Count Child Items for AD Computer Objects

  • Question

  • I am a PowerShell novice interested in using PowerShell to identify computers lacking the BitLocker recovery key in AD.  I have seen a number of scripts that purport to have this capability, but most of them are rather lengthy--one over 200 lines--and as a novice I don't have the PowerShell skills to understand what those scripts are doing.  For obvious reasons, I am reluctant to run any script in my environment that I do not fully understand.  As for the scripts that are fairly short, I have not had much luck modifying them to my needs.

    My first step was to develop a script that pulls a list of computer names from AD.  Unfortunately, that task is made more difficult by the fact that in my environment we have devices that are not computers (Printers, hand-held POS scanners, etc.) that are set up as computer objects, so the list of computers needs to be cleaned up.  I have a script that successfully pulls all the computer objects and filters out anything that is not an actual computer.

    Now I just need to identify which of those machines are lacking the BitLocker recovery key.  In my research on the subject, I have learned that the BitLocker recovery key is stored as a child item of the computer object and that the object class is msFVE-RecoveryInformation.

    So, if I can count the child items for each computer that are of the msFVE-RecoveryInformation object class, then the computers with no child items should be the machines that do not have the BitLocker recovery key backed up in AD.

    I did find the following command, which works to display computer names and the corresponding recovery keys, but I have not been able to modify it to show only the machines missing the recovery key.

    Get-AdObject -Filter "objectclass -eq 'msFVE-RecoveryInformation'" -Properties DistinguishedName, msFVE-RecoveryPassword, WhenCreated |
    Select-Object -Property @{n="ComputerName";e={$_.DistinguishedName.Split(',',2)[1]}}, msFVE-RecoveryPassword

    Can anyone help me out here?  How can I count the child items for each computer and identify the machines that have no child items?

    Thanks in advance for any help that you can offer!

    --Tom

    Friday, March 15, 2019 9:54 AM

Answers

  • This will give you a report:

    Get-ADComputer -Filter * |
        ForEach-Object{
            [pscustomobject]@{
                ComputerName = $_.Name
                # -SearchScope OneLevel returns only the direct children; the default
                # Subtree scope also returns the computer object itself, so a computer
                # with no children would otherwise show a count of 1 instead of 0.
                ChildCount = (@(Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel)).Count
            }
        }


    \_(ツ)_/

    Friday, March 15, 2019 10:11 PM
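As an added example (not code from the thread), here is the full version of what the question describes and the accepted answer counts: restrict the list to real computers, count only msFVE-RecoveryInformation children of each computer object with -SearchScope OneLevel (so the computer object itself is not counted), and list the machines with a count of zero. The OU path and the operatingSystem pattern are assumptions to adapt to your own environment.

```powershell
# Added example: report computers whose AD object has no msFVE-RecoveryInformation
# child, i.e. no BitLocker recovery password escrowed in AD.
# Assumes the ActiveDirectory module and read access to your own OU only
# (no domain controller access is needed).
Import-Module ActiveDirectory

$SearchBase = 'OU=Workstations,DC=Fabrikam,DC=com'   # placeholder, change to your OU

# Keep only enabled Windows machines; printers, scanners and other devices that are
# registered as computer objects usually have no (or a different) operatingSystem.
$computers = Get-ADComputer -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
    -Properties operatingSystem |
    Where-Object { $_.operatingSystem -like 'Windows*' }

$report = foreach ($c in $computers) {
    # Recovery information objects live directly under the computer object.
    # -SearchScope OneLevel returns only immediate children and excludes the
    # computer object itself, so an unprotected machine really gets a count of 0.
    $keys = @(Get-ADObject -SearchBase $c.DistinguishedName -SearchScope OneLevel `
        -Filter "objectClass -eq 'msFVE-RecoveryInformation'" `
        -Properties whenCreated)

    [pscustomobject]@{
        ComputerName    = $c.Name
        OperatingSystem = $c.operatingSystem
        RecoveryKeys    = $keys.Count
        NewestKey       = if ($keys) { ($keys | Sort-Object whenCreated)[-1].whenCreated } else { $null }
    }
}

# Machines with no escrowed recovery password are the ones to follow up on.
$missing = $report | Where-Object { $_.RecoveryKeys -eq 0 }
$missing | Sort-Object ComputerName | Format-Table -AutoSize

# Full report for your records, e.g. to hand to the team that owns AD.
$report | Export-Csv -Path '.\BitLockerEscrowReport.csv' -NoTypeInformation
```

The NewestKey column helps spot machines whose escrowed password is old, for example after a drive was re-encrypted or a protector was reset but the new password was never backed up.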

All replies

  • To count the number of items, you can use this method

    select @{n="Count";e={($_.property).count}}


    • Edited by Mekac Friday, March 15, 2019 10:33 AM
    Friday, March 15, 2019 10:30 AM
  • Thomas, leave out the counting, just do the AD-Backup.

    Distribute an immediate scheduled task that tries to do the AD backup and "notifies" you if that is not successful:

    for /f "tokens=1,2" %%a in ('manage-bde -protectors -get C: -Type recoverypassword ^| findstr ID') do manage-bde -protectors -adbackup c: -id %%b || md \\server\share\noadbackup\%computername%.txt

    If unsuccessful, a file will be created that is named like the offending computer.

    Friday, March 15, 2019 11:58 AM
  • Ronald,

    Thanks for the suggestion.  At this point, we are just starting to wade into the PowerShell waters, and I'm not sure how receptive my management team would be to the idea of a scheduled task on every machine to help with the project. For now, I am trying to get a few wins under our belts with PowerShell to help management become more comfortable with its use in our environment.

    But I do like the idea and I can see other uses for locally run scripts that report results back. I think that I will test your solution on my own machines. Once we've got a few wins under our belt, I think management will be more receptive to the idea.

    --Tom

    Friday, March 15, 2019 4:12 PM
  • Hello

    Check the script provided in the TechNet Gallery; it will help you:

    https://gallery.technet.microsoft.com/scriptcenter/Count-Objects-Active-2001cb32


    Mark it as the answer if it has solved your question. MCT Regional Lead. x2 MCSE-MCSA Exchange Server & Windows Server

    Friday, March 15, 2019 4:57 PM
  • To count the number of items, you can use this method

    select @{n="Count";e={($_.property).count}}


    Mekac,

    I am not sure how to use that.  I did produce the following command while trying to make it work:

    Get-ADComputer -SearchBase "OU=Workstations,OU=$City,DC=Fabrikam,DC=com" -Filter 'Name -like "*98765"' -Properties * | Select @{n="Count";e={($_.property).count}}

    That runs without errors, but it also produces a count of zero for machines known to have child items.  Assuming that I know the computer name that I want to look at, how do I combine that with your command to count the child objects of the machine?

    --Tom


    • Edited by thomasm516 Friday, March 15, 2019 7:36 PM Corrected a typo
    Friday, March 15, 2019 7:32 PM
  • Hello

    Check the script provided in the TechNet Gallery; it will help you:

    https://gallery.technet.microsoft.com/scriptcenter/Count-Objects-Active-2001cb32


    Mark it as the answer if it has solved your question. MCT Regional Lead. x2 MCSE-MCSA Exchange Server & Windows Server

    Hamid,

    Thanks for the reply.  It looks like that script needs to be run on a domain controller.  Unfortunately, I do not have access to the domain controller.  In my organization, another agency administers AD and I only have access to our OU.

    --Tom

    Friday, March 15, 2019 9:51 PM
  • Hello

    Check the script provided in the TechNet Gallery; it will help you:

    https://gallery.technet.microsoft.com/scriptcenter/Count-Objects-Active-2001cb32


    Mark it as the answer if it has solved your question. MCT Regional Lead. x2 MCSE-MCSA Exchange Server & Windows Server

    Hamid,

    Thanks for the reply.  It looks like that script needs to be run on a domain controller.  Unfortunately, I do not have access to the domain controller.  In my organization, another agency administers AD and I only have access to our OU.

    --Tom

    What makes you think it needs to be run on a DC?


    \_(ツ)_/

    Friday, March 15, 2019 10:03 PM
  • To get child items of an object use Get-AdObject with the parent DN as the SearchBase.

    Get-ADComputer -Filter * | 
        ForEach-Object{
            # -SearchScope OneLevel counts only the direct children; the default Subtree
            # scope would also return the computer object itself and add 1 to every count.
            (@(Get-ADObject -Filter * -SearchBase $_.DistinguishedName -SearchScope OneLevel)).Count
        }

    The first step is to learn basic PowerShell beyond just guessing at code.  Next learn how AD works and how the AD CmdLets work.


    \_(ツ)_/


    • Edited by jrv Friday, March 15, 2019 10:08 PM
    Friday, March 15, 2019 10:07 PM
  • Thomas, any feedback?
    Monday, April 1, 2019 6:29 AM