Get-ADUser is one of the fundamental PowerShell cmdlets that can be used to get information about Active Directory domain users and their properties. You can use Get-ADUser to view the value of any AD user object attribute, display a list of users in the domain with the necessary attributes and export them to CSV, and use various criteria and filters to select domain users.
The Get-ADUser cmdlet has been available since PowerShell 2.0 and is part of the special module Active Directory for Windows PowerShell (introduced in Windows Server 2008 R2). RSAT-AD-PowerShell cmdlets allow you to perform various operations on AD objects.
In this example we’ll show how to get information on the last time a user’s password was changed and the password’s expiration date by using the Get-ADUser PowerShell cmdlet.
How to Find AD User and List Properties with Get-ADUser?
To use the RSAT-AD-PowerShell module, you need to run an elevated PowerShell console and import the module with the command:
The RSAT-AD-PowerShell module is installed by default on Windows Server 2012 (and newer) when you deploy the Active Directory Domain Services (AD DS) role. To install the module on a domain member server, run the command:
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
On desktop Windows 10, in order to use the Get-ADUser cmdlet you need to install the appropriate version of RSAT and enable the Active Directory Module for Windows PowerShell feature through the Control Panel (Programs -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> AD DS Tools).
You can install the RSAT AD module in Windows 10 1809 and newer from PowerShell:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
A complete list of all the arguments of the Get-ADUser cmdlet can be obtained as follows:
To display the list of all domain accounts, run this command:
Get-ADUser -filter *
To execute an AD query on a specific domain controller, use the -Server parameter:
Get-ADUser –Server DC01.woshub.com –Identity tuser
To change user attributes, use the Set-ADUser cmdlet.
By default the Get-ADUser cmdlet returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, , UserPrincipalName, ObjectClass, account status (Enabled: True/False based on the ), etc. In this case the cmdlet’s output doesn’t contain information about the time of the .
To display detailed information about all available user attributes, run this command:
Get-ADUser -identity tuser -properties *
The Get-ADUser cmdlet with the -Properties * parameter displays a list of all AD user attributes and their values.
Next we’ll move on to formatting the Get-ADUser output so that only the necessary user attributes are displayed. You can display several user attributes at once:
Run the command:
Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires, lastlogontimestamp
Now the user data includes information about the account status (Expired: True/False), the date of the last password change and the time of the last user logon to the domain (lastlogontimestamp). To display this information in a more convenient table view and remove all unnecessary attributes, use Select-Object -Property or Format-Table:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
Get-ADUser: Multiple OUs Search with SearchBase
To display users only from a specific domain container (Organizational Unit), use the SearchBase parameter:
Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
If you need to select users from multiple OUs at once, use the following PowerShell script:
$OUs = "OU=NY,DC=woshub,DC=com","OU=LA,DC=woshub,DC=com","OU=MA,DC=woshub,DC=com"
$OUs | ForEach-Object { Get-ADUser -SearchBase $_ -Filter * | Select-Object Name, Enabled }
How to Get Emails From Active Directory Using PowerShell?
A user’s email address is one of the user object attributes in Active Directory. To list the email addresses of users, you must add the EmailAddress field to the properties of the Get-ADUser cmdlet.
Get-ADUser -filter * -properties EmailAddress -SearchBase 'OU=Paris,OU=Fr,DC=woshub,DC=com'| select-object Name, EmailAddress
The list of active user accounts with e-mail addresses:
Get-ADUser -Filter "(mail -like '*') -and (Enabled -eq 'True')" -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table
To get the list of Active Directory users with no email address:
Get-ADUser -Filter * -Properties EmailAddress | Where-Object -Property EmailAddress -eq $null
The next example exports the company’s email address book from AD to a CSV file, which can later be imported into email clients such as Outlook or Mozilla Thunderbird:
Get-ADUser -Filter "(mail -like '*') -and (Enabled -eq 'True')" -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -delimiter "," $env:temp\adress_list.csv
Get-ADUser: Export AD Users to CSV/TXT
The resulting list of domain users with attributes can be exported to a text file:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt
Or you can export the AD users list to a CSV file (which can later be conveniently imported into Excel):
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-csv -path c:\tmp\user-passwords-expires.csv -Append -Encoding UTF8
Using Get-ADUser with Filter Items
Using the -Filter parameter, you can filter the list of user accounts by one or more attributes. As arguments of this parameter, you can specify the value of certain attributes of Active Directory users. If you use the -Filter parameter, the Get-ADUser cmdlet will only list users that match the filter criteria.
For example, I want to list active (Enabled) user accounts whose name contains “Dmitry” (in the example below, a multiple filter is used; you can combine conditions using the standard logical PowerShell comparison operators):
Get-ADUser -Filter "(Name -like '*Dmitry*') -and (Enabled -eq 'True')" -Properties * | select name,enabled
Additionally, you can sort the resulting list of users by a specific user attribute (column) with the Sort-Object cmdlet. You can also use the Where-Object cmdlet to specify multiple filtering criteria at once.
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires -SearchBase 'OU=NY,DC=woshub,DC=com'| Where-Object { $_.Name -like '*Dmitry*' } | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
So you can build a table with any necessary attributes of Active Directory users.
Get-ADUser Usage Examples
Let’s show some more useful command examples for querying Active Directory users with various filters. You can combine them to get the necessary list of AD user objects:
Display AD users whose name starts with Joe:
You can use PowerShell to count the total number of user accounts in Active Directory:
Get-ADUser -Filter * | Measure-Object
Find disabled Active Directory user accounts:
Get-ADUser -Filter "Enabled -eq 'False'" | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table
You can check the Active Directory user account creation date with the command:
Get-ADUser -Filter * -Properties Name, WhenCreated | Select Name, whenCreated
You can get the list of newly added Active Directory :
$lastday = ((Get-Date).AddDays(-1))
Get-ADUser -Filter {whenCreated -ge $lastday}
List of the accounts with an expired password (you can configure password expiration options in the ):
Get-ADUser -Filter * -Properties Name,PasswordExpired | Where-Object { $_.PasswordExpired } | Select-Object Name,PasswordExpired
Task: for the list of accounts that are stored in a text file (one account per line), you need to get the user’s company name from AD and save it to a CSV file (you can easily import this file into Excel).
# Assumes the file has a header row with a column named user (the column name is not given on the page)
Import-Csv c:\ps\users_list.csv | ForEach-Object { Get-ADUser -Identity $_.user -Properties Company | Select-Object Name, Company } |
Export-Csv c:\ps\users_ad_list.csv -Append -Encoding UTF8
The users who haven’t changed their passwords in the last 90 days:
$90_Days = (Get-Date).adddays(-90)
Get-ADUser -Filter {PasswordLastSet -le $90_Days}
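The 90-day password-age check above, extended into a small audit helper that also flags PasswordNeverExpires and never-set passwords and converts lastLogonTimestamp from its raw FILETIME value. This is an added example, not code from the original article; Get-PasswordAuditFinding and the sample accounts are hypothetical and constructed so the block runs without a domain.

```powershell
# Added example. Get-PasswordAuditFinding is a hypothetical helper name, not an AD module cmdlet.
function Get-PasswordAuditFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $MaxPasswordAgeDays = 90,
        [datetime] $Now = (Get-Date)
    )
    process {
        $findings = @()
        if ($User.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if ($null -eq $User.PasswordLastSet) {
            # Empty PasswordLastSet: pwdLastSet is 0 (never set, or change required at next logon)
            $findings += 'PasswordNeverSet'
        } elseif ($User.PasswordLastSet -le $Now.AddDays(-$MaxPasswordAgeDays)) {
            $findings += 'PasswordOlderThanLimit'
        }
        # lastLogonTimestamp is a raw FILETIME integer (100-ns ticks since 1601-01-01 UTC)
        $lastLogon = if ($User.lastLogonTimestamp) {
            [datetime]::FromFileTimeUtc([int64]$User.lastLogonTimestamp)
        } else { $null }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name         = $User.Name
                Enabled      = $User.Enabled
                PasswordAge  = if ($User.PasswordLastSet) { [int]($Now - $User.PasswordLastSet).TotalDays } else { $null }
                LastLogonUtc = $lastLogon
                Findings     = $findings -join ','
            }
        }
    }
}

# Constructed sample objects shaped like Get-ADUser output (not real accounts)
$now = [datetime]'2024-06-01'
$sample = @(
    [pscustomobject]@{ Name='svc-backup'; Enabled=$true; PasswordNeverExpires=$true;  PasswordLastSet=[datetime]'2021-03-10'; lastLogonTimestamp=133600000000000000 }
    [pscustomobject]@{ Name='jbrown';     Enabled=$true; PasswordNeverExpires=$false; PasswordLastSet=[datetime]'2024-05-20'; lastLogonTimestamp=133610000000000000 }
    [pscustomobject]@{ Name='newhire';    Enabled=$true; PasswordNeverExpires=$false; PasswordLastSet=$null;                  lastLogonTimestamp=$null }
)
$sample | Get-PasswordAuditFinding -Now $now | Format-Table -AutoSize

# Against a live domain, feed it the same properties the page queries:
# Get-ADUser -Filter "Enabled -eq 'True'" -Properties PasswordLastSet, PasswordNeverExpires, lastLogonTimestamp |
#     Get-PasswordAuditFinding | Export-Csv .\password-audit.csv -NoTypeInformation -Encoding UTF8
```

lastLogonTimestamp is only updated periodically before it replicates between domain controllers, so treat LastLogonUtc as approximate rather than exact.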
To get a user’s thumbnailPhoto and save it to a jpg file, run the following commands:
$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte
To get a list of AD groups which the user account is a member of:
Get-ADUser sjoe -Properties memberof | Select memberof -expandproperty memberof
List the users from the OU that are members of a specific domain security group:
# <GroupName> is a placeholder: the group name is not given on the page
Get-ADUser -SearchBase 'OU=Rome,OU=Italy,DC=woshub,DC=com' -Filter * -properties memberof | Where-Object { $_.memberof -like 'CN=<GroupName>,*' }
List the domain computers the user is allowed to log on to (logon restriction by the AD attribute LogonWorkstations).
Get-ADUser jbrown -Properties LogonWorkstations | Format-List Name, LogonWorkstations