PowerShell Script Cmdlet Get-ADComputer

Dynamic resetting of computer account passwords in a Windows domain is the process by which domain-joined computers periodically change their own machine account passwords. This process is crucial for maintaining secure communications between the computer and the domain controllers.

PowerShell Snippet Get-ADComputer: No Password Reset in 90 Days

# Computer accounts whose machine password has not been reset (PasswordLastSet) in over 90 days
$date = [DateTime]::Today.AddDays(-90)
Get-ADComputer -Filter 'PasswordLastSet -le $date' -Properties PasswordLastSet | Select-Object Name, PasswordLastSet, Enabled | Export-Csv C:\temp\Old_Computers.csv -NoTypeInformation
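A fuller version of the stale-account report above, added here as an example and not taken from the original page: it parameterises the age threshold, requests only the attributes it needs instead of -Properties *, handles accounts that never set a password, and separates enabled from disabled accounts so the enabled ones get reviewed first. It assumes the ActiveDirectory module is available; the output path is an assumption.

```powershell
# Added example (not from the original page): report computer accounts whose
# machine password has not been reset within a configurable number of days.
Import-Module ActiveDirectory

function Get-StaleComputerReport {
    param(
        [int]$MaxAgeDays = 90,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName   # default: whole domain
    )
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)

    # Request only the attributes we need; -Properties * pulls every attribute
    # for every computer and is slow on large domains.
    Get-ADComputer -Filter 'PasswordLastSet -le $cutoff' `
                   -SearchBase $SearchBase `
                   -Properties PasswordLastSet, OperatingSystem, LastLogonDate |
        ForEach-Object {
            # Accounts that never set a password (pre-created, never joined)
            # have no PasswordLastSet value at all.
            $age = if ($_.PasswordLastSet) {
                [int]((Get-Date) - $_.PasswordLastSet).TotalDays
            } else { $null }
            [pscustomobject]@{
                Name            = $_.Name
                Enabled         = $_.Enabled
                OperatingSystem = $_.OperatingSystem
                PasswordLastSet = $_.PasswordLastSet
                PasswordAgeDays = $age
                LastLogonDate   = $_.LastLogonDate
                # An enabled account that stopped rotating deserves a look first;
                # a disabled one is expected to be stale.
                Priority        = if ($_.Enabled) { 'Review' } else { 'Disabled' }
            }
        } | Sort-Object PasswordAgeDays -Descending
}

$report = Get-StaleComputerReport -MaxAgeDays 90
$report | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\temp\Old_Computers.csv' -NoTypeInformation   # assumed path
```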

Here’s how it works:

1. Computer Account Passwords

Each computer joined to a Windows domain has a corresponding computer account in Active Directory, which includes a password. This password is used to establish a secure channel between the computer and the domain controller.

2. Default Behavior

By default, domain-joined computers are configured to change their machine account passwords every 30 days. This period can be adjusted through Group Policy.

3. Automatic Password Change Process

a. Initiation

  1. Scheduled Task: Windows has a scheduled task that initiates the password change. This task runs based on the computer’s internal schedule.

  2. LSA (Local Security Authority): The Local Security Authority Subsystem Service (LSASS) is responsible for managing the security policies on the local computer. It triggers the password change process.

b. New Password Generation

  1. New Password Creation: The computer generates a new password. This password is typically complex and generated automatically by the system.

  2. API Call: The computer makes a call to the Netlogon service, specifically using the Netlogon API, to initiate the password change with the domain controller.

c. Communication with Domain Controller

  1. Secure Channel: The computer establishes a secure channel with a domain controller. This channel is protected using the existing computer account password.

  2. Password Change Request: The new password, along with the request to change the password, is sent over this secure channel to the domain controller.

d. Active Directory Update

  1. AD Update: The domain controller receives the new password and updates the computer account object in Active Directory with this new password.

  2. Replication: The password change is replicated to other domain controllers within the domain to ensure consistency.

4. Post-Change Activities

a. Local Storage

  1. Local Cache Update: The new password is stored in the computer’s local security database so it can be used for future secure communications with the domain.

  2. Credential Storage: This password is stored securely and is used by services and applications that require domain authentication.

b. Validation

  1. Test Secure Channel: After the password change, the computer tests the secure channel using the new password to ensure it can still communicate with the domain controller.

  2. Fallback Mechanism: If the new password fails, the computer might revert to using the old password to re-establish a secure channel and attempt the password change again.

5. Group Policy Configuration

Administrators can configure the interval for computer password changes through Group Policy:

  • Policy Path: Computer Configuration > Windows Settings > Security Settings > Local Policies > Security Options

  • Policy Setting: Domain member: Maximum machine account password age

  • This policy defines the maximum age that a computer account password can reach before it is changed.

  • The default value is 30 days.

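As an added example (not part of the original page), the check a practitioner would run on a client to confirm the policy above is in effect and the account is actually rotating: it reads the Netlogon registry values that back the Group Policy settings "Domain member: Maximum machine account password age" and "Domain member: Disable machine account password changes", compares the PasswordLastSet held in Active Directory for this computer against the configured maximum, and tests the secure channel as in the validation step above. It assumes an elevated session with the ActiveDirectory module; the 7-day grace margin is an assumption.

```powershell
# Added example (not from the original page): verify the machine password
# rotation policy and state on the local domain-joined computer.
Import-Module ActiveDirectory

function Test-MachinePasswordRotation {
    # The two "Domain member:" Group Policy settings are applied through these
    # Netlogon registry values (MaximumPasswordAge in days, DisablePasswordChange 0/1).
    $key    = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
    $params = Get-ItemProperty -Path $key
    $maxAge = if ($null -ne $params.MaximumPasswordAge) {
        [int]$params.MaximumPasswordAge
    } else { 30 }                                  # value absent: built-in default of 30 days
    $disabled = ($params.DisablePasswordChange -eq 1)

    # What the domain currently holds for this computer account.
    $acct    = Get-ADComputer -Identity $env:COMPUTERNAME -Properties PasswordLastSet
    $ageDays = if ($acct.PasswordLastSet) {
        [int]((Get-Date) - $acct.PasswordLastSet).TotalDays
    } else { $null }

    [pscustomobject]@{
        Computer             = $env:COMPUTERNAME
        MaxPasswordAgeDays   = $maxAge
        ChangeDisabled       = $disabled
        PasswordLastSet      = $acct.PasswordLastSet
        PasswordAgeDays      = $ageDays
        # Rotation has silently stopped if the password is older than policy allows;
        # the 7-day margin (assumed) covers clock skew and replication delay.
        RotationOverdue      = (-not $disabled) -and ($null -ne $ageDays) -and ($ageDays -gt ($maxAge + 7))
        # Verifies the secure channel using the password currently stored locally.
        SecureChannelHealthy = Test-ComputerSecureChannel
    }
}

Test-MachinePasswordRotation | Format-List
```

If RotationOverdue is true and SecureChannelHealthy is false, Test-ComputerSecureChannel -Repair (or Reset-ComputerMachinePassword) re-establishes the channel with a fresh password.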
6. Security Considerations

  • Regularly changing machine account passwords helps mitigate risks associated with stale credentials and potential compromise.

  • Event Logging: Password changes are logged in the event logs, providing a record for audit and troubleshooting purposes.

By managing machine account passwords dynamically and automatically, Windows ensures secure and consistent communication between domain-joined computers and domain controllers, thereby maintaining the integrity of the domain’s security infrastructure.

PowerShell Get-ADComputer Basic Syntax

# PowerShell Get-ADComputer Basic Syntax
Get-ADComputer -Identity "ComputerName"

PowerShell Snippet Get-ADComputer Format-Table

# PowerShell Get-ADComputer Format Output
Get-ADComputer -Filter * | Select-Object Name, OperatingSystem, OperatingSystemVersion | Format-Table -AutoSize

PowerShell Snippet Get-ADComputer -Filter by OS

# PowerShell Get-ADComputer -Filter by OS
Get-ADComputer -Filter 'OperatingSystem -like "*Windows 10*"' | Select-Object Name, OperatingSystem

PowerShell Snippet Get-ADComputer -SearchBase / OU

# PowerShell Get-ADComputer by OU
Get-ADComputer -Filter * -SearchBase "OU=Servers,DC=YourDomain,DC=com" | Select-Object Name, DNSHostName

PowerShell Snippet Get-ADComputer -SearchBase & Where

# PowerShell Get-ADComputer -SearchBase & Where-Object (client-side filtering on OperatingSystem)
Get-ADComputer -SearchBase 'DC=MyNewForest,DC=LOCAL' -Filter * -Properties OperatingSystem | Select-Object Name, OperatingSystem | Where-Object { $_.OperatingSystem -like "Windows Server 2019*" }

PowerShell Snippet Get-ADComputer -SearchBase & -Filter

# Query using the -SearchBase parameter and -Filter (server-side filtering on name and Enabled)
Get-ADComputer -SearchBase 'dc=MyNewForest,dc=local' -Filter { (name -like "My*") -and (Enabled -eq $True) } | Select-Object -ExpandProperty Name
