logo

User Management via the Get-ADUser Cmdlet in PowerShell

Introduction

The Get-ADUser cmdlet in PowerShell provides many parameters for finding one or more users in an Active Directory (AD) domain.

By default, PowerShell runs using the account that is logged on to the machine. If you want to run a command using a different account, you can force PowerShell to prompt you for the credentials by using this switch before your command:

$cred =Get-Credential
Introduction

Searching for a Specific User

-Identity Parameter

Use the -Identity parameter if you know which AD user you want to get:

Get-ADUser -Identity “identifier”

Specify one of the following for the identifier:

  • DistinguishedName (DN)
  • SamAccountName
  • GUID
  • SID

Example

Get-ADUser -Identity "ABBEY.Crawford"
-Identity Parameter

Limiting a Search to a Particular OU

-SearchBase Parameter

Use the -SearchBase parameter to limit the search to a specific OU, specified by its distinguished name (DN):

Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "distinguishedName of OU"

Example

Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local"
-SearchBase Parameter

-SearchScope Parameter

Combine the SearchBase and SearchScope parameters to limit the search to a particular OU and a specified number of levels of sub-OUs. For example, to find user accounts in an OU and its immediate child OUs, specify a value of 1 for SearchScope. To include both child and grandchild OUs, use a value of 2.

Get-ADUser -SearchBase " distinguishedName of OU " -SearchScope "2"

Example

Get-ADUser -Filter "givenname -Like 'Abbey'" -SearchBase "OU=Versacorp,DC=milkyway,DC=local" -SearchScope "2"
-SearchScope Parameter

Filtering for Specific Sets of Users

-Filter Parameter

If you don’t know the exact value of any identifier, you can specify a property to filter on and a value for the filter, as follows:

Get-ADUser -Filter “filter value”

Operators

OperatorMeaningSample expression
-eqEqual toName -like ‘Inga’
-neNot equal toCountry -ne ‘US’
-gtGreater thanBadLogonCount -gt ‘0’
-geGreater than or equalModified -ge ’06-04-2021 12:00:00?
-ltLess thanLastLogonTimeStamp -lt ’01-08-2020?
-leLess than or equalCreated -le ’01-08-2020?
-likeWildcard searchMail -like ‘*@xyz.com’
-notlikeWildcard search with negationDepartment -notlike ‘*’
-andAndCountry -eq ‘US’ -and Department -eq ‘Operations’
-orOrCountry -eq ‘US’ -or -Country -eq ‘UK’

Finding Users with a Certain Given Name

To search for a user with his or her first name or part of the name, use the -Filter parameter with the -like clause and a value.

The following example shows the use of the Filter parameter, that involves the AD attribute, givenName. It returns users whose givenName contains Abbey.

Get-ADUser -Filter “givenname -Like ‘Abbey’”
Finding Users with a Certain Given Name

Finding Users with Similar Names

You can modify the previous command using the wildcard operator to get all users whose name starts with a particular string, as follows:

Get-ADUser -Filter "Name -like 'Abb*'" | Select Name,givenname,surname,samAccountName,distinguishedname | ftG
Finding Users with Similar Names
Finding Users with Similar Names

Finding All Enabled Users

If you want to see all enabled users, you can use this cmdlet:

Get-ADUser -filter {Enabled -eq "true"} | ft
Finding All Enabled Users

Finding Disabled Users

Finding disabled users can be quite valuable to facilitate AD cleanup. Using a simple command with one filter, “-Filter “Enabled -eq ‘false’”” could return hundreds of disabled users, as some companies prefer to keep their Active Directory objects for auditing purposes. Use the -SearchBase filter with a specific OU to limit results. For example, this cmdlet will find all disabled user accounts in a particular OU:

Get-ADUser -Filter “Enabled -eq 'false'” -SearchBase "CN=Users,DC=Knox,DC=lab" -Properties * | Select Name,Enabled |ft
Finding Disabled Users

Finding Users Who Have Email Addresses

To find all users who have mailboxes assigned to them, use the following command:

Get-ADUser -Filter {mail -ne "null"} -Properties Name,GivenName,mail| ft Name,GivenName,mail
Finding Users Who Have Email Addresses

Finding Accounts with Password Expiry Not Set

To strengthen security, you might want to find all accounts whose ‘passwordneverexpires’ attribute is set to true, as follows:

Get-ADUser -Filter {passwordneverexpires -eq "true"} | Select Name, sAMAccountName
Finding Accounts with Password Expiry Not Set

Finding Stale User Accounts

At times, we need to filter out the user accounts that have not been in use for some time. Here is how to find all user accounts that have not been used during the last 60 days:

$CutoffDate = (Get-Date).AddDays(-60)
Get-ADUser -Filter "LastLogonDate -lt '$CutoffDate'" -Properties LastLogonDate | Select Name, LastLogonDate
Finding Stale User Accounts

Finding Users Created on a Particular Date

To see all user accounts created on a particular date in Active Directory, you can use this command:

Get-ADUser -Filter {Created -lt '7/30/2021'} | Select Name
Finding Users Created on a Particular Date

Combining Multiple Filters

You can combine multiple filters to define complex criteria for finding users.

Example 1

The following command will return all enabled users from the Sales department:

Get-ADUser -Filter "Enabled -eq 'true' -and Department -like 'Sales'" -Properties * | Select Name, Department |ft
Combining Multiple Filters

Example 2

The following cmdlet will return all users whose department attribute is not null and whose name begins with the letter A:

Get-ADUser -filter {Department -ne "null"} | Where-Object Name -like 'A*'
Combining Multiple Filters

Netwrix GroupID for Better User Management

Streamline user management and automate tasks without complex scripting

We care about security of your data.

Privacy Policy

Controlling Which Properties Are Displayed

-Properties Parameter

By default, the Get-ADUser command returns only a handful of parameters. If you want the extended list of properties of a user, use this cmdlet:

Get-ADUser -Identity “Identifier” -Properties *
-Properties Parameter

Displaying a Specific Set of Properties

Alternatively, you can explicitly list the properties you want to see for a user:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,Enabled,mail,department,company,title,c,st,streetaddress |ft
Displaying a Specific Set of Properties

Displaying Group Membership

To see the membership of a user, use this cmdlet:

Get-ADUser -Identity Abbey.crawford -Properties memberof | Select-Object -ExpandProperty memberof
Displaying Group Membership

Displaying Email Address

If you want to see a specific user’s email address, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,mail |ft
Displaying Email Address

Displaying User Principal Name (UPN)

To retrieve a user’s UPN, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,userprincipalname |ft
Displaying User Principal Name (UPN)

Displaying SAM Account Name

To display a user’s SAM account name, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,samAccountName |ft
Displaying SAM Account Name

Displaying Display Name

If you want to see the display name of a user (for example, since it might be different in ADUC), you can use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,displayname |ft
Displaying Display Name

Displaying Distinguished Name

To see the distinguished name of a user, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,distinguishedname |ft
Displaying Distinguished Name

Displaying Proxy Addresses

If you want to see the proxy addresses of a user, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,proxyaddresses |ft
Displaying Proxy Addresses

Displaying a User’s Manager

To show the SAM account name of a user’s manager, use this command:

Get-ADUser “User Identifier” -properties * | select  amAccountName, @{Name=’Manager’;Expression={(Get-ADUser($_.manager)).samaccountname}}
Displaying a User’s Manager

Displaying Employee ID

To see the employee ID of a user, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,employeeid |ft
Displaying Employee ID

Displaying Telephone Numbers

To find all phone numbers of a user, use this command:

Get-ADUser -Identity “User Identifier” -Properties * | Select *Phone*
Displaying Telephone Numbers

To display these values in the form of a table, use this command:

Get-ADUser -Identity “User Identifier” -Properties * | Select Name, *Phone* | ft
Displaying Telephone Numbers

Displaying Password Expiry Date and Time

To see the password expiry date for an account, use this cmdlet:

Get-ADUser -Identity “User Identifier” -Properties msDS-UserPasswordExpiryTimeComputed | select Name, {[datetime]::FromFileTime($_.”msDS-UserPasswordExpiryTimeComputed”)}
Displaying Password Expiry Date and Time

Displaying Account Creation Date

To see when a user account was created in AD, use this command:

Get-ADUser -filter * -Properties Name,whencreated | ft Name,WhenCreated
Displaying Account Creation Date

Displaying Last Logon Date and Time

If you want to see the last time a user logged on to any system, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -Properties * | Select Name,lastlogondate |ft
Displaying Last Logon Date and Time

Displaying Last Password Change Date and Time

To see when a user last changed their password, use this cmdlet:

Get-ADUser -Identity Abbey.Crawford -properties PwdLastSet,PasswordLastSet  | sort Name | ft Name,PwdLastSet,PasswordLastSet
Displaying Last Password Change Date and Time

Displaying the Values of Extension Attributes

Organizations can use AD extension attributes to store additional information about users. For example, O365 license information can be stored in ExtensionAttribute1. To see this information, use this cmdlet:

Get-ADUser -Identity “Abbey.Crawford” -Properties * | Select sAMAccountName, extensionAttribute1
Displaying the Values of Extension Attributes

Sorting the Output

To sort the output of the Get-ADUser command using a particular property, use the following command:

Get-ADUser -Filter * | Select Name | Sort-Object -Property Name
Sorting the Output

Exporting Data to a CSV File

Example 1

The following command will find all user accounts created in the last 180 days, sort them by name, and export selected information about them to a CSV file:

Get-ADUser -filter * -properties * | Where-Object { $_.created -gt  (get-date).AddDays(-180)} | select-object Name, Created | sort Name | export-csv C:\Accounts.csv -NoTypeInformation
Exporting Data to a CSV File

Example 2

The command below finds all users in a particular OU and outputs selected details about them to a to a CSV file:

Exporting Data to a CSV File

Here is the CSV file:

Exporting Data to a CSV File

Conclusion

The Get-ADUser command is a versatile way to find one or more users that meet certain criteria. You can control which user properties are displayed and how the information is sorted, and export the output to a CSV file.

If you’re interested in a more comprehensive Active Directory and Azure AD management solution, take a look at Netwrix GroupID. It offers a more advanced management shell that is also fully compatible with PowerShell.

Windows PowerShell Scripting Tutorial for Beginners

We care about security of your data.

Privacy Policy
Since 2012, Jonathan Blackwell, an engineer and innovator, has provided engineering leadership that has put Netwrix GroupID at the forefront of group and user management for Active Directory and Azure AD environments. His experience in development, marketing, and sales allows Jonathan to fully understand the Identity market and how buyers think.
Automate Active Directory Groups & User Management