
November 30, 2021 | Active Directory, PowerShell, Windows Server 2019

Get-ADUser: Find Active Directory User Info with PowerShell

The Get-ADUser PowerShell cmdlet allows you to get information about an Active Directory user, its attributes, and search among domain users. It is one of the more popular PowerShell cmdlets for getting information from AD. Using the Get-ADUser cmdlet, you can get the value of any attribute of an AD user account, list domain users with attributes, export user reports to CSV files, and use various criteria to select and filter domain users.

Contents:
  • Get-ADUser Cmdlet in Active Directory PowerShell Module
  • How to Find AD User and List Properties with Get-ADUser?
  • Get-ADUser -SearchBase: Getting Users from Specific OUs
  • How to Get a User’s Email Address from AD Using PowerShell?
  • Get-ADUser: Exporting Active Directory Users to CSV with PowerShell
  • Get-ADUser Filter Examples
  • PowerShell Get-ADUser Examples

Get-ADUser Cmdlet in Active Directory PowerShell Module

The Get-ADUser cmdlet is part of the ActiveDirectory module (Active Directory Module for Windows PowerShell), which ships as the RSAT-AD-PowerShell feature. The module's cmdlets let you read and modify AD objects.

Note. Previously, to get information about the attributes of AD user accounts, you had to use different tools: ADUC console (including saved AD queries), VBS scripts, dsquery, etc. All of these tools can be easily replaced by the Get-ADUser cmdlet.

In this example, we’ll show how to use the Get-ADUser PowerShell cmdlet to get information about the last time a user’s password was changed, when the password expires, and other users’ properties.

To use the module, import it into your PowerShell session (an elevated console is only needed to install the RSAT feature; querying AD with Get-ADUser works from a normal user session):

Import-Module ActiveDirectory

The RSAT-AD-PowerShell module is installed by default on Windows Server 2012 (and newer) when you deploy the Active Directory Domain Services (AD DS) role. To install the module on a domain-member Windows Server host, run the following command from an elevated PowerShell console:

Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature


In order to use the Get-ADUser cmdlet on desktop Windows 10/11, you need to install the appropriate version of RSAT. You can enable RSAT through Settings -> Apps -> Optional Features -> Add a feature -> RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.


You can install the RSAT AD module on Windows 10 and 11 with PowerShell (elevated console; the capability is downloaded from Windows Update, so the host needs internet access or a configured Features on Demand source):

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

If the RSAT-AD-PowerShell module is not installed on the computer, then when you run the Get-ADUser command, an error will appear:

Get-ADUser: The term 'get-aduser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.

Check that the module is installed, and if necessary, import it into your PowerShell session:

Import-Module ActiveDirectory


There is also a way to use the AD PowerShell module without installing RSAT on the computer: copy the module files from a host where RSAT is installed (the path below is an example) and import the assemblies into the PowerShell session:

Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.dll"
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.resources.dll"

A complete list of all the arguments of the Get-ADUser cmdlet can be obtained as follows:

help Get-ADUser
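As an added example (not code from the original article), the following helper ties the steps above together: it checks whether the ActiveDirectory module is already available and, if not, installs the matching RSAT component for a workstation or a server and then imports the module. It assumes an elevated session for the install step and uses only the feature and capability names shown above; the function name is this example's own.

```powershell
# Added example, not from the original article.
# Ensures the ActiveDirectory module is available, installing RSAT if needed.
function Install-ADPowerShellModule {
    [CmdletBinding()]
    param()

    # Already installed (RSAT on a client, or the AD DS / RSAT feature on a server)?
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        Write-Verbose 'ActiveDirectory module is already available.'
        return
    }

    # Installing a Windows feature or capability requires an elevated session;
    # querying AD later does not.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = [Security.Principal.WindowsPrincipal]::new($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw 'Installing RSAT requires an elevated (Run as administrator) PowerShell session.'
    }

    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -eq 1) {
        # Windows 10/11: RSAT is a Feature on Demand capability (downloaded from Windows Update)
        Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0' | Out-Null
    }
    else {
        # Windows Server: RSAT is a server feature
        Install-WindowsFeature -Name RSAT-AD-PowerShell -IncludeAllSubFeature | Out-Null
    }

    if (-not (Get-Module -ListAvailable -Name ActiveDirectory)) {
        throw 'RSAT installation finished but the ActiveDirectory module is still not available.'
    }
}

Install-ADPowerShellModule -Verbose
Import-Module ActiveDirectory -ErrorAction Stop
Get-Command Get-ADUser   # proves the cmdlet is now resolvable
```

Run it once per host; on a machine that already has the module it only prints the verbose message and imports the module.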

How to Find AD User and List Properties with Get-ADUser?

You don't need domain administrator or delegated permissions to run Get-ADUser. Any authenticated domain user can read most AD object attributes (except confidential attributes such as the LAPS password, see the example in the article Local Administrator Password Solution – LAPS). If you need to run Get-ADUser under a different account, use the -Credential parameter.

To display the list of all domain user accounts, run this command:

Get-ADUser -filter *

Important. It is not recommended to run this command in the Active Directory domains with a large number of user accounts. This can place a heavy load on the domain controller providing the AD information.


Use the Set-ADUser cmdlet to change Active Directory user attributes.

To display the properties of a specific user, use the -Identity parameter. Identity accepts a SAMAccountName (login), a DN (Distinguished Name), a SID, or an objectGUID. It does not accept the display name (CN): Get-ADUser -Identity "Brian Smith" fails with "Cannot find an object with identity" unless that string happens to be the SAMAccountName. To look a user up by name, use -Filter instead.

The following PowerShell commands return the same AD user account:

Get-ADUser -Identity b.smith
Get-ADUser -Identity "CN=Brian Smith,OU=Users,OU=Berlin,DC=woshub,DC=loc"
Get-ADUser -Filter {Name -eq "Brian Smith"}


By default, the Get-ADUser cmdlet returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, SID, UserPrincipalName, ObjectClass, account status (Enabled: True/False according to the UserAccountControl AD attribute), etc. In this case, the cmdlet’s output doesn’t contain information about the time of the last user password change.

To execute an AD query on a specific domain controller, use the -Server option:

Get-ADUser -Server DC01.woshub.com -Identity tstuser

If you need to get user data from another AD domain, you need to specify the domain controller name and credentials to access it:

$ADcred = Get-Credential
Get-ADUser tstuser -Server DC01.contoso.com -Credential $ADcred

To display the detailed information about all available user attributes, run this command:

Get-ADUser -identity tuser -properties *


The Get-ADUser cmdlet with the Properties * switch lists all the AD user’s attributes and their values (including empty ones). A similar list of user attributes is available in the Active Directory Users and Computers graphical snap-in (dsa.msc) under the attribute editor tab.

Then we’ll go to the formatting of Get-ADUser output so that the necessary user attributes are displayed. For example, you want to display the values of the following user properties:

  • PasswordExpired
  • PasswordLastSet
  • PasswordNeverExpires
  • LastLogonTimestamp

Run the command:

Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires, lastlogontimestamp


Now the output includes the account password status (PasswordExpired: True/False), the date of the last password change, and the time of the last user logon to the domain (the lastLogonTimestamp attribute, returned as a raw Windows FILETIME integer). To display this information for several users as a table containing only the attributes you need, pipe the output to Select-Object or Format-Table:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
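The command above shows when a password was last set, but not when it will expire; that depends on the maximum password age of the default domain policy or of a fine-grained password policy that applies to the user. The following added example (not code from the original article) reads the constructed attribute msDS-UserPasswordExpiryTimeComputed, which the domain controller calculates per user with the policy that actually applies, and turns it into a report. The OU path is a placeholder and the function name is this example's own.

```powershell
# Added example, not from the original article.
# Password expiry report for enabled users in an OU (placeholder DN).
function Get-ADPasswordExpiryReport {
    param(
        [string]$SearchBase = 'OU=London,DC=woshub,DC=loc'
    )
    # msDS-UserPasswordExpiryTimeComputed is a constructed attribute: it is not
    # returned by -Properties * and must be requested by name.
    Get-ADUser -SearchBase $SearchBase -Filter {Enabled -eq $true} -Properties PasswordLastSet, PasswordNeverExpires, PasswordExpired, 'msDS-UserPasswordExpiryTimeComputed' |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'   # FILETIME as Int64
        # 0                  -> user must change the password at next logon
        # 0x7FFFFFFFFFFFFFFF -> never expires (flag set, or the policy has no maximum age)
        $expires = if ($raw -gt 0 -and $raw -lt [int64]::MaxValue) {
            [DateTime]::FromFileTime($raw)
        }
        $status = if ($null -eq $raw)                  { 'Unknown' }
                  elseif ($raw -eq 0)                  { 'Must change at next logon' }
                  elseif ($raw -eq [int64]::MaxValue)  { 'Never expires' }
                  elseif ($expires -lt (Get-Date))     { 'Expired' }
                  else                                 { 'OK' }

        [pscustomobject]@{
            Name                 = $_.Name
            SamAccountName       = $_.SamAccountName
            PasswordLastSet      = $_.PasswordLastSet
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordExpired      = $_.PasswordExpired
            PasswordExpires      = $expires
            DaysLeft             = if ($expires) { [math]::Floor(($expires - (Get-Date)).TotalDays) }
            Status               = $status
        }
    } | Sort-Object PasswordExpires
}

# Accounts expiring within the next 14 days, e.g. for a reminder mailing
Get-ADPasswordExpiryReport |
    Where-Object { $_.Status -eq 'OK' -and $_.DaysLeft -le 14 } |
    Format-Table Name, SamAccountName, PasswordLastSet, PasswordExpires, DaysLeft -AutoSize

# Accounts whose password can never expire: review these, they are a common audit finding
Get-ADPasswordExpiryReport |
    Where-Object { $_.Status -eq 'Never expires' } |
    Format-Table Name, SamAccountName, PasswordNeverExpires -AutoSize
```

Because the DC evaluates fine-grained password policies when it computes the attribute, the report stays correct for users covered by a PSO, which a manual "PasswordLastSet plus domain maximum age" calculation would not.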


Get-ADUser -SearchBase: Getting Users from Specific OUs

To display users only from a specific domain container (Organizational Unit), use the –SearchBase parameter:

Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires

If you need to select users from multiple OUs at once, use the following PowerShell script:

$OUs = "OU=NY,DC=woshub,DC=com","OU=LA,DC=woshub,DC=com","OU=MA,DC=woshub,DC=com"
$OUs | foreach {Get-ADUser -SearchBase $_ -Filter * |select Name, Enabled}

How to Get a User’s Email Address from AD Using PowerShell?

User email address is one of the user object attributes in Active Directory. To list the email addresses of users, you must add the EmailAddress field to the properties of the Get-ADUser cmdlet.

Get-ADUser -filter * -properties EmailAddress -SearchBase 'OU=Paris,OU=Fr,DC=woshub,DC=com' | select-object Name, EmailAddress


The list of enabled user accounts that have an e-mail address (mail -like "*" is translated into the LDAP presence filter (mail=*), which is the documented way to test whether an attribute is set):

Get-ADUser -Filter {(mail -like "*") -and (Enabled -eq $true)} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table

To get the list of Active Directory users with no Email address:

Get-ADUser -Filter * -Properties EmailAddress | where -Property EmailAddress -eq $null

The following example allows you to export a company email list from AD to a CSV file. Later, you can import this CSV address list into desktop email clients such as Outlook or Mozilla Thunderbird:

Get-ADUser -Filter {(mail -like "*") -and (Enabled -eq $true)} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -Delimiter "," $env:temp\address_list.csv

Get-ADUser: Exporting Active Directory Users to CSV with PowerShell

The resulting list of domain users with attributes can be exported to a text file:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt

Or you can export the AD users list to a CSV file:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | where {$_.name -like "*Dmitry*"} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-Csv -Path c:\tmp\user-passwords-expires.csv -NoTypeInformation -Encoding UTF8

The AD user list can be exported directly to an Excel file using PowerShell.

Get-ADUser Filter Examples

Using the –Filter switch, you can filter the list of user accounts by one or more attributes. This is useful for searching AD users whose attributes match specified criteria. Values for specific attributes of Active Directory users can be specified as arguments to this parameter. When you use the –Filter parameter, the Get-ADUser cmdlet will only display users that match the filter criteria.

For example, I want to list enabled user accounts whose name contains "Dmitry". The example below combines two conditions with the logical -and operator, so a user must satisfy both. Name and Enabled are default properties, so -Properties * is unnecessary here; requesting it would pull every attribute of every match across the network:

Get-AdUser -Filter "(Name -like '*Dmitry*') -and (Enabled -eq 'True')" | Select-Object Name, Enabled


The usual PowerShell comparison and logical operators can be used in the filter (-eq, -ne, -gt, -ge, -lt, -le, -like, -notlike, -and, -or, -not), plus the AD-specific -recursivematch, -bor and -band operators for nested membership and bit-flag attributes such as userAccountControl. Note that the filter is parsed by the AD module, not by PowerShell: regular expressions (-match), -contains and $null comparisons are not supported.

Additionally, you can sort the resulting list of users by a specific user attribute with the Sort-Object cmdlet. You can also use the Where-Object cmdlet to specify multiple filtering criteria at once.

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires -SearchBase 'OU=NY,DC=woshub,DC=com' | where {$_.name -like "*Dmitry*" -and $_.Enabled -eq $true} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires


Thus, you can get a list of users with any necessary Active Directory attributes.

To search for users by several attributes at once (displayName, givenName, legacyExchangeDN, msExchMailNickname, name/RDN, physicalDeliveryOfficeName, proxyAddresses, sAMAccountName and sn/Surname), you can use the Ambiguous Name Resolution (ANR) feature:

Get-ADUser -Filter {anr -eq 'John'} | select Name

Hint. When looking up Active Directory users using Get-ADUser, from a performance perspective, specifying the criteria using the Filter attribute is preferable to using the pipeline to the Where-Object cmdlet. In this case, the filtering of the selection results will be performed on the domain controller, and a smaller set of data will be transferred to your computer over the network.

You can use an LDAP filter in Get-ADUser queries. An LDAP filter is specified using the –LdapFilter attribute.

Get-ADUser -LDAPFilter '(&(department=it)(title=sysops))'
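As an added example (not code from the original article), the script below runs the same search three ways: with a -Filter built from variables, with an -LDAPFilter, and with client-side Where-Object, then times them so the hint above can be measured rather than taken on faith. It also shows the two quoting rules a practitioner needs: -Filter strings are expanded by PowerShell before the AD module parses them, so values must not contain quotes, and values placed in an LDAP filter must be escaped per RFC 4515 or an attacker-controlled value becomes an LDAP injection. The department and surname prefix are placeholders and the helper function name is this example's own.

```powershell
# Added example, not from the original article.
# Same query three ways (department/prefix values are placeholders), plus timing.
$dept   = 'it'
$prefix = 'Sm'

# 1) -Filter built from variables. PowerShell expands "$dept" into the filter
#    string before the AD module parses it, so a value containing a quote would
#    break or change the query: validate anything that comes from user input.
if (($dept + $prefix) -match "['`"]") { throw 'Quotes are not allowed in filter values.' }
$filter = "Department -eq '$dept' -and Surname -like '$prefix*' -and Enabled -eq 'True'"
$viaFilter = @(Get-ADUser -Filter $filter -Properties Department)

# 2) -LDAPFilter. Values embedded in an LDAP filter must be escaped per RFC 4515
#    (backslash first, then * ( ) and NUL); otherwise a crafted value such as
#    "*)(objectClass=*" turns the query into an LDAP injection.
function ConvertTo-LdapFilterValue([string]$Value) {
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}
# Enabled test: userAccountControl bit 0x2 (ACCOUNTDISABLE) must be clear,
# expressed with the bitwise-AND matching rule 1.2.840.113556.1.4.803.
$ldap = '(&(objectCategory=person)(objectClass=user)(department={0})(sn={1}*)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))' -f (ConvertTo-LdapFilterValue $dept), (ConvertTo-LdapFilterValue $prefix)
$viaLdap = @(Get-ADUser -LDAPFilter $ldap -Properties Department)

# 3) Where-Object: identical result, but every user object crosses the network first.
$clientSide = { $_.Department -eq $dept -and $_.Surname -like "$prefix*" -and $_.Enabled }
$viaWhere = @(Get-ADUser -Filter * -Properties Department | Where-Object $clientSide)

'Filter: {0}  LDAPFilter: {1}  Where-Object: {2}' -f $viaFilter.Count, $viaLdap.Count, $viaWhere.Count

# Timing: the gap grows with the number of users in the domain.
foreach ($case in @(
        @{ Name = '-Filter';      Script = { Get-ADUser -Filter $filter -Properties Department } },
        @{ Name = '-LDAPFilter';  Script = { Get-ADUser -LDAPFilter $ldap -Properties Department } },
        @{ Name = 'Where-Object'; Script = { Get-ADUser -Filter * -Properties Department | Where-Object $clientSide } }
    )) {
    $ms = (Measure-Command -Expression $case.Script).TotalMilliseconds
    '{0,-13} {1,8:N0} ms' -f $case.Name, $ms
}
```

All three variants return the same set of users; only the first two let the domain controller do the filtering. The escaping helper is also the right tool whenever a value from a ticket, a web form or a CSV ends up inside an LDAP filter.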

PowerShell Get-ADUser Examples

Let’s show some more useful PowerShell command examples for querying Active Directory users with various filters. You can combine them to get the required list of AD user objects:

Display AD users, whose name starts with Joe:

Get-ADUser -filter {name -like "Joe*"}

You can use PowerShell to calculate the total number of user accounts in the Active Directory:

Get-ADUser -Filter {SamAccountName -like "*"} | Measure-Object

Find disabled Active Directory user accounts:

Get-ADUser -Filter {Enabled -eq "False"} | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table

You can check the Active Directory user account creation date with the command:

get-aduser -Filter * -Properties Name, WhenCreated | Select name, whenCreated

You can get the list of newly added Active Directory users created in the last 24 hours:


$lastday = ((Get-Date).AddDays(-1))
Get-ADUser -filter {(whencreated -ge $lastday)}

List the accounts with an expired password (you can configure password expiration options in the domain password policy):

Get-ADUser -filter {Enabled -eq $True} -properties name,passwordExpired| where {$_.PasswordExpired}|select name,passwordexpired

You can use the Get-ADUser and Add-ADGroupMember cmdlets to create dynamic AD user groups (depending on city, job title, department, etc.).

Task: for a list of user accounts stored in a CSV file with a user column header (one account per line), get each user's company name from AD and save it to another CSV file (which you can easily open in Excel):

Import-Csv c:\ps\users_list.csv | ForEach-Object {
    Get-ADUser -Identity $_.user -Properties Name, Company | Select-Object Name, Company
} | Export-Csv c:\ps\users_ad_list.csv -NoTypeInformation -Encoding UTF8

The users who haven’t changed their domain passwords in the last 90 days:

$90_Days = (Get-Date).AddDays(-90)
Get-ADUser -Filter {PasswordLastSet -le $90_Days}

Find inactive user accounts (not logged on to the domain for more than 180 days). The lastLogonTimestamp attribute is used here: it is replicated between domain controllers, but it is only rewritten when the stored value is older than 9 to 14 days, so it can lag the real last logon by up to two weeks (the exact lastLogon attribute is not replicated and has to be read from every DC). Filtering on Enabled in the -Filter keeps the work on the domain controller:

$LastLogonDate = (Get-Date).AddDays(-180)
Get-ADUser -Filter {LastLogonTimeStamp -lt $LastLogonDate -and Enabled -eq $true} -Properties LastLogonTimeStamp | Sort-Object LastLogonTimeStamp | Format-Table Name, @{N='LastLogonTimestamp'; E={[DateTime]::FromFileTime($_.LastLogonTimeStamp)}} -AutoSize

To get a user's photo from Active Directory and save it to a JPG file, run the following commands (Windows PowerShell 5.1 syntax; PowerShell 7 replaced the -Encoding byte option with -AsByteStream):

$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte

To get a list of AD groups which the user account is a member of:

Get-AdUser sjoe -Properties memberof | Select memberof -expandproperty memberof

List the users from the OU that are direct members of a domain security group whose DN contains "CEO" (memberOf holds direct memberships only, and -like matches any group whose name contains the text):

Get-ADUser -SearchBase 'OU=Rome,OU=Italy,DC=woshub,DC=com' -Filter * -properties memberof | Where-Object {($_.memberof -like "*CEO*")}

List all users from the OU except direct members of a specific group (again, memberOf holds direct memberships only, so users who belong to the group through a nested group are not excluded):

$Users = Get-ADUser -Filter * -SearchBase 'OU=Berlin,DC=woshub,DC=com' -Properties memberOf
ForEach ($User In $Users) {
    $Groups = -join @($User.memberOf)
    If ($Groups -notlike '*Domain Admins*') {
        $User.Name
    }
}
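The two memberOf examples above only see direct membership and match on a substring of the group name. When the question is "who can actually act as a Domain Admin", nested groups matter, and the check should be made against the exact group DN. As an added example (not code from the original article), the function below uses the LDAP matching rule 1.2.840.113556.1.4.1941 (LDAP_MATCHING_RULE_IN_CHAIN), which makes the domain controller walk the group nesting for you. The OU path is a placeholder and the function name is this example's own.

```powershell
# Added example, not from the original article.
# Transitive (nested) group membership test evaluated on the domain controller.
function Get-ADUserByNestedGroup {
    param(
        [Parameter(Mandatory)][string]$GroupName,
        [string]$SearchBase = (Get-ADDomain).DistinguishedName,
        [switch]$NotMember   # return users who are NOT members, directly or via nesting
    )
    $groupDn = (Get-ADGroup -Identity $GroupName).DistinguishedName
    # A DN used as a filter value must be escaped per RFC 4515 (backslash first),
    # e.g. "CN=Smith\, John" becomes "CN=Smith\5c, John".
    $escaped = $groupDn.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
    # LDAP_MATCHING_RULE_IN_CHAIN walks memberOf recursively on the DC and
    # compares against the exact group DN, not a substring of the name.
    $inChain = "(memberOf:1.2.840.113556.1.4.1941:=$escaped)"
    $ldap = if ($NotMember) { "(&(objectCategory=person)(objectClass=user)(!$inChain))" }
            else            { "(&(objectCategory=person)(objectClass=user)$inChain)" }
    Get-ADUser -SearchBase $SearchBase -LDAPFilter $ldap -Properties memberOf
}

# Everyone who is effectively a Domain Admin, including through nested groups
Get-ADUserByNestedGroup -GroupName 'Domain Admins' |
    Select-Object Name, SamAccountName, @{N='DirectGroups'; E={ @($_.memberOf).Count }} |
    Format-Table -AutoSize

# Berlin users who are NOT Domain Admins, directly or through nesting (OU is a placeholder)
Get-ADUserByNestedGroup -GroupName 'Domain Admins' -SearchBase 'OU=Berlin,DC=woshub,DC=com' -NotMember |
    Select-Object Name
```

One gap remains by design: membership granted through a user's primary group (the primaryGroupID attribute, normally Domain Users) is not stored in memberOf, so the chain rule cannot see it. For privileged groups this rarely matters, but an account whose primary group has been changed to Domain Admins would be missed, which is itself worth auditing with -Filter {primaryGroupID -eq 512}.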

Exporting a list of AD users with the Organizational Unit name to the Out-GridView table:

get-aduser -filter * -Properties cn,canonicalname | select name,userprincipalname,@{Name="OU";expression={$_.Canonicalname.substring(0,$_.canonicalname.length-$_.cn.length)}}| Out-GridView


Check that the AD user account exists:

$SamAccountName = 'jbrown'
if (@(Get-ADUser -Filter { SamAccountName -eq $SamAccountName }).Count -eq 0) {
    Write-Host "User $SamAccountName doesn't exist"
}

List the domain computers the user is allowed to sign in to (logon restriction through the LogonWorkstations AD attribute):

Get-ADUser jbrown -Properties LogonWorkstations | Format-List Name, LogonWorkstations

Tip. The Get-ADComputer cmdlet is used to get computer properties or search for multiple computers from Active Directory.
