Retrieves Active Directory computer object information using efficient LDAP queries with flexible property selection and Get-ADComputer compatibility.
- Version Changes
- Overview
- Features
- Performance
- Requirements
- Quick Start
- Parameters
- Examples
- Output Properties
- Performance Optimization
- Troubleshooting
- Compatibility
- UserCertificate Fix: Enhanced certificate handling to display readable certificate information instead of binary arrays
- Certificate Parsing: Automatic parsing of X509 certificates with Subject, Thumbprint, and expiration details
- Multiple Certificate Support: Proper handling of multiple certificates per computer object
- Error Handling: Graceful fallback for certificate parsing failures with meaningful error messages
- Centralized Property Mapping: Complete architectural modernization with single comprehensive mapping table
- Eliminated Code Duplication: Replaced multiple scattered switch statements with centralized mapping system
- Enhanced Maintainability: Single source of truth for all property mappings (80+ properties)
- Improved Performance: Hashtable lookups replace switch statement processing for better performance
- Automatic Special Handling: Centralized detection and processing of special property formatting
- Reverse Lookup Optimization: Efficient LDAP-to-PowerShell property resolution with reverse mapping table
- Consistent Architecture: Unified mapping approach for easier maintenance and extensibility
- Reduced Memory Footprint: Optimized property processing with minimal object duplication
- Enhanced Error Handling: Improved support for non-domain computers and workgroup environments
- Assembly Validation: DirectoryServices availability check before function execution
- Early Connectivity Testing: Pre-flight Active Directory connectivity validation with clear error messages
- Robust Exception Handling: Generic COM exception handling for better cross-platform compatibility
- Graceful Failure: Clean error messages with actionable guidance for common issues
- Network-Aware: Better detection and handling of disconnected/non-domain scenarios
- Memory Safety: Improved null-safe operations and resource cleanup
- First version published on GitHub
- High-performance LDAP queries with Get-ADComputer compatibility
- Batch processing for large datasets
- Memory optimization and garbage collection
- Pipeline input/output support
Get-LDAPComputerObject is a high-performance PowerShell function that retrieves Active Directory computer object information using direct LDAP queries. It provides significant performance improvements over Get-ADComputer while maintaining full output compatibility.
Key Benefits:
- 3-10x faster than Get-ADComputer for large datasets
- 60-80% reduction in memory usage
- Designed for enterprise-scale environments
- Full Get-ADComputer output compatibility
- Optimized batch processing for thousands of computers
- Centralized property mapping architecture for enhanced maintainability
- Full Get-ADComputer output compatibility
- Optimized batch processing for thousands of computers
- Direct LDAP Queries: Bypasses PowerShell AD module overhead
- Batch Processing: Configurable batch sizes for large datasets
- Memory Management: Streaming operations with automatic garbage collection
- Progress Reporting: Real-time feedback for long-running operations
- Connection Efficiency: Optimized LDAP connection management
- Centralized Mapping: Hashtable-based property mapping for optimal performance
- Multi-Domain Support: Query computers across different domains
- Credential Management: Custom credentials for cross-domain operations
- Property Flexibility: Retrieve specific properties or all available properties (80+ properties supported)
- Error Handling: Comprehensive error handling and logging with early connectivity validation
- Security: LDAP injection protection and input validation
- Network-Aware: Intelligent detection of domain connectivity and DirectoryServices availability
- Centralized Property Mapping: Single comprehensive mapping table with 80+ computer properties
- Automatic Special Handling: Intelligent detection of property formatting requirements
- Reverse Lookup Optimization: Efficient LDAP-to-PowerShell property resolution
- Eliminated Code Duplication: Replaced scattered switch statements with unified mapping system
- Enhanced Maintainability: Single source of truth for all property mappings
- Future-Proof Design: Easy addition of new properties through central mapping table
- UserCertificate Parsing: Automatic X509 certificate parsing with readable output
- Certificate Details: Displays Subject, Thumbprint, and NotAfter date for each certificate
- Multiple Certificates: Handles multiple certificates with semicolon separation
- Error Resilience: Graceful fallback for unparseable certificates showing byte length
- Security Information: Easy identification of certificate expiration for security management
- Pre-flight Checks: Active Directory connectivity validation before processing
- Assembly Validation: DirectoryServices availability verification
- Graceful Degradation: Clean error messages for non-domain environments
- Resource Safety: Improved null-safe operations and memory management
- Cross-Platform Ready: Enhanced COM exception handling for better compatibility
- Get-ADComputer Compatible: Drop-in replacement with identical output format
- Pipeline Support: Full pipeline input and output compatibility
- Property Names: Identical property names and data types
- Filter Integration: Works seamlessly with Where-Object and other cmdlets
| Dataset Size | Get-ADComputer | Get-LDAPComputerObject | Improvement |
|---|---|---|---|
| 100 computers | ~2 seconds | ~0.4 seconds | 5x faster |
| 1,000 computers | ~15 seconds | ~2.5 seconds | 6x faster |
| 10,000 computers | ~180 seconds | ~20 seconds | 9x faster |
| Dataset Size | Get-ADComputer | Get-LDAPComputerObject | Reduction |
|---|---|---|---|
| 1,000 computers | ~45 MB | ~10 MB | 78% less |
| 10,000 computers | ~380 MB | ~85 MB | 78% less |
| Dataset Size | Processing Method | Features |
|---|---|---|
| 1-100 computers | Immediate | Fast processing |
| 100-1000 computers | Batch processing | Progress reporting |
| 1000+ computers | Optimized batching | Memory management + Progress |
- PowerShell 5.1 or higher
- Windows operating system (DirectoryServices assemblies)
- Network connectivity to domain controllers
- Domain-joined computer OR appropriate credentials for remote domain access
- Domain user account (minimum)
- Read access to Active Directory computer objects
- Network access to query domain controllers
- Domain-joined computers: Full functionality with current user credentials
- Workgroup computers: Requires explicit credentials and DirectoryServices components
- Remote analysis: Cross-domain operations with appropriate credentials
- Disconnected scenarios: Clear error messages with actionable guidance
- Cross-domain credentials for multi-domain operations
- Elevated privileges for accessing restricted attributes
# Load the function
. .\Microsoft\ActiveDirectory\LDAP\Get-LDAPComputerObject\Get-LDAPComputerObject.ps1
# Get help
Get-Help Get-LDAPComputerObject -Detailed# Get single computer (identical to Get-ADComputer)
Get-LDAPComputerObject -ComputerName "SERVER01"
# Get multiple computers
Get-LDAPComputerObject -ComputerName "SERVER01", "SERVER02", "WORKSTATION01"
# Get specific properties
Get-LDAPComputerObject -ComputerName "SERVER01" -Properties OperatingSystem, DescriptionType: String[]
Required: Yes
Pipeline: Yes
Description: One or more computer names to search for in Active Directory.
# Single computer
Get-LDAPComputerObject -ComputerName "SERVER01"
# Multiple computers
Get-LDAPComputerObject -ComputerName @("SERVER01", "SERVER02")
# Pipeline input
"SERVER01", "SERVER02" | Get-LDAPComputerObjectType: String[]
Required: No
Description: Additional properties to retrieve beyond the default set. Use '*' for all properties.
# Specific properties
Get-LDAPComputerObject -ComputerName "SERVER01" -Properties OperatingSystem, LastLogonDate
# All properties
Get-LDAPComputerObject -ComputerName "SERVER01" -Properties *
# Default properties only
Get-LDAPComputerObject -ComputerName "SERVER01"Type: String
Required: No
Description: The domain to search in. Defaults to current domain.
# Query specific domain
Get-LDAPComputerObject -ComputerName "SERVER01" -Domain "remote.example.com"Type: PSCredential
Required: No
Description: Alternative credentials for domain access.
# Use specific credentials
$cred = Get-Credential
Get-LDAPComputerObject -ComputerName "SERVER01" -Credential $credType: Integer
Required: No
Default: 500
Description: Number of computers to process in each batch.
# Small batches for memory-constrained environments
Get-LDAPComputerObject -ComputerName $largeList -BatchSize 100
# Large batches for high-performance environments
Get-LDAPComputerObject -ComputerName $largeList -BatchSize 1000Type: Switch
Required: No
Description: Suppress progress reporting for automated scripts.
# Suppress progress for automation
Get-LDAPComputerObject -ComputerName $computers -NoProgress# Get computer with default properties
Get-LDAPComputerObject -ComputerName "SERVER01"
# Get computer with operating system information
Get-LDAPComputerObject -ComputerName "SERVER01" -Properties OperatingSystem
# Get computer with certificates (v1.2.0.1 enhancement)
Get-LDAPComputerObject -ComputerName "SERVER01" -Properties UserCertificate
# Example output format for UserCertificate:
# UserCertificate : Subject: CN=SERVER01.domain.com, O=Company, Thumbprint: A1B2C3D4E5F6..., NotAfter: 12/31/2025; Subject: CN=SERVER01-WEB, O=Company, Thumbprint: F6E5D4C3B2A1..., NotAfter: 06/15/2026# Process large computer list efficiently
$computers = 1..1000 | ForEach-Object { "SERVER$($_.ToString('000'))" }
Get-LDAPComputerObject -ComputerName $computers -BatchSize 200
# Import from CSV and process
Import-Csv "computers.csv" |
ForEach-Object { $_.ComputerName } |
Get-LDAPComputerObject -Properties OperatingSystem, LastLogonDate# Server inventory with OS information
Get-LDAPComputerObject -Properties OperatingSystem, LastLogonDate |
Where-Object { $_.OperatingSystem -like "*Server*" } |
Select-Object Name, DNSHostName, OperatingSystem, LastLogonDate |
Export-Csv "ServerInventory.csv" -NoTypeInformation
# Find stale computer accounts
$cutoffDate = (Get-Date).AddDays(-90)
Get-LDAPComputerObject -Properties LastLogonDate |
Where-Object { $_.LastLogonDate -lt $cutoffDate -and $_.Enabled -eq $true } |
Sort-Object LastLogonDate# Query multiple domains
$domains = @("domain1.com", "domain2.com", "domain3.com")
$credential = Get-Credential
$allComputers = foreach ($domain in $domains) {
Write-Host "Querying domain: $domain"
Get-LDAPComputerObject -Domain $domain -Credential $credential -Properties OperatingSystem
}# Compare performance with Get-ADComputer
Measure-Command {
$ldapResults = Get-LDAPComputerObject -Properties OperatingSystem
}
Measure-Command {
$adResults = Get-ADComputer -Filter * -Properties OperatingSystem
}
# Test batch processing performance
Measure-Command {
Get-LDAPComputerObject -ComputerName $largeComputerList -BatchSize 500 -NoProgress
}Always included in output (same as Get-ADComputer):
| Property | Type | Description |
|---|---|---|
| Name | String | Computer name |
| DNSHostName | String | Fully qualified domain name |
| DistinguishedName | String | AD distinguished name |
| Enabled | Boolean | Account enabled status |
| ObjectClass | String | AD object class |
| ObjectGUID | Guid | Unique object identifier |
| SamAccountName | String | SAM account name |
| SID | SecurityIdentifier | Security identifier |
| UserPrincipalName | String | User principal name |
Available through -Properties parameter (80+ properties supported):
| Property | Type | Description |
|---|---|---|
| OperatingSystem | String | Operating system name |
| OperatingSystemVersion | String | OS version |
| OperatingSystemServicePack | String | Service pack information |
| OperatingSystemHotfix | String | Installed hotfixes |
| Description | String | Computer description |
| LastLogonDate | DateTime | Last logon timestamp |
| PasswordLastSet | DateTime | Password last changed |
| Created | DateTime | Object creation date |
| Modified | DateTime | Last modification date |
| Location | String | Physical location |
| ManagedBy | String | Managed by user/group |
| ServicePrincipalNames | String[] | Service principal names |
| IPv4Address | String | IPv4 address |
| IPv6Address | String | IPv6 address |
| AuthenticationPolicy | String | Authentication policy |
| TrustedForDelegation | Boolean | Trusted for delegation |
| AccountExpirationDate | DateTime | Account expiration |
Use -Properties * to retrieve all available AD properties for the computer object (80+ properties including):
- System Properties: ObjectGUID, ObjectClass, SID, DistinguishedName, SamAccountName
- Network Properties: DNSHostName, IPv4Address, IPv6Address, ServicePrincipalNames
- Operating System: OperatingSystem, OperatingSystemVersion, OperatingSystemServicePack, OperatingSystemHotfix
- Security Properties: TrustedForDelegation, AccountNotDelegated, PasswordNeverExpires, Enabled
- Management Properties: ManagedBy, Location, Description, Created, Modified
- Authentication: AuthenticationPolicy, AuthenticationPolicySilo, KerberosEncryptionType
- Advanced Properties: All LDAP attributes with automatic PowerShell-compatible naming
| Environment Size | Recommended Batch Size | Memory Usage | Performance | Architecture Benefits |
|---|---|---|---|---|
| Small (< 1000) | 100-200 | Low | Fast | Centralized mapping efficiency |
| Medium (1000-5000) | 300-500 | Medium | Optimal | Hashtable lookup optimization |
| Large (5000-20000) | 500-1000 | Medium-High | Very Fast | Reduced processing overhead |
| Enterprise (20000+) | 1000+ | High | Maximum | Minimal memory duplication |
- Centralized Mapping: Reduced memory footprint through unified property processing
- Optimized Lookups: Hashtable-based property resolution eliminates duplicate processing
- Small Batches: Use for memory-constrained environments
- Large Batches: Use for high-performance requirements with enhanced efficiency
- Very Large Datasets: Monitor memory usage and adjust batch size accordingly
- Long-Running Operations: Automatic garbage collection with improved resource management
- Use appropriate batch sizes for network conditions
- Consider domain controller proximity and performance
- Monitor network bandwidth usage during bulk operations
- Use -NoProgress for automated scripts to reduce overhead
Cause: Missing DirectoryServices assemblies (typically on non-Windows systems or minimal installations)
Solutions:
- Ensure running on Windows with DirectoryServices components
- Install Remote Server Administration Tools (RSAT) if missing
- Verify PowerShell can load System.DirectoryServices assembly
Cause: Function running on workgroup computer without domain connectivity
Solutions:
- Join computer to Active Directory domain
- Use -Domain and -Credential parameters for remote domain access
- Verify network connectivity to target domain controllers
- Ensure DNS resolution for target domain
Cause: Network connectivity or DNS resolution issues
Solutions:
- Verify domain controller accessibility with Test-NetConnection
- Check DNS configuration and domain controller resolution
- Test with specific domain parameter and credentials
- Verify firewall allows LDAP traffic (ports 389/636)
Cause: Insufficient permissions or authentication issues
Solutions:
- Verify domain user account has read access to computer objects
- Check for restrictions on computer object access in AD
- Use appropriate credentials for cross-domain queries with -Credential
- Verify account is not locked, disabled, or password expired
- Ensure account has "Log on as a service" rights if needed
Cause: Suboptimal batch size or network conditions
Solutions:
- Adjust BatchSize parameter based on environment
- Use -NoProgress for automated scripts
- Monitor memory usage during large operations
- Consider processing during off-peak hours
Cause: Large datasets or insufficient batch management
Solutions:
- Reduce BatchSize for memory-constrained environments
- Process results in smaller chunks
- Use pipeline processing instead of storing all results
- Monitor system memory during operations
# Enable verbose output for troubleshooting
Get-LDAPComputerObject -ComputerName "SERVER01" -Verbose
# Test connectivity before running function
Test-NetConnection -ComputerName "domain.com" -Port 389
# Verify DirectoryServices availability
Add-Type -AssemblyName System.DirectoryServices
# Test with minimal properties and single computer first
Get-LDAPComputerObject -ComputerName "SERVER01"
# Test cross-domain access
$cred = Get-Credential
Get-LDAPComputerObject -ComputerName "SERVER01" -Domain "remote.domain.com" -Credential $cred
# Check LDAP connectivity to domain controller
Test-NetConnection -ComputerName "dc01.domain.com" -Port 389| Error Message | Meaning | Solution |
|---|---|---|
| "System.DirectoryServices is not available" | Missing DirectoryServices assemblies | Install RSAT or ensure Windows DirectoryServices components |
| "not joined to an Active Directory domain" | Workgroup computer or no domain connectivity | Join domain or use -Domain/-Credential parameters |
| "Unable to query Active Directory" | Network/connectivity issue | Check network, DNS, and domain controller accessibility |
| "Access denied" | Permission or authentication issue | Verify credentials and AD permissions |
Perfect drop-in replacement for Get-ADComputer:
# Replace this:
Get-ADComputer -Filter * -Properties OperatingSystem
# With this:
Get-LDAPComputerObject -Properties OperatingSystemFull pipeline input and output compatibility:
# Pipeline input
"SERVER01", "SERVER02" | Get-LDAPComputerObject
# Pipeline output
Get-LDAPComputerObject -Properties OperatingSystem |
Where-Object { $_.OperatingSystem -like "*Server*" } |
Select-Object Name, OperatingSystemIdentical property names and data types as Get-ADComputer for seamless integration with existing scripts. The centralized mapping system in v1.2.0.0 ensures consistent property naming across all 80+ supported properties with automatic special handling for:
- Binary Data: ObjectGUID, SID with proper type conversion
- Date/Time: Created, Modified, LastLogonDate, PasswordLastSet with FileTime conversion
- User Account Control: Enabled, PasswordNeverExpires, TrustedForDelegation with proper flag parsing
- Multi-Value Properties: ServicePrincipalNames, MemberOf with comma-separated formatting
- Network Properties: IPv4Address, IPv6Address with proper string conversion
- Certificate Data: UserCertificate with X509 certificate parsing and readable output format