User Management Guide via Get-ADUser Cmdlet
The Get-ADUser cmdlet in PowerShell (part of the RSAT ActiveDirectory module) provides many parameters for finding domain users. Use the -Identity parameter to look up a single user whose identifier you already know, or -Filter (and -LDAPFilter) to run a search that returns one or more users. In short, Get-ADUser either gets one specified user object or performs a search query that can return many.
By default, the Get-ADUser cmdlet returns only 10 basic attributes out of more than 120 user account properties: DistinguishedName, Enabled (derived from the userAccountControl attribute), GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname and UserPrincipalName. Anything else, such as the time of the user's last password change, is not in the default output and has to be requested with -Properties.
-Identity Parameter (Specify AD Users to Get)
The -Identity parameter specifies which AD user to get. A user can be identified by GUID, SID, sAMAccountName or distinguishedName.
Four Identifiers for Identity Parameters
- distinguishedName (DN)
- samAccountName
- GUID
- SID
Below are some examples of this command: –
Syntax
Get-ADUser -Identity "identifier"
Example: –
Get-ADUser -Identity "ABBEY.Crawford"
Note that the example above identifies the user by sAMAccountName, the most commonly used identifier; the match is case-insensitive, which is why "ABBEY.Crawford" resolves. The other three identifiers are used in the same way. -Identity must match exactly one object and raises a terminating error when nothing matches.
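As an added example (not from the original article), the following fetches the same account through each of the four identifiers and shows how to handle the not-found case, which -Identity raises as a terminating error. It assumes the ActiveDirectory module is loaded and that the article's Abbey.Crawford account exists; the helper function is ours.

```powershell
# Added example: resolve one account through each accepted -Identity form.
# Assumes the ActiveDirectory module (RSAT) and the article's example user.
Import-Module ActiveDirectory

function Resolve-ADUserIdentity {
    param([Parameter(Mandatory)] [string] $Identity)
    try {
        Get-ADUser -Identity $Identity
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # -Identity must match exactly one object; a miss is a terminating error,
        # so callers that want $null instead of an exception have to catch it here.
        Write-Warning "No user matches identity '$Identity'"
        $null
    }
}

$bySam = Resolve-ADUserIdentity 'Abbey.Crawford'   # sAMAccountName

if ($bySam) {
    # The other three identifiers, taken from the object we just fetched.
    $forms = [ordered]@{
        distinguishedName = $bySam.DistinguishedName
        objectGUID        = $bySam.ObjectGUID.ToString()
        objectSid         = $bySam.SID.Value
    }
    foreach ($form in $forms.Keys) {
        $u = Resolve-ADUserIdentity $forms[$form]
        # All four land on the same object. Compare on ObjectGUID: unlike the DN
        # (changes on move or rename) or sAMAccountName (changes on rename), it is
        # fixed for the life of the object, which makes it the right key to store.
        '{0,-18} {1,-50} same object: {2}' -f $form, $forms[$form], ($u.ObjectGUID -eq $bySam.ObjectGUID)
    }
}

Resolve-ADUserIdentity 'no.such.user'   # warns and returns $null instead of throwing
```

When a script stores a reference to a user (for a scheduled job, an audit baseline, a ticket), store the ObjectGUID or SID rather than the name; a rename or an OU move invalidates a stored DN or sAMAccountName but not those two.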
-Filter Parameter (Filter Users based on Property)
If you don't know the exact identifier, use the -Filter parameter with Get-ADUser to return the users whose attributes satisfy a condition.
The following example filters on the Active Directory attribute givenName and returns only users whose given name begins with Abbey. Note that -like is a wildcard match: 'Abbey' without an asterisk matches exactly Abbey, so a trailing * is needed for "begins with" (and a leading * for "contains", which the directory cannot serve from an index and is slower on large domains).
Syntax
Get-ADUser -Filter "filter value"
Example: –
Get-ADUser -Filter "givenName -like 'Abbey*'"
-SearchBase Parameter (Get Users from Specific OU)
To limit the search to a specific OU in AD, use the -SearchBase parameter together with -Filter. -SearchBase accepts the OU's distinguished name (DN).
Syntax
Get-ADUser -Filter "givenName -like 'Abbey*'" -SearchBase "distinguishedName of OU"
Example: –
Get-ADUser -Filter "givenName -like 'Abbey*'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local"
-SearchScope Parameter (Get Users from Specific & Sub OU)
The -SearchScope parameter controls how far below the -SearchBase the search descends. It accepts three values: Base (0) returns only the object named by the SearchBase itself; OneLevel (1) returns objects placed directly in the OU and excludes any child OUs; Subtree (2, the default) returns the OU and every OU nested beneath it at any depth.
So, to find only the user accounts that sit directly in an OU and nothing in its child OUs, use OneLevel; to include children and grandchildren OUs, use Subtree (or omit the parameter). Note that -Filter is mandatory whenever -Identity is not used, so a SearchBase query always needs a filter, even if it is just *.
Syntax
Get-ADUser -Filter * -SearchBase "distinguishedName of OU" -SearchScope Subtree
Example: –
Get-ADUser -Filter "givenName -like 'Abbey*'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local" -SearchScope Subtree
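The following is an added example, not part of the original article, that runs one filter against the same OU under each of the three scopes so the difference is visible. It assumes the ActiveDirectory module is installed and that the Versacorp OU from the examples above exists; the summary function is ours.

```powershell
# Added example: compare -SearchScope values for one filter and base.
# Assumes the ActiveDirectory module (RSAT) and the OU used in the article.
Import-Module ActiveDirectory

$base  = 'OU=Versacorp,DC=milkyway,DC=local'   # assumed OU from the article
$first = 'Abbey'                               # given-name prefix to match

# -Filter takes a string; a PowerShell variable can be expanded into it, with the
# value kept in single quotes so the AD filter parser sees a single literal.
$filter = "givenName -like '$first*'"

function Get-UserCountByScope {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Filter
    )
    foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
        # @() forces an array so .Count is right for 0 or 1 results.
        $users = @(Get-ADUser -Filter $Filter -SearchBase $SearchBase -SearchScope $scope)
        [pscustomobject]@{
            Scope = $scope
            Users = $users.Count
            # Distinct parent containers show which OUs each scope actually reached.
            # (Naive split on the first comma; it does not handle escaped commas in an RDN.)
            OUs   = ($users | ForEach-Object { ($_.DistinguishedName -split ',', 2)[1] } |
                     Sort-Object -Unique) -join '; '
        }
    }
}

Get-UserCountByScope -SearchBase $base -Filter $filter | Format-Table -AutoSize
```

Base returns 0 users because the only object at the base DN is the OU itself, not a user; OneLevel counts only users placed directly in Versacorp; Subtree adds users in nested OUs and is what you get when -SearchScope is omitted.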
Get-Credential (Enabling to Login via Varying Credentials)
By default PowerShell runs the cmdlet as the account logged on to the machine, with that account's permissions. To run it as a different account, call the Get-Credential cmdlet, which prompts for a username and password and returns a PSCredential object, and pass that object to the -Credential parameter of Get-ADUser (or Set-ADUser). Prefer a delegated account that holds only the rights the task needs over a Domain Admin credential, and never hard-code the password in the script.
Syntax
$cred = Get-Credential
Get-ADUser -Identity "Abbey.Crawford" -Credential $cred
-Properties Parameter (Display List of User Properties)
By default, Get-ADUser returns only a handful of properties. To get more, use the -Properties parameter, which accepts a comma-separated list of attribute names or * for every attribute. * is convenient for exploring a single user; when querying many users, name the attributes you need, because -Properties * fetches every attribute of every object from the domain controller.
Syntax
Get-ADUser -Identity "Identifier" -Properties *
Example: –
Get-ADUser -Identity "Abbey.Crawford" -Properties *
This displays an extensive list of user properties, e.g. Title, LastBadPasswordAttempt, StreetAddress, etc.
Get-ADUser Properties Examples
Searching For a Particular Field via Get-ADUser Properties
Say we want every telephone number populated for a user in Active Directory so that we can reach them. A wildcard in Select-Object picks out every property with "phone" in its name. You can use the following command for this purpose:
Get-ADUser -Identity "User Identifier" -Properties * | Select-Object *Phone*
Sort Users with Respect to a Field
We want to list all users in AD, select one field to display and sort by that field. No -Properties argument is needed here, because Name is one of the default properties:
Get-ADUser -Filter * | Select-Object Name | Sort-Object -Property Name
Get Manager of a Particular User
We want the sAMAccountName of a particular user's manager. The Manager attribute holds the manager's distinguished name, so a second Get-ADUser call resolves it (guarded against users with no manager set):
Get-ADUser -Identity "User Identifier" -Properties Manager | Select-Object SamAccountName, @{Name='Manager';Expression={ if ($_.Manager) { (Get-ADUser -Identity $_.Manager).SamAccountName } }}
Display Attributes in the Form of a Table
The same use case as the first one, but now we want the attribute values displayed as a table:
Get-ADUser -Identity "User Identifier" -Properties * | Select-Object Name, *Phone* | Format-Table
Get Particular Attributes from The Complete List of Attributes
We want the name, department and manager of a particular user to see where they sit in the hierarchy. We request just those attributes, select them and display them as a list:
Get-ADUser -Identity "User Identifier" -Properties Department, Manager | Select-Object Name, Department, Manager | Format-List
Export Properties of All Accounts Created in a Specific Time Frame
For auditing purposes it is often necessary to find the accounts created within a particular time frame. Say we want every user account created in the last 180 days, sorted by name and exported to a CSV file for a report.
We can use the following command. Created is the friendly name the module exposes for the whenCreated attribute; only that attribute is requested, since -Properties * would pull every attribute of every user just to test one date:
Get-ADUser -Filter * -Properties Created | Where-Object { $_.Created -gt (Get-Date).AddDays(-180) } | Select-Object Name, Created | Sort-Object Name | Export-Csv C:\Accounts.csv -NoTypeInformation
The result is saved in C:\Accounts.csv.
Get List of Users for Last Password Set/Reset on the Account
The following lists every user in the domain with the date and time the password was last set or reset:
Get-ADUser -Filter * -Properties PasswordLastSet | Format-Table Name, PasswordLastSet
Get Account Creation Date via Get-ADUser Properties
To see when an account was created in AD, request the WhenCreated property. The following lists it for every user; replace -Filter * with -Identity "identifier" for a single user:
Get-ADUser -Filter * -Properties WhenCreated | Format-Table Name, WhenCreated
Get the Value of Extension Attributes
Organizations sometimes use the AD extension attributes (extensionAttribute1 to extensionAttribute15, present once the Exchange schema extensions are installed) to store their own information, for example Office 365 license information in extensionAttribute1. To see that value for a user, request the attribute by name:
Get-ADUser -Identity "Abbey.Crawford" -Properties extensionAttribute1 | Select-Object sAMAccountName, extensionAttribute1
Get the Password Expiry Date
We want to know when a user's password expires. The domain controller computes this in the constructed attribute msDS-UserPasswordExpiryTimeComputed, taking into account the password policy that applies to that user (including fine-grained password policies). Two caveats: a constructed attribute is only returned when you name it in -Properties (it is not included in -Properties *), and for accounts whose password never expires the value is 0x7FFFFFFFFFFFFFFF, which [datetime]::FromFileTime cannot convert and throws on. For a normal account the following shows the next expiry date:
Get-ADUser -Identity "User Identifier" -Properties msDS-UserPasswordExpiryTimeComputed | Select-Object Name, @{Name='PasswordExpires';Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}
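The following is an added example (not part of the original article) that turns the password-last-set listing and the expiry lookup above into one report over every enabled user, handling the two values a bare FromFileTime() call gets wrong: the never-expires sentinel and pwdLastSet = 0 (must change at next logon). It assumes the ActiveDirectory module and a reachable domain; the 90-day staleness threshold and the output path are assumptions.

```powershell
# Added example: password-age report for enabled users that handles the
# values a bare [datetime]::FromFileTime() call cannot.
# Assumes the ActiveDirectory module (RSAT) and a reachable domain.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    # Passwords older than this are flagged regardless of policy (assumed threshold).
    param([datetime] $StaleBefore = (Get-Date).AddDays(-90))

    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute: it is only
    # returned when named explicitly, and it honours fine-grained password
    # policies, unlike a manual pwdLastSet + maxPwdAge calculation.
    Get-ADUser -Filter 'Enabled -eq $true' `
               -Properties PasswordLastSet, PasswordNeverExpires, msDS-UserPasswordExpiryTimeComputed |
    ForEach-Object {
        $raw    = $_.'msDS-UserPasswordExpiryTimeComputed'
        $expiry = $null
        $state  = 'Unknown'

        if ($null -eq $_.PasswordLastSet) {
            # pwdLastSet = 0: the user must change the password at next logon.
            $state = 'MustChangeAtLogon'
        }
        elseif ($_.PasswordNeverExpires -or $raw -eq [int64]::MaxValue) {
            # 0x7FFFFFFFFFFFFFFF is the "never expires" sentinel; FromFileTime() throws on it.
            $state = 'NeverExpires'
        }
        elseif ($raw -gt 0) {
            $expiry = [datetime]::FromFileTime($raw)
            $state  = if ($expiry -lt (Get-Date)) { 'Expired' } else { 'Expiring' }
        }

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            PasswordLastSet = $_.PasswordLastSet
            PasswordExpires = $expiry
            State           = $state
            StalePassword   = ($null -ne $_.PasswordLastSet -and $_.PasswordLastSet -lt $StaleBefore)
        }
    }
}

$report = Get-PasswordExpiryReport
$report | Sort-Object State, PasswordLastSet | Format-Table -AutoSize

# The rows a reviewer wants first: enabled accounts whose password never
# expires or has not been changed within the threshold.
$report | Where-Object { $_.State -eq 'NeverExpires' -or $_.StalePassword } |
    Export-Csv C:\PasswordAudit.csv -NoTypeInformation
```

Filtering on Enabled server-side keeps disabled accounts out of the result instead of fetching them and discarding them later, and the report keeps PasswordNeverExpires separate from the sentinel check because a fine-grained policy can produce the sentinel without the flag being set on the account.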
Export Ad Users to CSV file via Get-ADUser
Get-ADUser is also used together with Export-Csv to write AD users to a CSV file at a path you specify.
A typical export script is a three-stage pipeline:
- Get-ADUser, with the -SearchBase parameter (and the mandatory -Filter), gets every user in the OU and passes the objects to the second command.
- Select-Object keeps only the properties the report needs: Name, DistinguishedName, Enabled, UserPrincipalName and SamAccountName, all of which Get-ADUser returns by default, and passes the trimmed objects to the third command.
- Export-Csv writes the list of users to the CSV file at the specified path.
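The pipeline just described, written out as an added example that is not the article's own script. It assumes the ActiveDirectory module and the Versacorp OU used earlier; the output path and the function name are assumptions.

```powershell
# Added example: export the users of one OU to CSV, following the
# three-stage pipeline described above.
# Assumes the ActiveDirectory module (RSAT) and the article's OU.
Import-Module ActiveDirectory

function Export-OuUsers {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [Parameter(Mandatory)] [string] $Path,
        [ValidateSet('Base', 'OneLevel', 'Subtree')] [string] $SearchScope = 'Subtree'
    )

    # Stage 1: every user under the OU. -Filter is mandatory alongside -SearchBase.
    $users = Get-ADUser -Filter * -SearchBase $SearchBase -SearchScope $SearchScope |
        # Stage 2: keep only the columns the report needs. All five are default
        # properties, so no -Properties argument is required.
        Select-Object Name, DistinguishedName, Enabled, UserPrincipalName, SamAccountName |
        Sort-Object Name

    # Stage 3: write the CSV. -Encoding UTF8 keeps non-ASCII names intact;
    # -NoTypeInformation drops the "#TYPE" header line Windows PowerShell adds.
    $users | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8

    # Return the row count so a caller (or a scheduled task) can sanity-check the file.
    @($users).Count
}

$exported = Export-OuUsers -SearchBase 'OU=Versacorp,DC=milkyway,DC=local' -Path 'C:\VersacorpUsers.csv'
"Exported $exported user(s)"
```

Returning the count lets a scheduled export fail loudly when it writes an empty file, for example after the OU is renamed, rather than silently producing a report with no rows.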
Set-ADUser In-Conjunction with Get-ADUser
Like Get-ADUser, Set-ADUser is a powerful cmdlet. It can be used on its own with its own parameters, but it is mostly used in conjunction with Get-ADUser. Below are two day-to-day use cases that can be achieved with the two cmdlets together.
You can always use Set-ADUser for a single user with the -Identity parameter, and for multiple users by piping Get-ADUser into it. Below is a simple Set-ADUser example.
Set-ADUser -Identity "identifier" -Manager "samAccountName"
-Manager parameter
For example, users' managers regularly need changing because the original manager has left the company or the user has moved to a department under a different manager. The command below achieves this.
The -Manager parameter sets the Manager property of a user object. Note: the identifiers in parentheses are the LDAP display names of the corresponding properties.
The acceptable values for this parameter are:
- A distinguished name
- A GUID (objectGUID)
- A security identifier (objectSid)
- A SAM account name (sAMAccountName)
Example: –
Get-ADUser -Identity "Abbey.Crawford" | Set-ADUser -Manager "AbbeyEckels"
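As an added example (not from the original article), the departed-manager case above done in bulk: every direct report of one manager is moved to another, with a dry run first and a read-back check afterwards. It assumes the ActiveDirectory module; treating AbbeyEckels as the departed manager and Abbey.Crawford as the replacement is an assumption for the example, as is the function name.

```powershell
# Added example: reassign every direct report of a departed manager to a
# new one, with a dry run first and a read-back check afterwards.
# Assumes the ActiveDirectory module (RSAT); the roles given to the article's
# two example accounts are an assumption for this example.
Import-Module ActiveDirectory

function Move-DirectReports {
    param(
        [Parameter(Mandatory)] [string] $OldManager,   # sAMAccountName of the departed manager
        [Parameter(Mandatory)] [string] $NewManager,   # sAMAccountName of the replacement
        [switch] $Preview                              # show the changes without making them
    )
    $old = Get-ADUser -Identity $OldManager
    $new = Get-ADUser -Identity $NewManager

    # The manager attribute stores the manager's DN, so the filter must compare
    # against the DN, not against the name shown in the console.
    $reports = @(Get-ADUser -Filter "Manager -eq '$($old.DistinguishedName)'" -Properties Manager)
    Write-Host ("{0} direct report(s) under {1}" -f $reports.Count, $old.SamAccountName)

    if ($Preview) {
        # -WhatIf makes Set-ADUser print each change it would make without writing to AD.
        $reports | Set-ADUser -Manager $new -WhatIf
        return
    }

    $reports | Set-ADUser -Manager $new

    # Verify by re-reading the attribute rather than trusting that the pipeline
    # completed; anything returned here still points at the wrong manager.
    $reports | Get-ADUser -Properties Manager |
        Where-Object { $_.Manager -ne $new.DistinguishedName } |
        Select-Object SamAccountName, Manager
}

# Preview, then apply. An empty result from the second call means every report was updated.
Move-DirectReports -OldManager 'AbbeyEckels' -NewManager 'Abbey.Crawford' -Preview
Move-DirectReports -OldManager 'AbbeyEckels' -NewManager 'Abbey.Crawford'
```

The -Filter string quotes the DN in single quotes, which breaks if the DN itself contains an apostrophe; in that case switch to -LDAPFilter "(manager=...)" with the DN escaped according to LDAP filter rules.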
Changing Common Attributes with Set-ADUser and Get-ADUser
There is also a frequent need to change the most common attributes, e.g. Title, Department, Office, Address, Phone number and City. Below are examples of these parameters with Set-ADUser, on its own and in conjunction with Get-ADUser.
You can always use Set-ADUser for a single user with the -Identity parameter:
Set-ADUser -Identity "Abbey.Crawford" -Title "Program Manager"
Set-ADUser -Identity "Abbey.Crawford" -Department "Engineering"
Set-ADUser -Identity "Abbey.Crawford" -Office "Huntington"
Set-ADUser -Identity "Abbey.Crawford" -City "NewYork"
All of the above parameters can be combined in one call:
Set-ADUser -Identity "Abbey.Crawford" -Title "Program Manager" -Department "Engineering" -Office "Huntington" -City "NewYork"
The same changes driven from Get-ADUser through the pipeline:
Get-ADUser -Identity "Abbey.Crawford" | Set-ADUser -Title "Program Manager"
Get-ADUser -Identity "Abbey.Crawford" | Set-ADUser -Department "Engineering"
Get-ADUser -Identity "Abbey.Crawford" | Set-ADUser -Office "Huntington"
Get-ADUser -Identity "Abbey.Crawford" | Set-ADUser -City "NewYork"
Conclusion
In summary, Get-ADUser is a powerful cmdlet for filtering users and displaying their properties in one place. Its output can be exported to a CSV file with the Export-Csv cmdlet to produce a report.
GroupID, a smarter azure ad, and active directory groups management solution, offers its own management shell that is much more advanced than the regular Powershell and this command is fully compatible with the GroupID management shell as well along with a lot of other commands to get the required information on the users.