Get-ADComputer: Find Computer OUs in Active Directory

Published: 17 June 2019 - 3 min. read

For today’s cmdlet, we’re going to focus on Get-AdComputer. This cmdlet is the brother of Get-AdUser. Instead of getting users from Active Directory (AD), this cmdlet finds computers in OUs.

You’ll find the Get-AdComputer cmdlet in the ActiveDirectory PowerShell module. If you don’t already have that installed, find out how here.

The Basics

If you’ve never used the Get-AdComputer cmdlet before, ensure you understand the basics. You’ll search for and retrieve computers using the Identity and Filter parameters.

The Identity Parameter

At its most basic, Get-AdComputer gets a single computer object from AD using the Identity parameter. If you had a computer called FOO, then you’d provide that value as shown below.

Get-AdComputer -Identity FOO

By default, the cmdlet will only return a few AD attributes. If you’d like to see all AD attributes for a computer, use the Properties parameter.

By using an asterisk with the Properties parameter below, PowerShell will return all AD attributes. But if you only want to see a few of them, you can specify them, comma-delimited.

Get-AdComputer -Identity FOO -Properties *

Like all other Active Directory PowerShell cmdlet Identity parameters, you can also specify a distinguished name (DN), GUID, or a SID.

The Filter Parameter

If you need to find more than one computer account, use the Filter parameter. The Filter parameter is a common parameter amongst many ActiveDirectory commands. It allows you to specify conditions an account must meet to be returned.

If not using the Identity parameter, you must use the Filter parameter. If, for example, you’d like to find all computer accounts in AD, you can specify an asterisk. The asterisk is a wildcard that matches all computer accounts.

Get-AdComputer -Filter *

Perhaps you need to find all computers starting with the letter “F”. In that case, you’d craft the filter syntax as shown below.

Get-ADComputer -Filter "Name -like 'F*'"

The LDAPFilter Parameter

If you’re good at LDAP filters, you can also use the LDAPFilter parameter. The LDAP filter allows you to use LDAP syntax to home in on exactly the computer you’re looking for. LDAPFilter can be used with the SearchBase parameter or by itself.

Below, I’m using the LDAP filter to find all computers that start with F.

Get-ADComputer -LDAPFilter "(name=f*)"

For more information on building filters, check out Learning Active Directory and LDAP Filters in PowerShell.

Finding Computers in an OU

Finding computers by name with the Identity parameter or by various AD attributes with the Filter parameter is only one option. You can also find computer accounts by the OU they’re located in.

Get-Adcomputer has a SearchBase parameter you can use to limit the search only to an OU and/or all of its child OUs.

Perhaps you need to find all domain controllers in the Domain Controllers OU. You could limit the scope of computer accounts returned to only these machines using the SearchBase parameter.

The SearchBase parameter defines a “start” to searching. Rather than starting a search at the root of the domain, it tells PowerShell to start at an OU.

To use the SearchBase parameter, you specify an OU’s distinguished name (DN). Below is an example of finding all computer accounts in a Domain Controllers OU in a company.pri domain.

Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers, DC=company, DC=pri'

Getting Accounts in Child OUs

When you use the SearchBase parameter, PowerShell only returns computer accounts in that specific OU. It will not return computer accounts in any child OUs. To do that, you can use the SearchScope parameter.

The SearchScope parameter allows you to define how deep to look from the parent OU. This parameter has three possible values – 0, 1 and 2. By default, it is set to 0 and will only return computers in the base OU.

If you need to recursively search in the base OU and the immediate child OU, you can use the 1 value. The most common value here, though, is 2, which recursively searches through all child, grandchild and deeper OUs.

Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers, DC=company, DC=pri' -SearchScope 2
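The SearchBase and SearchScope calls above return computer objects but don't show which OU each one sits in. As an added example (not code from the original article), the functions below derive each computer's parent OU from its DistinguishedName and count disabled and stale accounts per OU. The function names, the 90-day threshold and the sample objects are assumptions, and -SearchScope is passed by name (Subtree is the same value as 2).

```powershell
# Added example. Sample data below is constructed; with the ActiveDirectory
# module loaded, the same function takes live objects instead:
#   Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=company,DC=pri' `
#       -SearchScope Subtree -Properties LastLogonDate | Get-ComputerOUSummary

function Get-ParentOU {
    param([Parameter(Mandatory)][string]$DistinguishedName)
    # Split at the first comma that is not escaped with a backslash; what
    # follows is the DN of the OU or container holding the object.
    ($DistinguishedName -split '(?<!\\),', 2)[1]
}

function Get-ComputerOUSummary {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]$Computer,
        [int]$StaleDays = 90   # assumed threshold; adjust to your policy
    )
    begin {
        $all    = [System.Collections.Generic.List[object]]::new()
        $cutoff = (Get-Date).AddDays(-$StaleDays)
    }
    process { $all.Add($Computer) }
    end {
        $all | Group-Object { Get-ParentOU $_.DistinguishedName } | ForEach-Object {
            [pscustomobject]@{
                OU        = $_.Name
                Computers = $_.Count
                Disabled  = @($_.Group | Where-Object { -not $_.Enabled }).Count
                # No LastLogonDate at all (never logged on) also counts as stale.
                Stale     = @($_.Group | Where-Object {
                    -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }).Count
            }
        }
    }
}

$now = Get-Date
$sample = @(   # constructed objects shaped like Get-ADComputer output
    [pscustomobject]@{ DistinguishedName = 'CN=DC01,OU=Domain Controllers,DC=company,DC=pri'; Enabled = $true; LastLogonDate = $now.AddDays(-1) }
    [pscustomobject]@{ DistinguishedName = 'CN=FOO,OU=Sales\, EMEA,OU=Workstations,DC=company,DC=pri'; Enabled = $true; LastLogonDate = $now.AddDays(-200) }
    [pscustomobject]@{ DistinguishedName = 'CN=FAB,OU=Sales\, EMEA,OU=Workstations,DC=company,DC=pri'; Enabled = $false; LastLogonDate = $null }
)
$sample | Get-ComputerOUSummary | Format-Table -AutoSize
```

With the constructed data, the Domain Controllers OU reports one current computer, and the "Sales\, EMEA" OU reports two computers, one disabled and both stale.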

Summary

Get-AdComputer is a handy cmdlet to find information about AD computer accounts. The biggest challenge isn’t learning how to use Get-AdComputer but figuring out the filtering syntax. If you read the linked filter article above, you’ll see it can get complicated.

Once you master the filter, you’ll then easily be able to pull as much information as you need from AD computer accounts!

These are some of the most common use cases for this cmdlet of the day. For a full breakdown, check out the Microsoft documentation.
