
User Management via the Get-ADUser Cmdlet in PowerShell

Introduction

The Get-ADUser cmdlet in PowerShell provides many parameters for finding one or more users in an Active Directory (AD) domain.

By default, PowerShell runs using the account that is logged on to the machine. If you want to run a command using a different account, capture the credentials first with Get-Credential (which prompts you for them) and then pass them to the cmdlet with the -Credential parameter:

$cred = Get-Credential
Get-ADUser -Identity "identifier" -Credential $cred

Searching for a Specific User

-Identity Parameter

Use the -Identity parameter if you know which AD user you want to get:

Get-ADUser -Identity "identifier"

Specify one of the following for the identifier:

  • DistinguishedName (DN)
  • SamAccountName
  • GUID
  • SID

Example

Get-ADUser -Identity "ABBEY.Crawford"

Limiting a Search to a Particular OU

-SearchBase Parameter

Use the -SearchBase parameter to limit the search to a specific OU, specified by its distinguished name (DN):

Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "distinguishedName of OU"

Example

Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local"

-SearchScope Parameter

Combine the SearchBase and SearchScope parameters to limit the search to a particular OU and a specified number of levels of sub-OUs. For example, to find user accounts in an OU and its immediate child OUs, specify a value of 1 for SearchScope. To include both child and grandchild OUs, use a value of 2.

Get-ADUser -Filter * -SearchBase "distinguishedName of OU" -SearchScope 2

Example

Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local" -SearchScope 2

Filtering for Specific Sets of Users

-Filter Parameter

If you don’t know the exact value of any identifier, you can specify a property to filter on and a value for the filter, as follows:

Get-ADUser -Filter "filter value"

Operators

Operator   Meaning                         Sample expression
-eq        Equal to                        Name -eq 'Inga'
-ne        Not equal to                    Country -ne 'US'
-gt        Greater than                    BadLogonCount -gt '0'
-ge        Greater than or equal           Modified -ge '06-04-2021 12:00:00'
-lt        Less than                       LastLogonTimeStamp -lt '01-08-2020'
-le        Less than or equal              Created -le '01-08-2020'
-like      Wildcard search                 Mail -like '*@xyz.com'
-notlike   Wildcard search with negation   Department -notlike '*'
-and       And                             Country -eq 'US' -and Department -eq 'Operations'
-or        Or                              Country -eq 'US' -or Country -eq 'UK'

Finding Users with a Certain Given Name

To search for a user with his or her first name or part of the name, use the -Filter parameter with the -like clause and a value.

The following example uses the Filter parameter with the AD attribute givenName. It returns users whose givenName matches Abbey.

Get-ADUser -Filter "givenname -Like 'Abbey'"

Finding Users with Similar Names

You can modify the previous command using the wildcard operator to get all users whose name starts with a particular string, as follows:

Get-ADUser -Filter "Name -like 'Abb*'" | Select Name,givenname,surname,samAccountName,distinguishedname | ft

Finding All Enabled Users

If you want to see all enabled users, you can use this cmdlet:

Get-ADUser -filter {Enabled -eq "true"} | ft

Finding Disabled Users

Finding disabled users can be quite valuable to facilitate AD cleanup. A simple command with a single filter, such as -Filter "Enabled -eq 'false'", could return hundreds of disabled users, because some companies prefer to keep their Active Directory objects for auditing purposes. Use the -SearchBase parameter with a specific OU to limit the results. For example, this cmdlet will find all disabled user accounts in a particular OU:

Get-ADUser -Filter "Enabled -eq 'false'" -SearchBase "CN=Users,DC=Knox,DC=lab" -Properties * | Select Name,Enabled |ft

Finding Users Who Have Email Addresses

To find all users who have mailboxes assigned to them, use the following command:

Get-ADUser -Filter {mail -like "*"} -Properties Name,GivenName,mail | ft Name,GivenName,mail

Finding Accounts with Password Expiry Not Set

To strengthen security, you might want to find all accounts whose ‘passwordneverexpires’ attribute is set to true, as follows:

Get-ADUser -Filter {passwordneverexpires -eq "true"} | Select Name, sAMAccountName

Finding Stale User Accounts

At times, we need to filter out the user accounts that have not been in use for some time. Here is how to find all user accounts that have not been used during the last 60 days:

$CutoffDate = (Get-Date).AddDays(-60)
Get-ADUser -Filter "LastLogonDate -lt '$CutoffDate'" -Properties LastLogonDate | Select Name, LastLogonDate

Finding Users Created on a Particular Date

To see all user accounts created on a particular date in Active Directory, you can use this command:

Get-ADUser -Filter {Created -lt '7/30/2021'} | Select Name

Combining Multiple Filters

You can combine multiple filters to define complex criteria for finding users.

Example 1

The following command will return all enabled users from the Sales department:

Get-ADUser -Filter "Enabled -eq 'true' -and Department -like 'Sales'" -Properties * | Select Name, Department |ft

Example 2

The following cmdlet will return all users whose department attribute is not null and whose name begins with the letter A:

Get-ADUser -Filter {Department -like "*"} | Where-Object Name -like 'A*'

Controlling Which Properties Are Displayed

-Properties Parameter

By default, the Get-ADUser command returns only a handful of properties. If you want the extended list of properties of a user, use this cmdlet:

Get-ADUser -Identity "Identifier" -Properties *

Displaying a Specific Set of Properties

Alternatively, you can explicitly list the properties you want to see for a user:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,Enabled,mail,department,company,title,c,st,streetaddress |ft

Displaying Group Membership

To see the membership of a user, use this cmdlet:

Get-ADUser -Identity Abbey.crawford -Properties memberof | Select-Object -ExpandProperty memberof

Displaying Email Address

If you want to see a specific user’s email address, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,mail |ft

Displaying User Principal Name (UPN)

To retrieve a user’s UPN, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,userprincipalname |ft

Displaying SAM Account Name

To display a user’s SAM account name, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,samAccountName |ft

Displaying Display Name

If you want to see the display name of a user (for example, since it might be different in ADUC), you can use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,displayname |ft

Displaying Distinguished Name

To see the distinguished name of a user, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,distinguishedname |ft

Displaying Proxy Addresses

If you want to see the proxy addresses of a user, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,proxyaddresses |ft

Displaying a User’s Manager

To show the SAM account name of a user’s manager, use this command:

Get-ADUser "User Identifier" -Properties * | Select sAMAccountName, @{Name='Manager';Expression={(Get-ADUser $_.manager).sAMAccountName}}

Displaying Employee ID

To see the employee ID of a user, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,employeeid |ft

Displaying Telephone Numbers

To find all phone numbers of a user, use this command:

Get-ADUser -Identity "User Identifier" -Properties * | Select *Phone*

To display these values in the form of a table, use this command:

Get-ADUser -Identity "User Identifier" -Properties * | Select Name, *Phone* | ft

Displaying Password Expiry Date and Time

To see the password expiry date for an account, use this cmdlet:

Get-ADUser -Identity "User Identifier" -Properties msDS-UserPasswordExpiryTimeComputed | Select Name, @{Name='PasswordExpires';Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}
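The one-liner above throws for accounts whose password never expires, because the constructed attribute then holds a sentinel value that [datetime]::FromFileTime cannot convert. The following function, an added example rather than code from the original post, reports expiry for every enabled user in an OU and handles both sentinel values; the OU distinguished name is an assumed placeholder.

```powershell
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase   # assumed OU DN, replace with your own
    )
    $props = 'PasswordNeverExpires', 'PasswordLastSet', 'msDS-UserPasswordExpiryTimeComputed'
    Get-ADUser -Filter "Enabled -eq 'True'" -SearchBase $SearchBase -Properties $props |
        ForEach-Object {
            $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
            # The constructed attribute is a FILETIME with two sentinel values:
            #   0                 -> user must change password at next logon
            #   [int64]::MaxValue -> password never expires (flag set, or no policy applies)
            # FromFileTime throws on the second one, so test before converting.
            $expiry = if ($null -eq $raw -or $raw -eq [int64]::MaxValue) { $null }
                      elseif ($raw -eq 0) { 'Must change at next logon' }
                      else { [datetime]::FromFileTime($raw) }
            [pscustomobject]@{
                SamAccountName       = $_.SamAccountName
                PasswordLastSet      = $_.PasswordLastSet
                PasswordNeverExpires = $_.PasswordNeverExpires
                PasswordExpires      = $expiry
                DaysLeft             = if ($expiry -is [datetime]) {
                                           [math]::Floor(($expiry - (Get-Date)).TotalDays)
                                       } else { $null }
            }
        }
}

# Usage: negative DaysLeft means the password is already expired; $null marks the exempt accounts.
Get-PasswordExpiryReport -SearchBase 'OU=Versacorp,DC=milkyway,DC=local' |
    Sort-Object PasswordExpires |
    Format-Table -AutoSize
```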

Displaying Account Creation Date

To see when a user account was created in AD, use this command:

Get-ADUser -filter * -Properties Name,whencreated | ft Name,WhenCreated

Displaying Last Logon Date and Time

If you want to see the last time a user logged on to any system, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,lastlogondate |ft

Displaying Last Password Change Date and Time

To see when a user last changed their password, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -properties PwdLastSet,PasswordLastSet  | sort Name | ft Name,PwdLastSet,PasswordLastSet

Displaying the Values of Extension Attributes

Organizations can use AD extension attributes to store additional information about users. For example, O365 license information can be stored in ExtensionAttribute1. To see this information, use this cmdlet:

Get-ADUser -Identity "Abbey.Crawford" -Properties * | Select sAMAccountName, extensionAttribute1

Sorting the Output

To sort the output of the Get-ADUser command using a particular property, use the following command:

Get-ADUser -Filter * | Select Name | Sort-Object -Property Name

Exporting Data to a CSV File

Example 1

The following command will find all user accounts created in the last 180 days, sort them by name, and export selected information about them to a CSV file:

Get-ADUser -Filter * -Properties * | Where-Object { $_.Created -gt (Get-Date).AddDays(-180) } | Select-Object Name, Created | Sort-Object Name | Export-Csv C:\Accounts.csv -NoTypeInformation
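The filters from the earlier sections (enabled, stale logon, password never expires) can be combined server-side and exported in one pass, which is the usual shape of an account-hygiene report. This is an added example, not code from the original post; the OU distinguished name and output path are assumed placeholders.

```powershell
Import-Module ActiveDirectory

function Get-RiskyUserReport {
    param(
        [Parameter(Mandatory)] [string] $SearchBase,   # assumed OU DN
        [int] $StaleDays = 60,
        [pscredential] $Credential                     # optional, from Get-Credential as shown above
    )
    $cutoff = (Get-Date).AddDays(-$StaleDays)
    $common = @{
        SearchBase  = $SearchBase
        SearchScope = 'Subtree'
        Properties  = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'Department', 'mail'
    }
    if ($Credential) { $common.Credential = $Credential }

    # Evaluated by the domain controller: enabled accounts that are stale or exempt from expiry.
    # The filter is a double-quoted string so $cutoff expands before it is sent.
    # Accounts that have never logged on have no LastLogonDate and do not match the -lt clause.
    $filter = "Enabled -eq 'True' -and (LastLogonDate -lt '$cutoff' -or PasswordNeverExpires -eq 'True')"

    Get-ADUser -Filter $filter @common |
        Select-Object SamAccountName, Department, mail, LastLogonDate, PasswordLastSet, PasswordNeverExpires,
            @{ Name = 'Reason'; Expression = {
                @(
                    if ($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) { "No logon in $StaleDays days" }
                    if ($_.PasswordNeverExpires) { 'Password never expires' }
                ) -join '; '
            } }
}

# Usage: the Reason column records which condition each account tripped.
Get-RiskyUserReport -SearchBase 'OU=Versacorp,DC=milkyway,DC=local' -StaleDays 60 |
    Sort-Object SamAccountName |
    Export-Csv -Path 'C:\Reports\RiskyUsers.csv' -NoTypeInformation
```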

Example 2

The command below finds all users in a particular OU and outputs selected details about them to a CSV file:

(The command and the resulting CSV file were shown as images in the original post.)

Conclusion

The Get-ADUser command is a versatile way to find one or more users that meet certain criteria. You can control which user properties are displayed and how the information is sorted, and export the output to a CSV file.

If you’re interested in a more comprehensive Active Directory and Azure AD management solution, take a look at Netwrix GroupID. It offers a more advanced management shell that is also fully compatible with PowerShell.

Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.