Get-AdUser - Get Active Directory Users Using PowerShell - ShellGeek

The Get-AdUser cmdlet in PowerShell is used to get one or more active directory users. An Active Directory Get-AdUser retrieves a default set of user properties including their name, email address, manager, and department.

Using the Get-AdUser Identity parameter, you can perform a search to get specific ad users.

The following methods show how to use the Get-AdUser cmdlet.

Method 1: Get All Properties of AdUser

Get-ADUser -Identity Toms -Properties *

This example will return all of the properties that are available for the user, including both default and extended properties.

Method 2: Get AdUser Default and Extended Properties

Get-AdUser Toms | Get-Member

This example will list the default properties for the user “Toms“.

Method 3: Find Ad Users By SAMAccountName

Get-ADUser -Filter "samaccountname -like 'Toms'"

This example will return the user properties like Name, SID, and UserPrincipalName.

Method 4: Get-AdUser in Specific OU (Organizational Unit)

Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name

This example will get a list of all users in a specific OU specified by the Get-AdUser SearchBase parameter and Filter parameter.

Method 5: Export Ad users to CSV file

Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name | Select-Object Name, DistinguishedName,Enabled,UserPrincipalName,SamAccountName| Export-Csv -Path C:\get-adusers.csv -NoTypeInformation

This example will export a list of adusers to a CSV file on the path specified.

Method 6: Get AdUser Password Last Set Older than X Days

Get-ADUser -Filter 'Enabled -eq $True' -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-90)} | select Name,SamAccountName,PasswordLastSet

This example will output the aduser password last set older than 90 days.

Method 7: Get AdUser Manager Name

get-aduser -Identity chrisd -Properties * | select SAMAccountname, @{Name='Manager';Expression={(Get-ADUser ($_.Manager)).SAMAccountname}}

This example will output the SAMAccountName of the user and the aduser manager name.

Method 8: Get-Aduser AccountExpirationDate

Get-ADUser -filter * -properties AccountExpirationDate | sort Name | ft Name,AccountExpirationDate

This example will retrieve the AccountExpirationDate property.

Method 9: Get AdUser BadPwdCount

Get-ADUser -Identity Toms -Properties * | Select-Object badpwdcount

This example will return the user account badpwdcount.

Method 10: Get AdUser Manager SamAccountName

$user = "garyw" $Manager = get-aduser $user -properties * | Select -ExpandProperty Manager get-aduser $Manager -properties * | Select SamAccountName,DisplayName

This example will get the aduser manager samaccountname and displayname of the manager.

The following examples show how to use these methods in practice.

Note: To use PowerShell Get-ADUser cmdlet, requires the Active Directory add-on module to be installed.

Table of Contents hide 1 Get-AdUser Properties – How to Get ADUser All Properties in PowerShell 2 How to Get AdUser Default and Extended Properties 3 Get-AdUser Filter – How to Find Ad Users By SAMAccountName 4 Get-AdUser SearchBase – How to Get-AdUser in Specific OU 5 How to Export Ad users to CSV file 6 How to Get AdUser Password Last Set Older than X Days 7 How to Get AdUser Manager Name 8 How to Get-Aduser AccountExpirationDate 9 How to Get AdUser BadPwdCount 10 How to Get AdUser Manager SamAccountName 11 Conclusion 12 Related Links

Get-AdUser Properties – How to Get ADUser All Properties in PowerShell

To get aduser all properties, use the Get-AdUser cmdlet with the Properties * parameter. This will return the active directory user properties list, including the default and extended properties.

Get-ADUser -Identity Toms -Properties *

This example gets the aduser all properties in the PowerShell script for the user “Toms” using the Get-AdUser cmdlet with its Identity parameter.

The output of the above PowerShell script displays the active directory user properties list.

How to Get AdUser Default and Extended Properties

To get the default and extended properties of an AD user, use the Get-AdUser cmdlet. This command retrieves a default set of user account properties.

To get a list of the default sets of properties for a Get-AdUser object, use the Get-Member cmdlet.

Get-AdUser Toms | Get-Member

This command lists the default properties for the user “Toms“.

For extended properties:

To get the most commonly used Get-AdUser properties, use the Extended parameter.

Get-AdUser Toms -Properties Extended | Get-Member

This command returns extended aduser properties.

Get-AdUser Filter – How to Find Ad Users By SAMAccountName

To retrieve an Active Directory user using their SAMAccountName, use the Get-Aduser cmdlet with the Filter parameter.

Get-ADUser -Filter "samaccountname -like 'Toms'"

In the above PowerShell get aduser script, the Get-AdUser cmdlet gets users whose SAMAccountName is similar to “Toms“.

It returns the user properties like Name, SID, and UserPrincipalName.

DistinguishedName : CN=Tom Smith,OU=SALES,DC=SHELLPRO,DC=LOCAL Enabled : True GivenName : Tom Name : Tom Smith ObjectClass : user ObjectGUID : 1f3a2572-2621-4e47-9bdf-81d1f8172f69 SamAccountName : toms SID : S-1-5-21-1326752099-4012446882-462961959-1103 Surname : Smith UserPrincipalName : [email protected]

Get-AdUser SearchBase – How to Get-AdUser in Specific OU

To get a list of all adusers in a specific OU (organizational unit), use the Get-AdUser command with the -SearchBase parameter.

The following command will return a list of all users in the OU “OU=HR,DC=SHELLPRO,DC=LOCAL“.

Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name

In the above PowerShell get-aduser searchbase script, it gets a list of all users in a specific OU specified by the Get-AdUser SearchBase parameter and Filter parameter.

The output of the above adusers in specific OU.

DistinguishedName : CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL Enabled : True GivenName : Erick Name : Erick Jones ObjectClass : user ObjectGUID : 43551543-0214-4656-bd18-9f2dec5f8076 SamAccountName : ErickJ SID : S-1-5-21-1326752099-4012446882-462961959-1105 Surname : Jones UserPrincipalName : [email protected] DistinguishedName : CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL Enabled : True GivenName : Gary Name : Gary Willy ObjectClass : user ObjectGUID : a65bc140-d8dc-43b9-988d-2c0afa163be1 SamAccountName : garyw SID : S-1-5-21-1326752099-4012446882-462961959-2601 Surname : Willy UserPrincipalName : [email protected]

How to Export Ad users to CSV file

To export Active Directory users to a CSV file, use the Get-AdUser cmdlet to list all user properties, and use the Export-CSV cmdlet to export ad users to a CSV file on the specified path.

The following command will export all of the users in the OU “OU=HR,DC=SHELLPRO,DC=LOCAL” to a CSV file named “get-adusers.csv“.

Get-ADUser -SearchBase "OU=HR,DC=SHELLPRO,DC=LOCAL" -Filter * -Properties Name | Select-Object Name, DistinguishedName,Enabled,UserPrincipalName,SamAccountName| Export-Csv -Path C:\get-adusers.csv -NoTypeInformation

In the above PowerShell get ad user script,

The Get-AdUser gets a list of all users in a specified OU using the Get-AdUser SearchBase parameter and passes the output to the second command.

The second command uses Select-Object cmdlet to get name, distinguishedname, enabled, userprincipalname, and samaccountname and pass output to the third command.

The third command uses the PowerShell Export-Csv cmdlet to export a list of adusers to a CSV file on the path specified.

The output of export ad users to CSV file is below in CSV.

"Name","DistinguishedName","Enabled","UserPrincipalName","SamAccountName" "Erick Jones","CN=Erick Jones,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[email protected]","ErickJ" "Gary Willy","CN=Gary Willy,OU=HR,DC=SHELLPRO,DC=LOCAL","True","[email protected]","garyw"

How to Get AdUser Password Last Set Older than X Days

Use the following command to get a list of adusers whose passwords have been set for more than the specified number of days.

Get-ADUser -Filter 'Enabled -eq $True' -Properties PasswordLastSet | Where-Object {$_.PasswordLastSet -lt (Get-Date).adddays(-90)} | select Name,SamAccountName,PasswordLastSet

In the above PowerShell script, the Get-AdUser cmdlet gets a list of ad users who are active using Enabled Property.

The Enabled property used to get aduser is active or disabled in the active directory.

The second command uses Where-Object to check the PassWordLastSet attribute less than 90 days using the Get-Date cmdlet and passes the output to the third command.

The third command selects name, samaccountname, and passwordlastset properties to the console.

The output of the above PowerShell script to get the aduser password last set older than 90 days are as below

Name SamAccountName PasswordLastSet ---- -------------- --------------- Gary Willy garyw 4/25/2021 6:55:50 PM John Smith johns 4/20/2021 1:08:57 PM

How to Get AdUser Manager Name

To get the manager name for an Active Directory user, use the following command

get-aduser -Identity chrisd -Properties * | select SAMAccountname, @{Name='Manager';Expression={(Get-ADUser ($_.Manager)).SAMAccountname}}

In the above PowerShell script, Get-AdUser gets user properties for the user using the identity parameter and passes the output to the second command.

The second command selects the SAMAccountName of the given active directory user and uses the expression to get the manager name using Manager attribute.

The output of the above command will return the SAMAccountName of the user and the aduser manager name.

SAMAccountname Manager -------------- ------- chrisd toms

How to Get-Aduser AccountExpirationDate

To get the account expiration date for an Active Directory user, use the following command.

Get-ADUser -filter * -properties AccountExpirationDate | sort Name | ft Name,AccountExpirationDate

In the above PowerShell script, Get-AdUser gets a list of all users. It retrieves the AccountExpirationDate property and passes the output to the second command.

The second command sorts the user by Name and prints it on the console.

Name AccountExpirationDate ---- --------------------- Chris Dore 8/1/2021 12:00:00 AM Erick Jones Gary Willy

Other aduser don’t have an account expiration set hence they have an empty value.

Cool Tip: How to use remove-aduser to delete aduser in PowerShell!

How to Get AdUser BadPwdCount

Often aduser tries to log into the system using the old password, which results in the account being locked out.

Active Directory user account has badpwdcount attribute which stores bad password attempts count.

By default, it has a 0 value. badpwdcount attribute increment value when a user attempts a bad password.

badpwdcount value reset to 0 on successful login.

To get aduser badpwdcount, use the PowerShell script

Get-ADUser -Identity Toms -Properties * | Select-Object badpwdcount

It gets the user specified using the Identity parameter and returns the user account badpwdcount.

How to Get AdUser Manager SamAccountName

Using the Get-AdUser, you can get an aduser manager samaccountname.

The user has a manager attribute which contains a distinguished name.

To get aduser manager samaccountname for the user, use the following script.

$user = "garyw" $Manager = get-aduser $user -properties * | Select -ExpandProperty Manager get-aduser $Manager -properties * | Select SamAccountName,DisplayName

In the above PowerShell script to get aduser garyw manager samaccountname,

$user variable stores user name.

The second command uses the Get-AdUser command to get the aduser all properties. It selects a manager and stores them in $Manager variable.

The third command again uses the Get-AdUser to get the aduser manager samaccountname and manager display name.

Conclusion

I hope the above guide on PowerShell Get-ADUser cmdlet in an active directory is helpful to you while using it in your daily task to get active directory users, get-aduser all properties, and many more.

You can get the default set of aduser properties. To get additional properties, use the Property parameter.

Using PowerShell expression language, you can use filter or Ldapfilter parameter to search for one or more ad users from the active directory.

You can find more topics about PowerShell Active Directory commands and PowerShell basics on the ShellGeek home page.

Related Links

Get AdUser All Properties – Get all of the properties for the aduser in PowerShell.

Get AdUsers Enabled – Get Adusers enabled in the Active Directory.