
Get-AdUser in Multi Domain Forest

In an organization whose Active Directory contains multiple domains and child domains, listing every user in the forest is not straightforward. The Get-ADUser cmdlet returns only users from the domain the current user is logged on to. To get AD users from a multi-domain forest, or from the entire forest, the Get-ADDomainController cmdlet can be used to locate a domain controller for each domain.

In this article, I will explain how to get AD users in a multi-domain forest, that is, how to get a list of users in the entire forest, and how to export that user list to a CSV file.

To get a list of Active Directory users from a multi-domain forest, or from several different domains, we will need the Get-ADForest, Get-ADDomainController and Get-ADUser cmdlets.

Let's look at how to get AD users in the entire forest using PowerShell in the examples below.

Get-AdUser in Multi Domain Forest

To get users in a multi-domain forest, first find all the domains in the Active Directory forest. Then, for each domain, find a domain controller in that domain.

Once you have a list of domain controllers, query each of them for users with the Get-ADUser cmdlet.

Run the script below to get AD users in the entire forest:

# The ActiveDirectory module (RSAT) provides Get-ADForest, Get-ADDomainController and Get-ADUser
Import-Module ActiveDirectory

# Get the list of domains in the Active Directory forest
$Domains = (Get-ADForest).Domains

# Get one domain controller (the PDC emulator) for each domain
$DClist = ForEach ($Domain in $Domains) 
{
    Get-ADDomainController -DomainName $Domain -Discover -Service PrimaryDC | Select-Object -ExpandProperty HostName
}

# Get AD users from each domain controller; -Properties * returns every attribute,
# which is slow in large domains, so list only the properties you need if possible
$ADUsersList = ForEach ($DC in $DClist) 
{
    Get-ADUser -Server $DC -Filter * -Properties *
}

# Export the combined user list from all domains to a CSV file
$ADUsersList | Export-Csv -Path C:\ADUserList.csv -NoTypeInformation

In the above PowerShell script:

  1. Get the list of domain names in the forest using the Get-ADForest cmdlet.
  2. Using ForEach, iterate over $Domains to get the hostname of a domain controller in each domain using the Get-ADDomainController cmdlet.
  3. Using ForEach, iterate over $DClist to get the AD users of each domain using the Get-ADUser cmdlet.
  4. Using the Export-Csv cmdlet, export the list of AD users in the entire forest to a CSV file.

The above script exports the list of AD users in the entire forest to the CSV file.

Important Note:

If you try to get an AD user in a multi-domain environment using the Get-ADUser cmdlet like below:

Get-ADUser -Filter {SamAccountName -eq "Toms"}

You will receive an error like the one below:

Get-ADUser : Cannot find an object with identity: 'Toms' under: 'DC=Sales,DC=SHELL,DC=com'.

Hence, to get AD users in a multi-domain forest, or users from different domains, you need to query the global catalog. First, check whether a domain controller is a global catalog server using the command below:

Get-ADDomainController -Discover -Service GlobalCatalog

It returns a domain controller for which the global catalog attribute is True.

Once you have a global catalog domain controller, you can take its hostname and pass it to the -Server parameter of Get-ADUser to get a list of users from different domains, or from multiple domains, in Active Directory.

In the example script above, Get-ADUser with the -Server parameter pointed at the domain controller gets the list of AD users as below:

Get-ADUser -server $DC -Filter * -Properties *
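The following script is an added example, not the article's own code, that combines the two approaches above: it discovers a global catalog server and queries it on the GC LDAP port 3268 (without the port, -Server returns only that DC's own domain), falls back to the per-domain PDC query if the global catalog query fails, restricts the properties requested instead of using -Properties *, and handles unreachable domain controllers. The property list $Props and the output path are assumptions you can change.

```powershell
# Added example (not the article's script): forest-wide user export via the global catalog.
Import-Module ActiveDirectory

# Assumed property set; avoid -Properties *, which pulls every attribute over the wire.
$Props = 'SamAccountName', 'UserPrincipalName', 'Enabled', 'LastLogonDate', 'DistinguishedName'

# Discover a global catalog server; a GC holds a partial attribute set for every domain.
$GC     = Get-ADDomainController -Discover -Service GlobalCatalog
$GCHost = $GC.HostName | Select-Object -First 1
# Port 3268 is the global catalog LDAP port; on the default port 389 the same
# server would return only users from its own domain.
$GCServer = "${GCHost}:3268"

$Users = @()
try {
    # One query against the GC covers every domain in the forest.
    $Users = Get-ADUser -Server $GCServer -Filter * -Properties $Props | Select-Object $Props
}
catch {
    Write-Warning "Global catalog query against $GCServer failed: $($_.Exception.Message)"
}

# Fallback: query the PDC emulator of each domain directly, skipping any that fail.
if (-not $Users) {
    foreach ($Domain in (Get-ADForest).Domains) {
        try {
            $DC = (Get-ADDomainController -DomainName $Domain -Discover -Service PrimaryDC).HostName |
                  Select-Object -First 1
            $Users += Get-ADUser -Server $DC -Filter * -Properties $Props | Select-Object $Props
        }
        catch {
            Write-Warning "Could not query domain ${Domain}: $($_.Exception.Message)"
        }
    }
}

# Export the combined list; the path is an assumption.
$Users | Export-Csv -Path C:\ADUserList.csv -NoTypeInformation
"Exported $(@($Users).Count) users from $((Get-ADForest).Domains.Count) domain(s)."
```

Attributes that are not part of the global catalog's partial attribute set are returned empty by the GC query, so if you need such an attribute, query each domain's own domain controller instead.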


Conclusion

I hope the above article on getting AD users in a multi-domain forest using PowerShell is helpful to you.
