How To Get User Attributes From Active Directory? - TheITBros

The user account object in Active Directory contains several properties (attributes), such as canonical name, first name, last name, e-mail address, phone number, job title, department, country, etc. The most common way to view and change user attribute values in AD is to use RSAT graphical snap-ins or command line tools.


How to View User Attributes with ADUC GUI

To view AD user properties, you can use the Active Directory Users and Computers (ADUC) or Active Directory Administrative Center (ADAC) graphical snap-ins.

  1. To launch the ADUC console, run the command dsa.msc on your domain controller or a computer with Remote Server Administration Tools (RSAT) installed.
  2. Open the properties of any AD user (you can locate the user using the search function or by manually expanding their AD OU).
  3. The values of the basic attributes of the AD user object (name, email, phone, etc.) are displayed on a number of tabs in the User Properties window. But not all user attributes can be viewed from here (see the list of attributes defined in the AD schema). To view the advanced user attributes, use the Attribute Editor tab, which is not visible in the ADUC console by default.
  4. Enable the Advanced Features option in the View menu.
  5. Open the User Properties again and check if the Attribute Editor tab is now displayed.
  6. A full list of all the AD user attributes and their values can be viewed on this tab. Here you can copy or edit any of the user attribute values that you have permissions to access.
  7. You can also filter the attributes to show only those with values. Click Filter → Show only attributes that have values.

As convenient as ADUC is, you can only view the attributes of one user at a time. Use the CLI tools to view or export user attribute values from AD in bulk.

Using the Get-ADUser PowerShell Cmdlet

The most important PowerShell cmdlet for getting the properties of a user in Active Directory is Get-ADUser. It can be used to view, filter and export the attribute values of any user from AD. The PowerShell Active Directory module must be installed on a computer to use this cmdlet.

Basic Get-ADUser Syntax and Examples

To view basic information about an Active Directory user account, run the command:

Get-ADUser -Identity <user identity>

By default, the Get-ADUser cmdlet only lists the user’s primary attributes as follows:

  • DistinguishedName
  • Enabled
  • GivenName
  • Name
  • ObjectClass
  • ObjectGUID
  • SamAccountName
  • UserPrincipalName
  • SID
  • Surname

Display Custom Attributes with the Properties Parameter

To display the values of other user attributes (including custom user attributes), you must specify a list of them using the -Properties parameter. For example, to view the user’s company name, department, job title, phone number, and last password change date in Active Directory:

Get-ADUser cwilson -Properties company, department, title, telephoneNumber, PwdLastSet

Convert PwdLastSet to Readable Date Format

You can pipe the output to the Select-Object cmdlet to display only the attributes you want and to transform some of them (in this example, the PwdLastSet value is converted from LDAP timestamp format to a human-readable date and time):

Get-ADUser cwilson -Properties company, department, title, telephoneNumber, PwdLastSet | Select-Object SamAccountName, Name, company, department, title, telephoneNumber, @{Name = 'PwdLastSet'; Expression = { [DateTime]::FromFileTime($_.PwdLastSet) } }

List All AD User Attributes with Get-ADUser *

To list all user attributes, add an asterisk (*) in the Properties parameter:

Get-ADUser cwilson -Properties *

Search and Filter AD Users by Attributes

With Get-ADUser, you can search for users with specific attribute values in Active Directory. For example, the following command will list all enabled user accounts whose name contains Christopher:

Get-ADUser -Filter {(Name -like "*Christopher*") -and (Enabled -eq $true)} -Properties *

Export Active Directory User Attributes to CSV

From the PowerShell console, you can flexibly export the required Active Directory user property values to a CSV or TXT file. For example, to export a list of names, phone numbers and job titles of all enabled user accounts from a specified OU to a CSV file:

Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=Users,OU=CA,DC=theitbros,DC=loc" -Properties displayName, title, telephoneNumber | Select-Object displayName, title, telephoneNumber | Export-Csv -Path C:\PS\export-ad-user-properties.csv -NoTypeInformation -Encoding UTF8
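
The PwdLastSet conversion and the bulk export shown above can be combined into a password-age report. The following is an added example, not code from the original article: the function name ConvertTo-PasswordAgeReport, the sample rows and the output path are assumptions made for illustration. It handles the case where pwdLastSet is 0 (password never set, or the user must change it at next logon), which a plain FromFileTime call would render as a misleading 1601 date.

```powershell
# Added example (not from the original article): password-age report from pwdLastSet.
function ConvertTo-PasswordAgeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [datetime]$Now = (Get-Date)
    )
    process {
        # pwdLastSet is a FILETIME value: 100-ns intervals since 1601-01-01 UTC.
        # A missing property casts to 0 and is treated like an unset password.
        $raw = [int64]$User.pwdLastSet
        if ($raw -le 0) {
            # 0 means never set, or "User must change password at next logon".
            $set = $null; $age = $null; $state = 'MustChangeOrNeverSet'
        } else {
            $set   = [DateTime]::FromFileTimeUtc($raw)
            $age   = [int][math]::Floor(($Now.ToUniversalTime() - $set).TotalDays)
            $state = 'Set'
        }
        [pscustomobject]@{
            SamAccountName  = $User.SamAccountName
            Title           = $User.Title
            PwdLastSetUtc   = $set
            PasswordAgeDays = $age
            PwdState        = $state
        }
    }
}

# Constructed sample rows standing in for Get-ADUser output (values are made up).
$sample = @(
    [pscustomobject]@{ SamAccountName = 'cwilson'; Title = 'Engineer'; pwdLastSet = 133500000000000000 }
    [pscustomobject]@{ SamAccountName = 'newhire'; Title = 'Analyst';  pwdLastSet = 0 }
)
$sample | ConvertTo-PasswordAgeReport | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; output path is hypothetical):
# Get-ADUser -Filter 'Enabled -eq $true' -SearchBase 'OU=Users,OU=CA,DC=theitbros,DC=loc' -Properties title, pwdLastSet |
#     ConvertTo-PasswordAgeReport |
#     Export-Csv -Path C:\PS\password-age.csv -NoTypeInformation -Encoding UTF8
```

Sorting the result by PasswordAgeDays in descending order puts the accounts with the oldest passwords at the top for review.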

Note. The DSGET USER command line tool was used to list the attributes of AD users in versions prior to Windows Server 2008. The DSGET command is currently rarely used because PowerShell is a much more convenient and powerful tool.

For example, to list basic user attributes, use this command:

dsquery user | dsget user -display -samid -upn -disabled -canchpwd

How can I view a user’s advanced or hidden attributes using the Active Directory Users and Computers (ADUC) GUI?

To view the full list of a user’s attributes in ADUC, you must first enable the Advanced Features option in the View menu. Once enabled, open the User Properties, and a new tab called Attribute Editor will be displayed, which lists all attributes and their values.

What is the most important PowerShell cmdlet for retrieving Active Directory user attributes?

The most important cmdlet is Get-ADUser. This command is used to view, filter, and export the attribute values for any user in Active Directory.

Can I export user attribute data in bulk?

Yes. You can use the Get-ADUser cmdlet combined with the Export-Csv cmdlet in PowerShell to export lists of users and their properties (such as display name, title, and phone number) to a CSV or TXT file.
