The Get-ADUser cmdlet is a very versatile tool that’s used to get Active Directory users. If you need to identify specific AD users, you may use values like their SAM account name to do so. Or you can utilize the Properties parameter when you need detailed info on one or more users.
Similarly, when you’re dealing with a large number of user objects, the Filter parameter is useful for getting AD users based on certain filters like Email, City, Title, etc. Combined with tools like sort and export, Get-ADUser makes user management in domains very convenient.
PowerShell Get-ADUser Requirements
On Domain Controllers, the Get-ADUser command obviously works by default. But if you attempt to run this command on other systems that are part of the AD domain, you may encounter the Get-ADUser is not recognized error.
This is because you must install the RSAT AD component first. You may do so with Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0". Once you do this, you can use Get-ADUser on any system.
You won’t be limited to domain admin accounts either; any authorized AD user account will work. One thing to remember is that while non-admin accounts can retrieve most user object attributes using this command, some sensitive info might be accessible to domain admins only.
Get-ADUser Parameters
Get-ADUser primarily uses three parameters to retrieve user objects – Identity, Filter, and LDAPFilter.
Identity retrieves a user object using a specific value like its distinguished name or GUID. This is useful when you need to find a user object and remember the required value.
Filter returns a list of user objects based on the selected queries. In cases where you need to get AD users whose password has expired, or ones that haven’t logged in the last 2 weeks, and so on, Filter can be useful. You may further narrow down the results to only user objects from specific servers, specific OUs, etc.
LDAPFilter also uses query strings to filter the user objects. The difference is that, unlike Filter which follows PowerShell syntax, LDAPFilter uses its own LDAP query syntax (attribute and value). This means it does have a slight learning curve, but you’ll find it to be a useful tool once you get used to it.
There are other useful parameters too, like SearchBase and SearchScope, that we’ll cover in our examples. We recommend referring to Microsoft’s documentation if you want to check the complete list of parameters, but the prior three are the ones we’ll focus on in this article.
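The Filter, LDAPFilter, SearchBase and SearchScope parameters described above, shown together in an added example that is not from the original article: the same query (enabled users with no logon in the last 2 weeks) written in both filter syntaxes and limited to one OU. The OU distinguished name and the CSV file name are placeholder assumptions.

```powershell
# Added example. Requires the ActiveDirectory module (RSAT) on a domain-joined host.
Import-Module ActiveDirectory

# Assumption: placeholder OU; substitute a distinguished name from your domain.
$searchBase = 'OU=Staff,DC=example,DC=com'
$cutoff     = (Get-Date).AddDays(-14)

# Request only the attributes the report needs instead of -Properties *.
$props = 'LastLogonDate', 'PasswordExpired', 'Title'

# -Filter uses PowerShell-style operators. The module resolves $cutoff itself,
# so the filter string is single-quoted.
$byFilter = @(Get-ADUser -Filter 'Enabled -eq $true -and LastLogonDate -lt $cutoff' `
    -SearchBase $searchBase -SearchScope Subtree -Properties $props)

# -LDAPFilter uses LDAP syntax: prefix operators, raw attribute names, and
# lastLogonTimestamp as a Windows FILETIME integer. LDAP has no '<', only '<='.
# The bitwise matching rule excludes accounts with the ACCOUNTDISABLE bit (2) set.
$fileTime   = $cutoff.ToFileTimeUtc()
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(!(userAccountControl:1.2.840.113556.1.4.803:=2))" +
              "(lastLogonTimestamp<=$fileTime))"
$byLdap = @(Get-ADUser -LDAPFilter $ldapFilter `
    -SearchBase $searchBase -SearchScope Subtree -Properties $props)

# Both syntaxes should select the same accounts.
'{0} users via -Filter, {1} users via -LDAPFilter' -f $byFilter.Count, $byLdap.Count

# Caveats: lastLogonTimestamp replicates lazily (by default it can lag by up
# to about 14 days), and accounts that have never logged on have no value,
# so neither query returns them.
$byFilter |
    Sort-Object LastLogonDate |
    Select-Object SamAccountName, Title, LastLogonDate, PasswordExpired |
    Export-Csv -Path .\stale-users.csv -NoTypeInformation
```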
Identity returns a single AD user object using one of the following properties:
Let’s say you need details on a user named Ava. Assuming her SamAccountName is ava, you may retrieve the user object with Get-ADUser -Identity ava.
This command only returns 10 main properties though. If you need the complete properties list for a user object, you should use Get-ADUser -Identity ava -Properties * instead.