instead retrieve the PowerShell property PasswordLastSet, which is already converted into a datetime in the local time zone. Then just do the math against the current datetime. Check the help for Get-ADComputer for details on the PasswordLastSet property.


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    So I'm retrieving this property: pwdLastSet

    I don't see any other properties which specify a datetime equivalent.

    Hmm - sorry you're right. When I do a get-computer xyz - properties * I thought these were all the attributes I can use, but you're right, PasswordLastSet is an attribute available.
    Thursday, March 9, 2017 5:31 PM
  • (Get-ADForest).Domains | 
    	ForEach-Object { 
    			Get-ADComputer -Filter "OperatingSystem -notlike '*server*'" -properties Enabled, PasswordLastSet, IPv4Address, OperatingSystem -Server $_
    	} | 
    	Select-Object DNSHostName, Enabled, PasswordLastSet, IPv4Address, OperatingSystem | 
    	Export-Csv AllComputers.csv -NoTypeInformation

    I strongly recommend getting out of the habit of jamming everything on one line. It is hard to read and makes debugging difficult.

    Also your Try/Catch will not be used in your code and is mostly unnecessary.

    Start simple - add complexity a piece at a time.


    \_(ツ)_/


    Perfect - the only thing that looks a little off is the output of the following:

    (Get-ADForest).Domains |
    ForEach-Object {
    	Get-ADComputer -Filter "OperatingSystem -notlike '*server*'" -properties Enabled, PasswordLastSet, IPv4Address, OperatingSystem -Server $_
    } |
    Select-Object DNSHostName, Enabled, @{Name="PwdAgeDays";Expression={((Get-Date)-$_.PasswordLastSet)}}, IPv4Address, OperatingSystem |
    Export-Csv AllComputers.csv -NoTypeInformation
    
    
    

    e.g. the PwdAgeDays returns value like:

    "59.07:46:59.1549247"
    "111.02:43:08.3092435"
    "115.03:35:03.6951824"

    Ideally it'd round up/down to just the days. Not sure how I'd do this with a custom property though.

    Cheers

    Thursday, March 9, 2017 5:49 PM
  • This Wiki documents what are called the default and extended properties exposed by Get-ADComputer:

    https://social.technet.microsoft.com/wiki/contents/articles/12056.active-directory-get-adcomputer-default-and-extended-properties.aspx

    The PasswordLastSet is an extended property, meaning it is not retrieved automatically, but should be specified with the -Properties parameter. In addition, Get-ADComputer can retrieve most AD attributes of computer objects, like pwdLastSet (if specified with -Properties). The differences (my definitions, since it is not well documented), and when you get values are explained in this Wiki:

    https://social.technet.microsoft.com/wiki/contents/articles/12031.active-directory-powershell-ad-module-properties.aspx


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, March 9, 2017 6:16 PM
    Moderator
  • Richard / jrv - many thanks, exactly what I was looking for.
    Tuesday, March 14, 2017 7:54 PM
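
The thread's two answers combined into one pipeline stage, as an added example that is not part of the original posts: it emits the password age as whole days and leaves the column empty when PasswordLastSet has no value. The function name `Add-PwdAgeDays`, its `-Now` parameter and the sample rows are hypothetical and constructed for illustration.

```powershell
# Added example (not from the thread). Add-PwdAgeDays and -Now are hypothetical names.
function Add-PwdAgeDays {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true, ValueFromPipeline = $true)]
        [psobject]$Computer,

        # Reference date; defaults to midnight today, as in the accepted answer.
        [datetime]$Now = [datetime]::Today
    )
    process {
        $age = if ($Computer.PasswordLastSet) {
            # .Days is the whole-day part of the TimeSpan (truncated, not rounded).
            ($Now - $Computer.PasswordLastSet).Days
        } else {
            # No timestamp on the object: keep the CSV cell empty instead of failing.
            $null
        }

        [pscustomobject]@{
            DNSHostName     = $Computer.DNSHostName
            Enabled         = $Computer.Enabled
            PwdAgeDays      = $age
            IPv4Address     = $Computer.IPv4Address
            OperatingSystem = $Computer.OperatingSystem
        }
    }
}

# Constructed sample objects standing in for Get-ADComputer output.
$sample = @(
    [pscustomobject]@{ DNSHostName = 'pc01.example.test'; Enabled = $true
                       PasswordLastSet = [datetime]'2017-01-09T10:13:01'
                       IPv4Address = '192.0.2.10'; OperatingSystem = 'Windows 10 Enterprise' }
    [pscustomobject]@{ DNSHostName = 'pc02.example.test'; Enabled = $false
                       PasswordLastSet = $null
                       IPv4Address = $null; OperatingSystem = 'Windows 7 Professional' }
)
$sample | Add-PwdAgeDays -Now ([datetime]'2017-03-09T18:00:00') | Format-Table -AutoSize

# Against the directory (requires the ActiveDirectory module):
# (Get-ADForest).Domains |
#     ForEach-Object {
#         Get-ADComputer -Filter "OperatingSystem -notlike '*server*'" -Properties Enabled, PasswordLastSet, IPv4Address, OperatingSystem -Server $_
#     } |
#     Add-PwdAgeDays |
#     Export-Csv AllComputers.csv -NoTypeInformation
```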