If you need to find Active Directory (AD) users in your domain, the Powershell Get-Aduser command is here. User accounts are assigned to employees, service accounts and other resources. Before you know it, AD user accounts are getting difficult to manage.
Using the Get-AdUser PowerShell cmdlet, you can get AD users many different ways. In this article, you're going to learn a few of those ways and how to use this handy cmdlet.
Prerequisites
To use the Get-AdUser cmdlet examples covered in this article, be sure you have the following:
- On a Windows PC joined to an AD domain
- Logged in as an AD user account
- Have the PowerShell Active Directory module installed
Finding a User Account with Identity
The Get-AdUser cmdlet has one purpose and one purpose only. It exists to provide as many options as possible to find domain users. If you already know the user name to look up, you can use the Identity parameter.
The Identity parameter allows you to provide one of four different identifiers.
- distinguishedName (DN)
- samAccountName
- GUID
- SID
Below you can see some examples of finding a user account using various identifiers. Notice that it returns a set of AD attributes for each user account.
PS> Get-ADUser -Identity abertram
DistinguishedName : CN=Anne Bertram,OU=Marketing,DC=mylab,DC=local
Enabled : False
GivenName : Anne
Name : Anne Bertram
ObjectClass : user
ObjectGUID : b98fd0c4-3d5d-4239-8245-b04145d6a0db
SamAccountName : abertram
SID : S-1-5-21-4117810001-3432493942-696130396-3142
Surname : Bertram
UserPrincipalName : [email protected]
PS> Get-ADUser -Identity 'S-1-5-21-4117810001-3432493942-696130396-3142'
DistinguishedName : CN=Anne Bertram,OU=Marketing,DC=mylab,DC=local
Enabled : False
GivenName : Anne
Name : Anne Bertram
ObjectClass : user
ObjectGUID : b98fd0c4-3d5d-4239-8245-b04145d6a0db
SamAccountName : abertram
SID : S-1-5-21-4117810001-3432493942-696130396-3142
Surname : Bertram
UserPrincipalName : [email protected]
PS> Get-ADUser -Identity 'CN=Anne Bertram,OU=Marketing,DC=mylab,DC=local'
DistinguishedName : CN=Anne Bertram,OU=Marketing,DC=mylab,DC=local
Enabled : False
GivenName : Anne
Name : Anne Bertram
ObjectClass : user
ObjectGUID : b98fd0c4-3d5d-4239-8245-b04145d6a0db
SamAccountName : abertram
SID : S-1-5-21-4117810001-3432493942-696130396-3142
Surname : Bertram
UserPrincipalName : [email protected]
The most common attribute to use for the Identity parameter will be the samAccountName attribute.
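Because an incident ticket or event log may hand you a SID or GUID rather than a user name, it helps to see all four identifier forms resolved in one pass. This is an added example, not code from the original article; it assumes the ActiveDirectory module is loaded, reuses the article's sample values for Anne Bertram, and adds one constructed identifier that does not exist so the not-found path is exercised.

```powershell
# Added example (not from the original article): resolve a batch of identifiers of
# the four kinds -Identity accepts and report which ones exist.
Import-Module ActiveDirectory

$identities = @(
    'abertram',                                        # samAccountName (from the article)
    'S-1-5-21-4117810001-3432493942-696130396-3142',   # SID (from the article)
    'b98fd0c4-3d5d-4239-8245-b04145d6a0db',            # objectGUID (from the article)
    'CN=Anne Bertram,OU=Marketing,DC=mylab,DC=local',  # distinguishedName (from the article)
    'nosuchuser'                                       # constructed: does not exist
)

foreach ($id in $identities) {
    try {
        # -ErrorAction Stop makes sure a lookup failure is terminating so the
        # catch block below sees it instead of a red error scrolling past.
        $user = Get-ADUser -Identity $id -ErrorAction Stop
        [pscustomobject]@{
            Input    = $id
            Resolved = $user.SamAccountName
            Enabled  = $user.Enabled
        }
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        # The identifier is well-formed but no object matches it in the domain.
        [pscustomobject]@{ Input = $id; Resolved = $null; Enabled = $null }
    }
}
```

Every row that comes back with an empty Resolved column is an identifier that no longer maps to a user, which is worth knowing before you act on it.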
The Get-ADUser Filter
If you need to find more than one domain user or don't know an identifier, use a filter. To do so, you've got a couple of parameters on hand called Filter and LDAPFilter.
Each filter parameter allows a user to provide a conditional statement. When this condition is met, Get-AdUser will return user accounts matching that condition.
The most common parameter to filter users is Filter. The Filter parameter allows you to create conditions that are like the PowerShell Where-Object command filter syntax.
The Filter parameter uses a language called PowerShell expression language syntax. This language is a bit like what you'd use with Where-Object but not quite. For a breakdown of how to use this filter, check out this Active Directory and LDAP filters article.
Below is an example of using the Filter parameter. This example names an AD attribute (givenName in this example) and sets a condition on it. The filter only returns users whose givenName is equal to Adam.
PS> Get-AdUser -Filter "givenName -eq 'Adam'"
DistinguishedName : CN=ADBertram,OU=Accounting,DC=mylab,DC=local
Enabled : False
GivenName : Adam
Name : ADBertram
ObjectClass : user
ObjectGUID : 8ec5e2a8-1fda-42cb-9406-b1e6356dd457
SamAccountName : ADBertram
SID : S-1-5-21-4117810001-3432493942-696130396-3163
Surname : Bertram
UserPrincipalName : ADBertram
DistinguishedName : CN=Hughes\, Adam,CN=Users,DC=mylab,DC=local
Enabled : True
GivenName : Adam
Name : Hughes, Adam
ObjectClass : user
ObjectGUID : 96778db3-3dbd-4b83-9183-db111caa2791
SamAccountName : ahughes
SID : S-1-5-21-4117810001-3432493942-696130396-38201
Surname : Hughes
UserPrincipalName :
The other filtering option is LDAPFilter, which will not be covered in this article. For more information on LDAPFilter and its syntax, check out this article on Active Directory and LDAP filters.
Using Get-AdUser by OU
By providing an identity or filter alone, PowerShell returns all users in the domain matching the criteria; it does not limit the search to an OU. To scope Get-AdUser to an OU, add the SearchBase parameter, as in Get-Aduser -SearchBase <OU>.
Using the SearchBase parameter allows you to begin searching for a user account in a specific OU. The SearchBase parameter accepts an OU's distinguished name (DN).
For example, you could find all users in the MyUsers OU as shown below. Using the Filter of * means to match all user accounts.
PS> Get-ADUser -Filter * -SearchBase 'OU=MyUsers,DC=domain,DC=local'
Perhaps you only want to find user accounts in a single OU and exclude any child OUs. In that case, you could use the SearchBase and SearchScope parameters. The SearchScope parameter defines how deep in the OU hierarchy you'd like to search.
For example, if you'd like to find all user accounts in an OU and all child OUs, you'd use 1 for the SearchScope value. If you'd like to search through all child and grandchildren OUs, you'd use 2.
Below is an example of searching for user accounts in the MyUsers OU and all child OUs underneath it.
PS> Get-ADUser -Filter * -SearchBase 'OU=MyUsers,DC=domain,DC=local' -SearchScope 2
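To make the effect of SearchScope concrete, the added example below (not code from the original article) runs the same SearchBase with the OneLevel and Subtree scopes and lists the accounts that only the deeper scope finds. It assumes the ActiveDirectory module is loaded and that the article's sample OU, OU=MyUsers,DC=domain,DC=local, exists and has child OUs beneath it.

```powershell
# Added example (not from the original article): compare what -SearchScope returns
# for the same -SearchBase, and show which accounts live in nested child OUs.
Import-Module ActiveDirectory

$ou = 'OU=MyUsers,DC=domain,DC=local'   # the article's sample OU DN

# SearchScope accepts either the name or its numeric value:
#   Base (0)     - only the object at SearchBase itself
#   OneLevel (1) - objects directly inside the OU, not inside its child OUs
#   Subtree (2)  - the OU and every OU nested below it; this is the default
$direct = @(Get-ADUser -Filter * -SearchBase $ou -SearchScope OneLevel)
$nested = @(Get-ADUser -Filter * -SearchBase $ou -SearchScope Subtree)

"Users directly in $ou      : $($direct.Count)"
"Users anywhere under $ou   : $($nested.Count)"

# Anything Subtree finds that OneLevel did not must sit in a child OU.
$directDns = @($direct | ForEach-Object { $_.DistinguishedName })
$nested |
    Where-Object { $directDns -notcontains $_.DistinguishedName } |
    Select-Object SamAccountName, DistinguishedName |
    Format-Table -AutoSize
```

If the two counts are equal, no user account exists in a child OU beneath the base, and narrowing to OneLevel is safe for that report.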
Using Alternate Credentials
By default, Get-AdUser will run under the context of the logged-on user. But you can also provide alternative credentials using the Credential parameter.
To authenticate with alternate credentials, create a PSCredential object using Get-Credential like below:
PS> $cred = Get-Credential
PS> Get-AdUser -Filter * -Credential $cred
For more information on credentials, check out Using the PowerShell Get-Credential cmdlet and all things credentials.
The PowerShell Get-AdUser Properties Parameter
When you run Get-AdUser, you'll immediately see that only a few attributes are returned. You'll also see that even when the output is piped to Select-Object -Property *, not all attributes are returned, because the cmdlet only fetched the default set from the domain controller.
To use PowerShell to get additional AD user attributes, use the Properties parameter. This parameter accepts one or more comma-delimited attribute names to retrieve and show with the output.
Below you’ll see an example of using Get-AdUser
to find all properties for all user accounts with a givenName
of Adam
. The output is snipped but you’ll see other familiar attributes like email address, password properties and more here.
PS> Get-AdUser -Filter "givenName -eq 'Adam'" -Properties *
AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : mylab.local/Accounting/ADBertram
........
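The Filter and Properties parameters are usually combined in practice: a filter narrows the set of accounts, and Properties pulls the extra attributes the filter and the report need. The added example below (not code from the original article) builds a small account-hygiene report that way. It assumes the ActiveDirectory module is loaded; the 90-day inactivity window is a chosen value, not something the article specifies.

```powershell
# Added example (not from the original article): enabled accounts that have not
# logged on for 90 days and whose password is set to never expire.
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-90)   # constructed threshold; adjust to policy

# The filter is PowerShell expression language, not a Where-Object script block:
# comparison operators such as -eq, -lt and -like plus -and/-or are accepted,
# but method calls and $_ are not. The $cutoff variable is expanded when the
# string is built, so its value is quoted to survive as a single token.
$filter = "Enabled -eq 'True' -and PasswordNeverExpires -eq 'True' " +
          "-and LastLogonDate -lt '$cutoff'"

# Ask only for the attributes the report needs rather than -Properties *;
# each extra attribute is more data pulled from the domain controller.
$stale = Get-ADUser -Filter $filter -Properties LastLogonDate, PasswordLastSet, PasswordNeverExpires

$stale |
    Select-Object SamAccountName, Enabled, LastLogonDate, PasswordLastSet,
                  @{ Name = 'DaysSinceLogon'; Expression = {
                        if ($_.LastLogonDate) { (New-TimeSpan -Start $_.LastLogonDate -End (Get-Date)).Days }
                        else { 'never' } } } |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize

"{0} enabled, non-expiring accounts inactive since {1:d}" -f @($stale).Count, $cutoff
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the true last logon by up to about two weeks, so treat the window as approximate when deciding what to disable.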
Summary
The Get-ADUser cmdlet is a handy command to find AD user accounts, build reports and more. It's a great way to pull AD users from a domain. For a breakdown of Get-AdUser and all its parameters, read the help content by running Get-Help Get-AdUser.
For many other examples of how to use Get-AdUser, check out the blog post Active Directory Scripts Galore: Come and Get It!.