如何使用 PowerShell 在 Active Directory 中查找孤立的计算机对象？

这将为您提供过去 365 天内没有活动的所有计算机帐户。

Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00

这将按照上次登录日期为您排序。

Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 | Sort-Object lastlogondate | Ft name,lastlogondate -auto

这会禁用您的计算机帐户。

Search-ADAccount -AccountDisabled -ComputersOnly 

计算机默认每 30 天更改一次账户密码。如果计算机长时间没有更改密码，则意味着它不再连接到网络。

此 PowerShell 脚本将输出 2 个文本文件。一个用于已禁用的计算机，一个用于孤立的计算机帐户对象。您必须安装 Active Directory PowerShell 模块。

在此示例中，我排除了“加密笔记本电脑”OU，因为它们是长时间断开连接的移动笔记本电脑。如果您没有类似的设置，可以删除该部分

Import-Module ActiveDirectory

$Date = [DateTime]::Today

#Sets the deadline for when computers should have last changed their password by.
$Deadline = $Date.AddDays(-365)   

#Makes the date string for file naming
$FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year 


#Generates a list of computer accounts that are enabled and aren't in the Encrypted Computers OU, but haven't set their password since $Deadline
$OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE)} -Properties PasswordLastSet -ResultSetSize $NULL |
Where {$_.DistinguishedName -notlike "*Encrypted Laptops*"} | 
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto 

#Generates a list of computer accounts that are disabled and sorts by name.
$DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE)} -Properties PasswordLastSet -ResultSetSize $null | 
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto

#Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created.
if ($OldList -ne $NULL) {
    Out-File "C:\users\marra\desktop\Old$Filename.txt" -InputObject $OldList
}

if ($DisabledList -ne $NULL) {
    Out-File "C:\users\marra\desktop\Disabled$Filename.txt" -InputObject $DisabledList
}

万分感谢！我想对此进行一些调整。我需要仅查找已禁用或未禁用且未投入生产的服务器。这就是我想出的办法，而且似乎有效。

Import-Module ActiveDirectory

$Date = [DateTime]::Today

#Sets the deadline for when computers should have last changed their password by.
$Deadline = $Date.AddDays(-365)   

#Makes the date string for file naming
$FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year 

#Generates a list of computer server accounts that are enabled, but haven't set their password since $Deadline
$OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $NULL |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto 

#Generates a list of computer server accounts that are disabled and sorts by name.
$DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $null | 
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto

#Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created.
if ($OldList -ne $NULL) {
    Out-File "C:\temp\Old$Filename.txt" -InputObject $OldList
}

if ($DisabledList -ne $NULL) {
    Out-File "C:\temp\Disabled$Filename.txt" -InputObject $DisabledList
} 

我知道 OP 明确要求使用 PowerShell，但如果您不喜欢它、没有它并且不想学习另一种 Microsoft 语法，那么以下 Python 代码片段将为您提供正确格式的日期以用于 LDAP 查询。

import datetime, time
def w32todatetime(w32):
    return datetime.fromtimestamp((w32/10000000) - 11644473600)
def datetimetow32(dt):
    return int((time.mktime(dt.timetuple()) + 11644473600) * 10000000)

90daysago = datetime.datetime.now() - datetime.timedelta(days=90)
print datetimetow32(90daysago)

然后可以按如下方式使用它来查找过去 90 天内未更改密码的所有 Windows 计算机。

(&(objectCategory=computer)(objectClass=computer)(operatingSystem=Windows*)(pwdLastSet<=130604356890000000))

您可能只需要 30 天，因为 Windows 机器更改密码的默认期限为 30 天，但如果您忘记了放在 Bob 的桌子下面且从未打开过的那台 PC，90 天似乎更安全。

编辑：哦，另外，我省略了时区支持，这在这种用例中可能并不重要，但在其他用例中可能很重要。