Posted on August 21, 2015 · Posted in Active Directory, Powershell

Get-ADUser: Getting Active Directory Users Data via Powershell

It's no secret that since the first PowerShell version, Microsoft has been trying to make it the main administrative tool in Windows, and it has mostly succeeded. Using simple examples, we'll demonstrate PowerShell features for getting various information about Active Directory users and their attributes.

Note. Earlier, to get information about the attributes of AD user accounts, you had to use various tools: the ADUC console (including saved AD queries), VBS scripts, dsquery, etc.

In PowerShell 2.0, a special module appeared for working with Active Directory: the Active Directory Module for Windows PowerShell (introduced with Windows Server 2008 R2), which can manage AD directory objects using dedicated cmdlets. To get information about users and their properties, there is the Get-ADUser cmdlet.

In this example we'll show how to use the Get-ADUser PowerShell cmdlet to get information about when a user's password was last changed and when it expires.
Run PowerShell with administrator privileges and import the Active Directory module with the following command:

Import-Module activedirectory

Tip. In Windows Server 2012 this step can be skipped, since the PowerShell Active Directory module is enabled by default.

To display the list of all domain accounts, run this command:

Get-ADUser -filter *

Important. It is not recommended to run this command in domains with a large number of accounts, since the domain controller providing the information can be overloaded.

Get-ADUser - get AD user data via Powershell

The format of the returned list isn’t too convenient, and we also see that the information about the time of the last password change is absent.

To display the detailed information about all available user attributes, run this command:

Get-ADUser -identity tuser -properties *

get active directory user properties

So we see the full list of attributes associated with the user account. Next, we'll format the Get-ADUser output so that only the fields we need are displayed. We are interested in the following attributes:

  • PasswordExpired
  • PasswordLastSet
  • PasswordNeverExpires

Run the command:

Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires

get-aduser password info

Now the user data includes the date of the last password change and information about its expiration. Display this information in a more convenient table view:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires

get-aduser table view

To display the data for users from a certain OU, use the -SearchBase parameter:

Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires

The result can be exported to a text file:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt

Or to a CSV file, which is convenient to import into Excel. (Also, using Sort-Object you can sort the table by the PasswordLastSet column, and add a Where-Object condition so that only users whose name contains the string "Dmitry" are included.)

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | where {$_.Name -like "*Dmitry*"} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-csv -path c:\tmp\user-passwords-expires.csv

get-aduser sort

So you can make a table with any attributes of Active Directory users.
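The commands above show whether a password has already expired, but not when it will expire. The following script is an added example (not part of the original article) that builds a password-age report for one OU, reads the expiry time the domain controller computes from the effective password policy, and exports it to CSV. The OU path reuses the article's placeholder, the output path and page size are assumptions, and it needs PowerShell 3.0 or later for [pscustomobject].

```powershell
# Added example: password-age report for one OU with the computed expiry date.
# Assumptions: the OU below is the article's placeholder, the output path and
# the page size are arbitrary; adjust them for your domain.
Import-Module ActiveDirectory

$SearchBase = 'OU=London,DC=woshub,DC=loc'      # placeholder OU from the article
$OutFile    = "$env:TEMP\password-report.csv"   # assumed output path
$Props      = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordExpired',
              'msDS-UserPasswordExpiryTimeComputed'

# Query only enabled accounts and page the result so that one large reply
# does not overload the domain controller.
$users = Get-ADUser -SearchBase $SearchBase -Filter { Enabled -eq $true } `
                    -Properties $Props -ResultPageSize 500

$report = foreach ($u in $users) {
    # The DC derives msDS-UserPasswordExpiryTimeComputed from PasswordLastSet
    # and the password policy that applies to the user (domain default or a
    # fine-grained policy) and returns it as a Windows FILETIME. For accounts
    # whose password never expires it returns Int64.MaxValue, which
    # FromFileTime cannot convert, so that case is mapped to $null.
    $raw = $u.'msDS-UserPasswordExpiryTimeComputed'
    $expires = if ($u.PasswordNeverExpires -or -not $raw -or $raw -eq [long]::MaxValue) {
        $null
    } else {
        [datetime]::FromFileTime($raw)
    }

    [pscustomobject]@{
        Name                 = $u.Name
        SamAccountName       = $u.SamAccountName
        PasswordLastSet      = $u.PasswordLastSet   # $null = must change at next logon
        PasswordExpires      = $expires
        DaysUntilExpiry      = if ($expires) { [int]($expires - (Get-Date)).TotalDays } else { $null }
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordExpired      = $u.PasswordExpired
    }
}

$report | Sort-Object PasswordLastSet | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

Pushing the Enabled check into -Filter and limiting the scope with -SearchBase keeps the query cheap on the DC, which is the concern raised in the note about running Get-ADUser -filter * in large domains. Accounts with an empty PasswordLastSet are those flagged "user must change password at next logon"; they appear in the report with no expiry date rather than being silently dropped.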

Let's show some more useful variants of Active Directory queries:

Display AD users whose name starts with Joe:

Get-ADUser -filter {name -like "Joe*"}

To count the total number of Active Directory accounts:

Get-ADUser -Filter {SamAccountName -like "*"} | Measure-Object

The list of all active (not disabled) AD accounts:

Get-ADUser -Filter {Enabled -eq "True"} | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table

The list of the accounts with the expired password:

Get-ADUser -filter {Enabled -eq $True} -properties passwordExpired | where {$_.PasswordExpired}

The list of active accounts with e-mail addresses:

Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table

The next example allows you to export the company address book to a CSV file, which can later be imported into Outlook or Mozilla Thunderbird:

Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -delimiter "," $env:temp\adress_list.csv

The users who haven’t changed their passwords in the last 90 days:

$90_Days = (Get-Date).AddDays(-90)
Get-ADUser -filter {(PasswordLastSet -le $90_Days)}
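The 90-day query above is the core of a routine account-hygiene check. The script below is an added example (not from the original article) that extends it: it finds enabled accounts whose password is older than a threshold or that have not logged on for a longer period, and records why each one was flagged. The thresholds and output path are assumptions; LastLogonDate, PasswordNeverExpires and PasswordNotRequired are real Get-ADUser properties.

```powershell
# Added example: report enabled accounts with stale passwords or no recent logon.
# Assumptions: the two thresholds and the output path are arbitrary values;
# adjust them to your password policy and account-lifecycle rules.
Import-Module ActiveDirectory

$MaxPasswordAgeDays = 90
$MaxInactiveDays    = 180
$PasswordCutoff     = (Get-Date).AddDays(-$MaxPasswordAgeDays)
$LogonCutoff        = (Get-Date).AddDays(-$MaxInactiveDays)
$OutFile            = "$env:TEMP\stale-accounts.csv"   # assumed output path
$Props              = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordNotRequired', 'LastLogonDate'

# The filter is evaluated on the domain controller, so put the date comparison
# there instead of fetching every user and filtering locally. Accounts with an
# empty attribute are not matched by -lt, so a second query with -notlike "*"
# picks up users who have never logged on.
$stale = Get-ADUser -Properties $Props -Filter {
    Enabled -eq $true -and (PasswordLastSet -lt $PasswordCutoff -or LastLogonDate -lt $LogonCutoff)
}
$neverLoggedOn = Get-ADUser -Properties $Props -Filter {
    Enabled -eq $true -and LastLogonDate -notlike "*"
}

$report = foreach ($u in @($stale) + @($neverLoggedOn) | Sort-Object DistinguishedName -Unique) {
    $reasons = @()
    if ($u.PasswordLastSet -and $u.PasswordLastSet -lt $PasswordCutoff) {
        $reasons += "password older than $MaxPasswordAgeDays days"
    }
    if (-not $u.LastLogonDate) {
        $reasons += 'never logged on'
    } elseif ($u.LastLogonDate -lt $LogonCutoff) {
        $reasons += "no logon for $MaxInactiveDays days"
    }
    if ($u.PasswordNeverExpires) { $reasons += 'password never expires' }
    if ($u.PasswordNotRequired)  { $reasons += 'password not required' }

    [pscustomobject]@{
        SamAccountName  = $u.SamAccountName
        Name            = $u.Name
        PasswordLastSet = $u.PasswordLastSet
        # LastLogonDate is derived from lastLogonTimestamp, which replicates with a
        # granularity of up to 14 days: good for finding dormant accounts, not for
        # exact logon times.
        LastLogonDate   = $u.LastLogonDate
        Reasons         = ($reasons -join '; ')
    }
}

$report | Sort-Object LastLogonDate | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8
```

The Reasons column is what turns the list into something actionable: an account that is both dormant and has a non-expiring password is a different cleanup priority from one whose owner simply has not changed the password in 91 days. Because LastLogonDate comes from the replicated lastLogonTimestamp attribute, a user who logged on yesterday may still show a date up to two weeks old, so treat the inactivity threshold as approximate.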

To obtain data about Active Directory computers, you need to use another cmdlet, Get-ADComputer.
