Detecting Active Windows XP Computers with PowerShell and dsquery

Posted on March 12, 2014

active-directory,
security

With support for XP ending, the following are two ways to list currently active XP workstations.

For Server 2008 R2 and later, using the ActiveDirectory PowerShell module provides nicer output with more detail.

Import-Module ActiveDirectory

$XP = Get-ADComputer -Filter {OperatingSystem -like "*XP*"} `
    -Properties Name, DNSHostName, OperatingSystem, `
        OperatingSystemServicePack, OperatingSystemVersion, PasswordLastSet, `
        whenCreated, whenChanged, LastLogonTimestamp, nTSecurityDescriptor, `
        DistinguishedName |
    Where-Object {$_.whenChanged -gt $((Get-Date).AddDays(-65))} |
    Select-Object Name, DNSHostName, OperatingSystem, `
        OperatingSystemServicePack, OperatingSystemVersion, PasswordLastSet, `
        whenCreated, whenChanged, `
        @{name='LastLogonTimestampDT';`
          Expression={[datetime]::FromFileTimeUTC($_.LastLogonTimestamp)}}, `
        @{name='Owner';`
          Expression={$_.nTSecurityDescriptor.Owner}}, `
        DistinguishedName

Write-Output $XP

For DCs pre Server 2008 R2, similar results can be retrieved with dsquery. Firstly, we need to generate the int64 formatted timestamp

[datetime]::Now.AddDays(-65).ToFileTime()

Once we have the timestamp we can plug it into the dsquery command.

dsquery * domainRoot -filter "(&(objectCategory=computer)(operatingSystem=Windows XP*)(lastLogonTimestamp>=TIMESTAMP))"