The Get-AdUser cmdlet in PowerShell gets one or more Active Directory users. By default, Get-AdUser retrieves a default set of user properties. Using the Identity parameter, you can specify the Active Directory user whose properties you want to get.
Get-AdUser can return all properties of a user, get a user by SAMAccountName, and use the Filter parameter to get specific user objects.
Using the Get-AdUser Identity parameter, you can get a specific AD user.

In this article, I will explain the Get-ADUser cmdlet to get active directory user objects with different examples.
Note: The PowerShell Get-ADUser cmdlet requires the Active Directory add-on module to be installed.
Let’s understand the PowerShell Get-AdUser cmdlet with syntax and examples.
Let’s practice!
Get-AdUser Syntax
Active Directory Get-AdUser syntax
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] -Filter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADUser> [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] -LDAPFilter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]
Description
Get-AdUser is used to get one or more Active Directory user objects or perform a search to get specific users.
-AuthType – Specifies the authentication method to use: either Basic (or 1) or Negotiate (or 0).
An SSL (Secure Sockets Layer) connection is required to use the Basic authentication method.
-Credential <PSCredential> – Specifies the user credentials used to run the Get-AdUser cmdlet. By default, it uses the credentials of the logged-on user.
To use the Credential parameter, specify a user name such as User1 or domain\User1, or create a PSCredential object with the Get-Credential cmdlet and pass it.
-Identity – Specifies the AD user by one of the following property values:
- Distinguished Name
- SAMAccountName
- Security Identifier
- GUID
The identifier specified in parenthesis is the LDAP display name.
-Partition – Specifies the distinguished name of an Active Directory partition.
-Filter – Specifies a query string (PowerShell Expression Language syntax) to retrieve Active Directory objects. PowerShell wildcards other than * are not supported by the Filter syntax.
-LDAPFilter – Specifies an LDAP query string used to filter Active Directory objects.
Get-AdUser cmdlet returns the default set of properties. However, if you want to get all properties, use the Properties parameter.
Let’s understand using the PowerShell Get-AdUser with different examples.
Get-AdUser Examples
The Get-AdUser cmdlet gets Active Directory user information. It can be used to get all properties of a user, get a user by UserPrincipalName, build an Active Directory login details report, and so on.
Get-AdUser All Properties
Using the Properties parameter, you can get all properties.
Get-ADUser -Identity Toms -Properties *
In the above example, Get-AdUser gets all properties of the user whose SAMAccountName is specified by the Identity parameter.
It prints user properties on the console.

Get AdUser Default and Extended Properties
Get-AdUser cmdlet retrieves a default set of user account properties.
Using the Get-Member cmdlet, you can get a list of the default sets of properties for a Get-AdUser object.
Get-AdUser <user> | Get-Member
Get-Member cmdlet gets the members, properties, and methods of an ad user account object.
You can get the most commonly used Get-AdUser properties.
Get-AdUser <user> -Properties Extended | Get-Member
Passing Extended to the Properties parameter returns the user's extended properties.
You can get a list of all aduser object properties.
Get-AdUser <user> -Properties * | Get-Member
Get-AdUser using SAMAccountName
Using the Get-Aduser Filter parameter, you can get ad user using SAMAccountName.
Get-ADUser -Filter "samaccountname -like 'Toms'"
In the above PowerShell script, the Get-AdUser cmdlet uses the Filter parameter to get the user whose SAMAccountName is like Toms.
It returns the user properties like Name, SID, and UserPrincipalName.
DistinguishedName : CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL
Enabled           : True
GivenName         : Tom
Name              : Tom Smith
ObjectClass       : user
ObjectGUID        : 1f3a2572-2621-4e47-9bdf-81d1f8172f69
SamAccountName    : toms
SID               : S-1-5-21-1326752099-4012446882-462961959-1103
Surname           : Smith
UserPrincipalName : [emailprotected]
Get-AdUser in Specific OU (Organizational Unit)
You can get a list of all AD users in a specific OU (Organizational Unit) using the PowerShell Get-AdUser SearchBase parameter.
Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name
In the above PowerShell script, Get-AdUser gets a list of all users in the OU specified by the SearchBase parameter; the Filter parameter is set to * so that every user in that OU matches.
The output for the users in the specified OU is as below:
DistinguishedName : CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL
Enabled           : True
GivenName         : Erick
Name              : Erick Jones
ObjectClass       : user
ObjectGUID        : 43551543-0214-4656-bd18-9f2dec5f8076
SamAccountName    : ErickJ
SID               : S-1-5-21-1326752099-4012446882-462961959-1105
Surname           : Jones
UserPrincipalName : [emailprotected]

DistinguishedName : CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL
Enabled           : True
GivenName         : Gary
Name              : Gary Willy
ObjectClass       : user
ObjectGUID        : a65bc140-d8dc-43b9-988d-2c0afa163be1
SamAccountName    : garyw
SID               : S-1-5-21-1326752099-4012446882-462961959-2601
Surname           : Willy
UserPrincipalName : [emailprotected]
Export Ad users to CSV file
To export AD users to a CSV file, use Get-AdUser to list the users and their properties, and use the Export-Csv cmdlet to write them to a CSV file at the specified path.
Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name | Select-Object Name, DistinguishedName,Enabled,UserPrincipalName,SamAccountName| Export-Csv -Path C:\get-adusers.csv -NoTypeInformation
In the above PowerShell script:
Get-AdUser gets a list of all users in the specified OU using the SearchBase parameter and passes the output to the second command.
The second command uses Select-Object to select Name, DistinguishedName, Enabled, UserPrincipalName, and SamAccountName and passes the output to the third command.
The third command uses the PowerShell Export-Csv cmdlet to export the list of AD users to a CSV file at the specified path.
The exported CSV file contains the following:
"Name","DistinguishedName","Enabled","UserPrincipalName","SamAccountName"
"Erick Jones","CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[emailprotected]","ErickJ"
"Gary Willy","CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[emailprotected]","garyw"
Get-AdUser Password Last Set Older than X Days
You can get a list of AD users whose passwords were last set more than a specified number of days ago.
Get-ADUser -Filter 'Enabled -eq $True' -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-90)} | select Name,SamAccountName,PasswordLastSet
In the above PowerShell script, the Get-AdUser cmdlet gets a list of AD users who are active, using the Enabled property.
The Enabled property indicates whether the AD user is active or disabled in Active Directory.
The second command uses Where-Object to check whether the PasswordLastSet attribute is more than 90 days old, using the Get-Date cmdlet, and passes the output to the third command.
The third command selects the Name, SamAccountName, and PasswordLastSet properties and prints them on the console.
The output of the above PowerShell script to get AD users whose password was last set more than 90 days ago is as below:
Name       SamAccountName PasswordLastSet
----       -------------- ---------------
Gary Willy garyw          4/25/2021 6:55:50 PM
John Smith johns          4/20/2021 1:08:57 PM
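A password-age audit usually needs to separate three cases the one-liner above lumps together or hides: stale passwords, stale passwords on accounts flagged PasswordNeverExpires, and accounts with no PasswordLastSet value at all. The following is an added example, not code from the original article; Get-PasswordAgeReport is a hypothetical helper name and the sample accounts are constructed so the block runs without a domain.

```powershell
# Added example (not from the original article). Get-PasswordAgeReport is a
# hypothetical helper; it accepts any objects shaped like Get-ADUser output.
function Get-PasswordAgeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        if (-not $User.Enabled) { return }        # same scope as 'Enabled -eq $True'
        if ($null -eq $User.PasswordLastSet) {
            # No timestamp, e.g. "must change password at next logon" is set.
            $age = $null
            $status = 'NoPasswordLastSet'
        } else {
            $age = [int][math]::Floor(($Now - $User.PasswordLastSet).TotalDays)
            if ($age -le $MaxAgeDays) { return }  # password is recent enough
            $status = if ($User.PasswordNeverExpires) { 'StaleNeverExpires' } else { 'Stale' }
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            PasswordLastSet = $User.PasswordLastSet
            AgeDays         = $age
            Status          = $status
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'garyw';  Enabled = $true;  PasswordLastSet = [datetime]'2021-04-25'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'johns';  Enabled = $true;  PasswordLastSet = [datetime]'2021-04-20'; PasswordNeverExpires = $true }
    [pscustomobject]@{ SamAccountName = 'erickj'; Enabled = $true;  PasswordLastSet = $null;                  PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'chrisd'; Enabled = $true;  PasswordLastSet = [datetime]'2021-07-20'; PasswordNeverExpires = $false }
    [pscustomobject]@{ SamAccountName = 'toms';   Enabled = $false; PasswordLastSet = [datetime]'2020-01-01'; PasswordNeverExpires = $false }
)
$sample | Get-PasswordAgeReport -MaxAgeDays 90 -Now ([datetime]'2021-08-01') | Format-Table

# Against a live domain, request only the properties the report needs:
# Get-ADUser -Filter 'Enabled -eq $True' -Properties PasswordLastSet, PasswordNeverExpires |
#     Get-PasswordAgeReport -MaxAgeDays 90
```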
Get AdUser Manager Name
To get an AD user's manager name in Active Directory, run the following command:
get-aduser -Identity chrisd -Properties * | select SAMAccountname, @{Name='Manager';Expression={(Get-ADUser ($_.Manager)).SAMAccountname}}
In the above PowerShell script, Get-AdUser gets the properties of the user specified by the Identity parameter and passes the output to the second command.
The second command selects the SAMAccountName of the given Active Directory user and uses a calculated expression to get the manager name from the Manager attribute.
The output of the above Get-AdUser manager name command is as below:
SAMAccountname Manager
-------------- -------
chrisd         toms
Get-Aduser AccountExpirationDate
You can use the AccountExpirationDate property to get an AD user's account expiration date.
Get-ADUser -filter * -properties AccountExpirationDate | sort Name | ft Name,AccountExpirationDate
In the above PowerShell script, Get-AdUser gets a list of all users.
It retrieves the AccountExpirationDate property and passes the output to the second command.
The second command sorts the users by Name, and the third prints Name and AccountExpirationDate on the console as a table.
Name        AccountExpirationDate
----        ---------------------
Chris Dore  8/1/2021 12:00:00 AM
Erick Jones
Gary Willy
The other AD users don't have an account expiration date set, hence they have an empty value.
Get AdUser BadPwdCount
Users often try to log in to the system using an old password, which results in the account being locked out.
An Active Directory user account has a badpwdcount attribute which stores the count of bad password attempts.
By default, it has a value of 0. The badpwdcount attribute is incremented when a user attempts a bad password.
The badpwdcount value is reset to 0 on successful login.
To get an AD user's badpwdcount, use the following PowerShell script:
Get-ADUser -Identity Toms -Properties * | Select-Object badpwdcount
It gets the user specified by the Identity parameter and returns the user account's badpwdcount.
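badPwdCount is not replicated between domain controllers: each DC keeps its own counter, so a single query can return 0 while another DC has recorded failed attempts. The following added example (not code from the original article) merges per-DC readings into one view; Merge-BadPwdReading is a hypothetical helper name, and the DC names and readings are constructed so the block runs without a domain.

```powershell
# Added example (not from the original article). Merge-BadPwdReading is a
# hypothetical helper; the DC names and readings below are constructed.
function Merge-BadPwdReading {
    param([Parameter(Mandatory)] [object[]] $Reading)
    $Reading | Group-Object SamAccountName | ForEach-Object {
        # Highest counter and most recent failure seen on any domain controller.
        $worst  = $_.Group | Sort-Object badPwdCount -Descending | Select-Object -First 1
        $latest = $_.Group | Sort-Object badPasswordTime -Descending | Select-Object -First 1
        # badPasswordTime is a FILETIME integer; 0 means no failure recorded.
        $last = $null
        if ($latest.badPasswordTime -gt 0) {
            $last = [datetime]::FromFileTimeUtc($latest.badPasswordTime)
        }
        [pscustomobject]@{
            SamAccountName  = $_.Name
            MaxBadPwdCount  = $worst.badPwdCount
            SeenOn          = $worst.Server
            LastBadPassword = $last
            LockedOut       = [bool]($_.Group | Where-Object LockedOut)
        }
    }
}

# Constructed readings: the same user as seen by two domain controllers.
$failTime = [datetime]::new(2021, 8, 1, 9, 15, 0, [DateTimeKind]::Utc).ToFileTimeUtc()
$readings = @(
    [pscustomobject]@{ Server = 'DC01.SHELLPRO.LOCAL'; SamAccountName = 'toms'
                       badPwdCount = 0; badPasswordTime = [int64]0; LockedOut = $false }
    [pscustomobject]@{ Server = 'DC02.SHELLPRO.LOCAL'; SamAccountName = 'toms'
                       badPwdCount = 3; badPasswordTime = $failTime; LockedOut = $false }
)
Merge-BadPwdReading -Reading $readings

# Against a live domain, collect one reading per domain controller:
# $readings = foreach ($dc in Get-ADDomainController -Filter *) {
#     Get-ADUser -Identity Toms -Server $dc.HostName `
#                -Properties badPwdCount, badPasswordTime, LockedOut |
#         Select-Object SamAccountName, badPwdCount, badPasswordTime, LockedOut,
#                       @{ Name = 'Server'; Expression = { $dc.HostName } }
# }
```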
Get AdUser Manager SamAccountName
Using Get-AdUser, you can get an AD user's manager SamAccountName.
The user has a Manager attribute which contains the manager's distinguished name.
To get the manager's SamAccountName for the user, run the following script:
$user = "garyw"
$Manager = get-aduser $user -properties * | Select -ExpandProperty Manager
get-aduser $Manager -properties * | Select SamAccountName,DisplayName
In the above PowerShell script to get the manager SamAccountName of the user garyw, the $user variable stores the user name.
The second command uses the Get-AdUser command to get all properties of the user. It selects the Manager property and stores it in the $Manager variable.
The third command again uses Get-AdUser to get the manager's SamAccountName and display name.
Conclusion
I hope the above guide on the PowerShell Get-ADUser cmdlet in Active Directory is helpful to you in your daily tasks to get Active Directory users, get all properties of a user, and much more.
You can get the default set of AD user properties. To get additional properties, use the Properties parameter.
You can use the Filter or LDAPFilter parameter to search for one or more AD users in Active Directory using PowerShell expression language.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.