PasswordLastSet attribute stores information about the password last set for the computer. In the active directory, you can check the last password set date in the Get-ADComputer PasswordLastSet attribute.
In the active directory, it is very important for administrators to keep track of stale computers or inactive computers in the active directory. You can find inactive computers in the active directory using the PasswordLastSet or LastLogonTimeStamp attributes.
In this article, we will discuss how to check the password last set date time for active directory computers and how to use PasswordLastSet and LastLogonTimeStamp attributes to find stale computers in the active directory.
Get-AdComputer PasswordLastSet
Get-AdComputer cmdlet in PowerShell has a PasswordLastSet attribute which stores the information about password’s last set date time.
You can run the below command to get the Get-AdComputer PasswordLastSet date for computers in the active directory
Get-ADComputer -Filter * -Properties * | Select Name, PasswordLastSet
In the above PowerShell script,
Get-AdComputer Filter * return the list of adcomputer names and password last change date time as given below
Find Inactive Computers in Active Directory using PasswordLastSet
You can use the Get-AdComputer PasswordLastSet attribute to find inactive computers in the active directory.
PasswordLastSet attribute stores the last time password reset datetime if you want to find inactive computers using PasswordLastSet, run the below command
$daysInactive = [DateTime]::Today.AddDays(-90) Get-ADComputer -Filter `PasswordLastSet -le $daysInactive' -SearchBase "OU=Sales,DC=SHELLPRO,DC=LOCAL" -properties PasswordLastSet
In the above PowerShell script,
The first command, the $daysInactive variable stores the date before 90 days in it.
The second command uses Get-AdComputer Filter PasswordLastSet to compare with $daysInactive date within the given Searchbase.
It checks for computers where the password last was not reset over 90 days and returns the list of adcomputers.
The list contains computer names that have not reset passwords for over 90 days. It means that these computers are inactive state or stale state if you have a password reset policy of 90 days.
Find Stale Computers in Active Directory using LastLogonTimeStamp
You can find stale adcomputers in the active directory using the LastLogonTimeStamp attribute. LastLogonTimeStamp attribute updates the information about the last logon timestamp every time the user login to the computer.
Use the given below PowerShell script to find stale accounts in the active directory using lastlogontimestamp
$daysInactive = [DateTime]::Today.AddDays(-90)
Get-ADComputer -Filter {lastlogontimestamp -lt $daysInactive} -Properties Name,OperatingSystem , lastlogontimestamp| Select Name,OperatingSystem ,@{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}}
In the above PowerShell script,
$daysInactive variable stores the inactive days period date, in our case it is 90 days old date.
In the second command, it uses Get-AdComputer Filter to compare the lastlogontimestamp attribute value with the $daysInactive period. If the last logon timestamp of the computer is over than specified days, it will return the computer name.
The output of the above command is given below
PS C:\Windows\system32> Get-ADComputer -Filter {lastlogontimestamp -lt $date} -Properties Name,OperatingSystem , lastlogontimestamp| Select Name,OperatingSystem ,@{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}}
Name OperatingSystem lastlogontimestamp
---- --------------- ------------------
OPER-PRO Windows Server 2019 Datacenter 06/23/2021 4:02:05 AMIn the above output, we have found one adcomputer that has the last logon timestamp of over 90 days.
Cool Tip: How to get all computers in the domain using PowerShell!
Conclusion
I hope the above article on how to use the Get-AdComputer PasswordLastSet attribute and using Lastlognontimestamp to find inactive adcomputers in the active directory.
You can use the Export-CSV cmdlet to export list of inactive computers in the active directory to a CSV file.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.