{"id":4583,"date":"2025-09-15T20:03:00","date_gmt":"2025-09-16T00:03:00","guid":{"rendered":"https:\/\/adsecurity.org\/?p=4583"},"modified":"2025-09-15T11:09:46","modified_gmt":"2025-09-15T15:09:46","slug":"active-directory-security-tip-3-computer-accounts","status":"publish","type":"post","link":"https:\/\/adsecurity.org\/?p=4583","title":{"rendered":"Active Directory Security Tip #3: Computer Accounts"},"content":{"rendered":"\n

Active Directory computers should be reviewed about once a year. Old operating systems can hold back security progress like keeping SMBv1 and NTLMv1 active. Inactive computers should be discovered and disabled when no longer in use (and eventually removed).

The OperatingSystem & PasswordLastSet attributes are self-explanatory, though we can use the LastLogonDate which represents the last reboot of the computer. The computer password should change every ~30 days by default. We can correlate the PasswordLastSet & LastLogonDate attribute values to determine if a computer is active or not. A blank LastLogonDate value means the computer object is just that and not associated with an actual system.
Computer Password Information<\/a><\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n


PowerShell code (using the Active Directory PowerShell module): <\/strong><\/p>\n\n\n\n

$Domain = $env:userdnsdomain\n$DomainDC = (Get-ADDomainController -Discover -DomainName $Domain).Name\nGet-ADComputer -filter * -Prop name,OperatingSystem,LastLogonDate,PasswordLastSet -Server $DomainDC | sort OperatingSystem | select name,OperatingSystem,LastLogonDate,PasswordLastSet<\/code><\/pre>\n","protected":false},"excerpt":{"rendered":"
Active Directory computers should be reviewed about once a year. Old operating systems can hold back security progress like keeping SMBv1 and NTLMv1 active. Inactive computers should be discovered and disabled when no longer in use (and eventually removed). The OperatingSystem & PasswordLastSet attributes are self-explanatory, though we can use the LastLogonDate which represents the … <\/p>\n
Continue reading<\/a><\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[565,7,2],"tags":[1469,1472],"class_list":["post-4583","post","type-post","status-publish","format-standard","hentry","category-activedirectorysecurity","category-powershell","category-technical-reference","tag-activedirectorysecuritytip","tag-computeraccounts","item-wrap"],"_links":{"self":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4583","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4583"}],"version-history":[{"count":3,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4583\/revisions"}],"predecessor-version":[{"id":4642,"href":"https:\/\/adsecurity.org\/index.php?rest_route=\/wp\/v2\/posts\/4583\/revisions\/4642"}],"wp:attachment":[{"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4583"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4583"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/adsecurity.org\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4583"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}