Retrieve Stale Active Directory Computer Accounts
I wrote a simple function using the Active Directory cmdlets to retrieve stale computer accounts. The Get-AD* cmdlets have a parameter called “Filter”. The Filter parameter takes a query string that narrows down the search results. I’m not going to go into detail on the filter syntax here, but I will show you how I used it in my function. Here is the function I wrote:
#Requires -Modules ActiveDirectory
function Get-StaleComputer {
    param(
        [int] $days = 120,      # password age, in days, above which an account counts as stale
        [switch] $lastReset     # also report how many days ago each password was last set
    )
    # Cut-off date: an account whose passwordLastSet is on or before this is "stale"
    $date = (Get-Date).AddDays(-$days)

    if ($lastReset) {
        Get-ADComputer -Filter { passwordLastSet -le $date } -Properties passwordLastSet |
            Select-Object Name, @{ Name = 'DaysSinceLastReset'; Expression = { (New-TimeSpan -Start $_.passwordLastSet -End (Get-Date)).Days } }
    }
    else {
        Get-ADComputer -Filter { passwordLastSet -le $date }
    }
}
I used the filter parameter to retrieve computer accounts whose passwords haven’t been reset in at least 120 days. You can call the function with the days parameter to change that threshold. For example:
Get-StaleComputer -days 365
This retrieves all computer accounts that haven’t reset their passwords in at least a year. If you don’t use the days parameter, the default of 120 days is used. The “lastReset” parameter is a switch that returns each computer’s name together with a property named “DaysSinceLastReset”; its value is the number of days since that computer account last reset its password.
You can also pipe the results of this command to another cmdlet, for example:
Get-StaleComputer -days 365 | Move-ADObject -TargetPath "OU=DisabledComputers,DC=codygros,DC=com"
The above example gets all computers that haven’t reset their password in at least a year and moves them to the DisabledComputers OU.
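Two things a practitioner will want around that pipeline: Move-ADObject only relocates the object, it does not disable the account, and a machine that has simply been off the network for a long time (a spare laptop, a lab box) also stops rotating its password, so a stale passwordLastSet is a strong hint rather than proof that the computer is gone. The function below is an added example, not code from the original post: it cross-checks the stale set against LastLogonDate (the replicated lastLogonTimestamp), writes a review CSV, records why each account was disabled, disables it, and only then moves it, so the action can be reversed if a machine turns out to be live. It reuses the OU from the post; the function name, parameter names and report path are my own choices.

```powershell
#Requires -Modules ActiveDirectory
# Added example (not from the original post): staged cleanup of stale computer
# accounts. Assumes the target OU from the post exists; the function and
# parameter names below are hypothetical.
function Invoke-StaleComputerCleanup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [int]    $Days = 120,
        [string] $TargetOU = 'OU=DisabledComputers,DC=codygros,DC=com',
        [string] $ReportPath = ".\StaleComputers-$(Get-Date -Format yyyyMMdd).csv"
    )

    # Select enabled computers whose password is older than the cut-off.
    # LastLogonDate is the replicated lastLogonTimestamp (accurate to roughly
    # 14 days); a computer with an old password but a recent logon is NOT
    # stale, e.g. a machine that was offline and has since come back.
    $cutoff = (Get-Date).AddDays(-$Days)
    $stale = Get-ADComputer -Filter { passwordLastSet -le $cutoff -and Enabled -eq $true } `
                            -Properties passwordLastSet, LastLogonDate, OperatingSystem, Description |
             Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -le $cutoff }

    # Write the review report before touching anything. -WhatIf:$false makes
    # sure the CSV is produced even during a -WhatIf dry run.
    $stale |
        Select-Object Name, DistinguishedName, OperatingSystem, passwordLastSet, LastLogonDate |
        Export-Csv -Path $ReportPath -NoTypeInformation -WhatIf:$false
    Write-Verbose "Wrote $(@($stale).Count) stale accounts to $ReportPath"

    foreach ($computer in $stale) {
        if ($PSCmdlet.ShouldProcess($computer.Name, "Disable and move to $TargetOU")) {
            # Record when and why the account was disabled so it can be
            # re-enabled confidently if the machine is still in use.
            $note = "Disabled $(Get-Date -Format yyyy-MM-dd): password last set $($computer.passwordLastSet)"
            Set-ADComputer -Identity $computer -Description $note
            Disable-ADAccount -Identity $computer
            # Move last: the DN changes after the move.
            Move-ADObject -Identity $computer -TargetPath $TargetOU
        }
    }
}

# Dry run first: lists what would be disabled and moved, and writes the CSV,
# without changing any account.
Invoke-StaleComputerCleanup -Days 365 -WhatIf
```

Run it once with -WhatIf and review the CSV (domain controllers, cluster name objects and machines with a recent LastLogonDate deserve a second look), then run it again without -WhatIf to disable and move. Deleting the objects is left as a separate, later step once the disabled accounts have sat in the OU long enough for anyone to notice a missing machine.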
This looks great. The only question I have is what password does it check to see has been reset. If a domain user is using a computer and they change their AD password, is it going to show that the computer had a password change?
EricV- Computer accounts in AD have their own passwords. By default, a computer’s password changes every 30 days. So if the password is too old, chances are this computer may no longer exist.