Let’s start by using the Saved Queries feature in Active Directory Users and Computers.
I will do a different example than I did in the article. New Query, and we will just call this one “users that have not logged on in some time”. Click Define Query and then, because we are going to be accessing one of the more difficult-to-work-with attributes, rather than selecting Users, Contacts, and Groups from the Find drop-down, select Common Queries. This is what gives you easier access to things like disabled accounts, non-expiring passwords, and the one we are after, days since last logon. Let’s grab everyone who has not logged on in 120 days.
You can also do similar Common Query queries for groups and computers.
Although you will notice for computers you do not get the option to select things like passwords that have not been set or computers that have not logged on in a certain period of time. You can always create that sort of query on your own by flipping the find drop down over to Computers. That would give you raw access to everything that you need. For right now let’s just click OK a couple of times and it creates a new report. We can see that I do have a computer with users that have not logged on in some time. It did pull up this computer account.
This is not really a report; these are live accounts, meaning I can double-click them and get the same property box that I would get if I were browsing the domain normally. You can add information to this. If you get into the View menu, you can Add/Remove Columns. You can always export this list, either to a tab-delimited file or a CSV file. If those are your only reporting needs and you do not have to do this too often, this is not a bad technique. If you have to do it frequently, though, it becomes a pain in the neck to have to come and manually do this all the time.
Another approach would be to use PowerShell.
I could use the Quest AD cmdlets if I wanted to talk to a domain as old as Windows 2000 Server, but I am using the Microsoft AD cmdlets, which will work with domains back to Windows Server 2003, and these cmdlets come with Windows Server 2008 R2. They are also available in the Windows 7 Remote Server Administration Tool Kit or RSAT. I am going to retrieve all the computers (that is the -Filter * part) and all of their properties, including the properties that the command would not normally show me, because I need to access their PasswordLastSet property to see if it is null. I also need to access the Created property to see if it is earlier than today’s date minus 30 days, that is, 30 days ago. I am going to select just the CanonicalName and Created properties from those results, convert them to HTML, and pump that HTML out to a file.
Here is the result. I am going to get a list of computers. It is not beautiful HTML, but at least it is HTML. These are computers that were created at least 30 days ago and have never set their password. I might want to look into why they have never set their password. Perhaps they were not turned on or whatever else. The neat thing is, you can take a command like this and schedule it, either by popping it into a PowerShell script file or by scheduling it directly. What you would do is simply schedule PowerShell.exe and use its -Command parameter to specify the command you came up with, or the -File parameter to specify the script file that you put your command into. You can schedule that, and as long as it is scheduled to run as a user account that has permission to query that information, you should be good to go. Then you can regularly, on a scheduled basis, produce that report, email it off to people, or, in this case, perhaps drop it on an Intranet Web Server where people could look at it as they need to.
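The pipeline and the scheduling step described above, written out as a script file. This is an added example, not the command from the original walkthrough; the output path, script path, task name and service account are hypothetical, and it requests only the three properties it needs rather than every property.

```powershell
# Added example (not the presenter's script). Requires the Microsoft
# ActiveDirectory module (Windows Server 2008 R2 or RSAT).
param(
    [int]$MinAgeDays = 30,                                  # threshold used in the walkthrough
    [string]$OutFile = 'C:\Reports\computers-no-pwd.html'   # hypothetical output path
)

Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$MinAgeDays)

# -Filter * returns every computer account. PasswordLastSet, Created and
# CanonicalName are not returned by default, so they are requested by name
# (a narrower choice than asking for all properties).
$stale = Get-ADComputer -Filter * -Properties PasswordLastSet, Created, CanonicalName |
    Where-Object { $null -eq $_.PasswordLastSet -and $_.Created -lt $cutoff } |
    Sort-Object Created |
    Select-Object CanonicalName, Created

$heading = "Computers created before $($cutoff.ToString('yyyy-MM-dd')) " +
           "that have never set a password ($(@($stale).Count) found)"

# A report is written even when nothing matches, so readers of the page can
# tell "no findings" apart from "the scheduled job did not run".
if ($stale) {
    $stale | ConvertTo-Html -Title 'Stale computer accounts' -Body "<h2>$heading</h2>" |
        Out-File -FilePath $OutFile -Encoding UTF8
} else {
    ConvertTo-Html -Title 'Stale computer accounts' -Body "<h2>$heading</h2>" |
        Out-File -FilePath $OutFile -Encoding UTF8
}

# Scheduling (run once from an elevated prompt). The account only needs
# permission to read the directory and write $OutFile; it does not need to be
# a domain administrator. Names and paths below are hypothetical.
#
#   schtasks /Create /TN "AD stale computer report" /SC DAILY /ST 06:00 `
#       /RU CONTOSO\svc-adreport /RP * `
#       /TR "powershell.exe -NoProfile -File C:\Scripts\StaleComputers.ps1"
```

Because the report exposes canonical names of unused computer accounts, restrict read access to the output location to the people who need it.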