The Get-ADUser PowerShell cmdlet allows you to get information about an Active Directory user, its attributes, and search among domain users. It is one of the more popular PowerShell cmdlets for getting information from AD. Using the Get-ADUser cmdlet, you can get the value of any attribute of an AD user account, list domain users with attributes, export user reports to CSV files, and use various criteria to select and filter domain users.
- Get-ADUser Cmdlet in Active Directory PowerShell Module
- How to Find AD User and List Properties with Get-ADUser?
- Get-ADUser -SearchBase: Getting Users from Specific OUs
- How to Get a User’s Email Address from AD Using PowerShell?
- Get-ADUser: Exporting Active Directory Users to CSV with PowerShell
- Get-ADUser Filter Examples
- PowerShell Get-ADUser Examples
Get-ADUser Cmdlet in Active Directory PowerShell Module
The Get-ADUser cmdlet is included in a special module for interacting with Active Directory – Active Directory Module for Windows PowerShell. The RSAT-AD-PowerShell module cmdlets enable you to perform various operations on AD objects.
In this example, we’ll show how to use the Get-ADUser PowerShell cmdlet to get information about the last time a user’s password was changed, when the password expires, and other users’ properties.
To use the RSAT-AD-PowerShell module, you need to run the elevated PowerShell console and import the module with the command:
Import-Module ActiveDirectory
The RSAT-AD-PowerShell module is installed by default on Windows Server 2012 (and newer) when you deployed the Active Directory Domain Services (AD DS) role. To install the module on a domain member Windows Server host, run the command:
Install-WindowsFeature -Name "RSAT-AD-PowerShell" –IncludeAllSubFeature
In order to use the Get-ADUser cmdlet on desktop Windows 10/11, you need to install the appropriate version of RSAT. You can enable RSAT through Settings -> Apps -> Optional Features -> Add a feature -> RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
You can install the RSAT AD module on Windows 10 and 11 with PowerShell:
Add-WindowsCapability –online –Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
If the RSAT-AD-PowerShell module is not installed on the computer, then when you run the Get-ADUser command, an error will appear:
Get-ADUser: The term 'get-aduser' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
Check that the module is installed, and if necessary, import it into your PowerShell session:
Import-Module ActiveDirectory
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.dll"
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.resources.dll"
A complete list of all the arguments of the Get-ADUser cmdlet can be obtained as follows:
help Get-ADUser
How to Find AD User and List Properties with Get-ADUser?
To display the list of all domain user accounts, run this command:
Get-ADUser -filter *
To display the properties of a specific user, use the –Identity parameter. Identity can be a username, login (SAMAccountName), DN (Distinguished Name), SID, or GUID.
The following PowerShell commands will return the same result for the same AD user account:
Get-ADUser –Identity b.smith
Get-ADUser –Identity "CN=Brian Smith,OU=Users,OU=Berlin,DC=woshub,DC=loc"
Get-ADUser –Identity "Brian Smith"
By default, the Get-ADUser cmdlet returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, SID, UserPrincipalName, ObjectClass, account status (Enabled: True/False according to the UserAccountControl AD attribute), etc. In this case, the cmdlet’s output doesn’t contain information about the time of the last user password change.
Get-ADUser –Server DC01.woshub.com –Identity tstuser
If you need to get user data from another AD domain, you need to specify the domain controller name and credentials to access it:
$ADcred = Get-Credential
Get-ADUSer tstuser -Server DC01.contoso.com -Credential $ADcred
To display the detailed information about all available user attributes, run this command:
Get-ADUser -identity tuser -properties *
The Get-ADUser cmdlet with the Properties * switch lists all the AD user’s attributes and their values (including empty ones). A similar list of user attributes is available in the Active Directory Users and Computers graphical snap-in (dsa.msc) under the attribute editor tab.
Then we’ll go to the formatting of Get-ADUser output so that the necessary user attributes are displayed. For example, you want to display the values of the following user properties:
- PasswordExpired
- PasswordLastSet
- PasswordNeverExpires
- LastLogonTimestamp
Run the command:
Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires, lastlogontimestamp
Now in the user data, there is the information about the account password status (Expired: True/False), the date of the last password changes, and the time of the last user logon to the domain (lastlogontimestamp attribute). To display this information in a more convenient table view and remove all unnecessary attributes use the Select-Object –Property and Format-Table:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
Get-ADUser -SearchBase: Getting Users from Specific OUs
To display users only from a specific domain container (Organizational Unit), use the –SearchBase parameter:
Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
If you need to select users from multiple OUs at once, use the following PowerShell script:
$OUs = "OU=NY,DC=woshub,DC=com","OU=LA,DC=woshub,DC=com","OU=MA,DC=woshub,DC=com"
$OUs | foreach {Get-ADUser -SearchBase $_ -Filter * |select Name, Enabled}
How to Get a User’s Email Address from AD Using PowerShell?
User email address is one of the user object attributes in Active Directory. To list the email addresses of users, you must add the EmailAddress field to the properties of the Get-ADUser cmdlet.
Get-ADUser -filter * -properties EmailAddress -SearchBase 'OU=Paris,OU-Fr,DC=woshub,DC=com'| select-object Name, EmailAddress
The list of enabled user accounts with e-mail addresses:
Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table
To get the list of Active Directory users with no Email address:
Get-ADUser -Filter * -Properties EmailAddress | where -Property EmailAddress -eq $null
The following example allows you to export a company email list from AD to a CSV file. Later, you can import this CSV address list into desktop email clients such as Outlook or Mozilla Thunderbird:
Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -delimiter "," $env:temp\adress_list.csv
Get-ADUser: Exporting Active Directory Users to CSV with PowerShell
The resulting list of domain users with attributes can be exported to a text file:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt
Or you can export the AD users list to a CSV file:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | where {$_.name –like "*Dmitry*"} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-csv -path c:\tmp\user-passwords-expires.csv -Append -Encoding UTF8
Get-ADUser Filter Examples
Using the –Filter switch, you can filter the list of user accounts by one or more attributes. This is useful for searching AD users whose attributes match specified criteria. Values for specific attributes of Active Directory users can be specified as arguments to this parameter. When you use the –Filter parameter, the Get-ADUser cmdlet will only display users that match the filter criteria.
For example, I want to list active (Enabled) user accounts whose name contains “Dmitry”. The example below uses multiple filters; you can combine conditions using the logical PowerShell comparison operators. In this example, user attributes must satisfy both filter conditions (-and):
Get-AdUser -Filter "(Name -like '*Dmitry*') -and (Enabled -eq 'True')" -Properties * |select name,enabled
All PowerShell logical operators can be used to select values for user attributes (-eq, -ne, -gt, -ge, -lt, -le, -like, -notlike, -and, -or, etc.)
Additionally, you can sort the resulting list of users by a specific user attribute with the Sort-Object cmdlet. You can also use the Where-Object cmdlet to specify multiple filtering criteria at once.
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires -SearchBase 'OU=NY,DC=woshub,DC=com'| where {$_.name –like "*Dmitry*" -and $_.Enabled -eq $true} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
Thus, you can get a list of users with any necessary Active Directory attributes.
To search for users by several attributes at once (legacyExchangeDN, proxyAddresses, SAMAccountName, Surname, DisplayName, SamAccountName, physicalDeliveryOfficeName, RDN, and msExchMailNickname), you can use the Ambiguous Name Resolution (ANR) feature:
Get-ADUser -Filter {anr -eq 'John'} | select Name
You can use an LDAP filter in Get-ADUser queries. An LDAP filter is specified using the –LdapFilter attribute.
Get-ADUser -LDAPFilter '(&(department=it)(title=sysops))'
PowerShell Get-ADUser Examples
Let’s show some more useful PowerShell command examples for querying Active Directory users with various filters. You can combine them to get the required list of AD user objects:
Display AD users, whose name starts with Joe:
Get-ADUser -filter {name -like "Joe*"}
You can use PowerShell to calculate the total number of user accounts in the Active Directory:
Get-ADUser -Filter {SamAccountName -like "*"} | Measure-Object
Find disabled Active Directory user accounts:
Get-ADUser -Filter {Enabled -eq "False"} | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table
You can check the Active Directory user account creation date with the command:
get-aduser -Filter * -Properties Name, WhenCreated | Select name, whenCreated
You can get the list of newly added Active Directory users created in the last 24 hours:
$lastday = ((Get-Date).AddDays(-1))
Get-ADUser -filter {(whencreated -ge $lastday)}
List the accounts with an expired password (you can configure password expiration options in the domain password policy):
Get-ADUser -filter {Enabled -eq $True} -properties name,passwordExpired| where {$_.PasswordExpired}|select name,passwordexpired
Task: for the list of user accounts that are stored in a text file (one account per line), you need to get the user’s company name from AD and save it to a CSV file (you can easily import this CSV file into Excel).
Import-Csv c:\ps\users_list.csv | ForEach {
Get-ADUser -identity $_.user -Properties Name, Company |
Select Name, Company |
Export-CSV c:\ps\users_ad_list.csv -Append -Encoding UTF8
}
The users who haven’t changed their domain passwords in the last 90 days:
$90_Days = (Get-Date).adddays(-90)
Get-ADUser -filter {(passwordlastset -le $90_days)}
Find inactive user accounts (not logged on to the domain for more than 180 days). The lastLogonTimestamp attribute is used to get the user’s logon history to the domain:
$LastLogonDate= (Get-Date).AddDays(-180)
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate } | ?{$_.Enabled –eq $True} | Sort LastLogonTimeStamp| FT Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} -AutoSize
To get a user’s photo from Active Directory and save it to a jpg file, run the following commands:
$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte
To get a list of AD groups which the user account is a member of:
Get-AdUser sjoe -Properties memberof | Select memberof -expandproperty memberof
List the users from the OU that are members of a specific domain security group:
Get-ADUser -SearchBase 'OU=Rome,OU=Italy,DC=woshub,DC=com' -Filter * -properties memberof | Where-Object {($_.memberof -like "*CEO*")}
List users from the OU that are members of a specific domain security group:
Get-ADUser -SearchBase 'OU=Rome,OU=Italy,DC=woshub,DC=com' -Filter * -properties memberof | Where-Object {($_.memberof -like "*CEO*")}
List all users from the OU, except for members of a specific group:
$Users = Get-ADUser -filter * -SearchBase ‘OU=Berlin,DC=woshub,DC=com’ -properties memberOf
ForEach ($User In $Users)
{
$Groups = -join @($User.memberOf)
If ($Groups -notlike '*Domain Admins*')
{
$User.Name
}
}
Exporting a list of AD users with the Organizational Unit name to the Out-GridView table:
get-aduser -filter * -Properties cn,canonicalname | select name,userprincipalname,@{Name="OU";expression={$_.Canonicalname.substring(0,$_.canonicalname.length-$_.cn.length)}}| Out-GridView
Check that the AD user account exists:
$SamAccountName='jbrown'
if (@(Get-ADUser -Filter { SamAccountName -eq $SamAccountName }).Count -eq 0)
{ Write-Host "User $SamAccountName doesn’t exist"}
List the domain computers the user is allowed to sign in (logon restriction through the LogonWorkstations AD attribute).
Get-ADUser jbrown -Properties LogonWorkstations | Format-List Name, LogonWorkstations
