The Get-AdUser cmdlet is used to get one or more active directory users, use the Get-AdUser filter or LDAPFilter parameters to search effectively for Active Directory users with PowerShell.
The Get-ADUser Filter parameter uses the PowerShell expression language to write query strings that get adusers objects. Get aduser filter parameter syntax does not support PowerShell wildcards other than * and ? for active directory wildcard search operation.
In this blog, I will explain how to effectively use the Get-AdUser Filter parameter to search, and retrieve aduser objects with PowerShell and get multiple filters on get-aduser.
Get-AdUser Filter Syntax
The Get-AdUser Filter parameter uses PowerShell expression language as below
<filter> ::= "{" <FilterComponentList> "}"
Where, <FilterComponentList> is
<FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent>
Let’s understand FilterComponentList as below
<FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")"
In the above syntax,
<attr> ::= PropertyName or LDAPDisplayName of attribute
<value> ::= compare value with attr using <FilterOperator>
<FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
<FilterOperator> contains different types of operators like equal to, not equal to, greater than, wildcard search, etc.. to get aduser from active directory.
<JoinOperator> ::= "-and" | "-or"
<JoinOperator> has and, or to join the query to get aduser object using the filter.
<NotOperator> ::= "-not"
Let’s understand get aduser filter parameter examples as below
Get-AdUser Filter Name like
To get aduser using a filter name like the variable specified, run the below command
$UserName = "Erick Jones"
Get-AdUser -Filter {Name -like $UserName}
The first command stores the user name in a variable $UserName.
The second command gets ad user filter name like the variable $UserName specified. In the second command, to use a variable in the filter, the filter condition is wrapped in curly braces.
Get-AdUser Filter DistinguishedName
To get aduser filter by distinguishedname from the active directory, run the below command
Get-ADUser -Filter "DistinguishedName -like 'CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL'"
This command gets aduser with a distinguishedname like the specified 'CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL'
Get-AdUser Filter SamAccountName
To find an active directory user filter using SamAccountName, run the below command
Get-ADUser -Filter {SamAccountName -eq 'garyw'}
This command gets aduser with SamAccountName equal to garyw.
You can also use other <FilterOperator> like not equal to, like to get ad user using SamAccountName. To use a variable in the Get-AdUser filter, the filter condition is wrapped in curly braces.
Get-AdUser Filter Properties
The Get-AdUser cmdlet in Active Directory retrieves the default set of user properties. To get additional properties, use the Properties parameter.
To get a filtered list of users and additional properties where the name like specified, run the below command
Get-ADUser -Filter {Name -like 'Gary Willy'} -Properties *
This command gets aduser filter where the name like Gary Willy and retrieves additional properties.
Get Enabled Users from AD
To find active enabled users from an active directory, run the below command
Get-ADUser -Filter * -Property Enabled | Where-Object {$_.Enabled -like "true"} | FT Name, Enabled -Autosize
In the above PowerShell script,
Get-AdUser cmdlet in the active directory retrieves the adusers filter by Enabled property and has the value true.
Cool Tip: How to get aduser using userprincipalname in PowerShell!
Get-AdUser Multiple Filters
To get aduser from a specific OU having enabled status and passwordlastset in a specific date, use Get-AdUser multiple filters on attributes as below
Get-ADUser -Filter "Enabled -eq 'true' -and PasswordLastSet -lt '08/01/2021'" -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Properties * | Select Name,PasswordLastSet
In the above PowerShell script,
We have used multiple filters with the Get-AdUser cmdlet to get ad users having enabled status as true and passwordlastset less than the specified date in OU
In the above command, Get-AdUser Multiple Filters on attributes used are Enabled -eq 'true' and PasswordLastSet -lt '08/01/2021' and both these filters are joined using and operator.
Get-AdUser Filter Examples
Let’s understand other commonly used scripts to get aduser filters by different properties with PowerShell.
Get AdUser Filter using Created Date
To retrieve adusers filter using the created date, run the below command
Get-ADUser -Filter {Created -lt '08/02/2021'} | Select Name
This command gets ad user created before the specified date.
Get Active Directory Users in the Department
To get aduser from a specific department in an active directory, run the below command
Get-ADUser -Filter "Department -like 'HR'"
Cool Tip: How to get active directory user company name using PowerShell!
Get-AdUser Filter by Email Address
To get aduser object in an active directory by email address, run the below command
Get-ADUser -Filter "Mail -like '[email protected]'
Get-AdUser Filter by Country
To find active directory users filtered by country, run the below command
Get-ADUser -Filter "Country -eq 'US'"
Cool Tip: Using Get-ADObject to find active directory objects in PowerShell!
Conclusion
I hope the above-detailed article on using the Get-AdUser Filter parameter with examples is helpful to you. We have learned how to get multiple filters on Get-AdUser attributes.
You can retrieve active directory users effectively using the get aduser filter parameter.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.