Here’s a great question that someone just posted today on the PowerGUI forums:
I have the latest verions of the Quest AD cmdlets, PowerGUI and the Active Directory PowerPack. Can I use PowerGUI to search for old computer accounts? For example: computer accounts that haven’t had their machine account password reset for over three months?
The timing of this question is perfect because the update of the Active Directory PowerPack that I posted two weeks ago allows you to do this without having to write any scripts yourself. For those of you who want to try this but don’t have the most recent versions of PowerGUI, the Quest AD cmdlets and the Active Directory PowerPack installed, follow those links and download and install those before continuing. Installation instructions are on the appropriate web pages where necessary.
Once you all of the necessary software installed, here’s what you need to do.
Step 1: Add the attributes you need to the list of attributes retrieved from Active Directory.
There are In the PowerGUI Admin Console, expand the “Active Directory” node and click on “Configuration”. This will show you the current domain that PowerGUI will gather data from. You can change this if you like, however you don’t need to unless you want to use alternate credentials or connect to another domain. With the configuration showing in the grid, click on the “Manage default attributes” link. That will present you with a view something like this:
This shows you the current list of attributes that are retrieved for each individual Active Directory object. This will be initially configured with the default attributes as defined by the Quest AD cmdlets plus a few attributes that are required for the Active Directory PowerPack. You can add whatever attributes you want to gather here for any of the object types. To help solve our immediate problem and be able to get a list of computer accounts that have not had their machine account password reset for over three months, we need to add the pwdLastSet attribute for computer objects. To do this, simply click on the “Add attribute…” action, provide the name of the pwdLastSet attribute in the “Attribute name” field and set the “Retrieve attribute for computer objects” value to True. When you click on OK, that attribute configuration will be saved and any computer objects retrieved using the Quest AD cmdlets will have that attribute retrieved with them.
Step 2: Retrieve the objects you want from Active Directory and optionally show the attributes you want to filter on.
Once you have configured PowerGUI so that it will retrieve the pwdLastSet attribute for computer objects, you need to get your computers. You can do this by simply clicking on the “Computers” child node under the “Active Directory” node. This will present you with a list of computer accounts, showing their Name, Type and DN by default.
With the list of computer objects showing, you can optionally add the pwdLastSet attribute to the view by right-clicking in the column headers and selecting “More…” from the menu that appears. With the list of all attributes that can be added showing, scroll down until you find the pwdLastSet attribute and check the checkbox beside it. Then click on OK to save that change and your pwdLastSet attribute will be retrieved with your computer objects from the Computers node.
Step 3: Create a client-side filter to filter out the objects you don’t care about.
With the list of all of your computer objects showing, you can create a filter to reduce the number of objects to those that you need to see. To do this, click on the Filters button above the column headers. This will make the filter panel visible.
You can use this panel to filter any collection based on the properties of the objects in that collection. For our particular problem, we want to see computer objects whose password has not been changed in the last 3 months. We can get that by selecting “pwdLastSet” in the “Property” field, “Less or equal” in the “Operator” field, and selecting the calendar date three months ago in the “Value” field using the calendar control. Once that is set, click on the “Apply” button to apply the filter and your list of computer objects will be filtered to only show those whose machine passwords haven’t changed in the last 3 months.
Step 4: Make the newly filtered data set available in its own node.
Now that you have the data you’re looking after, your “Computers” node is now configured to always show you the filtered list because PowerGUI remembers the filters you apply to nodes. You might not like this configuration, preferring to have a separate node to view the data that you want. Fortunately, PowerGUI lets you do create that easily too, and you still don’t have to do any scripting. To create a separate node that lets you get the same data set, simply click on the “Save As…” button in the filter panel. This will allow you to save the script from the Computers node with the filter you have created automatically applied as a client-side filter for that script. Simply give the new script node a name (something intuitive like “Computers with old passwords” will do), and click on OK to save the new child node. Then you can click on the “Clear All” button in the filter panel for your “Computers” node because that filter will no longer be needed. Now click on your new node and you’ll get the list of computers you are after, and it will look something like the screenshot below.
Step 5: Make your work reusable at any time by taking it one step further.
At this point you have successfully created a new node that gets specifically the data you were looking for and you didn’t have to do any scripting to get it, which is great! You can make it a little better still though. For our specific problem that we’re trying to solve, we created a new node that reports any computer object with a machine account password that hasn’t been changed within 3 months from today. But tomorrow that will be come 3 months and 1 day. The next day that will become 3 months and 2 days. What if you want to customize the node so that it reports computers whose machine accounts have not had their passwords changed in the last 3 months, no matter what day you click on it? For that to work you will have to do a minor script modification.
Right-click on your new “Computers with old passwords” node and select properties. This will show you the script used to retrieve your computers and filter the list. At the very end of that script, you will see something like the following:
func_Computers | Where-Object { $_.'pwdlastset' -le [System.DateTime]"2009-02-08" }
The Where-Object cmdlet contains the filter that is excluding any computers whose pwdLastSet attribute is greater than 3 months from the day we did this (for me that that’s February 8, 2009 since I created the node on May 8, 2009). To change that filter so that it always works using a date 3 months earlier than now, you simply need to replace [System.DateTime]”2009-02-08” with (Get-Date).AddMonths(-3). That changes the end of our script to this:
func_Computers | Where-Object { $_.'pwdlastset' -le (Get-Date).AddMonths(-3) }
That’s it! A simple replacement of the filter condition and you’re off and running with a brand new node designed to meet your specific needs with PowerGUI, the Quest AD cmdlets and the Active Directory PowerPack!
In a future article I’ll show you just how simple it is for you to take a collection of extensions to PowerPacks that you have created like this and package them up in a PowerPack so that you can share them with other users in the Community as well!
Enjoy!
Kirk out.
| Share this post: |  |
 |
 |
 |
 |
 |
 |
 |
 |
Poshoholic 