2

I am an auditor and I have found that two of the users in the company I work for have unlicensed Windows operating systems, which leads me to believe there might be others. I am curious to know if there is any way to extract all of the accounts in the domain that have not activated their Windows?

3 Answers

1

Yes, there are multiple options. From the Scripting Guys Blog, get the Get-ActivationStatus snippet (or function) and try something like this:

Get-ADComputer -Filter * | Get-ActivationStatus | Export-Csv C:\Activation.csv

function Get-ActivationStatus {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true, ValueFromPipelineByPropertyName = $true)]
        [string]$DNSHostName = $Env:COMPUTERNAME
    )
    process {
        try {
            $wpa = Get-WmiObject SoftwareLicensingProduct -ComputerName $DNSHostName `
            -Filter "ApplicationID = '55c92734-d682-4d71-983e-d6ec3f16059f'" `
            -Property LicenseStatus -ErrorAction Stop
        } catch {
            $status = New-Object ComponentModel.Win32Exception ($_.Exception.ErrorCode)
            $wpa = $null    
        }
        $out = New-Object psobject -Property @{
            ComputerName = $DNSHostName;
            Status = [string]::Empty;
        }
        if ($wpa) {
            :outer foreach($item in $wpa) {
                switch ($item.LicenseStatus) {
                    0 {$out.Status = "Unlicensed"}
                    1 {$out.Status = "Licensed"; break outer}
                    2 {$out.Status = "Out-Of-Box Grace Period"; break outer}
                    3 {$out.Status = "Out-Of-Tolerance Grace Period"; break outer}
                    4 {$out.Status = "Non-Genuine Grace Period"; break outer}
                    5 {$out.Status = "Notification"; break outer}
                    6 {$out.Status = "Extended Grace"; break outer}
                    default {$out.Status = "Unknown value"}
                }
            }
        } else {$out.Status = $status.Message}
        $out
    }
}
bjoster
  • 2
    Note, though, that this does not get the unlicensed workstations FROM Active Directory. It gets all workstations and checks the activation status, which requires (a) them to be online and (b) to be run with permissions to execute this check remotely and (c) the workstations to be reachable from PowerShell (i.e. not behind NAT etc.) – TomTom Apr 04 '18 at 13:31
  • Yes, @TomTom is right. It's not possible to get the activation state directly from the AD, as it is not stored there. – bjoster Apr 04 '18 at 13:33
1

Thought about using the Volume Activation Management Tool (VAMT) to get a report?

The Volume Activation Management Tool (VAMT) enables network administrators and other IT professionals to automate and centrally manage the Windows®, Microsoft® Office, and select other Microsoft products volume and retail-activation process. VAMT can manage volume activation using Multiple Activation Keys (MAKs) or the Windows Key Management Service (KMS).

VAMT is designed to manage volume activation for: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2, Microsoft Office 2010, and Microsoft Office 2013. Computers installed with volume editions of Windows XP or Windows Server 2003 cannot be managed using VAMT. However, Office 2010 and Office 2013 products installed on these two operating systems can still be managed.

yagmoth555
0

I am curious to know if there is any way to extract all of the accounts in the domain that have not activated their Windows?

No, there is no way to do this - Active Directory does not track it. There are also good reasons NOT to activate machines, particularly if you do not run a local activation server (mostly: VMs and machines that live only temporarily for development purposes).

There is a PowerShell script provided in another answer which basically executes

Get-ADComputer -Filter * | Get-ActivationStatus

but it does not get the status FROM Active Directory as you asked for. It queries AD for all machines, then asks them.

This has multiple problems:

  • The machine must be online to be checked.
  • The permissions must allow the check.
  • The machine must be reachable, i.e. the call not firewalled and/or behind NAT.
TomTom
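An added example, not part of any answer above: it extends the "query AD, then ask each machine" approach so the report separates hosts that were actually checked from hosts that were offline, firewalled or refused the query, which an audit should treat as unknown rather than unlicensed. It assumes the ActiveDirectory module (RSAT) and WinRM access to the clients, because it uses Get-CimInstance instead of the Get-WmiObject call in the first answer; the function name Get-ActivationAudit and the CSV path are hypothetical.

```powershell
# Added example (not from the answers). Assumes the ActiveDirectory module
# (RSAT) and WinRM/CIM access to the clients; the function name and the CSV
# path are hypothetical.
Import-Module ActiveDirectory

$StatusText = @{
    0 = 'Unlicensed'; 1 = 'Licensed'; 2 = 'Out-Of-Box Grace Period'
    3 = 'Out-Of-Tolerance Grace Period'; 4 = 'Non-Genuine Grace Period'
    5 = 'Notification'; 6 = 'Extended Grace'
}

function Get-ActivationAudit {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DNSHostName
    )
    process {
        # Checked = $false means "unknown", not "unlicensed".
        $row = [pscustomobject]@{ ComputerName = $DNSHostName; Checked = $false; Result = '' }

        if (-not (Test-Connection -ComputerName $DNSHostName -Count 1 -Quiet)) {
            $row.Result = 'Unreachable (offline or ICMP blocked)'
            return $row
        }
        try {
            $products = Get-CimInstance -ClassName SoftwareLicensingProduct `
                -ComputerName $DNSHostName -ErrorAction Stop `
                -Filter "ApplicationID = '55c92734-d682-4d71-983e-d6ec3f16059f'"
        } catch {
            # Access denied, WinRM blocked, RPC errors, ...: keep the reason.
            $row.Result = "Query failed: $($_.Exception.Message)"
            return $row
        }
        if (-not $products) { $row.Result = 'No licensing data returned'; return $row }

        # Same rule as Get-ActivationStatus in the first answer: a non-zero status wins over 0.
        $hit  = $products | Where-Object { $_.LicenseStatus -ne 0 } | Select-Object -First 1
        $code = if ($hit) { [int]$hit.LicenseStatus } else { 0 }
        $row.Checked = $true
        $row.Result  = if ($StatusText.ContainsKey($code)) { $StatusText[$code] } else { "Unknown value $code" }
        $row
    }
}

Get-ADComputer -Filter 'Enabled -eq $true' |
    Where-Object DNSHostName |
    Get-ActivationAudit |
    Export-Csv -Path C:\Activation-Audit.csv -NoTypeInformation
```

Rows with Checked set to False are the machines to re-run later or follow up on by other means; only rows with Checked set to True say anything about activation.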