For today’s cmdlet, we’re going to focus on Get-AdComputer. This cmdlet is the brother of Get-AdUser. Instead of getting users from Active Directory (AD), this cmdlet finds computers in OUs.
You’ll find the Get-AdComputer cmdlet in the ActiveDirectory PowerShell module. If you don’t already have that installed, find out how here.
The Basics
If you’ve never used the Get-AdComputer cmdlet before, ensure you understand the basics. You’ll search for and retrieve computers using the Identity and Filter parameters.
The Identity Parameter
At its most basic, Get-Adcomputer gets a single computer object from AD using the Identity parameter. If you had a computer called FOO, then you’d provide that value as shown below.
Get-AdComputer -Identity FOO
By default, the cmdlet will only return a few AD attributes. If you’d like to see all AD attributes for a computer, use the Properties parameter.
By using an asterisk with the Properties parameter below, PowerShell will return all AD attributes. But if you only want to see a few of them, you can specify them, comma-delimited.
Get-AdComputer -Identity FOO -Properties *
Like all other Active Directory PowerShell cmdlet Identity parameters, you can also specify a distinguished name (DN), GUID, or a SID.
The Filter Parameter
If you need to find more than one computer account, use the Filter parameter. The Filter parameter is a common parameter amongst many ActiveDirectory commands. It allows you to specify conditions an account must meet to be returned.
If not using the Identity parameter, you must use the Filter parameter. If, for example, you’d like to find all computer accounts in AD, you can specify an asterisk. The asterisk is a wildcard that matches all computer accounts.
Get-AdComputer -Filter *
Perhaps you need to find all computers starting with the letter “F”. In that case, you’d craft the filter syntax as shown below.
Get-ADComputer -Filter "Name -like 'F*'"
The LDAPFilter Parameter
If you’re good at LDAP filters, you can also use the LDAPFilter parameter. The LDAP filter allows you to use LDAP syntax to hone in on exactly the computer you’re looking for. LDAPFilter can be used with the SearchBase parameter or by itself.
Below, I’m using the LDAP filter to find all computers that start with F.
Get-ADComputer -LDAPFilter "(name=f*)"
For more information on building filters, check out Learning Active Directory and LDAP Filters in PowerShell.
Finding Computers in an OU
Finding computers by name with the Identity parameter or by various AD attributes with the Filter parameter is only one option. You can also find computer accounts by the OU they’re located in.
Get-Adcomputer has a SearchBase parameter you can use to limit the search only to an OU and/or all of its child OUs.
Perhaps you need to find all domain controllers in the Domain Controllers OU. You could limit the scope of computer accounts returned to only these machines using the SearchBase parameter.
The SearchBase parameter defines a “start” to searching. Rather than starting a search at the root of the domain, it tells PowerShell to start at an OU.
To use the SearchBase parameter, you specify an OU’s distinguished name (DN). Below is an example of finding all computer accounts in a Domain Controllers OU in a company.pri domain.
Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers, DC=company, DC=pri'
Getting Accounts in Child OUs
When you use the SearchBase parameter, PowerShell only returns computer accounts in that specific OU. It will not return computer accounts in any child OUs. To do that, you can use the SearchScope parameter.
The SearchScope parameter allows you to define how deep to look from the parent OU. This parameter has three possible values – 0, 1 and 2. By default, it is set to 0 and will only return computers in the base OU.
If you need to recursively search in the base OU and the immediate child OU, you can use the 1 value. The most common value here though is 2 meaning to recursively search through all child, grandchildren and deeper OUs.
Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers, DC=company, DC=pri' -SearchScope 2
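The parameters covered above can be combined into one scoped query. The following is an added example, not code from the original article: it lists enabled computers under an OU that have not logged on recently, requesting only the attributes the report needs. The Workstations OU and the 90-day threshold are assumptions made for illustration; the company.pri domain is the one used earlier.

```powershell
# Added example: the OU name and the 90-day threshold are assumptions.
Import-Module ActiveDirectory

$searchBase = 'OU=Workstations,DC=company,DC=pri'   # hypothetical OU
$cutoff     = (Get-Date).AddDays(-90)               # hypothetical staleness threshold

# Splat the parameters so each one is easy to read and change.
$params = @{
    # Server-side filter: only enabled accounts are returned by AD.
    Filter      = 'Enabled -eq $true'
    SearchBase  = $searchBase
    # 2 = search the base OU and every OU beneath it.
    SearchScope = 2
    # Name the attributes you need instead of using -Properties *,
    # which pulls every attribute for every account.
    Properties  = 'OperatingSystem', 'LastLogonDate', 'PasswordLastSet'
}

Get-ADComputer @params |
    # Keep accounts that have never logged on or last logged on before the cutoff.
    Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff } |
    Sort-Object LastLogonDate |
    Select-Object Name, OperatingSystem, LastLogonDate, PasswordLastSet, DistinguishedName
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which AD updates only periodically, so treat the result as a list of accounts to review rather than an exact last-logon time.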
Summary
Get-AdComputer is a handy cmdlet to find information about AD computer accounts. The biggest challenge is not learning how to use Get-AdComputer but figuring out the filtering syntax. If you read the linked filter article above, you’ll see it can get complicated.
Once you master the filter, you’ll then easily be able to pull as much information as you need from AD computer accounts!
These are some of the most common use cases for this cmdlet of the day. For a full breakdown, check out the Microsoft documentation.