Get-ADUser: Getting Active Directory Users Data via PowerShell

Get-ADUser is one of the basic PowerShell cmdlets that can be used to get information about Active Directory domain users and their properties. You can use Get-ADUser to view the value of any AD user object attribute, display a list of users in the domain with the necessary attributes and export them to CSV, and use various criteria and filters to select domain users.

The Get-ADUser cmdlet has been available since PowerShell and is part of the Active Directory module for Windows PowerShell (introduced in Windows Server 2008 R2). RSAT-AD-PowerShell cmdlets allow you to perform various operations on AD objects.

Note. Previously, to get information about the attributes of AD user accounts, you had to use different tools: the ADUC console (including ), vbs scripts, dsquery, etc. All of these tools can easily be replaced with the Get-ADUser cmdlet.

In this example we'll show how to get information on the last time a user's password was changed and the password's expiration date using the Get-ADUser PowerShell cmdlet.

How to Find AD User and List Properties with Get-ADUser?

To use the RSAT-AD-PowerShell module, you need to run an elevated PowerShell console and import the module with the command:

Import-Module activedirectory

The RSAT-AD-PowerShell module is installed by default on Windows Server 2012 (and newer) when you deploy the Active Directory Domain Services (AD DS) role. To install the module on a domain member server, run the command:

Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature


In desktop Windows 10, in order to use the Get-ADUser cmdlet you need to install the appropriate version of RSAT and enable the Active Directory Module for Windows PowerShell feature through the Control Panel (Programs -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> AD DS Tools).

You can install the RSAT AD module in Windows 10 1809 and newer from PowerShell:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

There is also a way to use the AD-PowerShell module without installing RSAT on your computer. It is enough to copy the main module files and import the module into the PowerShell session:

Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.dll"
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.resources.dll"

A complete list of all the arguments of the Get-ADUser cmdlet can be obtained as follows:

help Get-ADUser

To use the Get-ADUser cmdlet, you don't need to run it under an account with domain administrator or permissions. Any authorized AD domain user can run PowerShell commands to get the values of most AD object attributes (except for confidential ones, see the example in the article ). If you need to run the Get-ADUser command from a different account, use the -Credential parameter.

To display the list of all domain accounts, run this command:

Get-ADUser -filter *

Important. It is not recommended to run this command in domains with a large number of accounts, since the domain controller providing the information can be overloaded.

To execute an AD query on a specific domain controller, use the -Server parameter:

Get-ADUser -Server "<domain-controller-FQDN>" -Identity tuser


To change user attributes, use the Set-ADUser cmdlet.

By default the Get-ADUser cmdlet returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, , UserPrincipalName, ObjectClass, account status (Enabled: True/False according to the ), etc. In this case the cmdlet's output doesn't contain information about the time of the .

To display detailed information about all available user attributes, run this command:

Get-ADUser -identity tuser -properties *


The Get-ADUser cmdlet with the -Properties * parameter displayed a list of all AD user attributes and their values.

Next we'll look at formatting Get-ADUser output so that only the necessary user attributes are displayed. You can display several user attributes at once:

  • PasswordExpired
  • PasswordLastSet
  • PasswordNeverExpires
  • LastLogonTimestamp

Run the command:

Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires, lastlogontimestamp


Now the user data contains information about the account status (Expired: True/False), the date of the last password change and the time of the last user logon to the domain (lastlogontimestamp). To display this information in a more convenient table view and remove all unnecessary attributes, use Select-Object -Property or Format-Table:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires


Get-ADUser: Multiple OUs Search with SearchBase

To display users only from a specific domain container (Organizational Unit), use the SearchBase parameter:

Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires

If you need to select users from multiple OUs at once, use the following PowerShell script:

$OUs = "OU=NY,DC=woshub,DC=com","OU=LA,DC=woshub,DC=com","OU=MA,DC=woshub,DC=com"
$OUs | foreach { Get-ADUser -SearchBase $_ -Filter * | select Name, Enabled }

How to Get Emails From Active Directory Using PowerShell?

The user e-mail address is one of the user object attributes in Active Directory. To list the e-mail addresses of users, you must add the EmailAddress field to the properties of the Get-ADUser cmdlet.

Get-ADUser -filter * -properties EmailAddress -SearchBase 'OU=Paris,OU=Fr,DC=woshub,DC=com' | select-object Name, EmailAddress


The list of active user accounts with e-mail addresses:

Get-ADUser -Filter "(mail -like '*') -and (Enabled -eq 'True')" -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table

To get the list of Active Directory users with no e-mail address:

Get-ADUser -Filter * -Properties EmailAddress | where -Property EmailAddress -eq $null

The next example exports the company's e-mail address book from AD to a CSV file, which can later be imported into e-mail clients such as Outlook or Mozilla Thunderbird:

Get-ADUser -Filter "(mail -like '*') -and (Enabled -eq 'True')" -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -delimiter "," $env:temp\adress_list.csv

Get-ADUser: Export AD Users to CSV/TXT

The resulting list of domain users with attributes can be exported to a text file:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt

Or you can export the AD users list to a CSV file (which can later be conveniently imported to Excel):

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-csv -path c:\tmp\user-passwords-expires.csv -Append -Encoding UTF8
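
Attribute values such as names end up as spreadsheet cells when these CSV files are opened in Excel, and a cell that begins with =, +, - or @ is evaluated as a formula. The following added example (not part of the original article; Protect-CsvCell is a hypothetical helper and the sample rows are constructed) makes such cells plain text before export:

```powershell
# Hypothetical helper, not part of the ActiveDirectory module.
function Protect-CsvCell {
    param([Parameter(Mandatory, ValueFromPipeline)] $InputObject)
    process {
        $safe = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $v = $p.Value
            # Spreadsheets treat cells starting with = + - @ (or tab / CR) as formulas.
            # A leading apostrophe forces the cell to be read as text.
            if ($v -is [string] -and $v -match '^[=+\-@\t\r]') { $v = "'" + $v }
            $safe[$p.Name] = $v
        }
        [pscustomobject]$safe
    }
}

# Constructed sample rows shaped like the Select-Object output used above.
$rows = @(
    [pscustomobject]@{ Name = 'Joe Smith'; mail = 'jsmith@woshub.com' }
    [pscustomobject]@{ Name = '=1+1';      mail = 'test@woshub.com' }
)
$rows | Protect-CsvCell | ConvertTo-Csv -NoTypeInformation

# In the export pipeline the helper goes directly before Export-Csv:
# Get-ADUser -Filter * -Properties mail | Select-Object Name,mail |
#     Protect-CsvCell | Export-Csv -NoTypeInformation -Encoding utf8 $env:temp\adress_list.csv
```

Values that legitimately start with one of these characters, such as phone numbers written with a leading +, also receive the apostrophe.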

Using Get-ADUser with Filter Items

Using the -Filter parameter, you can filter the list of user accounts by one or more attributes. As arguments of this parameter, you can specify the values of certain attributes of Active Directory users. If you use the -Filter parameter, the Get-ADUser cmdlet will only list users that match the filter criteria.

For example, I want to list active (Enabled) user accounts whose name contains "Dmitry" (in the example below, a multiple filter is used; you can combine conditions using the standard logical PowerShell comparison operators):

Get-ADUser -Filter "(Name -like '*Dmitry*') -and (Enabled -eq 'True')" -Properties * | select name,enabled


Additionally, you can sort the resulting list of users by a specific user attribute (column) with the Sort-Object cmdlet. You can also use the Where-Object cmdlet to specify multiple filtering criteria at once.

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires -SearchBase 'OU=NY,DC=woshub,DC=com' | where {$_.Name -like "*Dmitry*"} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires


This way you can build a table with any necessary attributes of Active Directory users.

Get-ADUser Usage Examples

Let's show some more useful command examples for querying Active Directory users with various filters. You can combine them to get the necessary list of AD user objects:

Display AD users whose name begins with Joe:

Get-ADUser -Filter "Name -like 'Joe*'"

You can use PowerShell to count the total number of user accounts in Active Directory:

Get-ADUser -Filter * | Measure-Object

Find disabled Active Directory user accounts:

Get-ADUser -Filter "Enabled -eq 'False'" | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table

You can check the Active Directory user account creation date with the command:

Get-ADUser -Filter * -Properties Name, WhenCreated | Select Name, whenCreated

You can get the list of newly added Active Directory users:

$lastday = ((Get-Date).AddDays(-1))
Get-ADUser -Filter {whenCreated -ge $lastday}

List of the accounts with an expired password (you can configure password expiration options in the ):

Get-ADUser -Filter * -Properties Name,PasswordExpired | where {$_.PasswordExpired} | select Name,PasswordExpired

Task: for the list of accounts that are stored in a text file (one account per line), you need to get the user's company name from AD and save it to a CSV file (you can easily import this file into Excel).

# Assumption: the input file has a header line that names its single column "user"
Import-Csv c:\ps\users_list.csv | ForEach-Object { Get-ADUser -Identity $_.user -Properties Name, Company | Select-Object Name, Company } |
Export-CSV c:\ps\users_ad_list.csv -Append -Encoding UTF8

The users who haven't changed their passwords in the last 90 days:

$90_Days = (Get-Date).adddays(-90)
Get-ADUser -Filter {PasswordLastSet -le $90_Days}
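
The password attributes used throughout this article can be combined into a single audit report. This is an added example, not code from the original article: Get-PasswordFinding is a hypothetical helper, the sample accounts are constructed, and the 90-day threshold follows the query above. It also converts lastLogonTimestamp, which AD stores as a FILETIME integer, into a readable date.

```powershell
function Get-PasswordFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxAgeDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        $cutoff = $Now.AddDays(-$MaxAgeDays)
        # lastLogonTimestamp is a FILETIME (100-ns intervals since 1601-01-01 UTC).
        # It is empty for accounts that have never logged on, and it replicates with
        # a lag of up to about two weeks, so treat it as approximate.
        $lastLogon = if ($User.lastLogonTimestamp) {
            [datetime]::FromFileTimeUtc([int64]$User.lastLogonTimestamp)
        }
        $findings = @()
        if ($User.PasswordNeverExpires) { $findings += 'NeverExpires' }
        if ($User.PasswordExpired)      { $findings += 'Expired' }
        if (-not $User.PasswordLastSet) { $findings += 'NeverSet' }
        elseif ($User.PasswordLastSet -lt $cutoff) { $findings += 'StalePassword' }
        if (-not $lastLogon -or $lastLogon -lt $cutoff) { $findings += 'Inactive' }
        [pscustomobject]@{
            Name            = $User.Name
            PasswordLastSet = $User.PasswordLastSet
            LastLogonUtc    = $lastLogon
            Findings        = $findings -join ','
        }
    }
}

# Constructed sample accounts using the property names Get-ADUser returns.
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'svc-backup'; PasswordNeverExpires = $true; PasswordExpired = $false
        PasswordLastSet = [datetime]'2021-03-10'; lastLogonTimestamp = ([datetime]'2024-05-28').ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'tuser'; PasswordNeverExpires = $false; PasswordExpired = $false
        PasswordLastSet = [datetime]'2024-05-02'; lastLogonTimestamp = ([datetime]'2024-05-30').ToFileTimeUtc() }
    [pscustomobject]@{ Name = 'sjoe'; PasswordNeverExpires = $false; PasswordExpired = $true
        PasswordLastSet = $null; lastLogonTimestamp = $null }
)
$sample | Get-PasswordFinding -Now $now | Format-Table -AutoSize

# Live domain, enabled accounts only (filtered on the domain controller):
# Get-ADUser -Filter "Enabled -eq 'True'" -Properties PasswordExpired,PasswordLastSet,PasswordNeverExpires,lastLogonTimestamp |
#     Get-PasswordFinding | Where-Object Findings
```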

To get a user's photo (the thumbnailPhoto attribute) and save it to a jpg file, run the following commands:

$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte

To get a list of AD groups which the user account is a member of:

Get-ADUser sjoe -Properties memberof | Select memberof -expandproperty memberof

List the users from the OU that are members of a specific domain security group:

Get-ADUser -SearchBase 'OU=Rome,OU=Italy,DC=woshub,DC=com' -Filter * -properties memberof | Where-Object { $_.MemberOf -like "*<group name>*" }

List the domain computers the user is allowed to log on to (logon restriction by the AD attribute LogonWorkstations).

Get-ADUser jbrown -Properties LogonWorkstations | Format-List Name, LogonWorkstations

To get a computer or perform a search for multiple computers in Active Directory, you can use another cmdlet: Get-ADComputer.
