LDIFDE is an oldie-but-goodie tool for finding specific information in Active Directory. If you know the name of the attribute that contains the data you're looking for, you can construct a pretty powerful query.
For example, you can search for all computers in the Active Directory domain mydomain.com:
ldifde -f output.txt -r "(objectClass=computer)" -d "dc=mydomain,dc=com"
You can filter it down to all workstation-class computers (running Windows XP), as well:
ldifde -f output.txt -r "(&(objectClass=computer)(operatingSystem=Windows XP*))" -d dc=mydomain,dc=com
Or even all workstations running Windows XP and Vista, by wrapping the operating system conditions in an OR (|) group:
ldifde -f output.txt -r "(&(objectClass=computer)(|(operatingSystem=Windows XP*)(operatingSystem=Windows Vista*)))" -d dc=mydomain,dc=com
And workstations running Windows 2000, XP, and Vista:
ldifde -f output.txt -r "(&(objectClass=computer)(|(operatingSystem=Windows XP*)(operatingSystem=Windows 2000 Pro*)(operatingSystem=Windows Vista*)))" -l "cn,operatingSystem" -d dc=mydomain,dc=com
"But Aaron," you ask, "LDIFDE returns a lot of fields I don't need. How can I control the output?" Glad you asked.
You can use the -l switch to do just that:
ldifde -f output.txt -r "(&(objectClass=computer)(operatingSystem=Windows Server*))" -d dc=mydomain,dc=com -l "cn,operatingSystem"
This returns output like this:
dn: CN=SERVERA,OU=Servers,DC=mydomain,DC=com
changetype: add
cn: SERVERA
operatingSystem: Windows Server 2003
You can swap out LDIFDE for the tool CSVDE to generate the output in a CSV format.
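To turn an export like the one above into an operating system inventory, the following added example (not from the original post) parses LDIF text and groups hosts by operatingSystem. It handles folded lines and base64 ("::") values as defined in RFC 2849; the function names and the sample records are assumptions made for illustration.

```python
import base64
from collections import defaultdict

# Constructed sample shaped like the output above (hypothetical hosts).
SAMPLE_LDIF = """\
dn: CN=SERVERA,OU=Servers,DC=mydomain,DC=com
changetype: add
cn: SERVERA
operatingSystem: Windows Server 2003

dn: CN=SERVERB,OU=Servers,DC=mydomain,DC=com
changetype: add
cn: SERVERB
operatingSystem: Windows Server 2003

dn: CN=WKS01,OU=A Long Organizational Unit Name,OU=Workstations,
 DC=mydomain,DC=com
changetype: add
cn: WKS01
operatingSystem:: V2luZG93cyBWaXN0YeKEoiBCdXNpbmVzcw==
"""

def parse_ldif(text):
    """Return one {attribute: [values]} dict per LDIF record."""
    text = text.replace("\r\n", "\n").replace("\n ", "")  # unfold RFC 2849 lines
    records = []
    for block in text.split("\n\n"):
        rec = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            name, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64 of UTF-8 text>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            rec.setdefault(name, []).append(value.strip())
        if rec:
            records.append(rec)
    return records

def hosts_by_os(records):
    """Group host names (cn, else dn) by their operatingSystem value."""
    groups = defaultdict(list)
    for rec in records:
        os_name = rec.get("operatingSystem", ["<not set>"])[0]
        groups[os_name].append(rec.get("cn", rec["dn"])[0])
    return {os_name: sorted(hosts) for os_name, hosts in groups.items()}

if __name__ == "__main__":
    print(hosts_by_os(parse_ldif(SAMPLE_LDIF)))
```

For a real export, read output.txt with the encoding the file was written in and pass its text to parse_ldif.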
Awesome, it's a very good script to view inactive computers in Active Directory. I found good information from http://www.esystool.com/cleanup-active-directory-with-powershell/ which helps to find old computer accounts on Windows Server and remove accounts that have been inactive within the 180 number of days. It generates a comprehensive report which is based on your requirements, like delete, disable, enable or move these accounts.