PowerShell script to find old AD computers by last login time

Import-Module ActiveDirectory
$logdate = Get-Date -Format yyyyMMdd
$logfile = "c:\scripts\logs\ExpiredComputers - "+$logdate+".csv"
$mail = "yramasamy@xybion.com"
$smtpserver = ""   # set this to your SMTP server before running
$emailFrom = "GlobalServiceDesk@xybion.com"
$domain = "xybioncorp.local"
$emailTo = "$mail"
$subject = "Old computers in Active Directory"
$DaysInactive = 180
$time = (Get-Date).AddDays(-($DaysInactive))
$body = "Please find the inactive computers file. Please review"

# Change this line to the specific OU that you want to search
$searchOU = "DC=xybioncorp, DC=local"

# Get all enabled AD computers with LastLogon less than our time
# and output hostname and LastLogon into CSV.
# Note: LastLogon is not replicated between domain controllers, so the
# value returned is the one held by the DC that answers this query.
Get-ADComputer -SearchBase $searchOU -Filter {LastLogon -lt $time -and Enabled -eq $true} -Properties LastLogon, Description, OperatingSystem |
    Select-Object Name, DistinguishedName, Description, OperatingSystem, Enabled, @{Name="Stamp"; Expression={[DateTime]::FromFileTime($_.LastLogon)}} |
    Export-Csv $logfile -NoTypeInformation

Send-MailMessage -To $emailTo -From $emailFrom -Subject $subject -Body $body -Attachments $logfile -SmtpServer $smtpserver
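
The script above reads lastLogon, which each domain controller maintains on its own and does not replicate, so a single query can list a computer as inactive while it has been authenticating against another DC. The following added example (not part of the original post) merges per-DC results and keeps the newest value per computer before applying the 180-day cutoff; the DC names, computer names and timestamps are constructed sample data and Get-StaleComputer is a hypothetical helper.

```powershell
# Constructed rows. In a live domain they would come from running the
# Get-ADComputer query once per domain controller with -Server.
$now = Get-Date
$perDcResults = @(
    [pscustomobject]@{ DC = 'DC01'; Name = 'WS-001'; LastLogon = $now.AddDays(-400).ToFileTime() }
    [pscustomobject]@{ DC = 'DC02'; Name = 'WS-001'; LastLogon = $now.AddDays(-3).ToFileTime() }
    [pscustomobject]@{ DC = 'DC01'; Name = 'WS-002'; LastLogon = $now.AddDays(-365).ToFileTime() }
    [pscustomobject]@{ DC = 'DC02'; Name = 'WS-002'; LastLogon = $now.AddDays(-200).ToFileTime() }
    [pscustomobject]@{ DC = 'DC01'; Name = 'WS-003'; LastLogon = [long]0 }   # 0 = never logged on via this DC
    [pscustomobject]@{ DC = 'DC02'; Name = 'WS-003'; LastLogon = [long]0 }
)

function Get-StaleComputer {
    param(
        [Parameter(Mandatory)] [object[]] $Results,
        [int] $DaysInactive = 180,
        [DateTime] $Now = (Get-Date)
    )
    $cutoff = $Now.AddDays(-$DaysInactive).ToFileTime()
    foreach ($group in ($Results | Group-Object -Property Name)) {
        # lastLogon is per-DC, so the usable value is the newest one seen on any DC
        $newest = $group.Group | Sort-Object -Property LastLogon -Descending | Select-Object -First 1
        if ($newest.LastLogon -lt $cutoff) {
            [pscustomobject]@{
                Name        = $group.Name
                # FromFileTime(0) would print a date in 1601, so report never-used accounts explicitly
                NewestLogon = if ($newest.LastLogon -gt 0) { [DateTime]::FromFileTime($newest.LastLogon) } else { $null }
                SeenOnDC    = $newest.DC
                NeverLogged = ($newest.LastLogon -eq 0)
            }
        }
    }
}

# WS-001 is older than the cutoff on DC01 alone but recent on DC02.
Get-StaleComputer -Results $perDcResults -DaysInactive 180 -Now $now | Format-Table -AutoSize
```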

The AD Recycle Bin: Understanding, Implementing, Best Practices, and Troubleshooting

Active Directory: How to Get User Login History using PowerShell

Management of SIDs in Active Directory

Active Directory: How to List All Computers in OU using PowerShell

$OUpath = 'ou=Managers,dc=enterprise,dc=com'
$ExportPath = 'c:\data\computers_in_ou.csv'
Get-ADComputer -Filter * -SearchBase $OUpath | Select-Object DistinguishedName,DNSHostName,Name | Export-Csv -NoTypeInformation $ExportPath

To export all computers in mydomain.com's servers OU to machines.txt:

DSQUERY COMPUTER "OU=servers,DC=mydomain,DC=com" -o rdn -limit 1000 > c:\machines.txt

Active Directory Domain Services (AD DS) Commands and Scripts



Identify OCS enabled users in Active Directory

Dsquery * -filter (msRTCSIP-UserEnabled=TRUE) -limit 0 -attr name samaccountname

Query Password Last Set (pwdlastset) value

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -limit 0 -attr name pwdlastset

Note: Time can be converted using the w32tm /ntte command.

Search Password Never Expires Settings

Dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr samaccountname name

User accounts with no pwd required

Dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)


User accounts that are disabled

Dsquery * domainroot -filter "(&(objectCategory=Person)(objectClass=User)

Password Expiring information

dsget user CN=User1,DC=santhosh,DC=la -acctexpires
dsquery * -limit 0

Password Expiring in 30 Days

dsquery * -limit 0 -filter "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=4194304))" -attr name samaccountname

User accounts with “Do not require kerberos preauthentication” enabled

Dsquery * -limit 0 "(&(objectCategory=person)(objectClass=user)
-attr samaccountname name
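
The queries in this section test individual bits of userAccountControl with the matching rule 1.2.840.113556.1.4.803 (bitwise AND) and return pwdLastSet as a raw FILETIME number. The following added example, which is not taken from the referenced article, decodes both offline: 65536 is DONT_EXPIRE_PASSWORD and 4194304 is DONT_REQ_PREAUTH. The account names and values are constructed, and the three functions are hypothetical helpers.

```powershell
# Documented userAccountControl bit values, in decimal as the dsquery filters use them.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 2
    PASSWD_NOTREQD       = 32
    NORMAL_ACCOUNT       = 512
    DONT_EXPIRE_PASSWORD = 65536
    DONT_REQ_PREAUTH     = 4194304
}

function Get-UacFlagName {
    param([Parameter(Mandatory)] [int] $UserAccountControl)
    # Same test the matching rule 1.2.840.113556.1.4.803 performs: every bit of the flag is set
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if (($UserAccountControl -band $flag.Value) -eq $flag.Value) { $flag.Key }
    }
}

function New-UacLdapFilter {
    param([Parameter(Mandatory)] [string] $FlagName)
    if (-not $UacFlags.Contains($FlagName)) { throw "Unknown userAccountControl flag: $FlagName" }
    "(&(objectCategory=person)(objectClass=user)(userAccountControl:1.2.840.113556.1.4.803:=$($UacFlags[$FlagName])))"
}

function ConvertFrom-PwdLastSet {
    param([Parameter(Mandatory)] [long] $FileTime)
    # 0 means the password must be changed at next logon; it is not a date
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

# Constructed rows in the shape of "-attr samaccountname userAccountControl pwdLastSet" output
$rows = @(
    [pscustomobject]@{ samaccountname = 'svc-legacy'; userAccountControl = 4260352; pwdLastSet = 131592384000000000 }
    [pscustomobject]@{ samaccountname = 'temp-user';  userAccountControl = 546;     pwdLastSet = 0 }
    [pscustomobject]@{ samaccountname = 'jdoe';       userAccountControl = 512;     pwdLastSet = 133484544000000000 }
)

# Flags an auditor would normally want to look at on an account
$review = 'PASSWD_NOTREQD', 'DONT_EXPIRE_PASSWORD', 'DONT_REQ_PREAUTH'
$rows | ForEach-Object {
    $flags = @(Get-UacFlagName -UserAccountControl $_.userAccountControl)
    [pscustomobject]@{
        Account     = $_.samaccountname
        Flags       = $flags -join ','
        PwdLastSet  = ConvertFrom-PwdLastSet -FileTime $_.pwdLastSet
        NeedsReview = [bool]($flags | Where-Object { $review -contains $_ })
    }
} | Format-Table -AutoSize

# Builds the filter string to pass to dsquery * -filter
New-UacLdapFilter -FlagName 'PASSWD_NOTREQD'
```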

List all Roaming Profile users in Active Directory

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)(profilePath=*)" -limit 0 -name

Generate SIDHistory Report

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -attr samAccountName sidHistory

Generate SID (ObjectSID) Report

Dsquery * -filter "&(objectClass=User)(objectCategory=Person)" -attr samAccountName Object



Identify all Security Groups

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.804:=2147483648))" -attr samAccountName name

Identify all Built-In Security Groups

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483649))" -attr samAccountName name

Identify all Universal Security Groups

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483656))" -attr samAccountName name

Identify all Global Security Groups

dsquery * -filter "(&(objectCategory=group)(groupType:1.2.840.113556.1.4.803:=2147483650))" -attr samAccountName name



Move Computer Objects Based on OS Version

Move Windows 7 Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectCategory=Computer)(operatingSystemVersion=6.1))" | dsmove -newparent OU=Win7,OU=ComputerAccounts,DC=santhosh,DC=lab

Move Windows XP Computers

dsquery * CN=Computers,DC=santhosh,DC=lab -filter "(&(objectCategory=Computer)(operatingSystemVersion=5.1))" | dsmove -newparent OU=WinXP,OU=ComputerAccounts,DC=santhosh,DC=lab


Site and Subnet

List all Sites in Active Directory

Dsquery site * -name

Get Site Name from Subnet IP Address in Active Directory

(For example, Site Name for Subnet

 Dsquery Subnet -Name | Dsget Subnet -Site


Active Directory

When Active Directory was installed

Dsquery * "CN=Configuration,DC=Santhosh,DC=lab" -attr Whencreated -Scope Base

Find Trusts from specified Domain

Dsquery * "CN=System,DC=Santhosh,DC=lab" -filter "(objectClass=trustedDomain)" -attr TrustPartner FlatName


Find Servers in Active Directory with descriptions

Dsquery * DC=Santhosh,DC=lab -filter "(&(objectCategory=Computer)
-limit 0 -attr cn description

View all replicated attributes

Dsquery * CN=Schema,CN=Configuration,DC=Santhosh,DC=lab -filter "(&(objectCategory=attributeSchema)(!systemFlags:1.2.840.113556.1.4.803:=1))" -limit 0

Find Tombstone and Garbage Collection

Dsquery * "CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=Santhosh,DC=lab" -attr GarbageCollPeriod TombstoneLifetime

Find Group Policy GUIDs

Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab" -filter (objectCategory=groupPolicyContainer) -attr Name DisplayName

Existing GPO information

Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab" -filter "(objectCategory=groupPolicyContainer)" -attr displayName cn whenCreated gPCFileSysPath

Enumerate the trusts from the specified domain

Dsquery * "CN=System,DC=Santhosh,DC=lab" -filter "(objectClass=trustedDomain)" -attr TrustPartner FlatName

Active Directory Subnet and Site Information

Dsquery * "CN=Subnets,CN=Sites,CN=Configuration,DC=Santhosh,DC=lab" -attr CN SiteObject Description Location

Active Directory Site Links and Cost Information

Dsquery * "CN=Sites,CN=Configuration,DC=Santhosh,DC=lab" -attr CN Cost Description ReplInterval SiteList -filter (objectClass=siteLink)

Find Group Policy display name with the GUID

Dsquery * "CN=Policies,CN=System,DC=Santhosh,DC=lab" -filter (objectCategory=groupPolicyContainer) -attr Name DisplayName


Reference: https://social.technet.microsoft.com/wiki/contents/articles/3537.active-directory-domain-services-ad-ds-commands-and-scripts.aspx

Account Lockout Attributes

AD Attribute | PowerShell Property | Group Policy Setting
lockoutThreshold | LockoutThreshold | Account lockout threshold
lockoutDuration | LockoutDuration | Account lockout duration
lockoutObservationWindow | LockoutObservationWindow | Reset account lockout counter after
pwdHistoryLength | PasswordHistoryCount | Enforce password history
lockoutTime | AccountLockoutTime | <none>
logonCount | <none> | <none>
pwdLastSet | PasswordLastSet | <none>
pwdProperties | ComplexityEnabled | Password must meet complexity requirements
badPwdCount | BadLogonCount | <none>
badPasswordTime | LastBadPasswordAttempt | <none>

Display or modify ACL permissions

dsacls CN=AdminSDHolder,CN=System,DC=<mydomain>,DC=com /G MSOL_AD_SYNC_RICHCOEXISTENCE:WP;"MSExchArchiveStatus"

Active Directory Domain Services

Active Directory runs its database on its own database engine. All querying, adding, deleting and changing of data, as well as protection, management and storage of the database, is handled by ESE (Extensible Storage Engine), the database engine of Active Directory Domain Services. The ESE architecture used as the database for Active Directory Domain Services in Windows Server 8 was developed from a popular Microsoft product that was used years ago in Exchange Server 5.5.

The Active Directory database is kept on the local disk of the server(s) called Domain Controllers, which are responsible for managing the Active Directory domain. By default, the database is located in %systemroot%\NTDS\ and the database file is named ntds.dit. However, the database system cannot work with the database file alone. The file named edb.log, where all transactions are held temporarily and changes are stored before being written to the database, also plays a critical role in the operation of the Active Directory service. Another component is the edb.chk file, which works as a checkpoint (the ESE checkpoint); its purpose is to check whether transactions can be written to the database properly and consistently.

In addition, there are reserved log files that exist only to occupy disk space, so that in an emergency (the disk is full) the service can make use of them. The two files, 10 MB in size, are named edbres00001 and edbres00002.

Transaction Process

Let’s examine how the Active Directory database system works and how an ordinary transaction process takes place.

When an administrator makes a change to the database, such as creating, deleting or modifying a user account, a write request occurs. This write request is captured as a transaction. The transaction consists of the relevant change information and its metadata: the version number, the time stamp (the date and time of the change), and the globally unique identifier (GUID) of the domain controller that recorded the change. For example, when an attribute of an object is changed, the transaction for that change is made up of the change information plus metadata specifying the version number, the time stamp of the change, and the GUID of the domain controller that registered it.

A transaction begins when a request to write to Active Directory occurs. The transaction contains the relevant change information and the related metadata, and Active Directory places it in the transaction buffer in memory. ESE then writes the transaction from the buffer to the edb.log file, which ensures that it is recorded reliably. Once the transaction is safely in edb.log, ESE writes it from the transaction buffer in memory to ntds.dit, the Active Directory database file on the hard disk of the Domain Controller. If unprocessed transactions remain in the log file, errors may occur. The checkpoint file, edb.chk, is used to check whether the log file holds any transactions that should have been written to the database but have not yet been transferred. Active Directory compares ntds.dit with the edb.log files to confirm that each transaction has been successfully written to the database. The edb.chk file is then updated to indicate that the transaction has been written to the database. After all transactions in the old log files have been written to the database, Active Directory deletes the old files.

Note: ntds.dit stands for New Technology Directory Service - Directory Information Tree.

Transaction’s Impact on Performance

As data is written, sectors on the hard disk are constantly being written to, and as data is deleted, free space is left behind on the disk.

If data is written in scattered areas, read performance, and therefore the performance of the database, decreases. By default, Active Directory performs online defragmentation every 12 hours as part of the process called garbage collection. This removes the fragmentation-related performance loss, and the domain controller can continue to serve requests while online defragmentation runs.

However, while online defragmentation resolves the performance issue, it does not reduce the size of the database, and ntds.dit continues to grow. To reduce the database size, offline defragmentation must be performed. Offline defragmentation creates a new, compact database file and writes into it all transactions that are in the transaction log and have not yet been transferred to the database. This means the domain controller cannot serve requests during offline defragmentation, so the operation should be performed outside office hours. Since online defragmentation already solves the performance problem, offline defragmentation should only be used to reduce the database size, and it is not a process that should be done very often.

As mentioned in the previous sections, the transaction log and checkpoint system ensure the consistency of the information kept in a single database (data integrity). However, if more than one Domain Controller holds a copy of the same database, we also have to consider data consistency between the replicas.

Database Consistency Between Domain Controllers

If the change is a modification or an addition, the data can simply be synchronized between the servers that hold copies. But what if the change is a deletion? If the object were removed completely at the moment of deletion, how would the servers other than the replica that recorded the change learn of the deletion and update their own copies? This is why a deleted object is not actually removed (purged) from the database; instead, it is moved to a special container, the deleted items container. The purpose is to allow enough time for the other copies to pick up the deletion: the interval between deletion and removal from the database exists so that information about the deletion can be transferred from the source copy to the other copies.



Difference Between Forwarder and Stub Zone

Both zone types are used for name resolution, but when should we use a stub zone and when a forwarder? I will try to keep this as short as possible.

Example: We need a trust between domain A and domain B, and I am the system admin of domain A. If changes are made in domain B in the future, we may not receive those updates. Here a stub zone is the best choice. Why? Because a stub zone is an automated process, and the changes are updated automatically.
A forwarder is a manual process. Assume the admin of domain B has changed the DNS server but I have not received the update; this is where the problem arises.
