For today’s cmdlet, we’re going to focus on Get-AdComputer. This cmdlet is the brother of Get-AdUser. Instead of getting users from Active Directory (AD), this cmdlet finds computers in OUs.
You’ll find the Get-AdComputer cmdlet in the ActiveDirectory PowerShell module. If you don’t already have that installed, find out how here.
If you’ve never used the Get-AdComputer cmdlet before, ensure you understand the basics. You’ll search for and retrieve computers using the
The Identity Parameter
At its most basic, Get-AdComputer gets a single computer object from AD using the Identity parameter. If you had a computer called FOO, then you’d provide that value as shown below.
Get-AdComputer -Identity FOO
By default, the cmdlet will only return a few AD attributes. If you’d like to see all AD attributes for a computer, use the
By using an asterisk with the Properties parameter below, PowerShell will return all AD attributes. But if you only want to see a few of them, you can specify them, comma-delimited.
Get-AdComputer -Identity FOO -Properties *
Like all other Active Directory PowerShell cmdlet Identity parameters, you can also specify a distinguished name (DN), GUID, or a SID.
The Filter Parameter
If you need to find more than one computer account, use the Filter parameter. The Filter parameter is a common parameter amongst many ActiveDirectory commands. It allows you to specify conditions an account must meet to be returned.
If not using the Identity parameter, you must use the Filter parameter. If, for example, you’d like to find all computer accounts in AD, you can specify an asterisk. The asterisk is a wildcard that matches all computer accounts.
Get-AdComputer -Filter *
Perhaps you need to find all computers starting with the letter “F”. In that case, you’d craft the filter syntax as shown below.
Get-ADComputer -Filter "Name -like 'F*'"
The LDAPFilter Parameter
If you’re good at LDAP filters, you can also use the LDAPFilter parameter. The LDAP filter allows you to use LDAP syntax to home in on exactly the computer you’re looking for. LDAPFilter can be used with the SearchBase parameter or by itself.
Below, I’m using the LDAP filter to find all computers that start with F.
Get-ADComputer -LDAPFilter "(name=f*)"
For more information on building filters, check out Learning Active Directory and LDAP Filters in PowerShell.
Finding Computers in an OU
Finding computers by name with the Identity parameter or by various AD attributes with the Filter parameter is only one option. You can also find computer accounts by the OU they’re located in.
Get-AdComputer has a SearchBase parameter you can use to limit the search only to an OU and/or all of its child OUs.
Perhaps you need to find all domain controllers in the Domain Controllers OU. You could limit the scope of computer accounts returned to only these machines using the
SearchBase parameter defines a “start” to searching. Rather than starting a search at the root of the domain, it tells PowerShell to start at an OU.
To use the SearchBase parameter, you specify an OU’s distinguished name (DN). Below is an example of finding all computer accounts in a Domain Controllers OU in a company.pri domain.
Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers, DC=company, DC=pri'
Getting Accounts in Child OUs
When you use the SearchBase parameter, PowerShell only returns computer accounts in that specific OU. It will not return computer accounts in any child OUs. To do that, you can use the
SearchScope parameter allows you to define how deep to look from the parent OU. This parameter has three possible values –
2. By default, it is set to 0 and will only return computers in the base OU.
If you need to recursively search in the base OU and the immediate child OU, you can use the 1 value. The most common value here, though, is 2, meaning to search recursively through all child, grandchild, and deeper OUs.
Get-ADComputer -Filter * -SearchBase 'OU=Domain Controllers, DC=company, DC=pri' -SearchScope 2
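Putting the Filter, Properties, SearchBase and SearchScope parameters together: the following is an added example, not code from the original article, that lists enabled computer accounts under an OU that have not logged on recently, a routine account-hygiene check. The function name Get-StaleAdComputer, the Workstations OU and the 90-day threshold are assumptions; it needs the ActiveDirectory module and a domain to query.

```powershell
#Requires -Modules ActiveDirectory

# Hypothetical helper (not part of the ActiveDirectory module).
function Get-StaleAdComputer {
    [CmdletBinding()]
    param(
        # Distinguished name of the OU to start searching from.
        [Parameter(Mandatory)] [string] $SearchBase,
        # Assumed threshold; tune it to your own policy.
        [int] $MaxAgeDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    $query = @{
        Filter      = 'Enabled -eq $true'   # server-side: skip accounts already disabled
        SearchBase  = $SearchBase
        SearchScope = 2                     # same value the article uses for child OUs
        # Request only the attributes needed instead of -Properties *.
        Properties  = 'LastLogonDate', 'PasswordLastSet', 'OperatingSystem'
    }

    Get-ADComputer @query | ForEach-Object {
        # LastLogonDate is empty for accounts that have never logged on,
        # so report those separately instead of comparing $null to a date.
        $reason = $null
        if (-not $_.LastLogonDate)            { $reason = 'NeverLoggedOn' }
        elseif ($_.LastLogonDate -lt $cutoff) { $reason = 'NoRecentLogon' }

        if ($reason) {
            [pscustomobject]@{
                Name              = $_.Name
                Reason            = $reason
                LastLogonDate     = $_.LastLogonDate
                PasswordLastSet   = $_.PasswordLastSet
                OperatingSystem   = $_.OperatingSystem
                DistinguishedName = $_.DistinguishedName
            }
        }
    }
}

# 'OU=Workstations' is a hypothetical OU in the article's company.pri example domain.
Get-StaleAdComputer -SearchBase 'OU=Workstations,DC=company,DC=pri' |
    Sort-Object LastLogonDate |
    Format-Table Name, Reason, LastLogonDate, OperatingSystem -AutoSize
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about two weeks, so keep the threshold well above that before acting on a result.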
Get-AdComputer is a handy cmdlet to find information about AD computer accounts. The biggest challenge is not learning how to use Get-AdComputer but figuring out the filtering syntax. If you read the linked filter article above, you’ll see it can get complicated.
Once you master the filter, you’ll then easily be able to pull as much information as you need from AD computer accounts!
These are some of the most common use cases for this cmdlet of the day. For a full breakdown, check out the Microsoft documentation.