
Get-AdUser in Multi Domain Forest

In an organization whose Active Directory forest contains multiple domains and child domains, listing every user in the forest is not straightforward.

The Get-ADUser cmdlet returns only users from the domain the current user is logged on to. To get users from a multi-domain forest, or from the entire forest, combine it with the Get-ADDomainController cmdlet.

In this article, I will explain how to get AD users in a multi-domain forest, or a list of users in the entire forest, and export the user list to a CSV file.

To get a list of Active Directory users from different domains in a multi-domain forest, we will need the Get-ADForest, Get-ADUser, and Get-ADDomainController cmdlets.

Let's walk through getting AD users in the entire forest using PowerShell in the examples below.

Get-AdUser in Multi-Domain Forest

To get users in a multi-domain forest, first find all domains in the Active Directory forest. For each domain, find a domain controller.

Once you have a list of domain controllers, query each one with the Get-ADUser cmdlet.

Run the script below to get AD users in the entire forest:

# Get every domain in the Active Directory forest
$Domains = (Get-ADForest).Domains

# Get one domain controller (the PDC emulator) per domain
$DClist = ForEach ($Domain in $Domains)
{
    Get-ADDomainController -DomainName $Domain -Discover -Service PrimaryDC | Select-Object -ExpandProperty HostName
}

# Get AD users from each domain controller.
# -Properties * retrieves every attribute; restrict it to the attributes you need on large domains.
$ADUsersList = ForEach ($DC in $DClist)
{
    Get-ADUser -Server $DC -Filter * -Properties *
}

# Export the combined user list to a CSV file
$ADUsersList | Export-Csv -Path C:\ADUserList.csv -NoTypeInformation

In the above PowerShell script:

  1. Get the list of domain names in the forest using the Get-ADForest cmdlet.
  2. Using ForEach, iterate over $Domains to get the HostName of a domain controller in each domain using the Get-ADDomainController cmdlet.
  3. Using ForEach, iterate over $DClist to get the AD users of each domain using the Get-ADUser cmdlet.
  4. Using the Export-Csv cmdlet, export the list of AD users in the entire forest to a CSV file.

The script above exports the list of AD users in the entire forest into the CSV file.

Important Note:

If you try to get an AD user in a multi-domain environment using the Get-ADUser cmdlet like below:

Get-ADUser -Filter {SamAccountName -eq "Toms"}

You will receive the error below:

Get-ADUser : Cannot find an object with identity: 'Toms' under: 'DC=Sales,DC=SHELL,DC=com'.

Hence, to get AD users in a multi-domain forest, or users in different domains, you need to query the global catalog. First, check whether a domain controller is a global catalog using the command below:

Get-ADDomainController -Discover -Service GlobalCatalog

It returns a domain controller whose GlobalCatalog attribute is True.

Once you have a global catalog domain controller, pass its name to the -Server parameter of Get-ADUser to get a list of users from different domains in the Active Directory forest.

In the example script above, pointing Get-ADUser at a domain controller with -Server returns the list of AD users of that domain, as below:

Get-ADUser -Server $DC -Filter * -Properties *
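The following script is an added example, not the original post's code. It shows the global catalog lookup described above done end to end: discover a GC, query it on the global catalog LDAP port 3268 for one account across the whole forest, then export a forest-wide user list with a restricted attribute set and per-domain error handling. It assumes the ActiveDirectory module is installed and the caller can read every domain; the account name and output path are placeholders.

```powershell
# Added example: forest-wide user lookup through a global catalog, then a
# per-domain export. Placeholder values: $SamAccountName and $OutputPath.
Import-Module ActiveDirectory

$SamAccountName = 'Toms'                      # placeholder account to look up
$OutputPath     = 'C:\Temp\ForestUsers.csv'   # placeholder export path

# 1. Discover a global catalog server and append the GC port. A GC holds a
#    partial replica of every domain, so one query on 3268 covers the forest.
$Gc       = Get-ADDomainController -Discover -Service GlobalCatalog
$GcHost   = $Gc.HostName | Select-Object -First 1
$GcServer = '{0}:3268' -f $GcHost

# 2. Look up a single account forest-wide. Only attributes in the GC partial
#    attribute set are returned here (for example, memberOf is not complete).
$Match = Get-ADUser -Server $GcServer -Filter "SamAccountName -eq '$SamAccountName'" |
    Select-Object SamAccountName, DistinguishedName, Enabled

if (-not $Match) {
    Write-Warning "No account named $SamAccountName was found in the forest."
}

# 3. Full export: query each domain directly, but only for the attributes you
#    need. '-Properties *' pulls every attribute, which makes the CSV a much
#    more sensitive artefact than it has to be.
$Wanted = 'SamAccountName', 'UserPrincipalName', 'Enabled',
          'LastLogonDate', 'PasswordLastSet', 'DistinguishedName'

$ForestUsers = foreach ($Domain in (Get-ADForest).Domains) {
    try {
        # -Server accepts a domain DNS name; the DC locator picks a DC for it.
        Get-ADUser -Server $Domain -Filter * -Properties $Wanted -ErrorAction Stop |
            Select-Object -Property $Wanted
    }
    catch {
        # Unreachable domain (trust, firewall, offline DC): report and keep going.
        Write-Warning "Could not query ${Domain}: $($_.Exception.Message)"
    }
}

$ForestUsers | Export-Csv -Path $OutputPath -NoTypeInformation
```

The DistinguishedName column identifies the source domain of each row, so no calculated property is needed to keep the export readable across domains.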

Cool Tip: How to use search-adaccount cmdlet in PowerShell!

Conclusion

I hope the above article on how to get AD users in a multi-domain forest using PowerShell is helpful to you.

Read more on how to export AD users to a CSV file in PowerShell.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.