如何使用 PowerShell 查找 Active Directory 域中 x 天内处于非活动状态的所有计算机帐户?
请注意,我确实知道如何做到这一点。这是一个自问自答的问题,只是为了传播知识。如果其他人有更好的方法,请随时发布!
答案1
这将为您提供过去 365 天内没有活动的所有计算机帐户。
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00
这将按照上次登录日期为您排序。
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 | Sort-Object lastlogondate | Ft name,lastlogondate -auto
这会禁用您的计算机帐户。
Search-ADAccount -AccountDisabled -ComputersOnly
答案2
计算机默认每 30 天更改一次账户密码。如果计算机长时间没有更改密码,则意味着它不再连接到网络。
此 PowerShell 脚本将输出 2 个文本文件。一个用于已禁用的计算机,一个用于孤立的计算机帐户对象。您必须安装 Active Directory PowerShell 模块。
在此示例中,我排除了“加密笔记本电脑”OU,因为它们是长时间断开连接的移动笔记本电脑。如果您没有类似的设置,可以删除该部分
Import-Module ActiveDirectory
$Date = [DateTime]::Today
#Sets the deadline for when computers should have last changed their password by.
$Deadline = $Date.AddDays(-365)
#Makes the date string for file naming
$FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year
#Generates a list of computer accounts that are enabled and aren't in the Encrypted Computers OU, but haven't set their password since $Deadline
$OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE)} -Properties PasswordLastSet -ResultSetSize $NULL |
Where {$_.DistinguishedName -notlike "*Encrypted Laptops*"} |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Generates a list of computer accounts that are disabled and sorts by name.
$DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE)} -Properties PasswordLastSet -ResultSetSize $null |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created.
if ($OldList -ne $NULL) {
Out-File "C:\users\marra\desktop\Old$Filename.txt" -InputObject $OldList
}
if ($DisabledList -ne $NULL) {
Out-File "C:\users\marra\desktop\Disabled$Filename.txt" -InputObject $DisabledList
}
答案3
万分感谢!我想对此进行一些调整。我需要仅查找已禁用或未禁用且未投入生产的服务器。这就是我想出的办法,而且似乎有效。
Import-Module ActiveDirectory
$Date = [DateTime]::Today
#Sets the deadline for when computers should have last changed their password by.
$Deadline = $Date.AddDays(-365)
#Makes the date string for file naming
$FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year
#Generates a list of computer server accounts that are enabled, but haven't set their password since $Deadline
$OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $NULL |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Generates a list of computer server accounts that are disabled and sorts by name.
$DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $null |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created.
if ($OldList -ne $NULL) {
Out-File "C:\temp\Old$Filename.txt" -InputObject $OldList
}
if ($DisabledList -ne $NULL) {
Out-File "C:\temp\Disabled$Filename.txt" -InputObject $DisabledList
}
答案4
我知道 OP 明确要求使用 PowerShell,但如果您不喜欢它、没有它并且不想学习另一种 Microsoft 语法,那么以下 Python 代码片段将为您提供正确格式的日期以用于 LDAP 查询。
import datetime, time
def w32todatetime(w32):
return datetime.fromtimestamp((w32/10000000) - 11644473600)
def datetimetow32(dt):
return int((time.mktime(dt.timetuple()) + 11644473600) * 10000000)
90daysago = datetime.datetime.now() - datetime.timedelta(days=90)
print datetimetow32(90daysago)
然后可以按如下方式使用它来查找过去 90 天内未更改密码的所有 Windows 计算机。
(&(objectCategory=computer)(objectClass=computer)(operatingSystem=Windows*)(pwdLastSet<=130604356890000000))
您可能只需要 30 天,因为 Windows 机器更改密码的默认期限为 30 天,但如果您忘记了放在 Bob 的桌子下面且从未打开过的那台 PC,90 天似乎更安全。
编辑:哦,另外,我省略了时区支持,这在这种用例中可能并不重要,但在其他用例中可能很重要。