Get-AdComputer PasswordLastSet – Find Stale Computers

PasswordLastSet attribute stores information about the password last set for the computer. In the active directory, you can check the last password set date in the Get-ADComputer PasswordLastSet attribute.

In the active directory, it is very important for administrators to keep track of stale computers or inactive computers in the active directory. You can find inactive computers in the active directory using the PasswordLastSet or LastLogonTimeStamp attributes.

In this article, we will discuss how to check password last set date time for active directory computer and how to use PasswordLastSet and LastLogonTimeStamp attributes to find stale computers in the active directory.

Get-AdComputer PasswordLastSet

Get-AdComputer cmdlet in PowerShell has PasswordLastSet attribute which stores the information about password last set date time.

You can run the below command to get the Get-AdComputer PasswordLastSet date for computers in the active directory

Get-ADComputer -Filter * -Properties * | Select Name, PasswordLastSet

In the above PowerShell script,

Get-AdComputer Filter * return the list of adcomputers name and password last change date time as given below

Get-AdComputer PasswordLastSet
Get-AdComputer PasswordLastSet

Find Inactive Computers in Active Directory using PasswordLastSet

You can use the Get-AdComputer PasswordLastSet attribute to find inactive computers in the active directory.

PasswordLastSet attribute stores last time password reset datetime if you want to find inactive computers using PasswordLastSet, run below command

$daysInactive = [DateTime]::Today.AddDays(-90)
Get-ADComputer -Filter  `PasswordLastSet -le $daysInactive' -SearchBase "OU=Sales,DC=SHELLPRO,DC=LOCAL" -properties PasswordLastSet

In the above PowerShell script,

The first command, $daysInactive variable stores the date before 90 days in it.

The second command uses Get-AdComputer Filter PasswordLastSet to compare with $daysInactive date within the given Searchbase.

It checks for computers where the password last was not reset over 90 days and returns the list of adcomputers.

The list contains computer names that have not reset passwords for over 90 days. It means that these computers are inactive state or stale state if you have a password reset policy of 90 days.

Find Stale Computers in Active Directory using LastLogonTimeStamp

You can find stale adcomputers in the active directory using the LastLogonTimeStamp attribute. LastLogonTimeStamp attribute updates the information about the last logon timestamp every time the user login to the computer.

Use the given below PowerShell script to find stale accounts in the active directory using lastlogontimestamp

$daysInactive = [DateTime]::Today.AddDays(-90)

Get-ADComputer -Filter {lastlogontimestamp -lt $daysInactive}  -Properties Name,OperatingSystem , lastlogontimestamp| Select Name,OperatingSystem ,@{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}}

In the above PowerShell script,

$daysInactive variable stores the inactive days period date, in our case it is 90 days old date.

In the second command, it uses Get-AdComputer Filter to compare the lastlogontimestamp attribute value with $daysInactive period. If the last logon timestamp of the computer is over than specified days, it will return the computer name.

The output of the above command is given below

PS C:\Windows\system32> Get-ADComputer -Filter {lastlogontimestamp -lt $date}  -Properties Name,OperatingSystem , lastlogontimestamp| Select Name,OperatingSystem ,@{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}}

Name     OperatingSystem                lastlogontimestamp
----     ---------------                ------------------
OPER-PRO Windows Server 2019 Datacenter 06/23/2021 4:02:05 AM

In the above output, we have found one adcomputer that has the last logon timestamp of over 90 days.

Conclusion

I hope the above article on how to use Get-AdComputer PasswordLastSet attribute and using Lastlognontimestamp to find inactive adcomputers in the active directory.

You can use Export-CSV cmdlet to export list of inactive computers in the active directory to csv file.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

Leave a Comment