Showing posts from July, 2015

Sample DS Command

PowerShell is all the hype these days, and rightfully so: you can do just about anything with it. But call me old-fashioned, I still like to use ds commands every now and then; they're quick and dirty. Here are a few samples that query AD to get some basic counts and other information:

# Get a count of enabled and disabled user accounts in the domain
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " no"
dsquery user -limit 0 domainroot | dsget user -dn -disabled | find /c /i " yes"

# Get a count of enabled and disabled computer accounts in the domain
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " no"
dsquery computer -limit 0 domainroot | dsget computer -dn -disabled | find /c /i " yes"

# Get a count of enabled, but inactive (at least 24 weeks) user and computer accounts in the domain
dsquery user -inactive 24 -limit 0 domainroot | dsget user -dn -disabled | find /c /i

GPO and WMI Filters

WMI Filters and GPOs are powerful when used in combination (though evaluating WMI filters may slow down policy processing). Just a few quick examples:

For settings that may need to be applied to workstations, but not servers, one could go with something like this -

WMI queries for workstations vs. servers

SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")      - workstations
SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"      - workstations

ProductType 1 = Desktop OS
ProductType 2 = Server OS – Domain Controller
ProductType 3 = Server OS – Not a Domain Controller

For things like a BitLocker policy that needs to be applied to laptops only, one could go with something like this -

WMI queries for laptops vs. desktops

SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)      - presence of a battery indicates laptop
SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor = 12)      -
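
Before linking a filter to a GPO, the queries above can be run locally on a representative machine to see whether each one would match and how long it takes to evaluate. This is an added example, not code from the original post; the function name Test-WmiFilterQuery is hypothetical, and it assumes the filters use the default root\CIMv2 namespace.

```powershell
# Added example: evaluate WMI filter queries locally, the way a GPO WMI filter is judged.
# A WMI filter is TRUE when its query returns at least one instance.
function Test-WmiFilterQuery {
    param(
        [Parameter(Mandatory)][string]$Query,
        [string]$Namespace = 'root\CIMv2'   # assumption: default namespace for these classes
    )
    $result = [ordered]@{
        Query = $Query; Applies = $false; Instances = 0; Milliseconds = 0; Error = $null
    }
    $timer = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        # @() forces an array so .Count is valid for zero or one result
        $instances = @(Get-CimInstance -Namespace $Namespace -Query $Query -ErrorAction Stop)
        $result.Instances = $instances.Count
        $result.Applies   = $instances.Count -gt 0
    }
    catch {
        # A query that fails to run is reported here as "does not apply";
        # the error text shows whether the cause is syntax or a missing class.
        $result.Error = $_.Exception.Message
    }
    finally {
        $timer.Stop()
        $result.Milliseconds = $timer.ElapsedMilliseconds
    }
    [pscustomobject]$result
}

# The queries from the post, tested as written
$queries = @(
    'SELECT * FROM Win32_OperatingSystem WHERE (ProductType <> "2") AND (ProductType <> "3")',
    'SELECT * FROM Win32_OperatingSystem WHERE ProductType = "1"',
    'SELECT * FROM Win32_Battery WHERE (BatteryStatus <> 0)',
    'SELECT * FROM Win32_PhysicalMemory WHERE (FormFactor = 12)'
)

$queries | ForEach-Object { Test-WmiFilterQuery -Query $_ } |
    Format-Table Applies, Instances, Milliseconds, Query, Error -AutoSize -Wrap
```

Running it on one workstation, one member server and one laptop shows quickly whether a security-relevant policy such as BitLocker would be scoped to the machines intended, and the Milliseconds column gives a rough idea of the per-filter cost during policy processing.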