The Get-AdUser cmdlet in PowerShell is used to get one or more active directory users. An Active Directory Get-AdUser retrieves a default set of user properties including their name, email address, manager, and department.
The Get-AdUser is a powerful cmdlet to get aduser all properties, get active directory users using samaccountname, and use the get-aduser filter parameter to get specific user objects.
Using the Get-AdUser Identity parameter, you can perform a search to get specific ad users.

In this article, I will explain the Get-ADUser cmdlet to get active directory user objects with different examples.
Note: To use PowerShell Get-ADUser cmdlet, requires the Active Directory add-on module to be installed.
Let’s understand the PowerShell Get-AdUser cmdlet with syntax and examples.
Get-AdUser Syntax
Active Directory Get-AdUser syntax
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] -Filter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>] Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADUser> [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>] Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] -LDAPFilter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]
Get-AdUser Parameters
Get-AdUser is used to get one or more active directory objects or perform a search to get specific users.
Parameters
–AuthType – authentication method to use based on either Basic (or 1) or Negotiate (or 0).
SSL (Secure Socket Layer) connection is required to use the Basic Authentication method.
–Credential PSCredential – It specifies user credentials required to perform the get-aduser cmdlet. It default accepts the credentials of logged-on users.
To use the Credential parameter, use username as User1 or domain\User1 or you can create and use PSCredential
object by using Get-Credential
cmdlet.
-Identity – It specifies ad user by using property value
- Distinguished Name
- SAMAccountName
- Security Identifier
- GUID
The identifier specified in parenthesis is the LDAP display name.
-Partition – It specifies the distinguished name of an active directory partition.
–Filter – It specifies a query string (PowerShell Expression Language Syntax) to retrieve Active Directory objects. PowerShell wildcards other than * are not supported by filter
syntax.
-LDAPFilter – LDAPFilter query string is used to filter Active Directory objects.
The Get-AdUser cmdlet returns the default set of properties. However, if you want to get all properties, use the Properties parameter.
Let’s understand using the PowerShell Get-AdUser with different examples.
Get-AdUser Examples
The Get-AdUser cmdlet gets active directory user information. This cmdlet is used to get the aduser all properties, get the aduser using userprincipalname, get active directory login details report, and so on.
How to Get All Properties of AdUser
To get all the properties of the aduser, use the Get-AdUser
cmdlet with the Properties *
parameter. This will return all of the properties that are available for the user, including both default and extended properties.
Get-ADUser -Identity Toms -Properties *
In the above PowerShell script, the Get-AdUser gets all the properties of the SAMAccountName
user “Toms” specified by the Identity
parameter.
The output of the above PowerShell script displays the active directory user properties.

Get AdUser Default and Extended Properties
The Get-AdUser
cmdlet retrieves a default set of user account properties. To get a list of the default sets of properties for a Get-AdUser object, use the Get-Member
cmdlet.
The following command will return a list of the default properties for the user “Toms”.
Get-AdUser Toms | Get-Member
To get the most commonly used Get-AdUser
properties, use the Extended
parameter. The following command will return aduser extended properties.
Get-AdUser Toms -Properties Extended | Get-Member
To get all the properties of an aduser in PowerShell, use the Get-Aduser
cmdlet with Properties *
parameter.
The following command retrieves all the properties of a user specified by the Identity parameter, in this case, “Toms“.
Get-AdUser Toms -Properties *
Get-AdUser using SAMAccountName
To get an Active Directory user using their SAMAccountName, use the Get-Aduser cmdlet with the Filter
parameter.
Get-ADUser -Filter "samaccountname -like 'Toms'"
In the above PowerShell get aduser script, the Get-AdUser
cmdlet gets aduser samaccountname like “Toms” using the Filter
parameter where it checks the condition “samaccountname -like ‘Toms'”.
It returns the user properties like Name, SID, and UserPrincipalName.
DistinguishedName : CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL
Enabled : True
GivenName : Tom
Name : Tom Smith
ObjectClass : user
ObjectGUID : 1f3a2572-2621-4e47-9bdf-81d1f8172f69
SamAccountName : toms
SID : S-1-5-21-1326752099-4012446882-462961959-1103
Surname : Smith
UserPrincipalName : [email protected]
Get-AdUser in Specific OU (Organizational Unit)
To get a list of all adusers in a specific OU, use the Get-AdUser SearchBase parameter.
The following command will return a list of all users in the OU “OU=HR,DC=SHELLPRO,DC=LOCAL
“.
Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name
In the above PowerShell get-aduser searchbase script, it gets a list of all users in a specific OU specified by the Get-AdUser
SearchBase
parameter and Filter
parameter.
The output of the above adusers in specific OU.
DistinguishedName : CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL
Enabled : True
GivenName : Erick
Name : Erick Jones
ObjectClass : user
ObjectGUID : 43551543-0214-4656-bd18-9f2dec5f8076
SamAccountName : ErickJ
SID : S-1-5-21-1326752099-4012446882-462961959-1105
Surname : Jones
UserPrincipalName : [email protected]
DistinguishedName : CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL
Enabled : True
GivenName : Gary
Name : Gary Willy
ObjectClass : user
ObjectGUID : a65bc140-d8dc-43b9-988d-2c0afa163be1
SamAccountName : garyw
SID : S-1-5-21-1326752099-4012446882-462961959-2601
Surname : Willy
UserPrincipalName : [email protected]
How to Export Ad users to CSV file
To export Active Directory users to a CSV file, use the Get-AdUser cmdlet to list all user properties, and use the Export-CSV cmdlet to export ad users to a CSV file on the specified path.
The following command will export all of the users in the OU “OU=HR,DC=SHELLPRO,DC=LOCAL
” to a CSV file named “get-adusers.csv“.
Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name | Select-Object Name, DistinguishedName,Enabled,UserPrincipalName,SamAccountName| Export-Csv -Path C:\get-adusers.csv -NoTypeInformation
In the above PowerShell get ad user script,
Get-AdUser gets a list of all users in a specified OU using the Get-AdUser SearchBase parameter and passes the output to the second command.
The second command uses Select-Object
cmdlet to get name, distinguishedname, enabled, userprincipalname, and samaccountname and pass output to the third command.
The third command uses the PowerShell Export-Csv cmdlet to export a list of adusers to a CSV file on the path specified.
The output of export ad users to CSV file is below in CSV.
"Name","DistinguishedName","Enabled","UserPrincipalName","SamAccountName"
"Erick Jones","CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[email protected]","ErickJ"
"Gary Willy","CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[email protected]","garyw"
Get-AdUser Password Last Set Older than X Days
To get a list of adusers whose passwords have been set for more than the specified number of days, use the following command.
Get-ADUser -Filter 'Enabled -eq $True' -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-90)} | select Name,SamAccountName,PasswordLastSet
In the above PowerShell script, the Get-AdUser
cmdlet gets a list of ad users who are active using Enabled Property.
The Enabled
property used to get aduser is active or disabled in the active directory.
The second command uses Where-Object to check the PassWordLastSet attribute less than 90 days using the Get-Date cmdlet and passes the output to the third command.
The third command selects name, samaccountname, and passwordlastset properties to the console.
The output of the above PowerShell script to get the aduser password last set older than 90 days are as below
Name SamAccountName PasswordLastSet
---- -------------- ---------------
Gary Willy garyw 4/25/2021 6:55:50 PM
John Smith johns 4/20/2021 1:08:57 PM
How to Get AdUser Manager Name
To get the manager name for an Active Directory user, use the following command
get-aduser -Identity chrisd -Properties * | select SAMAccountname, @{Name='Manager';Expression={(Get-ADUser ($_.Manager)).SAMAccountname}}
In the above PowerShell script, Get-AdUser gets user properties for the user using the identity parameter and passes the output to the second command.
The second command selects the SAMAccountName of the given active directory user and uses the expression to get the manager name using Manager
attribute.
The output of the above command will return the SAMAccountName of the user and the aduser manager name.
SAMAccountname Manager
-------------- -------
chrisd toms
How to Get-Aduser AccountExpirationDate
To get the account expiration date for an Active Directory user, use the following command.
Get-ADUser -filter * -properties AccountExpirationDate | sort Name | ft Name,AccountExpirationDate
In the above PowerShell script, Get-AdUser gets a list of all users. It retrieves the AccountExpirationDate
property and passes the output to the second command.
The second command sorts the user by Name and prints it on the console.
Name AccountExpirationDate
---- ---------------------
Chris Dore 8/1/2021 12:00:00 AM
Erick Jones
Gary Willy
Other aduser don’t have an account expiration set hence they have an empty value.
Cool Tip: How to use remove-aduser to delete aduser in PowerShell!
How to Get AdUser BadPwdCount
Often aduser tries to log into the system using the old password, which results in the account being locked out.
Active Directory user account has badpwdcount attribute which stores bad password attempts count.
By default, it has a 0 value. badpwdcount attribute increment value when a user attempts a bad password.
badpwdcount value reset to 0 on successful login.
To get aduser badpwdcount, use the PowerShell script
Get-ADUser -Identity Toms -Properties * | Select-Object badpwdcount
It gets the user specified using the Identity
parameter and returns the user account badpwdcount.
How to Get AdUser Manager SamAccountName
Using the Get-AdUser, you can get an aduser manager samaccountname.
The user has a manager attribute which contains a distinguished name.
To get aduser manager samaccountname for the user, use the following script.
$user = "garyw" $Manager = get-aduser $user -properties * | Select -ExpandProperty Manager get-aduser $Manager -properties * | Select SamAccountName,DisplayName
In the above PowerShell script to get aduser garyw manager samaccountname,
$user
variable stores user name.
The second command uses the Get-AdUser
command to get the aduser all properties. It selects a manager and stores them in $Manager
variable.
The third command again uses the Get-AdUser
to get the aduser manager samaccountname and manager display name.
Conclusion
I hope the above guide on PowerShell Get-ADUser cmdlet in an active directory is helpful to you while using it in your daily task to get active directory users, get-aduser all properties, and many more.
You can get the default set of aduser properties. To get additional properties, use the Property parameter.
You can use filter or Ldapfilter parameter to search for one or more ad users from the active directory using PowerShell expression language.
You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.
Recommended Content
Get AdUser All Properties – Get all of the properties for the aduser in PowerShell.
Get AdUsers Enabled – Get Adusers enabled in the Active Directory.
Get AdUser LDAP FIlter – Get active directory users using LDAP Filter
Get AdUsers Exclude OU – Get AdUsers and exclude specific OU.
Get AdUser Description – Get AdUser description from the active directory.
Get AdUser DistinguishedName – Get AdUser distinguished name from the active directory.
Convert SID to UserName – Get the user name from SID using PowerShell and the Command line
Get AdUser Multiple Users – Get Multiple User Properties in Active Directory
Get AdUser Format Table – Format the list of adusers in table output.
Get AdUser Filter with Multiple Attributes – Get a list of adusers filters with multiple attributes.
Get AdUser Sort by SAMAccountname
Get AdUser pipe to Add-AdGroupMember – Get aduser and add a user to the ad group as a member.
Get AdUser Count – Get active directory user count, active user count, enabled user count