Find Active Directory User Attributes with PowerShell (Get-ADUser)
Find Active Directory User Attributes with PowerShell (Get-ADUser ). In this article, we will look at how to get the user attributes in AD using the ADUC console and using PowerShell.
In a real world scenario user accounts are assigned to employees when working in an organization using the Active Directory or AD. We can manage this easily through the AD Users and Computers console or ADUC. However, the number of AD users proliferates as the organization grows large and the accounts will be difficult to manage. This article will discuss the primary PowerShell command that manages AD Users, the Get-ADUser command.
Get-ADUser
The Get-ADUser PowerShell cmdlet allows you to get information about an Active Directory user, its attributes and search domain users. It is one a popular PowerShell cmdlets to retrieve information from AD. With Get-ADUser cmdlet you will find the value of any attribute of an Active Directory user or you can list domain users with attributes and then export user reports info to CSV files.
Get Active Directory User in PowerShell
Prerequisites
To use the Get-ADUser or any other active directory cmdlets, be sure we have the following:
- A domain joined workstation or server.
- A logged in user account with at least a read only AD rights.
- Have the PowerShell Active Directory module installed and imported.
According to the official Microsoft documentation, the Get-ADUser cmdlet gets a specified user object or performs a search to get multiple user objects. Moreover, the said cmdlet is accompanied by numerous parameters that make the command more efficient.
The following section of the article about how to Find Active Directory User Attributes with PowerShell (Get-ADUser Commands) we will discuss the essential parameters frequently used in a real world scenario. These parameters commonly accompany the Get-ADUser command for precise and efficient user querying.
Finding a User Account with Identity Parameter
The Identity parameter allows us to provide one of four different identifiers:
- samAccountName – A logon name that supports the previous version of Windows. This identifier is the most common parameter value used in real world scenarios.
Get-ADUser -Identity noah
- distinguishedName (DN) – A string that uniquely identifies an entry in the directory information tree.
Get-ADUser -Identity 'CN=Noah Oliver,OU=Finance,DC=abccompany,DC=com'
- GUID – the unique identifier of a user.
Get-ADUser -Identity 'b97fd0c4-3e4d-4132-8243-b02135d6b0dc'
- SID – Security identifier (SID) of the user
Get-ADUser -Identity 'S-2-2-5-21-4117810201-3432423942-696230396-3141'
The above commands will result in the same output and point to a specific user. This statement proves that we can use any given identifier and make it the value of the Identity parameter. Remember that the Identity parameter only accepts one identifier.
DistinguishedName : CN=Noah Oliver,OU=Finance,DC=abccompany,DC=com
Enabled : False
GivenName : Noah
Name : Noah Oliver
ObjectClass : user
ObjectGUID : b97fd0c4-3e4d-4132-8243-b02135d6b0dc
SamAccountName : noliver
SID : S-2-2-5-21-4117810201-3432423942-696230396-3141
Surname : Oliver
UserPrincipalName : noliver@abccompany.com
Narrowing Search Results Using the Filter Parameter
We can use a filter if we need to find more than one domain user or we do not know an identifier. To do so, we have two parameters called Filter and LDAP Filter. Both parameters allow a user to provide a conditional statement that will match an AD user object. Thus, the Get-ADUser command will display user accounts that satisfy this requirement.
The most common parameter used to filter user objects is the Filter parameter. The Filter parameter uses a language called the PowerShell expression language syntax. This language is similar to what we would use with the Where-Object pipeline command.
Get-ADUser -Filter "givenName -eq 'Noah'"
DistinguishedName : CN=Noah Jameson,OU=IT,DC=abccompany,DC=com
Enabled : False
GivenName : Noah
Name : Noah Jameson
ObjectClass : user
ObjectGUID : b27fd0c5-3f4a-4132-8245-a12134d6c0dc
SamAccountName : njameson
SID : S-1-2-5-21-4127910251-5432423947-193240392-6242
Surname : Jameson
UserPrincipalName : njameson@abccompany.com
DistinguishedName : CN=Noah Oliver,OU=Finance,DC=abccompany,DC=com
Enabled : False
GivenName : Noah
Name : Noah Oliver
ObjectClass : user
ObjectGUID : b97fd0c4-3e4d-4132-8243-b02135d6b0dc
SamAccountName : noliver
SID : S-2-2-5-21-4117810201-3432423942-696230396-3141
Surname : Oliver
UserPrincipalName : noliver@abccompany.com
Lightweight Directory Access Protocol (LDAP) is a vendor independent protocol for accessing and changing directory data. When we hear the word directory, we often think of a phone book, but it has a far broader meaning in the context of Active Directory. The LDAP protocol stores and makes many different object types accessible in Active Directory.
Because Active Directory can contain various data types, apps and users require a simple way to query it. We may also remark that this is where AD becomes both sophisticated and valuable.
The LDAPFilter parameter allows us to use LDAP filters created in Active Directory Users and Computers with the cmdlets. RFC number 4515 defines the syntax for LDAP filters.
It can be challenging to create LDAP filters. So, here are several active directory group filter examples that we can utilize as a starting point when writing our LDAP filters.
- All groups with a name of either ‘Marketing Department’ or ‘All Teams Share RO’
'(cn -eq "Marketing Department") -or (cn -eq "All Teams Share Access")' or '(|(cn=Marketing Department Department)(cn=All Teams Share RO))'
- All groups with a description of ‘Production’ but not with a name of ‘Marketing Department’
'(description -eq "Production") -and (cn -ne "Marketing Department")' or '(&(description=Production)(!(cn=Marketing Department)))'
- All groups whose description is ‘\\FS1\AllTeamsShareRO’
'description -eq "\5c\5cFS1\5cAllTeamsShareRO"' or '(description=\5c\5cFS1\5cAllTeamsShareRO)'
Get AD User in an Organizational Unit
By specifying an identity or filter, PowerShell returns all users in the domain that meet the parameters. It is not limited to an OU or Organizational Unit. We will need to use the SearchBase parameter to create a filter for Get-ADUser in a specific OU. Remember that an OU is similar to a container with AD objects like users and computers. OUs are generally found at the left hand side of the ADUC console.
We can start looking for a user account in a particular OU by using the SearchBase argument. The distinguishing name of an OU is accepted by the SearchBase parameter (DN).
For example, if we want to search for all users in an organization, the Filter parameter can accept a wildcard. A wildcard, also known as a wild character or a wildcard character, is a sign used to substitute or symbolize one or more characters. A few examples are the asterisk (*), which represents zero (space) or more characters, and the question mark (?) indicating a single character.
In this case, using the wildcard of * will match the conditions to all user accounts.
Get-ADUser -Filter * -SearchBase 'OU=Users,DC=abccompany,DC=com'
Perhaps we only want to search for user accounts in a single OU, ignoring child OUs. We might utilize the SearchBase and SearchScope parameters in such instances. The SearchScope parameter specifies how far down the OU hierarchy we want to look.
For example, if we would like to find all user accounts in an OU and all child OUs, we would use 1 for the SearchScope value. On the other hand, if we would like to search through all child and grandchildren OUs, we would use 2.
The below example searches for user accounts in the Users OU and all child OUs underneath it.
Get-ADUser -Filter * -SearchBase 'OU=Users,DC=abccompany,DC=com' -SearchScope 2
Getting the Properties of an AD User
When we run Get-ADUser, we will immediately see only a few attributes are returned. We will also see that all attributes are still not returned even when the output is piped to Select-Object -Property *.
To use PowerShell to get an AD user object attributes, we will be using the Property parameter. The Property parameter accepts one or more comma-separated attributes to show with the output.
Below we will see an example of using Get-ADUser to find all properties for a specific user account. For the reader’s convenience, since typically, this is a long list of properties to display, we snipped the output for our example below. However, we will see other familiar attributes like email address, password properties, etc.
Active Directory Reporting Tool InfraSOS
InfraSOS is SaaS tool for Active Directory Reporting. The big deal about this tool is that you can run reports on Azure AD, Office 365, Exchange and Active Directory health check tool (replication, domain controller, dns health). With infraSOS you can perform automation and workflow against your Active Directory. This tools is desirable for IT administrators or helpdesk staff who need to perform operations against your AD (Adding, deleting Users). InfraSOS has over 200 AD reports to run against Active Directory. Great auditing tool.
Find Active Directory User Attributes with PowerShell Conclusion
We may use the Get-ADUser cmdlet to locate AD user accounts. It is an excellent approach to extracting AD users from a domain. By performing Get-Help Get-ADUser, we can get a full breakdown of the Get-ADUser command and all the accompanying parameters. We may also refer to the official Microsoft documentation found in this link.
