Answers:
这将为您提供最近365天没有任何活动的所有计算机帐户。
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00这将按lastlogondate为您排序。
Search-ADAccount -AccountInactive -ComputersOnly -TimeSpan 365.00:00:00 | Sort-Object lastlogondate | Ft name,lastlogondate -auto这将使您禁用计算机帐户。
Search-ADAccount -AccountDisabled -ComputersOnly 默认情况下,计算机每30天更改一次其帐户密码。如果计算机长时间未更改密码,则意味着它们不再连接到网络。
该PowerShell脚本将输出2个文本文件。一种用于禁用的计算机,一种用于孤立的计算机帐户对象。您必须安装Active Directory PowerShell模块。
在此示例中,我排除了“加密笔记本电脑” OU,因为它们是长时间断开连接的移动笔记本电脑。如果您没有类似的设置,则可以删除该部分
Import-Module ActiveDirectory
$Date = [DateTime]::Today
#Sets the deadline for when computers should have last changed their password by.
$Deadline = $Date.AddDays(-365)
#Makes the date string for file naming
$FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year
#Generates a list of computer accounts that are enabled and aren't in the Encrypted Computers OU, but haven't set their password since $Deadline
$OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE)} -Properties PasswordLastSet -ResultSetSize $NULL |
Where {$_.DistinguishedName -notlike "*Encrypted Laptops*"} |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Generates a list of computer accounts that are disabled and sorts by name.
$DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE)} -Properties PasswordLastSet -ResultSetSize $null |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created.
if ($OldList -ne $NULL) {
Out-File "C:\users\marra\desktop\Old$Filename.txt" -InputObject $OldList
}
if ($DisabledList -ne $NULL) {
Out-File "C:\users\marra\desktop\Disabled$Filename.txt" -InputObject $DisabledList
}一百万谢谢!我想对此做些调整。我只需要查找已禁用或未禁用且不在生产中的服务器。这是我想出的,它似乎起作用了。
Import-Module ActiveDirectory
$Date = [DateTime]::Today
#Sets the deadline for when computers should have last changed their password by.
$Deadline = $Date.AddDays(-365)
#Makes the date string for file naming
$FileName = [string]$Date.month + [string]$Date.day + [string]$Date.year
#Generates a list of computer server accounts that are enabled, but haven't set their password since $Deadline
$OldList = Get-ADComputer -Filter {(PasswordLastSet -le $Deadline) -and (Enabled -eq $TRUE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $NULL |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Generates a list of computer server accounts that are disabled and sorts by name.
$DisabledList = Get-ADComputer -Filter {(Enabled -eq $FALSE) -and (OperatingSystem -Like "Windows *Server*")} -Properties PasswordLastSet -ResultSetSize $null |
Sort-Object -property Name | FT Name,PasswordLastSet,Enabled -auto
#Creates the two files, assuming they are not $NULL. If they are $NULL, the file will not be created.
if ($OldList -ne $NULL) {
Out-File "C:\temp\Old$Filename.txt" -InputObject $OldList
}
if ($DisabledList -ne $NULL) {
Out-File "C:\temp\Disabled$Filename.txt" -InputObject $DisabledList
} 我知道OP明确要求使用PowerShell,但如果您不喜欢它,就不要使用它,并且又不想学习另一种Microsoft语法,那么以下Python代码段将为您提供使用正确格式的日期LDAP查询。
import datetime, time
def w32todatetime(w32):
return datetime.fromtimestamp((w32/10000000) - 11644473600)
def datetimetow32(dt):
return int((time.mktime(dt.timetuple()) + 11644473600) * 10000000)
90daysago = datetime.datetime.now() - datetime.timedelta(days=90)
print datetimetow32(90daysago)然后可以按以下方式使用它来查找在过去90天内未更改其密码的所有Windows计算机。
(&(objectCategory=computer)(objectClass=computer)(operatingSystem=Windows*)(pwdLastSet<=130604356890000000))您可能只需要30天,因为Windows机器更改密码的默认期限是30天,但90天似乎更安全,以防您忘记了坐在Bob办公桌下却永远无法开机的PC。
编辑:哦,我也省略了时区支持,在这种情况下这可能无关紧要,但在其他情况下则可能如此。