List enabled and disabled Active Directory computer objects
List enabled and disabled Active Directory computer objects

You can list the Active Directory computer accounts and check their status (enabled or disabled objects) in different ways.

  • First method with the Get-ADComputer cmdlet

    Script (with Microsoft Active Directory module loaded : import-module activedirectory) :
    Only disabled computer accounts

    get-adcomputer -ldapfilter "(userAccountControl:1.2.840.113556.1.4.803:=2)"

    Only enabled computer accounts

    get-adcomputer -ldapfilter "(!(userAccountControl:1.2.840.113556.1.4.803:=2))"
  • Second method with the Search-ADAccount cmdlet

    Script (with Microsoft Active Directory module loaded : import-module activedirectory) :
    Only disabled computer accounts

    Search-ADAccount -searchbase "CN=Computers,DC=domain,DC=local" -ComputersOnly -AccountDisabled
  • Third method with the Get-ADObject cmdlet

    Only disabled computer accounts

    Get-ADObject -searchbase "CN=Computers,DC=domain,DC=local" -ldapfilter "(&(objectclass=computer)(userAccountControl:1.2.840.113556.1.4.803:=2))"

    Only enabled computer accounts

    Get-ADObject -searchbase "CN=Computers,DC=domain,DC=local" -ldapfilter "(&(objectclass=computer)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"

<>

Reference

Get-ADComputer
Syntax

Get-ADComputer -Filter  [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { |  | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []
  • Filter
  • ResultPageSize
  • ResultSetSize
  • SearchBase
  • SearchScope
  • AuthType
  • Credential
  • Partition
  • Properties
  • Server
Get-ADComputer [-Identity]  [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []
  • Identity
  • AuthType
  • Credential
  • Partition
  • Properties
  • Server
Get-ADComputer -LDAPFilter  [-ResultPageSize ] [-ResultSetSize ] [-SearchBase ] [-SearchScope { |  | }] [-AuthType { | }] [-Credential ] [-Partition ] [-Properties ] [-Server ] []
  • LDAPFilter
  • ResultPageSize
  • ResultSetSize
  • SearchBase
  • SearchScope
  • AuthType
  • Credential
  • Partition
  • Properties
  • Server

Detailed Description
The Get-ADComputer cmdlet gets a computer or performs a search to retrieve multiple computers.

The Identity parameter specifies the Active Directory computer to retrieve. You can identify a computer by its distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name. You can also set the parameter to a computer object variable, such as $ or pass a computer object through the pipeline to the Identity parameter.

To search for and retrieve more than one computer, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, see about_ActiveDirectory_Filter. If you have existing LDAP query strings, you can use the LDAPFilter parameter.

This cmdlet retrieves a default set of computer object properties. To retrieve additional properties use the Properties parameter. For more information about the how to determine the properties for computer objects, see the Properties parameter description.

List enabled and disabled Active Directory computer objects

Leave a Reply

Your email address will not be published.