Get-AdUser in Multi Domain Forest

In an organization whose Active Directory forest contains multiple domains and child domains, listing every user across the whole forest is not straightforward.

By default, the Get-AdUser cmdlet returns only users from the domain the current user is logged on to. To get AD users across a multi-domain forest, or the entire forest, use the Get-AdDomainController cmdlet to find a domain controller in each domain and query each of them.

In this article, I will explain how to use Get-AdUser in a multi-domain forest to get a list of users in the entire forest and export the user list to a CSV file.

To get a list of Active Directory users from different domains in a multi-domain forest, we will need the Get-AdForest, Get-AdDomainController, and Get-AdUser cmdlets.

Let's look at how to get AD users in the entire forest using PowerShell in the examples below.

Get-AdUser in Multi-Domain Forest

To get users in a multi-domain forest, first find all the domains in the Active Directory forest. Then, for each domain, find a domain controller to query.

Once you have a list of domain controllers, query each one for users with the Get-AdUser cmdlet.

Run the script below to get AD users in the entire forest:

# Get all domains in the Active Directory forest
$Domains = (Get-ADForest).Domains

# Discover one domain controller (the PDC emulator) in each domain
$DClist = ForEach ($Domain in $Domains) {
    Get-ADDomainController -DomainName $Domain -Discover -Service PrimaryDC | Select-Object -ExpandProperty HostName
}

# Get AD users from each domain controller (-Properties * returns every attribute, which is slow for large domains)
$ADUsersList = ForEach ($DC in $DClist) {
    Get-ADUser -Server $DC -Filter * -Properties *
}

# Export the combined user list to a CSV file
$ADUsersList | Export-Csv -Path C:\ADUserList.csv -NoTypeInformation

In the above PowerShell script:

  1. Get the list of domain names in the forest using the Get-AdForest cmdlet.
  2. Using ForEach, iterate over $Domains and get the host name of a domain controller in each domain using the Get-AdDomainController cmdlet.
  3. Using ForEach, iterate over $DCList and get the AD users of each domain using the Get-AdUser cmdlet with the -Server parameter.
  4. Using the Export-Csv cmdlet, export the list of AD users in the entire forest to a CSV file.

The script above exports the list of AD users in the entire forest to the CSV file.
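The same forest-wide inventory, written as an added example rather than the article's own script: it discovers a writable domain controller per domain, requests only a handful of attributes instead of -Properties *, records which domain each user came from, and keeps going when one domain cannot be reached. It assumes the ActiveDirectory module is installed and that the account running it has read access in every domain; the output path and the property list are assumptions for this example.

```powershell
# Added example (not the article's script): forest-wide user inventory with a
# reduced property set, a Domain column, and per-domain error handling.
# Assumes the ActiveDirectory module is available and the running account can
# read users in every domain of the forest.
Import-Module ActiveDirectory

# Output path and attribute list are assumptions for this example
$OutputPath = 'C:\ADUserList.csv'
$Properties = @('SamAccountName', 'UserPrincipalName', 'Enabled',
                'LastLogonDate', 'PasswordLastSet', 'whenCreated')

$Domains = (Get-ADForest).Domains

$ForestUsers = ForEach ($Domain in $Domains) {
    try {
        # Discover a writable DC in this domain instead of hard-coding a name
        $DC = Get-ADDomainController -DomainName $Domain -Discover -Writable |
              Select-Object -ExpandProperty HostName

        # Request only the attributes the inventory needs; -Properties * is far
        # heavier on the DC and the network for large domains
        Get-ADUser -Server $DC -Filter * -Properties $Properties |
            Select-Object -Property (@(@{ Name = 'Domain'; Expression = { $Domain } }) + $Properties)
    }
    catch {
        # A single unreachable domain should not abort the whole inventory
        Write-Warning "Failed to query domain '$Domain': $($_.Exception.Message)"
    }
}

$ForestUsers | Export-Csv -Path $OutputPath -NoTypeInformation -Encoding UTF8
Write-Host "Exported $(@($ForestUsers).Count) users from $(@($Domains).Count) domain(s) to $OutputPath"
```

The Domain column matters when the same sAMAccountName exists in more than one domain of the forest, which the CSV from the original script cannot tell apart; the -Writable switch only asks the locator for any writable DC, so the query does not always land on the PDC emulator.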

Important Note:

If you try to get a user from another domain in a multi-domain environment by looking the account up with the Get-AdUser cmdlet like below

Get-ADUser -Identity Toms

you will receive the error below, because the lookup is scoped to the domain you are logged on to (Sales in this example):

Get-ADUser : Cannot find an object with identity: 'Toms' under: 'DC=Sales,DC=SHELL,DC=com'.

Hence, to get AD users across multiple domains, you need to query the global catalog. First, find a domain controller that hosts the global catalog using the command below

Get-ADDomainController -Discover -Service GlobalCatalog

It returns a domain controller whose IsGlobalCatalog attribute is True.

Once you have a global catalog domain controller, pass its host name to the -Server parameter of Get-ADUser to get a list of users from different domains in the Active Directory forest.

In the example script above, Get-AdUser with the -Server parameter pointed at the discovered domain controller gets the list of AD users in that domain, as below

Get-ADUser -Server $DC -Filter * -Properties *
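An added example (not from the article) of the global catalog lookup the note describes: it discovers a global catalog server and then queries it on the global catalog LDAP port, 3268, so that a single sAMAccountName is resolved across every domain in the forest. The account name is a placeholder; the example assumes the ActiveDirectory module is available.

```powershell
# Added example (not the article's code): find a user anywhere in the forest
# by querying a global catalog server on port 3268.
# Assumes the ActiveDirectory module is available.
Import-Module ActiveDirectory

$SamAccountName = 'Toms'   # placeholder account name for this example

# Discover a domain controller that hosts the global catalog
$GC = Get-ADDomainController -Discover -Service GlobalCatalog |
      Select-Object -ExpandProperty HostName

# Port 3268 is the global catalog's LDAP port. Without it, -Server targets
# the DC's own domain partition only and the query is scoped to that domain.
$GCServer = "${GC}:3268"

# Only attributes replicated to the global catalog (the partial attribute
# set) can be requested from a GC; SamAccountName and UserPrincipalName are
# part of it, while many custom or rarely used attributes are not.
$Users = Get-ADUser -Server $GCServer `
                    -Filter "SamAccountName -eq '$SamAccountName'" `
                    -Properties UserPrincipalName

if ($Users) {
    # DistinguishedName shows which domain each match lives in
    $Users | Select-Object SamAccountName, UserPrincipalName, DistinguishedName
}
else {
    Write-Warning "No user with SamAccountName '$SamAccountName' found in the forest."
}
```

Because a sAMAccountName is only unique within a domain, the query may return several objects from different domains; the DistinguishedName column is what distinguishes them. If you later need an attribute that the global catalog does not hold, take the DistinguishedName of the match and query a domain controller of that domain on the standard port.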

I hope the article above on how to get AD users in a multi-domain forest using PowerShell is helpful to you.

