Get-ADUser (ActiveDirectory) (2023)

Module: ActiveDirectory

Gets one or more Active Directory users.

Syntax

Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] -Filter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADUser> [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]
Get-ADUser [-AuthType <ADAuthType>] [-Credential <PSCredential>] -LDAPFilter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]

Description

The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects.

The Identity parameter specifies the Active Directory user to get. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), or Security Account Manager (SAM) account name. You can also set the parameter to a user object variable such as $<localUserObject> or pass a user object through the pipeline to the Identity parameter.

To search for and retrieve more than one user, use the Filter or LDAPFilter parameters. The Filter parameter uses the PowerShell Expression Language to write query strings for Active Directory. PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. For more information about the Filter parameter syntax, type Get-Help about_ActiveDirectory_Filter. If you have existing Lightweight Directory Access Protocol (LDAP) query strings, you can use the LDAPFilter parameter.

This cmdlet retrieves a default set of user object properties. To retrieve additional properties use the Properties parameter. For more information about how to determine the properties for user objects, see the Properties parameter description.

Examples

Example 1: Get all of the users in a container

PS C:\> Get-ADUser -Filter * -SearchBase "OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM"

This command gets all users in the container OU=Finance,OU=UserAccounts,DC=FABRIKAM,DC=COM.

Example 2: Get a filtered list of users

PS C:\> Get-ADUser -Filter 'Name -like "*SvcAccount"' | Format-Table Name,SamAccountName -A

Name             SamAccountName
----             --------------
SQL01 SvcAccount SQL01
SQL02 SvcAccount SQL02
IIS01 SvcAccount IIS01

This command gets all users that have a name that ends with SvcAccount.

Example 3: Get all of the properties for a specified user

PS C:\> Get-ADUser -Identity ChewDavid -Properties *

Surname           : David
Name              : Chew David
UserPrincipalName :
GivenName         : David
Enabled           : False
SamAccountName    : ChewDavid
ObjectClass       : user
SID               : S-1-5-21-2889043008-4136710315-2444824263-3544
ObjectGUID        : e1418d64-096c-4cb0-b903-ebb66562d99d
DistinguishedName : CN=Chew David,OU=NorthAmerica,OU=Sales,OU=UserAccounts,DC=FABRIKAM,DC=COM

This command gets all of the properties of the user with the SAM account name ChewDavid.

Example 4: Get a specified user

PS C:\> Get-ADUser -Filter "Name -eq 'ChewDavid'" -SearchBase "DC=AppNC" -Properties "mail" -Server lds.Fabrikam.com:50000

This command gets the user with the name ChewDavid in the Active Directory Lightweight Directory Services (AD LDS) instance.

Example 5: Get all enabled user accounts

C:\PS> Get-ADUser -LDAPFilter '(!userAccountControl:1.2.840.113556.1.4.803:=2)'

This command gets all enabled user accounts in Active Directory using an LDAP filter.

Parameters

-AuthType

Specifies the authentication method to use. The acceptable values for this parameter are:

  • Negotiate or 0
  • Basic or 1

The default authentication method is Negotiate.

A Secure Sockets Layer (SSL) connection is required for the Basic authentication method.

Type: ADAuthType
Accepted values: Negotiate, Basic
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Credential

Specifies the user account credentials to use to perform this task. The default credentials are the credentials of the currently logged on user unless the cmdlet is run from an Active Directory PowerShell provider drive. If the cmdlet is run from such a provider drive, the account associated with the drive is the default.

To specify this parameter, you can type a user name, such as User1 or Domain01\User01 or you can specify a PSCredential object. If you specify a user name for this parameter, the cmdlet prompts for a password.

You can also create a PSCredential object by using a script or by using the Get-Credential cmdlet. You can then set the Credential parameter to the PSCredential object.

If the acting credentials do not have directory-level permission to perform the task, Active Directory PowerShell returns a terminating error.

Type: PSCredential
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Filter

Specifies a query string that retrieves Active Directory objects. This string uses the PowerShell Expression Language syntax. The PowerShell Expression Language syntax provides rich type-conversion support for value types received by the Filter parameter. The syntax uses an in-order representation, which means that the operator is placed between the operand and the value. For more information about the Filter parameter, type Get-Help about_ActiveDirectory_Filter.

Syntax:

The following syntax uses Backus-Naur form to show how to use the PowerShell Expression Language for this parameter.

<filter> ::= "{" <FilterComponentList> "}"

<FilterComponentList> ::= <FilterComponent> | <FilterComponent> <JoinOperator> <FilterComponent> | <NotOperator> <FilterComponent>

<FilterComponent> ::= <attr> <FilterOperator> <value> | "(" <FilterComponent> ")"

<FilterOperator> ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt" | "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"

<JoinOperator> ::= "-and" | "-or"

<NotOperator> ::= "-not"

<attr> ::= <PropertyName> | <LDAPDisplayName of the attribute>

<value> ::= <compare this value with an <attr> by using the specified <FilterOperator>>

For a list of supported types for <value>, type Get-Help about_ActiveDirectory_ObjectModel.

Note: For String parameter type, PowerShell will cast the filter query to a string while processing the command. When using a string variable as a value in the filter component, make sure that it complies with the PowerShell Quoting Rules. For example, if the filter expression is double-quoted, the variable should be enclosed using single quotation marks: Get-ADUser -Filter "Name -like '$UserName'". On the contrary, if curly braces are used to enclose the filter, the variable should not be quoted at all: Get-ADUser -Filter {Name -like $UserName}.

Note: PowerShell wildcards other than *, such as ?, are not supported by the Filter syntax.

Note: To query using LDAP query strings, use the LDAPFilter parameter.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Identity

Specifies an Active Directory user object by providing one of the following property values. The identifier in parentheses is the LDAP display name for the attribute. The acceptable values for this parameter are:

  • A distinguished name
  • A GUID (objectGUID)
  • A security identifier (objectSid)
  • A SAM account name (sAMAccountName)

The cmdlet searches the default naming context or partition to find the object. If two or more objects are found, the cmdlet returns a non-terminating error.

This parameter can also get this object through the pipeline or you can set this parameter to an object instance.

Type: ADUser
Position: 0
Default value: None
Accept pipeline input: True
Accept wildcard characters: False

-LDAPFilter

Specifies an LDAP query string that is used to filter Active Directory objects. You can use this parameter to run your existing LDAP queries. The Filter parameter syntax supports the same functionality as the LDAP syntax. For more information, see the Filter parameter description or type Get-Help about_ActiveDirectory_Filter.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False
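
The quoting note under -Filter covers how a variable is placed in a filter string; with -LDAPFilter, text that originates outside the script also needs its filter metacharacters escaped so that it is matched literally. The following is an added example, not part of the original reference: ConvertTo-LdapFilterValue and New-ADUserLdapFilter are hypothetical helper names, the escaping follows RFC 4515, and the sample inputs are constructed.

```powershell
# Added example. ConvertTo-LdapFilterValue and New-ADUserLdapFilter are
# hypothetical helpers, not cmdlets from the ActiveDirectory module.

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside a filter value
    # (\ * ( ) and NUL) as a backslash plus two hex digits, e.g. * -> \2a.
    [OutputType([string])]
    param(
        [Parameter(Mandatory)]
        [string]$Value
    )
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function New-ADUserLdapFilter {
    # Build a single-attribute filter. The attribute name is fixed by the
    # script author; only the value is treated as untrusted text.
    [OutputType([string])]
    param(
        [Parameter(Mandatory)]
        [ValidatePattern('^[A-Za-z][A-Za-z0-9-]*$')]   # shape of an LDAP display name
        [string]$Attribute,

        [Parameter(Mandatory)]
        [string]$Value,

        # StartsWith appends the only wildcard; the input cannot add its own.
        [ValidateSet('Exact', 'StartsWith')]
        [string]$Match = 'Exact'
    )
    $escaped = ConvertTo-LdapFilterValue -Value $Value
    if ($Match -eq 'StartsWith') {
        '({0}={1}*)' -f $Attribute, $escaped
    } else {
        '({0}={1})' -f $Attribute, $escaped
    }
}

# Constructed sample inputs: a plain name, and values that carry filter syntax.
$samples = 'ChewDavid', 'Svc*', 'a)(sAMAccountName=*', 'Chew\David'
foreach ($name in $samples) {
    $filter = New-ADUserLdapFilter -Attribute sAMAccountName -Value $name
    '{0,-22} -> {1}' -f $name, $filter
}

# With the ActiveDirectory module loaded, pass the result straight through:
#   Get-ADUser -LDAPFilter (New-ADUserLdapFilter -Attribute sAMAccountName -Value $UserName)
```

Every sample comes out as a single equality test on sAMAccountName, so a value such as Svc* matches only an account literally named that.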

-Partition

Specifies the distinguished name of an Active Directory partition. The distinguished name must be one of the naming contexts on the current directory server. The cmdlet searches this partition to find the object defined by the Identity parameter.

In many cases, a default value is used for the Partition parameter if no value is specified. The rules for determining the default value are given below. Note that rules listed first are evaluated first, and when a default value can be determined, no further rules are evaluated.

In AD DS environments, a default value for Partition is set in the following cases:

  • If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
  • If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
  • If none of the previous cases apply, the default value of Partition is set to the default partition or naming context of the target domain.

In AD LDS environments, a default value for Partition is set in the following cases:

  • If the Identity parameter is set to a distinguished name, the default value of Partition is automatically generated from this distinguished name.
  • If running cmdlets from an Active Directory provider drive, the default value of Partition is automatically generated from the current path in the drive.
  • If the target AD LDS instance has a default naming context, the default value of Partition is set to the default naming context. To specify a default naming context for an AD LDS environment, set the msDS-defaultNamingContext property of the Active Directory directory service agent object (nTDSDSA) for the AD LDS instance.
  • If none of the previous cases apply, the Partition parameter does not take any default value.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Properties

Specifies the properties of the output object to retrieve from the server. Use this parameter to retrieve properties that are not included in the default set.

Specify properties for this parameter as a comma-separated list of names. To display all of the attributes that are set on the object, specify * (asterisk).

To specify an individual extended property, use the name of the property. For properties that are not default or extended properties, you must specify the LDAP display name of the attribute.

To retrieve properties and display them for an object, you can use the Get-* cmdlet associated with the object and pass the output to the Get-Member cmdlet.

Type: String[]
Aliases: Property
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ResultPageSize

Specifies the number of objects to include in one page for an Active Directory Domain Services query.

The default is 256 objects per page.

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-ResultSetSize

Specifies the maximum number of objects to return for an Active Directory Domain Services query. If you want to receive all of the objects, set this parameter to $Null (null value). You can use Ctrl+C to stop the query and return of objects.

The default is $Null.

Type: Int32
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SearchBase

Specifies an Active Directory path to search under.

When you run a cmdlet from an Active Directory provider drive, the default value of this parameter is the current path of the drive.

When you run a cmdlet outside of an Active Directory provider drive against an AD DS target, the default value of this parameter is the default naming context of the target domain.

When you run a cmdlet outside of an Active Directory provider drive against an AD LDS target, the default value is the default naming context of the target LDS instance if one has been specified by setting the msDS-defaultNamingContext property of the Active Directory directory service agent (DSA) object (nTDSDSA) for the AD LDS instance. If no default naming context has been specified for the target AD LDS instance, then this parameter has no default value.

When the value of the SearchBase parameter is set to an empty string and you are connected to a GC port, all partitions are searched. If the value of the SearchBase parameter is set to an empty string and you are not connected to a GC port, an error is thrown.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-SearchScope

Specifies the scope of an Active Directory search. The acceptable values for this parameter are:

  • Base or 0
  • OneLevel or 1
  • Subtree or 2

A SearchScope with a Base value searches only for the given user. If an OU is specified in the SearchBase parameter, no user will be returned by, for example, a specified Filter statement. A OneLevel query searches the immediate children of that path or object. This option only works when an OU is given as the SearchBase. If a user is given, no results are returned. A Subtree query searches the current path or object and all children of that path or object.

Type: ADSearchScope
Accepted values: Base, OneLevel, Subtree
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

-Server

Specifies the Active Directory Domain Services instance to connect to, by providing one of the following values for a corresponding domain name or directory server. The service may be any of the following: Active Directory Lightweight Directory Services, Active Directory Domain Services or Active Directory Snapshot instance.

Domain name values:

  • Fully qualified domain name (FQDN)
  • NetBIOS name

Directory server values:

  • Fully qualified directory server name
  • NetBIOS name
  • Fully qualified directory server name and port

The default value for the Server parameter is determined by one of the following methods in the order that they are listed:

  • By using Server value from objects passed through the pipeline.
  • By using the server information associated with the Active Directory PowerShell provider drive, when running under that drive.
  • By using the domain of the computer running PowerShell.

Type: String
Position: Named
Default value: None
Accept pipeline input: False
Accept wildcard characters: False

Inputs

None or Microsoft.ActiveDirectory.Management.ADUser

A user object is received by the Identity parameter.

Outputs

ADUser

Returns one or more user objects.

This cmdlet returns a default set of ADUser property values. To retrieve additional ADUser properties, use the Properties parameter.

To get a list of the default set of properties of an ADUser object, use the following command:

Get-ADUser <user> | Get-Member

To get a list of the most commonly used properties of an ADUser object, use the following command:

Get-ADUser <user> -Properties Extended | Get-Member

To get a list of all the properties of an ADUser object, use the following command:

Get-ADUser <user> -Properties * | Get-Member

Notes

  • This cmdlet does not work with an Active Directory snapshot.

Related Links

  • New-ADUser
  • Remove-ADUser
  • Set-ADUser

Article information

Author: The Hon. Margery Christiansen

Last Updated: 02/02/2023
