The Get-ADUser PowerShell cmdlet allows you to get information about an Active Directory user and their attributes, and to search across domain users. It is one of the most popular PowerShell cmdlets for getting information from AD. With the Get-ADUser cmdlet, you can get the value of any attribute of an AD user account, list domain users with attributes, export user reports to CSV files, and use various criteria to select and filter domain users.
Content:
- Get-ADUser cmdlet in the Active Directory PowerShell module
- How to find AD user and list properties with Get-ADUser?
- Get-ADUser -SearchBase: retrieval of users from specific organizational units
- How to get an AD user's email address using PowerShell?
- Get-ADUser: export Active Directory users to CSV with PowerShell
- Examples of Get-ADUser filter
- Get-ADUser Examples for PowerShell
Get-ADUser cmdlet in the Active Directory PowerShell module
The Get-ADUser cmdlet is included in a special module for interacting with Active Directory: the Active Directory Module for Windows PowerShell. The RSAT-AD-PowerShell module cmdlets allow you to perform various operations on AD objects.
Note. Previously, to get information about AD user account attributes, you had to use different tools: the ADUC console (including saved AD queries), VBS scripts, dsquery, etc. All of these tools can be easily replaced with the Get-ADUser cmdlet.
In this example, we show you how to use the Get-ADUser PowerShell cmdlet to get information about the last time a user's password was changed, when the password expires, and other user properties.
To use the RSAT-AD-PowerShell module, run the elevated PowerShell console and import the module with the command:
Import-Module ActiveDirectory
The RSAT-AD-PowerShell module is installed by default on Windows Server 2012 (and later) after you deploy the Active Directory Domain Services (AD DS) role. To install the module on a domain member Windows Server host, run the command:
Install-WindowsFeature -Name "RSAT-AD-PowerShell" -IncludeAllSubFeature
To use the Get-ADUser cmdlet on the Windows 10/11 desktop, install the appropriate version of RSAT. You can enable RSAT through Settings -> Apps -> Optional features -> Add a feature -> RSAT: Active Directory Domain Services and Lightweight Directory Services Tools.
You can install the RSAT AD module on Windows 10 and 11 using PowerShell:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
If the RSAT-AD-PowerShell module is not installed on the computer, an error appears when you run the Get-ADUser command:
Get-ADUser: The term 'get-aduser' is not recognized as the name of a cmdlet, function, script file, or executable program. Please check the spelling of the name or, if a path was included, confirm that the path is correct and try again.
Make sure the module is installed and, if necessary, import it into your PowerShell session:
Import-Module ActiveDirectory
There is also a way to use the AD PowerShell module without installing RSAT on your computer. Simply copy the main module files and import the module into your PowerShell session:
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.dll"
Import-Module "C:\PS\AD\Microsoft.ActiveDirectory.Management.resources.dll"
A complete list of all arguments to the Get-ADUser cmdlet can be obtained as follows:
help Get-ADUser
How to find AD user and list properties with Get-ADUser?
To use the Get-ADUser cmdlet, you do not need to run it under a domain administrator account or with delegated permissions. Any authenticated AD domain user can run PowerShell commands to get the values of most AD object attributes (except sensitive ones; see the example in the article on Local Admin Password Solution - LAPS). If you need to run the Get-ADUser command under a different account, use the -Credential parameter.
To display the list of all user accounts in the domain, run this command:
Get-ADUser -Filter *
Important. It is not recommended to run this command in Active Directory domains with a large number of user accounts. This can overwhelm the domain controller that is providing the AD information.
Use the Set-ADUser cmdlet to modify Active Directory user attributes.
To view the properties of a particular user, use the -Identity parameter. The identity can be a username, login (SAMAccountName), DN (Distinguished Name), SID, or GUID.
The following PowerShell commands return the same output for the same AD user account:
Get-ADUser -Identity b.smith
Get-ADUser -Identity "CN=Brian Smith,OU=Brugere,OU=Berlin,DC=woshub,DC=loc"
Get-ADUser -Identity "Brian Smith"
By default, the Get-ADUser cmdlet returns only 10 basic user attributes (out of more than 120 user account properties): DistinguishedName, SamAccountName, Name, SID, UserPrincipalName, ObjectClass, account status (Enabled: True/False according to the UserAccountControl AD attribute), etc. In this case, the output of the cmdlet does not contain information about the time of the last user password change.
To run an AD query on a specific domain controller, use the -Server option:
Get-ADUser -Server DC01.woshub.com -Identity tstuser
If you need to get user data from another AD domain, provide the name of the domain controller and the credentials to access it:
$ADcred = Get-Credential
Get-ADUser tstuser -Server DC01.contoso.com -Credential $ADcred
To display detailed information about all available user attributes, run this command:
Get-ADUser -Identity tstuser -Properties *
The Get-ADUser cmdlet with the -Properties * switch shows all AD user attributes and their values (including empty ones). A similar list of user attributes is available in the Active Directory Users and Computers graphical snap-in (dsa.msc) under the Attribute Editor tab.
Next, we move on to formatting the output of Get-ADUser to display the required user attributes. For example, you want to display the values of the following user properties:
- PasswordExpired
- PasswordLastSet
- PasswordNeverExpires
- LastLogonTimestamp
Run the command:
Get-ADUser tstuser -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires, lastlogontimestamp
Now the user data contains information about the status of the account password (Expired: True/False), the date of the last password change, and the time of the user's last logon to the domain (the lastlogontimestamp attribute). To display this information in a more convenient table view and remove all unnecessary attributes, use Select-Object -Property or Format-Table:
Get-ADUser -Filter * -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
Get-ADUser -SearchBase: retrieval of users from specific organizational units
To display only users from a specific domain container (organizational unit), use the -SearchBase parameter:
Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -Filter * -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
To select users from multiple organizational units at once, use the following PowerShell script:
$OU = "OU=NY,DC=woshub,DC=com","OU=LA,DC=woshub,DC=com","OU=MA,DC=woshub,DC=com"
$OU | foreach {Get-ADUser -SearchBase $_ -Filter * | select name, enabled}
How to get an AD user's email address using PowerShell?
The user's email address is one of the attributes of the user object in Active Directory. To list users' email addresses, add the EmailAddress field to the properties of the Get-ADUser cmdlet.
Get-ADUser -Filter * -Properties EmailAddress -SearchBase 'OU=Paris,OU=Fr,DC=woshub,DC=com' | Select-Object Name, EmailAddress
The list of enabled user accounts with email addresses:
Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table
To get the list of Active Directory users without an email address:
Get-ADUser -Filter * -Properties EmailAddress | where -Property EmailAddress -eq $null
The following example allows you to export a company's email list from AD to a CSV file. Later you can import this CSV address list into desktop email clients such as Outlook or Mozilla Thunderbird:
Get-ADUser -Filter {(mail -ne "null") -and (Enabled -eq "true")} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -Delimiter "," $env:temp\adress_list.csv
Get-ADUser: export Active Directory users to CSV with PowerShell
The resulting list of domain users with attributes can be exported to a text file:
Get-ADUser -Filter * -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt
Or you can export the AD user list to a CSV file:
Get-ADUser -Filter * -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | where {$_.name -like "*Dmitry*"} | Sort-Object PasswordLastSet | Select-Object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-Csv -Path c:\tmp\user-passwords-expires.csv -Append -Encoding UTF8
The AD user list can be exported directly to an Excel file using PowerShell.
Examples of Get-ADUser filter
Using the -Filter switch, you can filter the list of user accounts by one or more attributes. This is useful for finding AD users whose attributes match the specified criteria. Values for specific attributes of Active Directory users can be supplied as arguments to this parameter. When you use the -Filter parameter, the Get-ADUser cmdlet will only display users that match the filter criteria.
For example, I want to list active (enabled) user accounts whose name contains "Dmitry". The following example uses multiple filters; you can combine conditions using PowerShell's logical comparison operators. In this example, the user attributes must satisfy both filter conditions (-and):
Get-ADUser -Filter "(Name -like '*Dmitry*') -and (Enabled -eq 'True')" -Properties * | select name,enabled
All PowerShell logical operators can be used to select values for user attributes (-eq, -ne, -gt, -ge, -lt, -le, -like, -notlike, -and, -or, etc.)
Also, you can sort the resulting list of users by a specific user attribute with the Sort-Object cmdlet. You can also use the Where-Object cmdlet to specify multiple filter criteria at once.
Get-ADUser -Filter * -Properties PasswordExpired, PasswordLastSet, PasswordNeverExpires -SearchBase 'OU=NY,DC=woshub,DC=com' | where {$_.name -like "*Dmitry*" -and $_.Enabled -eq $true} | Sort-Object PasswordLastSet | Select-Object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
So you can get a list of users with all the necessary attributes from Active Directory.
To search for users by multiple attributes at once (legacyExchangeDN, proxyAddresses, SAMAccountName, Surname, DisplayName, physicalDeliveryOfficeName, RDN, and msExchMailNickname), you can use the Ambiguous Name Resolution (ANR) feature:
Get-ADUser -Filter {anr -eq 'John'} | select name
Tip. When searching for Active Directory users using Get-ADUser, from a performance perspective, specifying the criteria with the -Filter attribute is preferable to piping the results to the Where-Object cmdlet. In this case, the selection results are filtered on the domain controller and a smaller set of data is transferred to your computer over the network.
You can use an LDAP filter in Get-ADUser queries. An LDAP filter is specified using the -LDAPFilter attribute.
Get-ADUser -LDAPFilter '(&(department=it)(title=sysops))'
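Server-side filtering and -LDAPFilter combine well for account hygiene checks. The following is an added example, not code from the original article: it uses the LDAP bitwise matching rule on userAccountControl so that the domain controller returns only enabled accounts with a given flag set. The function name and the choice of flags are assumptions; the OU is the sample one used earlier on this page.

```powershell
# Added example: requires the ActiveDirectory module and a reachable domain.
Import-Module ActiveDirectory

# userAccountControl bit flags (values from Microsoft's documentation).
$UacFlags = [ordered]@{
    PasswordNotRequired  = 0x0020     # PASSWD_NOTREQD
    PasswordNeverExpires = 0x10000    # DONT_EXPIRE_PASSWORD
}
$AccountDisable = 0x0002              # ACCOUNTDISABLE
$BitAnd = '1.2.840.113556.1.4.803'    # LDAP_MATCHING_RULE_BIT_AND

# Hypothetical helper: enabled user objects that have $Flag set.
function Get-EnabledUserWithUacFlag {
    param(
        [Parameter(Mandatory)][int]$Flag,
        [Parameter(Mandatory)][string]$SearchBase
    )
    # The whole condition is evaluated on the domain controller, so only
    # matching objects cross the network (no Where-Object needed).
    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(!(userAccountControl:${BitAnd}:=$AccountDisable))" +
            "(userAccountControl:${BitAnd}:=$Flag))"
    Get-ADUser -LDAPFilter $ldap -SearchBase $SearchBase -Properties PasswordLastSet, whenCreated
}

# One row per account and finding; an account can appear under both findings.
$report = foreach ($name in $UacFlags.Keys) {
    Get-EnabledUserWithUacFlag -Flag $UacFlags[$name] -SearchBase 'OU=NY,DC=woshub,DC=com' |
        Select-Object @{N = 'Finding'; E = { $name }}, SamAccountName,
                      DistinguishedName, PasswordLastSet, whenCreated
}

$report | Sort-Object Finding, SamAccountName | Format-Table -AutoSize
```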
Get-ADUser Examples for PowerShell
Let's show some more useful PowerShell command examples for querying Active Directory users with different filters. You can combine them to get the necessary list of AD user objects:
Show AD users whose name starts with Joe:
Get-ADUser -filter {name -like "Joe*"}
You can use PowerShell to calculate the total number of user accounts in Active Directory:
Get-ADUser -Filter {SamAccountName -like "*"} | Measure-Object
Find disabled Active Directory user accounts:
Get-ADUser -Filter {Enabled -eq "False"} | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table
You can check the Active Directory user account creation date with the command:
Get-ADUser -Filter * -Properties Name,WhenCreated | Select Name,WhenCreated
You can get the list of recently added Active Directory users created in the last 24 hours:
$lastday = ((Get-Date).AddDays(-1))
Get-ADUser -Filter {(whencreated -ge $lastday)}
List accounts with an expired password (you can configure password expiration settings in the domain password policy):
Get-ADUser -Filter {Enabled -eq $True} -Properties name,passwordExpired | where {$_.PasswordExpired} | select name,passwordexpired
You can use the Get-ADUser and Add-ADGroupMember cmdlets to create dynamic AD user groups (depending on the city, position, department, etc.).
Task: For the list of user accounts stored in a text file (one account per line), get the user's company name from AD and save it to a CSV file (you can import this CSV file into Excel).
Import-Csv c:\ps\users_list.csv | ForEach {
Get-ADUser -Identity $_.user -Properties Name, Company |
Select Name, Company |
Export-CSV c:\ps\users_ad_list.csv -Append -Encoding UTF8
}
Users who have not changed their domain passwords in the last 90 days:
$90_Days = (Get-Date).adddays(-90)
Get-ADUser -filter {(passwordlastset -le $90_days)}
Find inactive user accounts (not logged on to the domain for more than 180 days). The LastLogonTimestamp attribute is used to get the user logon history for the domain:
$LastLogonDate= (Get-Date).AddDays(-180)
Get-ADUser -Properties LastLogonTimeStamp -Filter {LastLogonTimeStamp -lt $LastLogonDate } | ?{$_.Enabled -eq $True} | Sort LastLogonTimeStamp | FT Name, @{N='lastlogontimestamp'; E={[DateTime]::FromFileTime($_.lastlogontimestamp)}} -AutoSize
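The filter above only matches accounts that have a lastLogonTimestamp value, so enabled accounts that have never logged on are skipped. The attribute is also replicated lazily (by default it is refreshed only when the stored value is roughly 9 to 14 days old), so it suits long cut-offs such as 180 days, not day-level precision. An added example, not from the original article, that covers both cases; the function name, grace period and output path are assumptions:

```powershell
# Added example: requires the ActiveDirectory module and a reachable domain.
Import-Module ActiveDirectory

# Hypothetical helper: enabled users with no logon in $InactiveDays days,
# including accounts that have never logged on at all.
function Get-StaleEnabledUser {
    param(
        [int]$InactiveDays = 180,
        [int]$GraceDays = 30,        # ignore accounts created very recently
        [string]$SearchBase
    )
    # lastLogonTimestamp is stored as a Windows FILETIME (64-bit integer).
    $cutoffFt = (Get-Date).AddDays(-$InactiveDays).ToFileTimeUtc()
    # whenCreated is compared in LDAP GeneralizedTime format.
    $createdBefore = (Get-Date).AddDays(-$GraceDays).ToUniversalTime().ToString("yyyyMMddHHmmss'.0Z'")

    $ldap = "(&(objectCategory=person)(objectClass=user)" +
            "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +    # not disabled
            "(whenCreated<=$createdBefore)" +
            "(|(lastLogonTimestamp<=$cutoffFt)(!(lastLogonTimestamp=*))))"

    $params = @{
        LDAPFilter = $ldap
        Properties = 'lastLogonTimestamp', 'whenCreated', 'PasswordLastSet'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params | ForEach-Object {
        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            NeverLoggedOn   = -not $_.lastLogonTimestamp
            LastLogon       = if ($_.lastLogonTimestamp) {
                                  [DateTime]::FromFileTimeUtc($_.lastLogonTimestamp)
                              } else { $null }
            PasswordLastSet = $_.PasswordLastSet
            WhenCreated     = $_.whenCreated
        }
    }
}

# Review list for the whole domain, oldest logons first (output path is an assumption).
Get-StaleEnabledUser -InactiveDays 180 |
    Sort-Object NeverLoggedOn, LastLogon |
    Export-Csv -Path "$env:TEMP\stale_users.csv" -NoTypeInformation -Encoding UTF8
```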
To get an Active Directory user's photo and save it to a jpg file, run the following commands:
$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte
How to get a list of AD groups that the user account is a member of:
Get-ADUser sjoe -Properties memberof | select memberof -ExpandProperty memberof
List the OU users who are members of a specific domain security group:
Get-ADUser -SearchBase 'OU=Rome,OU=Italy,DC=woshub,DC=com' -Filter * -Properties memberof | Where-Object {($_.memberof -like "*CEO*")}
List of all OU users except members of a specific group:
$Users = Get-ADUser -Filter * -SearchBase 'OU=Berlin,DC=woshub,DC=com' -Properties memberOf
ForEach ($User in $Users)
{
$Groups = -join @($User.memberOf)
If ($Groups -notlike '*Domain Admins*')
{
$User.Name
}
}
Export a list of AD users with the OU name to the Out-GridView table:
Get-ADUser -Filter * -Properties cn,canonicalname | select name,userprincipalname,@{Name="OU";expression={$_.Canonicalname.substring(0,$_.canonicalname.length-$_.cn.length)}} | Out-GridView
Check if the AD user account exists:
$SamAccountName='jbrown'
if (@(Get-ADUser -Filter { SamAccountName -eq $SamAccountName }).Count -eq 0)
{Write-host "User $SamAccountName does not exist"}
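When the account name comes from outside the script (for example from a CSV file, as in the task earlier on this page) and is placed into an -LDAPFilter string, characters such as * ( ) \ change the meaning of the query. An added example, not from the original article, that escapes the value per RFC 4515 before the existence check; both function names are hypothetical and the sample names are constructed:

```powershell
# Added example: requires the ActiveDirectory module and a reachable domain.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves in filter values: \ * ( ) and NUL.
    # Each one becomes a backslash followed by its two-digit hex code.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    [regex]::Replace($Value, '[\\*()\x00]', {
        param($m) '\{0:x2}' -f [int][char]($m.Value)
    })
}

function Test-ADUserExists {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $safe = ConvertTo-LdapFilterValue -Value $SamAccountName
    # After escaping, the input is only ever compared literally with sAMAccountName;
    # it cannot add wildcards or extra filter clauses.
    $hit = Get-ADUser -LDAPFilter "(sAMAccountName=$safe)" -ResultSetSize 1
    return [bool]$hit
}

# Constructed sample input: one ordinary name and two that contain filter syntax.
$samples = 'jbrown', 'j*', 'smith)(mail=*'
foreach ($name in $samples) {
    $escaped = ConvertTo-LdapFilterValue -Value $name
    if (Test-ADUserExists -SamAccountName $name) { $state = 'exists' } else { $state = 'does not exist' }
    '{0,-16} -> (sAMAccountName={1})  {2}' -f $name, $escaped, $state
}
```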
List the computers in the domain that the user is allowed to log on to (logon restriction via the LogonWorkstations AD attribute).
Get-ADUser jbrown -Properties LogonWorkstations | Format-List Name, LogonWorkstations
Tip. The Get-ADComputer cmdlet is used to retrieve computer properties or search for multiple computers in Active Directory.
FAQs
How do I find AD user details in PowerShell?
Description. The Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. The Identity parameter specifies the Active Directory user to get. You can identify a user by its distinguished name (DN), GUID, security identifier (SID), or Security Account Manager (SAM) account name.
How do I see user details in Active Directory?
Go to Start -> Administrative Tools, and click on Active Directory Users and Computers. The ADUC console will open. Expand the console tree, and right-click on the user object whose mandatory properties you wish to see.
How to find enabled users in Active Directory using PowerShell?
- Identify the domain from which you want to retrieve the report.
- Identify the LDAP attributes you need to fetch the report.
- Identify the primary DC to retrieve the report.
- Compile the script.
- Execute it in Windows PowerShell.
Use the Get-AdUser cmdlet with Properties * (asterisk) to display all attributes that are available for the object. To get specific properties for an ad user account, you can specify properties for this parameter with comma separated.
How to get user details from Active Directory using command line?
- Click Start, and then click Run.
- In the Open box, type cmd.
- At the command prompt, type the command dsquery user parameter. The parameter specifies the parameter to use. For the list of parameters, see the online help for the dsquery user command.
Open the Start menu, then type cmd in the Search box and press Enter. In the command line window that appears, type set user and press Enter. Look at the USERDOMAIN: entry. If the user domain contains your computer's name, you're logged in to the computer.
How do I find the distinguished name of a user in Active Directory?
- Navigate and right-click the OU where you want to read users, then select Properties.
- In the OU Properties, select the Attribute Editor tab. Click on distinguishedName to highlight it, then click View. ...
- Example: OU=Users,OU=Company_1OU,DC=Company_1,DC=internal.
- Get-ADObject -Filter 'WhenChanged -gt $ChangeDate' -IncludeDeletedObjects.
- Get-ADGroup SomeGroup | Get-ADGroupMember.
- Set-ADUser Set-ADComputer Set-ADObject Set-ADGroup Add-ADGroupMember.
To view or manipulate the file system attributes in PowerShell, use the "Get-Item" or "Get-ChildItem" cmdlets to create an object of the "System.IO.FileInfo" class for each of your target files and folders. This object has an "Attributes" property.
How do I get AdUser with credentials?
Using Get-AdUser with alternate credentials
By default, the Get-AdUser cmdlet is run in the context of the currently logged-on user. If you wish to run the command with alternate credentials, you can use a variable, store the alternate credentials in that variable, then run the command using the '-Credential' switch.
Which command is used to see user details information?
id Command
It gives the id details of users including the group id along with the secondary group IDs and names of a user chosen by the system.
To get the domain user list, you can use the Get-ADUser command. To run this command you need to make sure that you have the RSAT (Remote Server Administration Tools) installed on the computer. The above command will get all users from the active directory domain.
How to get user name and domain in cmd?
- Open a DOS command prompt.
- Type: SET and press Enter. USERNAME is the name of the Windows user currently logged in. USERDOMAIN is the domain of the Windows user.
From the command prompt type "netdom query fsmo" and hit "enter". The above command should return the five roles and which DC they are on. That's it for the Netdom query method, very simple and straightforward.
How do I get all user attributes in Active Directory?
Go to Start and open Administrative tools. Click on Active Directory Users and Computers. Right click on the object whose attributes you wish to view, and click Properties. In the dialogue box that opens, you will be able to view all the AD attributes of the object categorized based on the attribute type.
How to get a list of all computers in Active Directory PowerShell?
There is no specific PowerShell cmdlet or script to fetch all computer accounts in a specific Active Directory (AD) domain. You will have to use the Get-ADComputer cmdlet, and use the right parameters and filters to get the desired list of AD computer accounts.
How do I get file details in PowerShell?
To get file attributes in PowerShell, you can use Get-ChildItem or Get-Item cmdlets. It returns the file attributes or properties available on the specified files. To get the list of all properties available, use the Get-Member cmdlet.
How to export a list of users from Active Directory using PowerShell?
- Step 1: Get-ADUser PowerShell Command. ...
- Step 2: Export to CSV command. ...
- Step 3: Export specific user attributes. ...
- Step 4: How to export all users. ...
- Step 5: Export Users from a specific OU. ...
- Export only enabled users. ...
- Export users to CSV with last logon date.
The first and easiest method is by using the PowerShell cmdlet Get-Credential . You can simply execute Get-Credential , which will result in a username and password prompt. From there you could enter the domainName\userName or you can call the cmdlet with some optional parameters.
How do I get a list of users in an OU in PowerShell?
How can I list all users in a particular organizational unit (OU)? Use the Get-ADUser cmdlet from the ActiveDirectory Module (available from the RSAT tools). Specify the SearchBase as the name of the OU, and use a wildcard pattern for the Filter.
How to check if user is disabled in Active Directory PowerShell?
- Run Netwrix Auditor → Navigate to "Reports" → Expand the "Active Directory" section → Go to "Active Directory – State-in-Time" → Select "User Accounts" → Click "View" → Type the user's logon name in the “Logon Name” filter → Click "View Report".
- Review the report:
- Open the Active Directory Users and Computers snap-in.
- In the left pane, connect to the domain you want to query.
- Right-click on the domain and select Find.
- Beside Find, select Common Queries.
- Check the box beside “disabled accounts.”
- Click the Find Now button.
- First thing open Powershell and start with the command Get-ADComputer.
- Let's type and press enter. The command will return all the Computers in Active Directory with the Properties that select and lastlogontimestamp.
To find the accounts, run a script that queries Active Directory for inactive user accounts. In Active Directory Module for Windows PowerShell, Search-ADAccount –AccountInactive –UsersOnly command returns all inactive user accounts.
Which PowerShell command will check the Active Directory status?
The command Repadmin /replsummary summarizes the replication status of all the domain controllers in all the domains in the forest. You will also get to know the last time a DC replicated, and why it stopped replicating.
How can I find Active Directory Users and Computers?
To open Active Directory Users and Computers, log into a domain controller, and open Server Manager from the Start menu. Now, in the Tools menu in Server Manager, click Active Directory Users and Computers. For more details on accessing Active Directory and other ways to access the admin tools, keep reading!
How to find list of inactive users in Microsoft 365 using PowerShell?
- Open PowerShell ISE on your local computer.
- Connect to your Microsoft 365 Azure Active Directory environment by running the following command: Connect-AzureAD.
- Get all users in your environment using Get-AzureADUser cmdlet and iterate through each one of them.