如何使用PowerShell在Active Directory中查找孤立的计算机对象？

这会给你在过去365天没有任何活动的所有计算机帐户。

Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 

这将通过lastlogondate为您sorting。

 Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 | Sort-Object lastlogondate | Ft name,lastlogondate -auto 

这会给你禁用电脑帐户。

 Search-ADAccount -AccountDisabled -ComputersOnly 

计算机默认每隔30天更改其帐户密码。 如果计算机长时间没有更改密码，则意味着它们不再连接到networking。

这个PowerShell脚本将输出2个文本文件。 一个是禁用电脑，一个是孤立的计算机帐户对象。 您必须安装Active Directory PowerShell模块。

在本例中，我排除了“Encrypted Laptops”OU，因为它们是长时间断开的移动笔记本电脑。 如果您没有类似的设置，您可以删除该部分

 Import-Module ActiveDirectory $Date = [DateTime]::Today #Sets the deadline for when computers should have last changed their password by. $Deadline = $Date.AddDays(-365) #Makes the date string for file naming $FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year #Generates a list of computer accounts that are enabled and aren't in the Encrypted Computers OU, but haven't set their password since $Deadline $OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE)} -Properties PasswordLastSet -ResultSetSize $NULL | Where {$_.DistinguishedName -notlike "*Encrypted Laptops*"} | Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto #Generates a list of computer accounts that are disabled and sorts by name. $DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE)} -Properties PasswordLastSet -ResultSetSize $null | Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto #Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created. if ($OldList -ne $NULL) { Out-File "C:\users\marra\desktop\Old$Filename.txt" -InputObject $OldList } if ($DisabledList -ne $NULL) { Out-File "C:\users\marra\desktop\Disabled$Filename.txt" -InputObject $DisabledList } 

一百万谢谢你！ 我想添加我的调整。 我只需要find已被禁用或未被禁用且未投入生产的服务器。 这是我想出来的，它似乎工作。

 Import-Module ActiveDirectory $Date = [DateTime]::Today #Sets the deadline for when computers should have last changed their password by. $Deadline = $Date.AddDays(-365) #Makes the date string for file naming $FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year #Generates a list of computer server accounts that are enabled, but haven't set their password since $Deadline $OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $NULL | Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto #Generates a list of computer server accounts that are disabled and sorts by name. $DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $null | Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto #Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created. if ($OldList -ne $NULL) { Out-File "C:\temp\Old$Filename.txt" -InputObject $OldList } if ($DisabledList -ne $NULL) { Out-File "C:\temp\Disabled$Filename.txt" -InputObject $DisabledList } 

我知道OP明确要求PowerShell，但如果你不喜欢它，没有它，不想学习另一个Microsoft语法，那么下面的Python片段会给你一个正确格式的date来使用与LDAP查询。

 import datetime, time def w32todatetime(w32): return datetime.fromtimestamp((w32/10000000) - 11644473600) def datetimetow32(dt): return int((time.mktime(dt.timetuple()) + 11644473600) * 10000000) 90daysago = datetime.datetime.now() - datetime.timedelta(days=90) print datetimetow32(90daysago) 

然后可以如下使用它来查找在过去90天内没有更改密码的所有Windows计算机。

 (&(objectCategory=computer)(objectClass=computer)(operatingSystem=Windows*)(pwdLastSet<=130604356890000000)) 

您可能只需要30个作为Windows机器的默认时间来更改他们的密码是30天，但90个似乎更安全的情况下，你忘记了鲍勃的桌子下面坐着电脑，永远不会打开。

编辑：哦，我也省略了时区支持，这可能在这个用例并不重要，但可能在其他地方。