Get-AdUser – Get Active Directory Users using PowerShell

The PowerShell Get-ADUser cmdlet gets one or more Active Directory user objects, or performs a search that returns the users matching a query. With it you can retrieve all properties of a user, look a user up by SamAccountName, or use the Filter parameter to select specific user objects.

Get-AdUser in Active Directory

In this article, I will explain the Active Directory Get-ADUser cmdlet and show, with different examples, how to get Active Directory user objects.

Note: Get-ADUser is part of the ActiveDirectory PowerShell module, which ships with the Remote Server Administration Tools (RSAT) and is present on domain controllers. Install RSAT (the AD DS and AD LDS Tools) on the machine you run these commands from, then load the module with Import-Module ActiveDirectory.

Let’s understand the PowerShell Get-AdUser cmdlet with its syntax and the examples below:

Get-AdUser Syntax

The Active Directory Get-AdUser syntax is as given below

Get-ADUser   [-AuthType <ADAuthType>]   [-Credential <PSCredential>]   -Filter <String>   [-Properties <String[]>]
   [-ResultPageSize <Int32>]   [-ResultSetSize <Int32>]   [-SearchBase <String>]   [-SearchScope <ADSearchScope>]
   [-Server <String>]   [<CommonParameters>]

Get-ADUser   [-AuthType <ADAuthType>]   [-Credential <PSCredential>]   [-Identity] <ADUser>   [-Partition <String>]
   [-Properties <String[]>]   [-Server <String>]   [<CommonParameters>]

Get-ADUser   [-AuthType <ADAuthType>]   [-Credential <PSCredential>]   -LDAPFilter <String>   [-Properties <String[]>]
   [-ResultPageSize <Int32>]   [-ResultSetSize <Int32>]   [-SearchBase <String>]   [-SearchScope <ADSearchScope>]
   [-Server <String>]   [<CommonParameters>]

Description

Get-AdUser is used to get one or more Active Directory user objects, or to perform a search that returns the users matching a query.

AuthType – the authentication method to use: Negotiate (or 0), which is the default and uses Kerberos or NTLM, or Basic (or 1).

A Secure Sockets Layer (SSL) connection is required to use the Basic authentication method, because Basic passes the user name and password to the directory service rather than a Kerberos or NTLM token.

Credential <PSCredential> – the user account under which the Get-ADUser cmdlet runs. By default the credentials of the logged-on user are used.

To use the Credential parameter, pass a user name such as User1 or domain\User1 (PowerShell then prompts for the password), or create a PSCredential object with the Get-Credential cmdlet and pass that object.

-Identity – specifies the Active Directory user to get, using one of the following property values (the identifier in parentheses is the LDAP display name):

  • Distinguished Name
  • GUID (objectGUID)
  • Security Identifier (objectSid)
  • SAM account name (sAMAccountName)

-Partition – It specifies the distinguished name of an active directory partition.

-Filter – a query string in PowerShell Expression Language syntax that selects the Active Directory objects to retrieve. PowerShell wildcards other than * are not supported by the Filter syntax. The filter is evaluated by the domain controller, so it is far cheaper than retrieving every user and filtering on the client with Where-Object.

-LDAPFilter – an LDAP search filter string, for example (&(objectClass=user)(sn=Smith)), used to filter Active Directory objects. It is useful when you already have an LDAP query or need a matching-rule OID that the Filter syntax cannot express.

The Get-AdUser cmdlet returns a default set of properties (DistinguishedName, Enabled, GivenName, Name, ObjectClass, ObjectGUID, SamAccountName, SID, Surname, UserPrincipalName). To get more, use the Properties parameter: pass the names of the attributes you need, or * for all properties. Requesting * for many users is expensive for both the domain controller and the client, so in scripts name only the attributes you will actually use.
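The parameters above are easier to see working together. The script below is an added example (not from the original article): it binds to a named domain controller with explicit credentials, scopes the search to one OU, uses an LDAP filter to exclude disabled accounts, and requests only the attributes it needs. The domain controller name DC01.SHELLPRO.LOCAL and the OU=SALES search base are assumptions.

```powershell
# Added example: query a specific DC with explicit credentials and an LDAP filter.
# DC01.SHELLPRO.LOCAL and OU=SALES are assumed names, not taken from the original article.
Import-Module ActiveDirectory

# Prompt for an account with read rights; never hard-code a password in a script.
$cred = Get-Credential -Message 'Account used to read Active Directory'

# Negotiate (Kerberos/NTLM) is the default AuthType. Basic would require an SSL connection,
# so it is left at the default here.
$params = @{
    Server        = 'DC01.SHELLPRO.LOCAL'            # assumption: a DC in the domain
    Credential    = $cred
    SearchBase    = 'OU=SALES,DC=SHELLPRO,DC=LOCAL'   # assumption: the OU to scope to
    SearchScope   = 'Subtree'                         # OneLevel would skip nested OUs
    # Only user objects, and only those without the ACCOUNTDISABLE bit (2) set in
    # userAccountControl. 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
    LDAPFilter    = '(&(objectCategory=person)(objectClass=user)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))'
    Properties    = 'mail', 'whenCreated', 'LastLogonDate'   # only what is needed, never *
    ResultSetSize = 500                               # cap the result set for a large OU
}

Get-ADUser @params |
    Select-Object SamAccountName, UserPrincipalName, mail, whenCreated, LastLogonDate |
    Sort-Object whenCreated -Descending
```

The same filter could be written with -Filter as 'Enabled -eq $true', but the LDAP form shows what the module sends to the directory and carries over unchanged to ldapsearch or any other LDAP client.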

Let’s understand using PowerShell Get-AdUser with different examples.

Get-AdUser Examples

The Get-AdUser cmdlet gets Active Directory user information. The examples below use it to get all properties of a user, look users up by SamAccountName, list the users in an OU, export users to a CSV file, report password age and account expiration, and read the badPwdCount and Manager attributes.

Get-AdUser All Properties

If you want to get all properties of an AD user, run the command below

Get-ADUser -Identity Toms -Properties *

In the above PowerShell script, Get-AdUser gets all properties of the user whose SamAccountName is given by the Identity parameter and prints them on the console, as below

Get-AdUser SAmAccountName all properties

Get-AdUser using SAMAccountName

If you want to find an Active Directory user by SamAccountName, run the command below

Get-ADUser -Filter "samaccountname -like 'Toms'"

In the above PowerShell script, the Get-AdUser cmdlet returns the users whose SamAccountName matches Toms (the comparison is case-insensitive, and with no wildcard -like behaves the same as -eq; use 'Tom*' to match a prefix) and prints the default properties such as Name, SID and UserPrincipalName, as below

DistinguishedName : CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL
Enabled           : True
GivenName         : Tom
Name              : Tom Smith
ObjectClass       : user
ObjectGUID        : 1f3a2572-2621-4e47-9bdf-81d1f8172f69
SamAccountName    : toms
SID               : S-1-5-21-1326752099-4012446882-462961959-1103
Surname           : Smith
UserPrincipalName : [email protected]

Get-AdUser in Specific OU (Organizational Unit)

If you want to list all AD users in a specific OU (organizational unit), use the Get-AdUser SearchBase parameter and run the command below

 Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name

In the above PowerShell script, the cmdlet gets a list of all users under the OU given by the Get-AdUser SearchBase parameter. The default SearchScope is Subtree, so users in nested OUs are included; add -SearchScope OneLevel to list only the direct children of the OU.

The output of the above command for the users in the OU is as below

DistinguishedName : CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL
Enabled           : True
GivenName         : Erick
Name              : Erick Jones
ObjectClass       : user
ObjectGUID        : 43551543-0214-4656-bd18-9f2dec5f8076
SamAccountName    : ErickJ
SID               : S-1-5-21-1326752099-4012446882-462961959-1105
Surname           : Jones
UserPrincipalName : [email protected]

DistinguishedName : CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL
Enabled           : True
GivenName         : Gary
Name              : Gary Willy
ObjectClass       : user
ObjectGUID        : a65bc140-d8dc-43b9-988d-2c0afa163be1
SamAccountName    : garyw
SID               : S-1-5-21-1326752099-4012446882-462961959-2601
Surname           : Willy
UserPrincipalName : [email protected]

Export Ad users to CSV file

To export AD users to a CSV file, use Get-AdUser to list the users and the properties you want, then pipe them to the Export-Csv cmdlet, which writes the CSV file to the path specified. Run the command below

 Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name | Select-Object Name, DistinguishedName,Enabled,UserPrincipalName,SamAccountName| Export-Csv -Path C:\get-adusers.csv -NoTypeInformation

In the above PowerShell script,

the Get-AdUser cmdlet gets the list of all users in the OU given by the SearchBase parameter and passes the output to the second command.

The second command uses Select-Object to keep only Name, DistinguishedName, Enabled, UserPrincipalName and SamAccountName and passes the output to the third command.

The third command uses the PowerShell Export-Csv cmdlet to write the list of AD users to a CSV file at the path specified; -NoTypeInformation drops the #TYPE header line that Windows PowerShell would otherwise add.

The contents of the exported CSV file are as below

"Name","DistinguishedName","Enabled","UserPrincipalName","SamAccountName"
"Erick Jones","CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[email protected]","ErickJ"
"Gary Willy","CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[email protected]","garyw"

Get-AdUser Password Last Set Older than X Days

If you want a list of AD users whose password was last set more than a specified number of days ago, run the command below

Get-ADUser -Filter 'Enabled -eq $True' -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-90)} | select Name,SamAccountName,PasswordLastSet

In the above PowerShell script, Get-AdUser uses the Filter parameter on the Enabled property to get only the accounts that are active (enabled) in Active Directory, and requests the PasswordLastSet property.

The second command uses Where-Object to keep only the users whose PasswordLastSet is earlier than 90 days ago and passes the output to the third command.

The third command selects Name, SamAccountName and PasswordLastSet for display on the console.

Two caveats: PasswordLastSet is empty for an account whose pwdLastSet is 0 (the user must change the password at next logon), so test for that explicitly if such accounts should be reported separately; and accounts flagged PasswordNeverExpires are listed like any other even though the domain policy does not apply to them.

The output of the above PowerShell script, listing AD users whose password was last set more than 90 days ago, is as below

Name        SamAccountName PasswordLastSet
----        -------------- ---------------
Gary Willy  garyw          4/25/2021 6:55:50 PM
John Smith  johns          4/20/2021 1:08:57 PM
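The Where-Object version above is fine interactively. For a report, the following added example (not from the original article) goes further: it separates accounts whose password has never been set from genuinely stale ones, flags accounts exempted by PasswordNeverExpires, and records the password age in days. The 90-day maximum age is an assumption.

```powershell
# Added example: stale-password report that handles the cases a plain
# "PasswordLastSet -lt cutoff" test does not distinguish:
#   - PasswordLastSet is empty (pwdLastSet = 0, "must change password at next logon")
#   - the account is flagged PasswordNeverExpires (age is real, but policy does not apply)
Import-Module ActiveDirectory

$MaxAgeDays = 90                                   # assumption: a 90-day maximum password age
$Cutoff     = (Get-Date).AddDays(-$MaxAgeDays)

# Enabled is filtered on the server; PasswordLastSet is examined on the client so that
# empty values can be classified instead of silently included or excluded.
$users = Get-ADUser -Filter 'Enabled -eq $true' `
                    -Properties PasswordLastSet, PasswordNeverExpires, LastLogonDate

$report = foreach ($u in $users) {
    if (-not $u.PasswordLastSet)             { $state = 'MustChangeAtNextLogon' }
    elseif ($u.PasswordNeverExpires)         { $state = 'NeverExpires' }
    elseif ($u.PasswordLastSet -lt $Cutoff)  { $state = 'Stale' }
    else                                     { $state = 'OK' }

    if ($state -ne 'OK') {
        [pscustomobject]@{
            SamAccountName       = $u.SamAccountName
            Name                 = $u.Name
            PasswordLastSet      = $u.PasswordLastSet
            PasswordAgeDays      = if ($u.PasswordLastSet) {
                                       [int][math]::Floor(((Get-Date) - $u.PasswordLastSet).TotalDays)
                                   } else { $null }
            PasswordNeverExpires = $u.PasswordNeverExpires
            LastLogonDate        = $u.LastLogonDate
            State                = $state
        }
    }
}

$report | Sort-Object State, PasswordAgeDays -Descending | Format-Table -AutoSize
# To hand the result to someone else:
# $report | Export-Csv -Path C:\stale-passwords.csv -NoTypeInformation
```

LastLogonDate is included because a stale password on an account that has not logged on for months is a candidate for disabling rather than a password reset; note that it is derived from lastLogonTimestamp, which replicates with a delay of up to 14 days by default.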

Get AdUser Manager Name

To get the SamAccountName of an AD user's manager in Active Directory, run the command below

Get-ADUser -Identity chrisd -Properties Manager | Select-Object SamAccountName, @{Name='Manager'; Expression={ if ($_.Manager) { (Get-ADUser -Identity $_.Manager).SamAccountName } }}

In the above PowerShell script, Get-AdUser gets the user given by SamAccountName together with the Manager attribute, which holds the manager's distinguished name, and passes the object to the second command.

The second command uses Select-Object to output the user's SamAccountName and a calculated Manager property whose expression resolves the manager's distinguished name with a second Get-ADUser call. The if guards against a user with no manager set, for which Get-ADUser would otherwise throw an error.

The output of the above Get-AdUser manager name command is as below

SAMAccountname Manager
-------------- -------
chrisd         toms

Get-Aduser AccountExpirationDate

If you want to get the account expiration date of AD users, run the command below

Get-ADUser -Filter * -Properties AccountExpirationDate | Sort-Object Name | Format-Table Name, AccountExpirationDate

In the above PowerShell script, Get-AdUser gets a list of all users with the AccountExpirationDate property and passes the output to the second command.

The second command sorts the users by Name, and Format-Table prints them on the console as below

Name        AccountExpirationDate
----        ---------------------
Chris Dore  8/1/2021 12:00:00 AM
Erick Jones
Gary Willy

The other AD users have no account expiration set, so their value is empty. AccountExpirationDate is derived from the accountExpires attribute; once the date has passed the account can no longer log on, even though Enabled still reports True.

Cool Tip: How to use remove-aduser cmdlet to delete aduser in PowerShell!

Get AdUser BadPwdCount

Often an AD user keeps trying to log in with an old password (a cached credential on a phone, a mapped drive or a scheduled task), and the repeated failures lock the account out.

An Active Directory user account has the badPwdCount attribute, which stores the number of failed password attempts. It is 0 by default and is incremented each time the user presents a wrong password.

badPwdCount is reset to 0 on a successful logon, or when the lockout observation window set in the password policy has elapsed. The attribute is not replicated: each domain controller keeps its own count, and failed attempts are also forwarded to the PDC emulator, so the value you see depends on which domain controller answered the query.

To get the badPwdCount of an AD user, use the PowerShell command below

Get-ADUser -Identity Toms -Properties badPwdCount | Select-Object badPwdCount
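Because badPwdCount is not replicated, a single query can miss the domain controllers where the failures actually happened. The following added example (not from the original article) queries every domain controller in the domain, marks the PDC emulator, and converts badPasswordTime from its FILETIME form; the user name Toms is taken from the command above.

```powershell
# Added example: read badPwdCount from every DC, since the attribute is not replicated
# and the DC the module picked may show 0 for a user who is about to be locked out.
Import-Module ActiveDirectory

$User = 'Toms'                                     # from the command above
$Pdc  = (Get-ADDomain).PDCEmulator                 # receives forwarded failed attempts

foreach ($dc in (Get-ADDomainController -Filter *).HostName) {
    try {
        $u = Get-ADUser -Identity $User -Server $dc `
                        -Properties badPwdCount, badPasswordTime, LockedOut

        [pscustomobject]@{
            DC              = $dc
            IsPdcEmulator   = ($dc -eq $Pdc)
            BadPwdCount     = $u.badPwdCount
            # badPasswordTime is an Int64 FILETIME; 0 means no failed attempt recorded on this DC
            BadPasswordTime = if ($u.badPasswordTime) { [DateTime]::FromFileTime($u.badPasswordTime) } else { $null }
            LockedOut       = $u.LockedOut
        }
    }
    catch {
        # An unreachable DC should not abort the whole check
        Write-Warning "Could not query ${dc}: $($_.Exception.Message)"
    }
}
```

Start with the DC whose BadPasswordTime is most recent when tracing the source of the failed attempts; the Security event log on that DC (event 4771 for Kerberos pre-authentication failure, 4776 for NTLM) records the client address.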

Get AdUser Manager SamAccountName

You can get the SamAccountName of an AD user's manager with the Get-AdUser cmdlet. The AD user has a Manager attribute that contains the manager's distinguished name.

To get the manager's SamAccountName for a given user, run the script below

$user = "garyw"
$Manager = Get-ADUser -Identity $user -Properties Manager | Select-Object -ExpandProperty Manager

Get-ADUser -Identity $Manager -Properties DisplayName | Select-Object SamAccountName, DisplayName

In the above PowerShell script, which gets the manager's SamAccountName for the AD user garyw,

the $user variable stores the user name.

The second command uses Get-AdUser to get the user with the Manager attribute, selects that attribute (the manager's distinguished name) and stores it in the $Manager variable.

The third command uses Get-AdUser again, this time with the manager's distinguished name as the Identity, to get the manager's SamAccountName and DisplayName.

Conclusion

I hope the above guide on the PowerShell Get-ADUser cmdlet in Active Directory is helpful to you in your daily tasks: getting Active Directory users, getting all properties of a user, and many more.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
