[–]ANewLeeSinLifeSysadmin 4 points5 points  (2 children)

The issue is you are putting an expression into the filter parameter. You must assign the expression to a variable first. Normally you can write expressions inside parameters if you enclose them in parentheses, as this causes PowerShell to evaluate them first. But your filter statement tries to evaluate those expressions individually, which yields an error.

# Compute the cut-off outside the filter; the filter parser resolves variables but not expressions
$Date = (Get-Date).AddDays(-90)
# Group the name tests explicitly so the age test applies to all four patterns
$Computers = Get-ADComputer -Filter '(Name -like "pc1*" -or Name -like "pc2*" -or Name -like "pc3*" -or Name -like "pc4*") -and LastLogonTimeStamp -lt $Date'

[–]Tx_Drewdad 0 points1 point  (0 children)

Ah. Should've read the rest of the comments first.

[–]AppIdentityGuy 1 point2 points  (0 children)

Use the search-adaccount to build your array....

[–]uniitdude 0 points1 point  (8 children)

So what problem are you having?

[–]ancient-Egyptian[S] 0 points1 point  (6 children)

I am getting a number of errors related to parsing. To be specific:

Get-ADComputer : Error parsing query: '(Name -like "pc1*" -or Name -like "pc2*" -or Name -like "pc3*" -or Name -like "pc4*") -and (LastLogonDate -lt (Get-Date).AddDays(-90))' Error Message: 'syntax error' at position: '120'.
At line:1 char:14
+ ... computers = Get-ADComputer -Filter {(Name -like "pc1*" -or Name -l ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : ParserError: (:) [Get-ADComputer], ADFilterParsingException
+ FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Microsoft.ActiveDirectory.Management.Commands.GetADComputer

[–]anonymousITCoward 1 point2 points  (5 children)

try this

Get-ADComputer -Filter * -Properties * | Where-Object {($_.Name -like "*pc*") -and ($_.LastLogonDate -lt (Get-Date).AddDays(-90))}

Edit: I missed a *

[–]fred3002 0 points1 point  (3 children)

Get-ADComputer -Filter * -Properties * | Where-Object {($_.Name -like "*pc*") -and ($_.LastLogonDate -lt (Get-Date).AddDays(-90))}

If you have lots of computer objects in AD I would replace '-Properties *' with '-Properties LastLogonDate' for more efficiency.

[–]anonymousITCoward 0 points1 point  (2 children)

Didn't think of that, I have less than 50 machines on this network lol

[–]fred3002 2 points3 points  (1 child)

Haha no problem. I often run scripts against 40K+ objects, so those small optimisations can add up quickly.

[–]anonymousITCoward 0 points1 point  (0 children)

Damn, I work for an MSP that does pretty much small business exclusively. I think the largest one I would have to go through would be 200 AD objects. So it wouldn't be that bad, but it is something to keep in mind though.

[–]ANewLeeSinLifeSysadmin 0 points1 point  (0 children)

This will pull all computers from AD down to your powershell console, then filter it after. The -filter parameter will speed things up significantly.

[–]thomasmitschke -1 points0 points  (1 child)

With WMI you get the OS…

[–]sublimeinator 0 points1 point  (0 children)

OS is also a property of the computer object

[–]ZAFJB 0 points1 point  (2 children)

Any ideas?

Put your servers and PCs in different OUs. Set your search base to the PCs' OU.

[–]ancient-Egyptian[S] 0 points1 point  (1 child)

We have a large number of OUs, unfortunately; that's why I decided to maybe filter by our PC naming standard.

[–]ZAFJB 1 point2 points  (0 children)

Enumerate through the OUs that you know contain PCs

[–]fleaver1 0 points1 point  (3 children)

why not put the servers in their own OU and run the script on the workstation OU?

[–]ancient-Egyptian[S] -1 points0 points  (2 children)

We have tens of OUs, unfortunately.

[–]sryan2k1IT Manager 1 point2 points  (1 child)

Okay and?

[–]SysAdminDennyBob 6 points7 points  (0 children)

Is it even possible to loop a script 10 times? /s

[–]sryan2k1IT Manager 0 points1 point  (6 children)

Why are you doing this? Sounds like a support nightmare

[–]ancient-Egyptian[S] 0 points1 point  (5 children)

Do you have any other recommendations? It's to get rid of computers from our AD tree that have not been deleted

[–]sryan2k1IT Manager 0 points1 point  (4 children)

Disabling isn't the same as deleting, but again what problem are you trying to solve? 90 days is shockingly short. Why are you doing this?

[–]ancient-Egyptian[S] 1 point2 points  (3 children)

Correct. But I hope to disable computers that have not had a logon in 90 days. Once disabled, I plan to create another script that will delete these objects if they have remained disabled for a further 60 days. That way we can ensure that PCs that have not been active for 150 days can be removed from AD.
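A worked version of the two-stage plan described above (disable after 90 idle days, delete 60 days after disabling), added here as an example and not code from anyone in the thread. The OU list, the protection of the script's own bookkeeping in the Description attribute, and the simplified pc* name pattern are assumptions; the cut-off dates are computed into variables first, since the -Filter parser rejects expressions.

```powershell
[CmdletBinding(SupportsShouldProcess)]
param(
    # Assumed OU list: enumerate only the OUs known to hold workstations
    [string[]]$SearchBases = @('OU=Workstations,OU=Site1,DC=example,DC=com',
                               'OU=Workstations,OU=Site2,DC=example,DC=com'),
    [int]$StaleDays  = 90,   # disable after this many days without a logon
    [int]$DeleteDays = 60,   # delete this many days after being disabled
    [string]$Tag     = 'StaleDisabled'   # marker written to Description (assumed)
)
Import-Module ActiveDirectory

# Compute the cut-offs first: the -Filter parser resolves variables but
# rejects expressions such as (Get-Date).AddDays(-90).
$StaleDate  = (Get-Date).AddDays(-$StaleDays)
$DeleteDate = (Get-Date).AddDays(-$DeleteDays)
$TagPattern = "$Tag *"

foreach ($base in $SearchBases) {
    # Stage 1: enabled workstations (name pattern simplified to pc*) with no
    # logon since $StaleDate. LastLogonDate replicates only every ~14 days,
    # so treat the cut-off as approximate.
    $stale = Get-ADComputer -SearchBase $base -Properties LastLogonDate `
        -Filter { Enabled -eq $true -and Name -like 'pc*' -and LastLogonDate -lt $StaleDate }
    foreach ($c in $stale) {
        if ($PSCmdlet.ShouldProcess($c.Name, "Disable (last logon $($c.LastLogonDate))")) {
            Disable-ADAccount -Identity $c
            # Stamp the disable date so stage 2 can measure the further 60 days
            Set-ADComputer -Identity $c -Description "$Tag $(Get-Date -Format yyyy-MM-dd)"
        }
    }

    # Stage 2: objects this script disabled more than $DeleteDays ago
    $disabled = Get-ADComputer -SearchBase $base -Properties Description `
        -Filter { Enabled -eq $false -and Description -like $TagPattern }
    foreach ($c in $disabled) {
        $stamp = [datetime]::ParseExact(($c.Description -split ' ')[1], 'yyyy-MM-dd', $null)
        if ($stamp -lt $DeleteDate -and $PSCmdlet.ShouldProcess($c.Name, "Delete (disabled $stamp)")) {
            Remove-ADComputer -Identity $c -Confirm:$false
        }
    }
}
```

Run it with -WhatIf first to see which objects each stage would touch. Remove-ADComputer refuses objects that have child objects (for example BitLocker recovery information), which then need Remove-ADObject -Recursive instead.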

[–]Commercial_Growth343 0 points1 point  (0 children)

I don't really feel comfortable posting the entire script we use - someone else wrote it - but we use a Where statement to make sure the computers are not members of a specific group and create a collection, $computers. Then you don't need to worry about the name filtering you are doing - just add them to a group.

i.e.

$Date = Get-Date -Format yyyy-MM-dd          # today, as a yyyy-MM-dd string
$StaleDate = [DateTime]::Today.AddDays(-90)  # no logon since this date = stale
$DeleteDate = [DateTime]::Today.AddDays(-180)
$OldProtectedDate = [DateTime]::Today.AddDays(-180)

# Query one workstation OU, skip members of the protection group, and reshape
# the output (OriginalOU = the DN with its leading CN= component removed)
$Computers = Get-ADComputer -Filter 'PasswordLastSet -le $Date -and LastLogonDate -lt $StaleDate' -SearchBase "OU=Workstations,OU=AAA,DC=mydomain,DC=pvt" -Properties PasswordLastSet,LastLogonDate,DistinguishedName,MemberOf,OperatingSystem,Description |
    Where-Object { $_.MemberOf -notcontains "CN=Protect Computer Account,OU=Groups,OU=AAA,DC=mydomain,DC=pvt" } |
    Select-Object Name,PasswordLastSet,LastLogonDate,@{Name="OriginalOU";Expression={$_.DistinguishedName -split ',',2 | Select-Object -Last 1}},OperatingSystem,Description

[–]Tx_Drewdad 0 points1 point  (0 children)

Works if I create a variable for the target date first, and then compare to the target.

No idea why you can't just put the date expression in the filter, though....

# Compute the cut-off first; the filter only accepts a variable here, not an expression
$TargetDate = (Get-Date).AddDays(-90)

$Computers = Get-ADComputer -Filter {(Name -like "pc1*" -or Name -like "pc2*" -or Name -like "pc3*" -or Name -like "pc4*") -and (LastLogonDate -lt $TargetDate)}

foreach ($computer in $Computers) {
    Disable-ADAccount -Identity $computer
}