Active Directory Administration
This page is dedicated to any and all Active Directory administration notes: enumeration, cleanup, file-server housekeeping and endpoint hygiene, mostly as ActiveDirectory-module one-liners and small functions.

USER / HOST ENUMERATION

Get All Users

Get-ADUser -Filter * -Properties DisplayName, sAMAccountName, EmailAddress | Select-Object DisplayName, sAMAccountName, EmailAddress | Export-Csv -Path "C:\users.csv" -NoTypeInformation

Get Active Win10 Machine OS Build (Last Logon in 60 Days)

lastLogonTimeStamp is replicated, so one query against any DC is enough for a 60-day window. OperatingSystemVersion carries the build number (for example 10.0 (19045)), which identifies the feature release rather than the monthly cumulative update, so treat it as a coarse patch-level indicator only. Note that OperatingSystem holds values such as "Windows 10 Enterprise", so the -like pattern needs a trailing wildcard:
$LastLogon = (Get-Date).AddDays(-60)
$Workstations = Get-ADComputer -Filter { LastLogonTimeStamp -gt $LastLogon -and OperatingSystem -like 'Windows 10*' } -Properties DNSHostName,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate |
    Select-Object -Property DNSHostName,OperatingSystem,OperatingSystemVersion,IPv4Address,LastLogonDate,DistinguishedName,SID
$Workstations | Export-Csv -Path "C:\Users\burmat\Desktop\Workstations.csv" -NoTypeInformation

Get Hosts Last Logon

Iterate all computer objects in the domain and get the date/time they last logged on. lastLogon is not replicated between domain controllers, so every DC has to be asked (with -Server) and the newest value kept; without -Server every iteration silently hits the same DC and the loop over $dcs does nothing:
Import-Module ActiveDirectory
function Get-ADHostsLastLogon() {
    $hnames = Get-ADComputer -Filter * | Select-Object -ExpandProperty Name
    # fetch the DC list once, not once per host
    $dcs = Get-ADDomainController -Filter *
    foreach ($hname in $hnames) {
        $time = 0
        foreach ($dc in $dcs) {
            # -Server makes this a per-DC query for the unreplicated lastLogon attribute
            $computer = Get-ADComputer -Identity $hname -Server $dc.HostName -Properties lastLogon
            if ($computer.lastLogon -gt $time) {
                $time = $computer.lastLogon
            }
        }
        # 12/31/1600 will result if $time = 0 (never logged on before)
        $dt = [DateTime]::FromFileTime($time).ToString('g')
        Write-Host $dt", " $hname
    }
    Write-Host "Done."
}
Get-ADHostsLastLogon
(Find my most recent copy on my GitHub)

Get Users Last Logon

To iterate all user objects in AD and get their last logon time, again querying each DC directly because lastLogon is not replicated (the $hostname variable is what gets passed to -Server; in the original version it was set but never used, so only one DC was ever asked):
Import-Module ActiveDirectory
function Get-ADUserLastLogon([string]$userName) {
    $dcs = Get-ADDomainController -Filter *
    $time = 0
    foreach ($dc in $dcs) {
        $hostname = $dc.HostName
        # ask this DC for its own copy of lastLogon
        $user = Get-ADUser -Identity $userName -Server $hostname -Properties lastLogon
        if ($user.lastLogon -gt $time) {
            $time = $user.lastLogon
        }
    }
    # 12/31/1600 means the account has never logged on
    $dt = [DateTime]::FromFileTime($time)
    Write-Host $userName "last logged on at:" $dt
}
$unames = Get-ADUser -Filter * | Select-Object -ExpandProperty SamAccountName
foreach ($uname in $unames) { Get-ADUserLastLogon -userName $uname }
(Find my most recent copy on my GitHub)
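The two loops above (Get Hosts Last Logon and Get Users Last Logon) are the same algorithm applied to two object classes. The following is an added example, not code from the original page, that generalises it: one function that takes any AD object (user or computer) by distinguishedName, asks every DC for the unreplicated lastLogon, keeps the newest value and records which DC supplied it, keeps going if a DC is unreachable, and returns objects rather than Write-Host text so the result can be sorted and exported. It assumes the ActiveDirectory module and a domain you can query; the output path is an assumption.

```powershell
# Added example (not from the original page): per-DC lastLogon for any AD object.
Import-Module ActiveDirectory

function Get-ADTrueLastLogon {
    param(
        # distinguishedName (or GUID) of a user or computer object
        [Parameter(Mandatory, ValueFromPipeline)][string]$Identity,
        # pass a cached DC list when calling in a loop so it is fetched once
        [array]$DomainControllers = (Get-ADDomainController -Filter *)
    )
    process {
        $newest   = 0
        $newestDc = $null
        foreach ($dc in $DomainControllers) {
            try {
                $obj = Get-ADObject -Identity $Identity -Server $dc.HostName -Properties lastLogon -ErrorAction Stop
            } catch {
                # a DC that is down or unreachable must not abort the whole run
                Write-Warning "Could not query $($dc.HostName) for $Identity : $($_.Exception.Message)"
                continue
            }
            # lastLogon is a FILETIME; the largest value across DCs is the true last logon
            if ($obj.lastLogon -gt $newest) {
                $newest   = $obj.lastLogon
                $newestDc = $dc.HostName
            }
        }
        # $null instead of 12/31/1600 when the object has never logged on anywhere
        $lastLogon = if ($newest -gt 0) { [DateTime]::FromFileTime($newest) } else { $null }
        [pscustomobject]@{
            Identity   = $Identity
            LastLogon  = $lastLogon
            ReportedBy = $newestDc
        }
    }
}

# Usage: every user and computer in the domain, one DC lookup for the whole run,
# oldest logon first (never-logged-on objects sort to the top), then to CSV.
$dcs    = Get-ADDomainController -Filter *
$targets = @(Get-ADUser -Filter * | Select-Object -ExpandProperty DistinguishedName) +
           @(Get-ADComputer -Filter * | Select-Object -ExpandProperty DistinguishedName)
$targets | Get-ADTrueLastLogon -DomainControllers $dcs |
    Sort-Object LastLogon |
    Export-Csv -Path "C:\temp\true_last_logon.csv" -NoTypeInformation   # assumed path
```

Run it with the DC list passed in; calling Get-ADDomainController once per object, as the default parameter would do, multiplies the LDAP traffic by the number of objects. Objects with a $null LastLogon are the never-logged-on accounts and are usually the first candidates for the Retire OU below.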

Get Stale Hosts

Use the following to generate a list of hosts that have not logged on for the past 30 days. lastLogonTimeStamp is replicated, so one query is enough, but the DC only refreshes it when the stored value is more than 9-14 days old, so do not use a window shorter than that. Computers that have never logged on have no lastLogonTimeStamp at all and would be missed by a plain -lt comparison, so they are matched with -notlike "*":
Import-Module ActiveDirectory
function Get-StaleComputers() {
    $time = (Get-Date).AddDays(-30)
    Get-ADComputer -Filter { LastLogonTimeStamp -lt $time -or LastLogonTimeStamp -notlike "*" } -Properties LastLogonTimeStamp |
        Select-Object Name,@{Name="Stamp"; Expression={ if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } else { "never" } }} # | Export-Csv C:\temp\unused_machines.csv -NoTypeInformation
    Write-Host done.
}
Get-StaleComputers
(Find my most recent copy on my GitHub)

DOMAIN MAINTENANCE

Move Object to Retire OU

I like to use the scripts above (Get Hosts Last Logon and Get Users Last Logon) to automatically move objects into the "Retire" OU using the following command(s):
# to move a user:
Get-ADUser $uname | Move-ADObject -TargetPath 'OU=Retire,DC=burmat,DC=co'
# to move a computer:
Get-ADComputer $hname | Move-ADObject -TargetPath 'OU=Retire,DC=burmat,DC=co'

Disable Everything in OU

Every few weeks, I run the following (as Domain Admin) to ensure the OU I use for my "Recycle Bin" is filled with only disabled accounts. Get-ADUser only returns user objects, so computer accounts moved into the same OU need the same treatment via Get-ADComputer:
Get-ADUser -Filter * -SearchBase 'OU=Retire,DC=burmat,DC=co' | Disable-ADAccount
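The stale-host query, the move to the Retire OU and the disable pass above are three steps of one procedure. The following is an added example, not code from the original page, that runs them as a single -WhatIf-capable function: it finds enabled computers with no lastLogonTimeStamp in the last N days (or none at all), disables each one before moving it (a moved but still-enabled account is still usable), writes the reason and date into the description so the object explains itself later, and returns a record of what it did. The Retire OU DN is the one used on this page; the CSV path is an assumption.

```powershell
# Added example (not from the original page): retire stale computer accounts in one pass.
Import-Module ActiveDirectory

function Invoke-RetireStaleComputers {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [int]$Days = 30,
        [string]$RetireOU = 'OU=Retire,DC=burmat,DC=co'   # Retire OU used on this page
    )
    # lastLogonTimeStamp is only refreshed when >9-14 days old, so shorter windows are meaningless
    if ($Days -lt 14) { throw "Days must be at least 14 (lastLogonTimeStamp granularity)" }
    $cutoff = (Get-Date).AddDays(-$Days)

    # enabled computers that have not logged on since $cutoff, or never at all
    $filter = { (LastLogonTimeStamp -lt $cutoff -or LastLogonTimeStamp -notlike "*") -and Enabled -eq $true }
    $stale  = Get-ADComputer -Filter $filter -Properties LastLogonTimeStamp,Description |
              Where-Object { $_.DistinguishedName -notlike "*,$RetireOU" }   # skip anything already retired

    foreach ($c in $stale) {
        $last = if ($c.LastLogonTimeStamp) { [DateTime]::FromFileTime($c.LastLogonTimeStamp).ToString('yyyy-MM-dd') } else { 'never' }
        if ($PSCmdlet.ShouldProcess($c.Name, "disable and move to $RetireOU (last logon $last)")) {
            # disable first: a moved but still-enabled account can still authenticate
            Disable-ADAccount -Identity $c.DistinguishedName
            # leave an audit trail on the object itself, keeping the old description
            Set-ADComputer -Identity $c.DistinguishedName -Description "Retired $(Get-Date -Format yyyy-MM-dd): no logon since $last. Was: $($c.Description)"
            Move-ADObject -Identity $c.DistinguishedName -TargetPath $RetireOU
        }
        [pscustomobject]@{ Name = $c.Name; LastLogon = $last; OldDN = $c.DistinguishedName }
    }
}

# Dry run first (prints what would happen, changes nothing), then for real:
# Invoke-RetireStaleComputers -Days 30 -WhatIf
# Invoke-RetireStaleComputers -Days 30 | Export-Csv C:\temp\retired.csv -NoTypeInformation   # assumed path
```

Keep the OldDN column: Move-ADObject does not record where an object came from, and the CSV is the only way to put a machine back if a "stale" host turns out to be a laptop that was simply off the network.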

Set Domain User Password

Set-DomainUserPassword is PowerView's cmdlet, not part of the ActiveDirectory module (the module equivalent is Set-ADAccountPassword). Done this way the plaintext password also ends up in the shell history and any transcript, so use a throwaway value and force a change at next logon:
$uname = 'burmat'; $pass = 'Password123!'; $securepass = ConvertTo-SecureString $pass -AsPlainText -Force; Set-DomainUserPassword -Identity $uname -AccountPassword $securepass
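The same reset with the ActiveDirectory module instead of PowerView, as an added example that is not code from the original page. It prompts for the password as a SecureString so the value never appears on the command line, in the history or in a transcript, uses -Reset (the administrative reset right, no old password needed), flags the account to change the password at next logon, and returns the resulting password state. The user name is the one used on this page.

```powershell
# Added example (not from the original page): reset a domain user's password
# with the ActiveDirectory module without exposing the password in plaintext.
Import-Module ActiveDirectory

function Reset-DomainUserPassword {
    param(
        [Parameter(Mandatory)][string]$Identity,
        # force the user to choose their own password at next logon
        [bool]$ChangeAtNextLogon = $true
    )
    # Read-Host -AsSecureString keeps the value out of history, transcript and process command line
    $securePass = Read-Host -Prompt "New password for $Identity" -AsSecureString

    # -Reset = administrative reset; requires the "Reset password" right on the object
    Set-ADAccountPassword -Identity $Identity -NewPassword $securePass -Reset

    if ($ChangeAtNextLogon) {
        # sets pwdLastSet to 0 so the helpdesk-chosen value is a one-time password
        Set-ADUser -Identity $Identity -ChangePasswordAtLogon $true
    }

    # return the resulting state so the caller can confirm the reset took effect
    Get-ADUser -Identity $Identity -Properties PasswordLastSet,PasswordExpired,LockedOut |
        Select-Object SamAccountName,PasswordLastSet,PasswordExpired,LockedOut
}

# Usage (user name taken from this page):
# Reset-DomainUserPassword -Identity 'burmat'
```

If the account is also locked out, Unlock-ADAccount is a separate step; a password reset alone does not clear the lockout.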

FILE SYSTEM ADMINISTRATION

Getting Directory Sizes

I use the following command to generate a list of user profiles on a file server. It is useful to keep track of users who are consuming more space than expected on a global server (the original had `$.` where `$_.` was meant; -ErrorAction belongs on Get-ChildItem, which is the call that fails on inaccessible folders):
Get-ChildItem | Where-Object { $_.PSIsContainer } | ForEach-Object { $_.Name + ": " + "{0:N2}" -f ((Get-ChildItem $_.FullName -Recurse -ErrorAction SilentlyContinue | Measure-Object Length -Sum).Sum / 1MB) + " MB" }

Tail a File

Similar to tail -f filename, you can use Get-Content to watch a file for changes (-Tail limits the initial dump to the last lines instead of the whole file):
Get-Content -Path "\\server\logs\prod.server.log" -Tail 20 -Wait

MISC CLEANUP / MANAGEMENT

Clear Cached (mscachev2) Credentials

A domain-joined endpoint that is taken from the domain might still have cached (mscachev2, also called mscash2) domain logon verifiers residing on it. This is why I always wipe the system or use the following to remove any cached credentials:
Run regedit and give your current local account access to the "SECURITY" key (it is ACLed to SYSTEM only, so you have to grant yourself permissions or run regedit as SYSTEM). After restarting regedit, navigate to: HKEY_LOCAL_MACHINE\SECURITY\Cache
Cached credentials are stored in the binary values NL$1 through NL$10 (more if CachedLogonsCount has been raised above the default of 10; the maximum is 50). Zeroing out or deleting these values clears the existing entries, but it does not stop Windows from caching the next domain logon. Disabling the feature is done with the Winlogon CachedLogonsCount value (the "Interactive logon: Number of previous logons to cache" policy) set to 0.
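The registry steps above clear what is already cached; stopping new entries is a separate setting. The following is an added example, not code from the original page, that reads and sets the CachedLogonsCount value under the Winlogon key (the value behind the "Interactive logon: Number of previous logons to cache" policy) and reports whether the current token can even read HKLM\SECURITY\Cache, which is the usual reason the manual procedure fails. Run it from an elevated PowerShell session, before the host leaves the domain.

```powershell
# Added example (not from the original page): disable domain logon caching and
# check access to the mscachev2 store.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-CachedLogonsCount {
    # stored as a REG_SZ string; default is "10", maximum is 50
    $v = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    if ($null -eq $v) { 10 } else { [int]$v }
}

function Disable-CachedLogons {
    # 0 = do not cache any domain logons on this machine from now on.
    # Existing NL$ values under HKLM\SECURITY\Cache are not touched by this;
    # clear them as described in the regedit steps above.
    Set-ItemProperty -Path $winlogon -Name CachedLogonsCount -Value '0' -Type String
    Get-CachedLogonsCount
}

function Test-CacheKeyReadable {
    # HKLM\SECURITY is ACLed to SYSTEM only. An administrator token cannot open
    # the Cache key without taking ownership/granting access first or running as SYSTEM.
    try {
        $null = Get-Item -Path 'HKLM:\SECURITY\Cache' -ErrorAction Stop
        $true
    } catch {
        $false
    }
}

"CachedLogonsCount before: $(Get-CachedLogonsCount)"
"CachedLogonsCount after:  $(Disable-CachedLogons)"
"HKLM\SECURITY\Cache readable from this token: $(Test-CacheKeyReadable)"
```

If the last line reports $false, the NL$ values still exist and still have to be cleared from a SYSTEM context; the count of 0 only prevents the next logon from adding to them. On a domain-managed fleet, set the same value through Group Policy rather than per host so a re-joined machine does not silently revert to 10.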