Tech News Today

How To Use PowerShell Get-ADUser

By Anup Thapa, January 17, 2023

The Get-ADUser cmdlet is a versatile tool for retrieving Active Directory users. If you need to identify specific AD users, you can use values like their SAM account name to do so. Or you can use the Properties parameter when you need detailed info on one or more users.

Similarly, when you’re dealing with a large number of user objects, the Filter parameter is useful for getting AD users based on certain filters like Email, City, Title, etc. Combined with tools like sort and export, Get-ADUser makes user management in domains very convenient.

Table of Contents

  • PowerShell Get-ADUser Requirements
  • Get-ADUser Parameters
    • Identity
    • Filter
    • LDAPFilter
  • Useful Get-ADUser Examples

PowerShell Get-ADUser Requirements

On Domain Controllers, the Get-ADUser command obviously works by default. But if you try to run this command on other systems that are part of the AD domain, you may encounter the Get-ADUser is not recognized error.

This is because you must install the RSAT AD component first. You can do so with Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0". Once you do this, you can use Get-ADUser on any system.

You won’t be limited to domain admin accounts either; any authorized AD user account will work. One thing to remember is that while non-admin accounts can retrieve most user object attributes using this command, some sensitive info might be accessible to domain admins only.

Get-ADUser Parameters

Get-ADUser primarily uses three parameters to retrieve user objects – Identity, Filter, and LDAPFilter.

Identity retrieves a user object using a specific value like its distinguished name or GUID. This is useful when you need to find a user object and remember the required value. 

Filter returns a list of user objects based on the selected queries. In cases where you need to get AD users whose password has expired, or ones that haven’t logged in the last 2 weeks, and so on, filter can be useful. You can further narrow down the results to only user objects from specific servers, specific OUs, etc.

LDAPFilter also uses query strings to filter the user objects. The difference is that, unlike Filter which follows PowerShell syntax, LDAPFilter uses its own LDAP query syntax (attribute and value). This means it does have a slight learning curve, but you’ll find it to be a useful tool once you get used to it.

There are other useful parameters too like SearchBase and SearchScope that we’ll cover in our examples. We recommend referring to Microsoft’s documentation if you want to check the complete list of parameters, but the prior three are the ones we’ll focus on in this article.

Identity

Identity returns a single AD user object using one of the following properties:

  • Distinguished name (DN)
  • ObjectGUID 
  • objectSid (SID, or security identifier)
  • SamAccountName

Let’s say you need details on a user named Ava. Assuming her SamAccountName is ava, you can retrieve the user object with Get-ADUser -Identity ava.

This command only returns 10 main properties though. If you need the complete properties list for a user object, you should use Get-ADUser -Identity ava -Properties * instead. 

Filter

As people generally don’t remember the property values required for the Identity parameter, Filter tends to be more commonly used. Filter specifies a query string that follows the PowerShell Expression Language syntax to retrieve AD user objects. As such, the operator comes between the operand and the value.

A basic example would be Get-AdUser -Filter "Name -like '*a*'", where Name is the operand, like is the operator, and a is the value. This command returns all user objects that contain the letter a in their name.

Another useful command is Get-ADUser -Filter *, which retrieves all the AD user objects.

Now, here’s the list of Filter operators:

Operator   Function
eq         Equal to
ge         Greater than or equal to
le         Less than or equal to
ne         Not equal to
approx     Approximately equal to
gt         Greater than
lt         Less than
like       Like
notlike    Not like
and        All clauses must be true
or         Any of the clauses should be true
not        The clause must be false
band       Bitwise AND
bor        Bitwise OR

As stated earlier, using Get-ADUser <user> -Properties * returns the complete list of properties. You can check this list for all the acceptable properties you can use to filter the output. But for now, here are some commonly used ones:

  • AccountExpirationDate
  • City
  • Company
  • Country
  • CountryCode
  • Department
  • Description
  • EmailAddress
  • EmployeeID
  • EmployeeNumber
  • Enabled
  • Initials
  • LogonCount
  • Name
  • PasswordExpired
  • SamAccountName
  • State 
  • Title

Using these operators and properties, you can create various types of filters. For instance, to only get users with Tech in their description, you could use Get-ADUser -Filter "Description -like '*Tech*'". The wildcards matter: without them, -like matches only descriptions that are exactly Tech. To list only active AD users, you’d use Get-ADUser -Filter 'Enabled -eq $true'.

Similarly, you could combine the clauses to list active AD users that have Tech in their description as such:
Get-ADUser -Filter {Description -like '*Tech*' -and Enabled -eq $true}

When on a non-admin account, you may encounter a non-terminating error if you don’t have permission to perform the task. In this case, you can use the Credential option to run the command with different credentials as such:
Get-ADUser -Filter * -Credential ava

Finally, since Filter usually returns a lot of AD objects, you can further optimize the output by specifying the exact property values you need. Use the Properties parameter to retrieve the values first, then pipe the result to Select-Object to display only the specified properties.
Get-ADUser -Filter * -Properties Name, Initials | Select-Object Name, Initials
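
The expired-password and no-recent-logon cases mentioned under Get-ADUser Parameters, written as an account-hygiene audit. This is an added example, not code from the original article; the function name Get-StaleADUser, the 90-day default and the output file name are assumptions, and the OU is the article's lab OU.

```powershell
# Added example: list enabled accounts that have not logged on recently.
# Requires the RSAT ActiveDirectory module and read access to the domain.
Import-Module ActiveDirectory

function Get-StaleADUser {
    [CmdletBinding()]
    param(
        # Assumed default. LastLogonDate is derived from lastLogonTimestamp,
        # which by default replicates with a lag of up to about 14 days, so a
        # window as short as two weeks produces false hits.
        [int]$InactiveDays = 90,
        # Optional OU to scope the search, as with -SearchBase in the article.
        [string]$SearchBase
    )

    $cutoff = (Get-Date).AddDays(-$InactiveDays)

    $query = @{
        # Server-side filter: enabled AND (last logon before the cutoff OR
        # never logged on). Accounts that never logged on have no value for
        # LastLogonDate and would be skipped by the -lt comparison alone.
        Filter     = 'Enabled -eq $true -and (LastLogonDate -lt $cutoff -or LastLogonDate -notlike "*")'
        Properties = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'PasswordExpired'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query |
        Select-Object SamAccountName, DistinguishedName, LastLogonDate,
                      PasswordLastSet, PasswordNeverExpires, PasswordExpired |
        Sort-Object LastLogonDate
}

# Scope to one OU and write a report for review.
Get-StaleADUser -InactiveDays 90 -SearchBase 'OU=Cali,OU=Locations,DC=mylab,DC=local' |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation -Encoding UTF8
```

Rows with an empty LastLogonDate are accounts that have never logged on; rows with PasswordNeverExpires set to True are the ones an expiry policy will not catch.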

LDAPFilter

LDAP clauses follow the (ADAttribute Operator Value) format. Specifically, they use the following operators:

Operator   Function
=          Equal to
>=         Greater than or equal to
<=         Less than or equal to
~=         Approximately equal to
&          Boolean AND
|          Boolean OR
!          Boolean NOT

Let’s look at some basic examples. The following command returns AD objects whose names end with era:
Get-ADUser -LDAPFilter "(name=*era)"

To get objects that don’t include Tech in their description:
Get-ADUser -LDAPFilter '(!(description=*Tech*))'

To combine multiple clauses so that you get objects with A in their name, but no Tech in the description:
Get-ADUser -LDAPFilter '(&(!(description=*Tech*))(cn=*A*))'
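
Because *, ( and ) are syntax in an LDAP clause, a value that comes from a user or a file has to be escaped before it goes into -LDAPFilter; otherwise a stray * widens the match and a parenthesis breaks the filter. The following is an added example, not code from the original article; the function names ConvertTo-LdapFilterValue and Find-ADUserByName are hypothetical and the sample names are constructed.

```powershell
# Added example: escape untrusted text before placing it in an -LDAPFilter clause.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # RFC 4515: backslash, *, ( ) and NUL are written as \XX hex escapes.
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m)
        '\{0:x2}' -f [int][char]$m.Value
    })
}

function Find-ADUserByName {
    param([Parameter(Mandatory)][string]$Name)
    $safe = ConvertTo-LdapFilterValue -Value $Name
    # Substring match on name; only the two wildcards written here stay live.
    Get-ADUser -LDAPFilter "(name=*${safe}*)"
}

# Constructed inputs: a plain name, a name containing parentheses, and a name
# containing a literal asterisk. This loop only builds the filter strings, so
# it runs without a domain.
foreach ($inputName in 'Ava', 'Smith (Contractor)', 'R&D * Lab') {
    '{0,-20} -> (name=*{1}*)' -f $inputName, (ConvertTo-LdapFilterValue $inputName)
}
# Ava                  -> (name=*Ava*)
# Smith (Contractor)   -> (name=*Smith \28Contractor\29*)
# R&D * Lab            -> (name=*R&D \2a Lab*)
```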

Useful Get-ADUser Examples

You should have a handle on basic Get-ADUser usage at this point. We’ve listed more examples of some common use cases here that will demonstrate other useful parameters and scenarios.

  • To get the output in table format, use Format-Table or ft:
    Get-ADUser -Filter * | Format-Table
  • To get objects from a specific container, use SearchBase:
    Get-ADUser -Filter * -SearchBase "OU=Cali,OU=Locations,DC=mylab,DC=local"
  • To get objects down to a certain level of the OU hierarchy only, use SearchScope:
    Get-ADUser -Filter * -SearchBase "OU=Cali,OU=Locations,DC=mylab,DC=local" -SearchScope 1 | ft
  • To get objects from a specific domain controller, use Server:
    Get-ADUser -Server mylab.local -Identity ava
  • To get users who don’t have a phone number set:
    Get-ADUser -LDAPFilter '(!(telephoneNumber=*))'
  • To display the email addresses of all users:
    Get-ADUser -Filter * -Properties Name, EmailAddress | select Name, EmailAddress
  • To export the output to text:
    Get-ADUser -Filter * -Properties Name, PasswordLastSet | ft Name, PasswordLastSet > C:\pwddata.txt
  • To export the output to CSV:
    Get-ADUser -Filter * -Properties Name, PasswordLastSet | Select-Object Name, PasswordLastSet | Export-Csv -Path C:\pwddata.csv -Append -Encoding UTF8