
Get-ADUser: Getting Active Directory Users Info via PowerShell

April 15, 2020

Get-ADUser is one of the basic PowerShell cmdlets used to get information about Active Directory domain users and their properties. You can use Get-ADUser to view the value of any AD user object attribute, display a list of domain users with the attributes you need and export them to CSV, and apply various criteria and filters to select domain users.

The Get-ADUser cmdlet has been available since PowerShell 2.0 and is part of the Active Directory module for Windows PowerShell (introduced in Windows Server 2008 R2). The RSAT-AD-PowerShell cmdlets allow you to perform various operations on AD objects.

In this post we’ll show you how to get the time of a user’s last password change and the password expiration date using the Get-ADUser PowerShell cmdlet.

How to Find AD User and List Properties with Get-ADUser?

To use the RSAT-AD-PowerShell module, you need to run the elevated PowerShell console and import the module with the command:

Import-Module activedirectory

The RSAT-AD-PowerShell module is installed by default on Windows Server 2012 (and newer) when you deploy the Active Directory Domain Services (AD DS) role. To install the module on a domain member server, run the command:

Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature


On desktop Windows 10, to use the Get-ADUser cmdlet you need to install the appropriate version of RSAT and enable the Active Directory Module for Windows PowerShell feature through the Control Panel (Programs -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> AD DS Tools).


You can install the RSAT AD module in Windows 10 1809 and newer from PowerShell:

Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"

There is also a way to use the AD PowerShell module without installing RSAT on your computer. It is enough to copy the main module files and import the module into the PowerShell session:

Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.dll"
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.resources.dll"

A complete list of all the arguments of the Get-ADUser cmdlet can be obtained as follows:

help Get-ADUser

To use the Get-ADUser cmdlet, you do not need to run it under an account with domain administrator or delegated permissions. Any authenticated AD domain user can run PowerShell commands to get the values of most AD object attributes (except for confidential ones; see the example in the LAPS article). If you need to run the Get-ADUser command from a different account, use the Credential parameter.

To display the list of all domain accounts, run this command:

Get-ADUser -filter *

Important. It is not recommended to run this command in domains with a large number of accounts, since the domain controller providing the information can be overloaded.

To execute an AD query on a specific domain controller, use the -Server parameter:

Get-ADUser -Server dc-01.contoso.com -Identity tuser


To change user attributes, use the Set-ADUser cmdlet.

By default the Get-ADUser cmdlet returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, SID, UserPrincipalName, ObjectClass, account status (Enabled: True/False according to the UserAccountControl AD attribute), etc. So the default output doesn’t contain information about the time of the user’s last password change.

To display the detailed information about all available user attributes, run this command:

Get-ADUser -identity tuser -properties *


The Get-ADUser cmdlet with the Properties * parameter displays a list of all AD user attributes and their values.

Next, let’s format the Get-ADUser output so that only the user attributes we need are displayed. You can display several user attributes at once:

  • PasswordExpired
  • PasswordLastSet
  • PasswordNeverExpires
  • LastLogonTimestamp

Run the command:

Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires, lastlogontimestamp


Now the user data includes the password status (PasswordExpired: True/False), the date of the last password change and the time of the user’s last logon to the domain (lastlogontimestamp). To display this information in a more convenient table view and drop all unnecessary attributes, use Select-Object -Property or Format-Table:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires


Get-ADUser: Searching Multiple OUs with SearchBase

To display users only from a specific domain container (Organizational Unit), use the SearchBase parameter:

Get-ADUser -SearchBase 'OU=nyc,DC=contoso,DC=com' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires

If you need to select users from multiple OUs at once, use the following PowerShell script:

$OUs = "OU=nyc,DC=contoso,DC=com","OU=la,DC=contoso,DC=com","OU=london,DC=contoso,DC=com"
$OUs | foreach {Get-ADUser -SearchBase $_ -Filter * |select Name, Enabled}

How to Get Emails From Active Directory Using PowerShell?

The user email address is one of the user object attributes in Active Directory. To list the email addresses of users, add the EmailAddress attribute to the Properties of the Get-ADUser cmdlet:

Get-ADUser -filter * -properties EmailAddress -SearchBase 'OU=nyc,DC=contoso,DC=com'| select-object Name, EmailAddress


The list of active user accounts with e-mail addresses:

Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table

To get the list of Active Directory users with no Email address:

Get-ADUser -Filter * -Properties EmailAddress | where -Property EmailAddress -eq $null

The next example exports the company’s email address book from AD to a CSV file, which can later be imported into email clients such as Outlook or Mozilla Thunderbird:

Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -delimiter "," $env:temp\adress_list.csv

Get-ADUser: Export AD Users to CSV/TXT

The resulting list of domain users with attributes can be exported to a text file:

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt

Or you can export the AD user list to a CSV file (which can later be conveniently imported into Excel):

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | where {$_.name -like "*Dmitry*"} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-csv -path c:\tmp\user-passwords-expires.csv -Append -Encoding UTF8

Using Get-ADUser with Filter Items

Using the -Filter parameter, you can filter the list of user accounts by one or more attributes. As the argument of this parameter, you specify conditions on the values of Active Directory user attributes. With -Filter, the Get-ADUser cmdlet lists only the users that match the filter criteria.

For example, I want to list active (Enabled) user accounts whose name contains “Dmitry” (in the example below, multiple filters are used; you can combine conditions using the standard PowerShell logical and comparison operators):

Get-AdUser -Filter "(Name -like '*Dmitry*') -and (Enabled -eq 'True')" -Properties * |select name,enabled


Additionally, you can sort the resulting list of users by a specific user attribute (column) with the Sort-Object cmdlet. You can also use the Where-Object cmdlet to specify multiple filtering criteria at once.

Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires -SearchBase 'OU=nyc,DC=contoso,DC=com' | where {$_.name -like "*Dmitry*" -and $_.Enabled -eq $true} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires


In this way you can build a table with any Active Directory user attributes you need.

Get-ADUser Usage Examples

Let’s show some more useful command examples for querying Active Directory users with various filters. You can combine them to get the necessary list of AD user objects:

Display AD users whose name starts with Joe:

Get-ADUser -filter {name -like "Joe*"}

You can use PowerShell to calculate the total number of user accounts in Active Directory:

Get-ADUser -Filter {SamAccountName -like "*"} | Measure-Object

Find disabled Active Directory user accounts:

Get-ADUser -Filter {Enabled -eq "False"} | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table

You can check Active Directory user account creation date with the command:

get-aduser -Filter * -Properties Name, WhenCreated | Select name, whenCreated

You can get the list of newly added Active Directory users created in the last 24 hours:

$lastday = ((Get-Date).AddDays(-1))
Get-ADUser -filter {(whencreated -ge $lastday)}

List the accounts with an expired password (you can configure password expiration options in the domain password policy):

Get-ADUser -filter {Enabled -eq $True} -properties name,passwordExpired | where {$_.PasswordExpired} | select name,passwordexpired

You can use the Get-ADUser and Add-ADGroupMember cmdlets to create dynamic AD user groups (depending on city, position, department, etc.).

For a list of accounts stored in a CSV file with a user column (one account per line), the following gets each user’s company name from AD and saves it to a CSV file (you can easily import this file into Excel):

Import-Csv c:\ps\users_list.csv | ForEach {
    # the "user" column holds the SamAccountName of each account
    Get-ADUser -Identity $_.user -Properties Name, Company |
        Select Name, Company |
        Export-CSV c:\ps\users_ad_list.csv -Append -Encoding UTF8
}

The users who haven’t changed their passwords in the last 90 days:

$90_Days = (Get-Date).adddays(-90)
Get-ADUser -filter {(passwordlastset -le $90_days)}
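The password-age report that the Format-Table example and the 90-day query above build up, carried through as one added example (not code from the original post): instead of assuming a fixed 90 days it reads the maximum password age from the domain policy and the per-user expiry date the DC computes (msDS-UserPasswordExpiryTimeComputed), and it handles the “never expires” and “must change at next logon” cases that break a plain PasswordLastSet comparison. The OU and output path are placeholders, and the RSAT-AD-PowerShell module is assumed to be installed.

```powershell
# Added example (not from the original post): password-age report for the enabled users of
# one OU. Uses the expiry date the DC computes (msDS-UserPasswordExpiryTimeComputed) rather
# than assuming a fixed 90 days, and handles "never expires" and "must change at next logon".
# Assumptions: RSAT-AD-PowerShell is installed; the OU and output path are placeholders.
Import-Module ActiveDirectory

$SearchBase = 'OU=nyc,DC=contoso,DC=com'                 # placeholder OU
$Report     = Join-Path $env:TEMP 'password-report.csv'  # placeholder output path
$MaxAge     = (Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge   # TimeSpan; zero = no expiry

# Constructed attribute: the DC calculates it per user, so fine-grained password policies
# (PSOs) are honoured, which PasswordLastSet + MaxPasswordAge alone would miss.
$Props = 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordExpired',
         'msDS-UserPasswordExpiryTimeComputed', 'LastLogonTimestamp'

function ConvertFrom-AdFileTime([Int64] $Value) {
    # 0 = not set / must change at next logon; Int64.MaxValue = never expires. No date either way.
    if ($Value -le 0 -or $Value -eq [Int64]::MaxValue) { return $null }
    [DateTime]::FromFileTime($Value)
}

$rows = Get-ADUser -SearchBase $SearchBase -Filter "Enabled -eq 'True'" -Properties $Props |
    ForEach-Object {
        $age = if ($_.PasswordLastSet) { [int]((Get-Date) - $_.PasswordLastSet).TotalDays } else { $null }
        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            Name                 = $_.Name
            PasswordLastSet      = $_.PasswordLastSet    # $null when pwdLastSet is 0
            MustChangeAtLogon    = -not $_.PasswordLastSet
            PasswordAgeDays      = $age
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordExpired      = $_.PasswordExpired
            PasswordExpires      = ConvertFrom-AdFileTime ([Int64]$_.'msDS-UserPasswordExpiryTimeComputed')
            LastLogon            = ConvertFrom-AdFileTime ([Int64]$_.LastLogonTimestamp)
        }
    } | Sort-Object PasswordLastSet

$rows | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# Passwords flagged "never expires" that are already older than the domain maximum age:
# these bypass the policy the rest of the domain is held to, so list them separately.
if ($MaxAge -gt [TimeSpan]::Zero) {
    $rows | Where-Object { $_.PasswordNeverExpires -and $_.PasswordAgeDays -gt $MaxAge.TotalDays } |
        Format-Table Name, PasswordLastSet, PasswordAgeDays -AutoSize
}
```

The PasswordExpired flag in the report is the DC’s own verdict, so the last block only adds the accounts that the policy never reaches because of the PasswordNeverExpires flag.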

To get a user’s photo from Active Directory and save it to a jpg file, run the following commands:

$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte

To get a list of AD groups which the user account is a member of:

Get-AdUser sjoe -Properties memberof | Select memberof -expandproperty memberof

List the users from the OU that are members of a specific domain security group:

Get-ADUser -SearchBase 'OU=nyc,DC=contoso,DC=com' -Filter * -properties memberof | Where-Object {($_.memberof -like "*CEO*")}

List the domain computers the user is allowed to log on to (the logon restriction is stored in the AD attribute LogonWorkstations):

Get-ADUser jbrown -Properties LogonWorkstations | Format-List Name, LogonWorkstations

To get a computer or search for multiple computers in Active Directory, use another cmdlet, Get-ADComputer.
