User Management via Get-ADUser Cmdlet
The Get-ADUser cmdlet in PowerShell provides many parameters for finding domain users. If you already know a user's name, you can look it up with the -Identity parameter. Get-ADUser either retrieves one specified user object or runs a search query that returns multiple users.
By default, Get-ADUser returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, SID, UserPrincipalName, ObjectClass, account status (Enabled: True/False, derived from the userAccountControl AD attribute), and so on. In particular, the default output does not include the time of the last user password change.
Table Of Contents
- Get-ADUser Parameters
- Additional Examples for Get-ADUser
- Get ADUser Group Membership
- Get ADUser OU
- Get ADUser Email Address
- Get-ADUser UPN
- Get-ADUser Enabled
- Get-ADUser Last Logon
- Get-ADUser Samaccountname
- Get-ADUser Name Like
- Get-ADUser Where Name Like
- Get-ADUser Disabled
- Get-ADUser Extended Properties
- Get-ADUser Displayname
- Get-ADUser Distinguishedname
- Get Aduser Proxyaddresses
- Get-ADUser Employeeid
- Get-ADUser Select Object
- Get-User Last Password Change
- Get-ADUser Filter Examples
- Get-ADUser Properties Examples
- Export Active Directory Users to CSV file
- Conclusion
-Identity Parameter (Specify AD Users to Get)
The -Identity parameter specifies which AD user to get. A user can be identified by GUID, SID, sAMAccountName or distinguishedName.
Four Identifiers for Identity Parameters
- distinguishedName (DN)
- samAccountName
- GUID
- SID
Below are some examples of this command:
Syntax
Get-ADUser -Identity "identifier"
Example: –
Get-ADUser -Identity "ABBEY.Crawford"
Note that in the above example we retrieved the information using the sAMAccountName as the identifier. You can use the other identifiers in the same way; sAMAccountName is the most commonly used.
-Filter Parameter (Filter Users based on Property)
If you don't know the exact value of an identifier, you can use the -Filter parameter with Get-ADUser to filter users by the value of an attribute:
The following example uses the -Filter parameter on the Active Directory (AD) attribute givenName and sets the condition accordingly. The filter returns only users whose givenName matches 'Abbey'.
Syntax
Get-ADUser -Filter "filter value"
Example: –
Get-ADUser -Filter "givenname -Like 'Abbey'"
-SearchBase Parameter (Get Users from Specific OU)
Let's say we want the search limited to a specific OU in AD; we can use the -SearchBase parameter to restrict the search to that OU. The SearchBase parameter accepts the OU's distinguished name (DN).
Syntax
Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "distinguishedName of OU"
Example: –
Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local"
-SearchScope Parameter (Get Users from Specific & Sub OU)
The SearchBase and SearchScope parameters are used together to control how far below an OU the search goes, for example to find the user accounts directly under a single OU while excluding its child OUs.
If we want only the immediate children of the OU, we use 1 (OneLevel) for SearchScope; if we want to search the child and grandchild OUs as well, we use 2 (Subtree).
Syntax
Get-ADUser -Filter * -SearchBase "distinguishedName of OU" -SearchScope 2
Example: –
Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local" -SearchScope "2"
Get-Credential (Enabling to Login via Varying Credentials)
By default, PowerShell runs under the account that is logged on to the machine, with that account's permissions. If you want to run the command as a different account, call Get-Credential first so that PowerShell prompts you for that user's credentials, then pass the result to the -Credential parameter of your command.
Syntax
$cred = Get-Credential
Get-ADUser -Identity "identifier" -Credential $cred
-Properties Parameter (Display List of User Properties)
By default, the Get-ADUser cmdlet returns only a handful of properties. If you want the extended list of a user's properties, use the -Properties parameter to display them.
Syntax
Get-ADUser -Identity "Identifier" -Properties *
Example: –
Get-ADUser -Identity "Abbey.Crawford" -Properties *
This parameter displays an extensive list of user properties, e.g. the job title, last bad password attempt, street, etc.
Get ADUser Group Membership
You can use the cmdlet below to see the group membership of a given user.
Get-ADUser -Identity Abbey.crawford -Properties memberof | Select-Object -ExpandProperty memberof
Get ADUser OU
If you want to search for all the users in a specific OU, use the -SearchBase parameter as shown below. We have also used the -Filter parameter to limit the search to users whose given name starts with "Abbey".
Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=Knox,DC=lab"
Get ADUser Email Address
If you want to see a specific user's email address, you can use the cmdlet below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,mail |ft
Get-ADUser UPN
If you want to look up a specific user's user principal name, you can use the cmdlet below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,userprincipalname |ft
Get-ADUser Enabled
If you want to see all the enabled users, you can use the cmdlet below with a filter on the enabled state.
Get-ADUser -Filter "Enabled -eq 'true'" -Properties * | Select Name,Department |ft
Searching for all users may produce a large output. If you only want the account status of a specific user, use the -Filter parameter with two clauses, one for the enabled state and one for the name, as shown below.
Get-ADUser -Filter "Enabled -eq 'true' -and Name -like 'Abbey.Crawford'" -Properties * | Select Name, Department |ft
Get-ADUser Last Logon
If you want to see when a user last logged on to any system, you can use the cmdlets below. The first prints the value of the user's lastLogon attribute, which holds the date and time of the last logon as a raw FILETIME integer, e.g. 132512071622067394, as shown in the screenshot below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,lastlogon |ft
That long number is not readable for someone who simply wants the actual date and time of the user's last logon, so we use the LastLogonDate value instead, which prints it as a real date and time via the cmdlet below, as shown in the screenshot.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,lastlogondate |ft
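One caveat a practitioner should know when reading these values: lastLogon is not replicated between domain controllers, so a single query only reflects the DC that answered, and LastLogonDate is derived from the replicated lastLogonTimestamp, which is only refreshed when it is more than about 14 days stale. The function below is an added example, not code from the original article; it queries every DC for lastLogon, keeps the newest value and converts the raw FILETIME with [datetime]::FromFileTime. It assumes the ActiveDirectory module is loaded and the caller may query each DC.

```powershell
# Added example (not from the original article): ask every domain controller
# for the user's lastLogon and keep the most recent, because lastLogon is a
# per-DC, non-replicated attribute.
function Get-AdUserTrueLastLogon {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    $newest   = 0L
    $newestDc = $null
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            $u = Get-ADUser -Identity $Identity -Server $dc.HostName -Properties lastLogon
        }
        catch {
            # A DC that is unreachable or rejects the query is reported, not fatal
            Write-Warning "Could not query $($dc.HostName): $($_.Exception.Message)"
            continue
        }
        # lastLogon is absent or 0 on a DC that never authenticated this user
        $raw = if ($null -ne $u.lastLogon) { [int64]$u.lastLogon } else { 0L }
        if ($raw -gt $newest) {
            $newest   = $raw
            $newestDc = $dc.HostName
        }
    }

    [pscustomobject]@{
        Identity     = $Identity
        # $null means no DC has any record of a logon for this account
        LastLogon    = if ($newest -gt 0) { [datetime]::FromFileTime($newest) } else { $null }
        ReportedByDc = $newestDc
    }
}

Get-AdUserTrueLastLogon -Identity 'Abbey.Crawford'
```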
Get-ADUser Samaccountname
In the same way, using the -Properties parameter, you can find a user's SAM (Security Account Manager) account name, as shown below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,samAccountName |ft
Get-ADUser Name Like
If you want to search for a user by first name only, or by part of the name, you can use -Filter with a -like clause whose value is that part of the name, as shown below.
Get-AdUser -Filter "Name -like 'Abbey*'"
Get-ADUser Where Name Like
If you want to find users whose department attribute is set (not empty) and whose name starts with the letter A, you can use the cmdlet below.
Get-ADUser -Filter 'Department -like "*"' | Where-Object Name -like 'A*'
Get-ADUser Disabled
Just as you can search for enabled users with two filters and a specific part of the name, you can also look for disabled users with the same command given in the enabled users section. But with the simple command using only one filter, "-Filter "Enabled -eq 'false'"", the output could run to hundreds of disabled users, because some companies prefer not to delete their Active Directory objects for auditing purposes; even in my test lab I had about 2000 disabled users, so I decided to use the -SearchBase filter with a specific OU, and the results were only a handful of disabled users, as shown below.
Get-ADUser -Filter "Enabled -eq 'false'" -SearchBase "CN=Users,DC=Knox,DC=lab" -Properties * | Select Name,Enabled |ft
Get-ADUser Extended Properties
If you simply use the -Identity parameter with a user name, by default the cmdlet shows only a handful of properties, such as DN, Name, status, object class and sAMAccountName, as shown in the screenshot below.
Get-ADUser -Identity Abbey.Crawford
To see all the extended properties of a user, we can use the -Properties parameter with a wildcard; -Properties * shows all the available properties of the user, as shown in the screenshot below.
Get-ADUser -Identity Abbey.Crawford -Properties *
You can also use the -Properties parameter together with Select-Object to show only the properties you explicitly require.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,Enabled,mail,department,company,title,c,st,streetaddress |ft
Get-ADUser Displayname
If you want to see a user's display name (which can differ from the name shown in ADUC), you can use the cmdlet below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,displayname |ft
Get-ADUser Distinguishedname
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,distinguishedname |ft
Get Aduser Proxyaddresses
If you want to see the proxy addresses of a user, use the cmdlet below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,proxyaddresses |ft
Get-ADUser Employeeid
To see the Employee ID of a user, use the cmdlet below.
Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,employeeid |ft
Get-ADUser Select Object
The Select-Object cmdlet selects specified properties of an object or group of objects. It can also select a specific number of items, or items at a specific position in an array.
Utilize the First, Last, Unique, Skip, and Index criteria to choose items from a collection. Use the Property parameter to choose an object’s properties. Select-Object returns new objects with only the chosen properties when you specify properties.
Get-ADUser -filter * -properties * | Where-Object { $_.created -gt (get-date).AddDays(-180)} | select-object Name, Created | sort Name
In the script above, the first cmdlet applies no filter and retrieves all properties; Where-Object then keeps only the users created within the last 180 days; Select-Object picks the Name and Created properties of those users; and the final cmdlet sorts the results alphabetically by name.
Get-User Last Password Change
If you want to see when a user last changed their password, use the cmdlet below. The underlying attribute is pwdLastSet, but it holds the value as a raw FILETIME integer that is not human-readable, so we also use the friendly PasswordLastSet property, which presents the same value as a readable date and time.
Get-ADUser -Identity Abbey.Crawford -properties PwdLastSet,PasswordLastSet | sort Name | ft Name,PwdLastSet,PasswordLastSet
Get-ADUser Filter Examples
The -Filter parameter of the Get-ADUser cmdlet is used primarily to narrow the results to what you need.
List Of Operators for Get-ADUser Filter Parameter
There are multiple operators that you can use with the filter parameter, as follows:
| Operator | Meaning | Sample expression |
|---|---|---|
| -eq | Equal to | Name -eq 'Inga' |
| -ne | Not equal to | Country -ne 'US' |
| -gt | Greater than | BadLogonCount -gt '0' |
| -ge | Greater than or equal | Modified -ge '06-04-2021 12:00:00' |
| -lt | Less than | LastLogonTimeStamp -lt '01-08-2020' |
| -le | Less than or equal | Created -le '01-08-2020' |
| -like | Wildcard search | Mail -like '*@xyz.com' |
| -notlike | Wildcard search with negation | Department -notlike '*' |
| -and | And | Country -eq 'US' -and Department -eq 'Operations' |
| -or | Or | Country -eq 'US' -or Country -eq 'UK' |
Filtering Out the Enabled Accounts
At times, you need to find out which accounts are enabled rather than in a disabled state. You can use the command below for this purpose:
Get-ADUser -filter {Enabled -eq "true"} | ft
Filter Users With Email Addresses
Let us say that you want to find all the users that have a mail address (and therefore usually a mailbox) assigned. Filtering with -like "*" returns only users whose mail attribute is set:
Get-ADUser -Filter 'mail -like "*"' -Properties Name,GivenName,mail | ft Name,GivenName,mail
Get Accounts with Password Expiry Not Set via -Filter Parameter
You may also want to audit your accounts from a security perspective. Use the -Filter parameter to find all accounts with the passwordNeverExpires flag set. That setting is generally not advised unless the account is a service account that critical applications depend on.
Get-ADUser -Filter {passwordneverexpires -eq "true"} | Select Name, sAMAccountName
Wildcard Search
You can use the -like operator for wildcard searches in the Get-ADUser -Filter parameter. For example, we want to get all the users whose names start with the same prefix. To do this, use the command below:
Get-AdUser -Filter "Name -like 'Abbey*'"
Get-ADUser Multiple Filters
You can combine multiple filters in the Get-ADUser command to pick out users based on complex criteria. For example, we want to pick out users that are enabled and have a specific department via Get-ADUser Filter. We can use the below-mentioned command:-
Get-ADUser -Filter "Enabled -eq 'true' -and Department -like 'Sales'" -Properties * | Select Name, Department |ft
Get ADUser -Filter Using Created Date
We want to pick out user accounts by their creation date, for example to establish how many users joined the company before a given date. You can use the Created attribute and apply a date filter on it. The following command lists accounts created before 7/30/2021.
Get-ADUser -Filter {Created -lt '7/30/2021'} | Select Name
Get Users via -Filter Parameters Upon a Hard-Coded Criteria
At times, we need to filter out the user accounts that have not been used for some time.
Below is an example of a Get-ADUser -Filter command that selects the user accounts that have not logged on during the last 60 days:
$CutoffDate = (Get-Date).AddDays(-60)
Get-ADUser -Filter "LastLogonDate -lt '$CutoffDate'" -Properties LastLogonDate | Select Name, LastLogonDate
Get-ADUser Properties Examples
Searching For a Particular Field via Get-ADUser Properties
Let's say we want all of a user's telephone numbers that are populated in Active Directory so that we can reach that user. We can use a wildcard to select every field with "Phone" in its name. Use the command below for this purpose:
Get-ADUser -Identity "User Identifier" -Properties * | Select *Phone*
Sort Users with Respect to a Field
We want to list all the users in AD, select one field to display for each of them, and sort by that field. We can use Get-ADUser with Select-Object and Sort-Object:
Get-ADUser -Filter * | Select Name | Sort-Object -Property Name
Get Manager of a Particular User
We want to get the sAMAccountName of a particular user's manager. The manager attribute holds the manager's distinguished name, so a calculated property resolves it with a second Get-ADUser call:
Get-ADUser "User Identifier" -Properties * | Select sAMAccountName, @{Name='Manager';Expression={(Get-ADUser $_.manager).sAMAccountName}}
Display Attributes in the Form of a Table
Similar to the first use case, but now we want to display the attribute values in the form of a table:
Get-ADUser -Identity "User Identifier" -Properties * | Select Name, *Phone* | ft
Get Particular Attributes from The Complete List of Attributes
We want to get the name, department and manager of a particular user to gain insight into where the user sits in the hierarchy. We select those three properties of the user and display them as a list.
Get-ADUser -Identity "User-Identifier" -Properties * | Select Name, Department, Manager | fl
Export Properties of All Accounts Created in a Specific Time Frame
For auditing purposes, it is often a requirement to get the user properties and find out the accounts that were created during a particular time frame. Let’s say that we want to pick out all the user accounts that were created in the last 180 days and export this information in a CSV file so that the data is present in a report form. We also want the name sorted as well in the CSV.
We can use the command below for this:
Get-ADUser -Filter * -Properties * | Where-Object { $_.Created -gt (Get-Date).AddDays(-180) } | Select-Object Name, Created | Sort-Object Name | Export-Csv C:\Accounts.csv -NoTypeInformation
The output shown above is saved in the CSV file.
Get List of Users for Last Password Set/Reset on the Account
The example below lists every user in the domain with their name and the date and time their password was last set or reset.
Get-ADUser -Filter * -Properties Name,PasswordLastSet | ft Name,PasswordLastSet
Get Account Creation Date via Get-ADUser Properties
We want to know the date on which user accounts were created in AD. The following command lists the creation date for every user:
Get-ADUser -Filter * -Properties Name,whenCreated | ft Name,WhenCreated
Get the Value of Extension Attributes
At times, organizations use the extension attributes of AD to store their own information. One example is O365 license information stored in extensionAttribute1. Let's say we want to see the O365 license owned by a user and that information is stored in extensionAttribute1; we can use the command below to read it:
Get-ADUser -Identity "Abbey.Crawford" -Properties * | Select sAMAccountName, extensionAttribute1
Get the Password Expiry Date
We want to know a user's password expiry date. For a user account, the time of the next required password change is exposed by the constructed attribute msDS-UserPasswordExpiryTimeComputed, a FILETIME integer. We can use the following command to convert it to a readable date:
Get-ADUser -Identity "User Identifier" -Properties msDS-UserPasswordExpiryTimeComputed | Select Name, @{Name='PasswordExpiry';Expression={[datetime]::FromFileTime($_.'msDS-UserPasswordExpiryTimeComputed')}}
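The following function is an added example that is not part of the original article; it serves both the passwordNeverExpires audit in the -Filter section and the expiry computation above. It reports, for every enabled user, the last password set date, the never-expires flag and the computed expiry, and it handles the edge case the one-liner does not: msDS-UserPasswordExpiryTimeComputed holds Int64.MaxValue when the password never expires, and [datetime]::FromFileTime throws on that value. It assumes the ActiveDirectory module is loaded; the function and parameter names are the author's own choice here.

```powershell
# Added example (not from the original article): password expiry audit that
# copes with the never-expires sentinel instead of throwing on it.
function Get-AdPasswordExpiryReport {
    [CmdletBinding()]
    param(
        [string]$SearchBase,          # optional OU DN to scope the query
        [int]$WarnWithinDays = 14     # flag passwords expiring this soon
    )

    $neverExpires = [int64]::MaxValue   # 9223372036854775807 in the attribute
    $params = @{
        Filter     = "Enabled -eq 'true'"
        Properties = 'PasswordLastSet', 'PasswordNeverExpires', 'msDS-UserPasswordExpiryTimeComputed'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    foreach ($u in Get-ADUser @params) {
        $raw     = $u.'msDS-UserPasswordExpiryTimeComputed'
        $expires = $null
        if ($u.PasswordNeverExpires -or $null -eq $raw -or [int64]$raw -ge $neverExpires) {
            # Sentinel value: no expiry date exists, so never convert it
            $state = 'NeverExpires'
        }
        elseif ([int64]$raw -eq 0) {
            # 0 would convert to 1601-01-01; it means no valid last-set time
            # (typically "user must change password at next logon")
            $state = 'MustChange'
        }
        else {
            $expires = [datetime]::FromFileTime([int64]$raw)
            $days    = ($expires - (Get-Date)).Days
            if ($days -lt 0)                   { $state = 'Expired' }
            elseif ($days -le $WarnWithinDays) { $state = 'ExpiringSoon' }
            else                               { $state = 'Ok' }
        }
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            PasswordLastSet      = $u.PasswordLastSet
            PasswordNeverExpires = $u.PasswordNeverExpires
            PasswordExpires      = $expires
            State                = $state
        }
    }
}

# Everything that needs attention, never-expiring accounts listed first
Get-AdPasswordExpiryReport | Where-Object State -ne 'Ok' | Sort-Object State, SamAccountName | Format-Table
```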
Export AD Users to CSV file with Get-ADUser
Get-ADUser is also commonly combined with Export-Csv to export all AD users, or the users of one OU, to a CSV file at a specified path. Such a script has three stages:
- Get-ADUser with the -SearchBase parameter gets the list of all users in that OU and passes the output to the second command.
- The second command uses Select-Object to keep the following properties: Name, DistinguishedName, Enabled, UserPrincipalName and SamAccountName, and passes the output to the third command.
- The third command uses the PowerShell Export-Csv cmdlet to write the list of users to a CSV file at the specified path.
The resulting CSV file is shown below.
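The function below is an added example implementing the three-stage export just described; it is not the article's own script. It assumes the ActiveDirectory module is loaded; the OU DN reuses the one from the SearchBase section and the output path is a placeholder.

```powershell
# Added example (not the article's script): export the users of one OU with
# the five columns the section lists, failing early if the OU does not exist.
function Export-AdUsersFromOu {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$OuDistinguishedName,
        [Parameter(Mandatory)] [string]$CsvPath,
        [ValidateSet('OneLevel', 'Subtree')] [string]$SearchScope = 'Subtree'
    )

    # A mistyped DN would otherwise surface as an unhelpful search error
    try {
        $null = Get-ADOrganizationalUnit -Identity $OuDistinguishedName
    }
    catch {
        throw "OU not found: $OuDistinguishedName ($($_.Exception.Message))"
    }

    # Stage 1 and 2: scoped query, then keep only the required columns
    $users = Get-ADUser -Filter * -SearchBase $OuDistinguishedName -SearchScope $SearchScope |
        Select-Object Name, DistinguishedName, Enabled, UserPrincipalName, SamAccountName

    # Stage 3: write the CSV; -NoTypeInformation keeps the "#TYPE" header line out
    $users | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    Write-Verbose "Exported $(@($users).Count) users to $CsvPath"
    @($users).Count
}

# C:\Temp\ad-users.csv is a placeholder output path
Export-AdUsersFromOu -OuDistinguishedName 'OU=Versacorp,DC=milkyway,DC=local' -CsvPath 'C:\Temp\ad-users.csv' -Verbose
```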
Conclusion
In summary, Get-ADUser is a powerful cmdlet for filtering users and displaying their properties in one place. You can also export its output to a CSV file with the Export-Csv cmdlet to produce a more comprehensive report.
GroupID, a smarter Azure AD and Active Directory group management solution, offers its own management shell that goes beyond the regular PowerShell; this cmdlet is fully compatible with the GroupID management shell, alongside many other commands for retrieving the required information about users.
Jonathan Blackwell
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.