Getting Active Directory User Data via PowerShell
It is no secret that since the first PowerShell version Microsoft has been trying to make it the main administrative tool in Windows, and it has mostly succeeded. Using simple examples, we will show how the Get-ADUser cmdlet can search for specific user objects in an Active Directory domain and return information about AD users and their attributes.
Note. Earlier, to get information about the attributes of AD user accounts you had to use different tools: the ADUC console (including saved AD queries), VBS scripts, dsquery, etc.
With PowerShell 2.0 a dedicated module for working with Active Directory appeared: the Active Directory Module for Windows PowerShell (introduced with Windows Server 2008 R2). It manages AD directory objects through a set of cmdlets. To get information about Active Directory domain users and their properties there is the Get-ADUser cmdlet. With Get-ADUser you can read the value of any attribute of an existing user account in AD, and you can specify filtering criteria to build lists of domain users and their attributes.
In this example we will show how to get the time of a user's last password change and the password expiration state using the Get-ADUser cmdlet.
Run PowerShell with administrator privileges and import the Active Directory module with the following command:
Import-Module activedirectory
Tip. Starting with Windows Server 2012 (PowerShell 3.0) this step can be skipped: installed modules are loaded automatically the first time one of their cmdlets is used.
On Windows 10 or Windows 7, in order to use the Get-ADUser cmdlet you need to install the appropriate version of RSAT and enable the Active Directory Module for Windows PowerShell component in the Control Panel (Programs -> Turn Windows features on or off -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> AD DS Tools). On Windows 10 1809 and later, RSAT is installed as an optional feature (Settings -> Apps -> Optional features -> "RSAT: Active Directory Domain Services and Lightweight Directory Services Tools") instead of a separate download.
A complete list of all the arguments to the Get-ADUser cmdlet can be obtained as follows:
help Get-ADUser
To display the list of all domain accounts, run this command:
Get-ADUser -filter *
Important. It is not recommended to run this command in domains with a large number of accounts: the query enumerates every user object, and the domain controller serving it can be overloaded.
The format of the returned list is not very convenient: only 10 basic attributes (DN, SamAccountName, Name, SID, UPN, etc.) of the more than 120 attributes and properties of a user account are displayed. We also see that the information about the time of the last password change is absent.
To display the detailed information about all available attributes of one user account, run this command:
Get-ADUser -identity tuser -properties *
Now we see the full list of AD attributes and their values associated with the user account. Next we will format the Get-ADUser output so that only the necessary fields are displayed. We are interested in the following properties:
  • PasswordExpired
  • PasswordLastSet
  • PasswordNeverExpires
Run the command:
Get-ADUser tuser -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires
Now the user data includes the date of the last password change and whether the password has already expired. Note that none of these three properties is the expiration date itself: that date is derived from the domain (or fine-grained) password policy, and AD exposes it through the constructed attribute msDS-UserPasswordExpiryTimeComputed, which must be requested explicitly with -Properties. Display this information in a more convenient table view:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
To display the users from a certain OU, use the -SearchBase parameter:
Get-ADUser -SearchBase 'OU=London,DC=woshub,DC=loc' -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires
The result can be exported to a text file:
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | ft Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires > C:\temp\users.txt
It can also be exported to a CSV file, which is convenient to import into Excel. In the same pipeline you can sort the table by the PasswordLastSet column with Sort-Object and add a Where-Object condition, for example that the user name has to contain the string "Dmitry":
Get-ADUser -filter * -properties PasswordExpired, PasswordLastSet, PasswordNeverExpires | where {$_.name -like "*Dmitry*"} | sort-object PasswordLastSet | select-object Name, PasswordExpired, PasswordLastSet, PasswordNeverExpires | Export-csv -path c:\tmp\user-passwords-expires.csv
In this way you can build a table with any attributes of Active Directory users.
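The commands above show when a password was last set and whether it has expired, but not when it will expire. The following script is an added example (not from the original article) that builds a per-user password expiry report for the article's sample OU by reading the constructed attribute msDS-UserPasswordExpiryTimeComputed, handles the accounts for which no date exists (PasswordNeverExpires, or a password that must be changed at next logon), and exports the result to CSV. The OU and the output path are assumptions taken from the article's samples; change them for your domain.

```powershell
# Added example: password expiry report for one OU (not the article's own code).
# Assumes the article's sample OU and an output path under C:\temp.
Import-Module ActiveDirectory

$searchBase = 'OU=London,DC=woshub,DC=loc'   # assumed, from the article's sample
$outFile    = 'C:\temp\password-report.csv'  # assumed output path

# msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the effective
# (default or fine-grained) password policy, so it is only returned on request.
$props = 'PasswordLastSet', 'PasswordExpired', 'PasswordNeverExpires',
         'msDS-UserPasswordExpiryTimeComputed'

$report = Get-ADUser -SearchBase $searchBase -Filter 'Enabled -eq $true' -Properties $props |
    ForEach-Object {
        $raw = $_.'msDS-UserPasswordExpiryTimeComputed'
        # The attribute is a FILETIME (Int64). 0 means the password must be set
        # (pwdLastSet = 0) and Int64.MaxValue means "never expires"; neither can
        # be converted into a meaningful date, so report $null for them.
        $expires = if ($_.PasswordNeverExpires -or -not $raw -or $raw -eq [Int64]::MaxValue) {
                       $null
                   } else {
                       [DateTime]::FromFileTime($raw)
                   }
        [PSCustomObject]@{
            SamAccountName       = $_.SamAccountName
            Name                 = $_.Name
            PasswordLastSet      = $_.PasswordLastSet
            PasswordExpires      = $expires
            DaysUntilExpiry      = if ($expires) { [int](($expires - (Get-Date)).TotalDays) } else { $null }
            PasswordExpired      = $_.PasswordExpired
            PasswordNeverExpires = $_.PasswordNeverExpires
            # A null PasswordLastSet means "User must change password at next logon".
            MustChangeAtLogon    = ($null -eq $_.PasswordLastSet)
        }
    }

$report | Sort-Object PasswordExpires | Format-Table -AutoSize
$report | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
```

Filtering on Enabled in the -Filter rather than in Where-Object lets the domain controller exclude disabled accounts before the objects are returned, which matters in large domains; the same applies to any condition that can be expressed as an AD filter.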
To obtain data about Active Directory computers you need to use another cmdlet, Get-ADComputer.
To get a list of AD user accounts with a particular characteristic, use the -Filter parameter. As the argument of this parameter you specify conditions on the attributes of Active Directory users; the filter is translated into an LDAP query and evaluated on the domain controller.
Let's look at some more useful Active Directory queries using different filters. You can combine them to find several kinds of user objects in one search.
Display AD users, whose name starts with Joe:
Get-ADUser -filter {name -like "Joe*"}
To calculate the total number of all Active directory accounts:
Get-ADUser -Filter {SamAccountName -like "*"} | Measure-Object
The list of all enabled (not disabled) AD accounts. Note that Enabled refers to the "Account is disabled" flag, not to a lockout; locked-out accounts are reported by the LockedOut property:
Get-ADUser -Filter {Enabled -eq $true} | Select-Object SamAccountName,Name,Surname,GivenName | Format-Table
The list of the accounts with the expired password:
Get-ADUser -filter {Enabled -eq $True} -properties passwordExpired | where {$_.PasswordExpired}
The list of enabled accounts that have an e-mail address. Use a presence test (mail -like "*") for "attribute is set" rather than comparing against the literal string "null":
Get-ADUser -Filter {(mail -like "*") -and (Enabled -eq $true)} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Format-Table
Task: for a list of accounts stored in a CSV file (a header line user, then one sAMAccountName per line; Import-Csv needs the header to produce the $_.user property), get each user's company name from AD and save it to a CSV file (which you can easily import into Excel):
Import-Csv c:\ps\users_list.csv | ForEach {
Get-ADUser -identity $_.user -Properties Name, Company |
Select Name, Company |
Export-CSV c:\ps\users_ad_list.csv -Append -Encoding UTF8
}
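The loop above stops with an error at the first account name that does not exist in AD, because Get-ADUser -Identity throws when it cannot resolve the identity. The following script is an added example (not from the original article) that performs the same bulk lookup but catches the not-found case per line, records which input names were not resolved, and writes the CSV once at the end instead of appending inside the loop. The input and output paths are the article's sample paths and are assumptions.

```powershell
# Added example: bulk lookup from a CSV with error handling (not the article's code).
# Assumes C:\ps\users_list.csv has a header line "user" and one sAMAccountName per line.
Import-Module ActiveDirectory

$inFile  = 'C:\ps\users_list.csv'     # assumed, from the article's sample
$outFile = 'C:\ps\users_ad_list.csv'  # assumed, from the article's sample

$results = Import-Csv -Path $inFile | ForEach-Object {
    $name = $_.user.Trim()
    if (-not $name) { return }   # skip blank lines

    try {
        # -Identity accepts sAMAccountName, DN, objectGUID or SID. An unknown value
        # raises ADIdentityNotFoundException; -ErrorAction Stop makes it catchable.
        $u = Get-ADUser -Identity $name -Properties Company -ErrorAction Stop
        [PSCustomObject]@{
            Input          = $name
            Found          = $true
            SamAccountName = $u.SamAccountName
            Name           = $u.Name
            Company        = $u.Company
            Enabled        = $u.Enabled
        }
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        [PSCustomObject]@{
            Input          = $name
            Found          = $false
            SamAccountName = $null
            Name           = $null
            Company        = $null
            Enabled        = $null
        }
    } catch {
        # Any other failure (DC unreachable, access denied) is worth stopping for.
        throw
    }
}

# One Export-Csv call: -Append inside the loop re-opens the file for every user.
$results | Export-Csv -Path $outFile -NoTypeInformation -Encoding UTF8
$results | Where-Object { -not $_.Found } |
    ForEach-Object { Write-Warning "Not found in AD: $($_.Input)" }
```

Keeping the unresolved names in the output (Found = $false) is deliberate: for an access review, a name that is on the list but no longer in AD is a finding in itself, not something to drop silently.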
The next example exports the company address book to a CSV file, which can later be imported into e-mail clients such as Outlook or Mozilla Thunderbird:
Get-ADUser -Filter {(mail -like "*") -and (Enabled -eq $true)} -Properties Surname,GivenName,mail | Select-Object Name,Surname,GivenName,mail | Export-Csv -NoTypeInformation -Encoding utf8 -delimiter "," $env:temp\address_list.csv
The users who have not changed their passwords in the last 90 days. Accounts whose password was never set (PasswordLastSet is empty, "must change password at next logon") do not match a -le comparison and are not included, and the query returns disabled accounts as well unless you add an Enabled condition:
$90_Days = (Get-Date).adddays(-90)
Get-ADUser -filter {(passwordlastset -le $90_days)}
To get a user's photo from Active Directory and save it to a file, run the following commands (the -Encoding byte parameter exists in Windows PowerShell 5.1 and earlier; in PowerShell 7 use Set-Content -AsByteStream instead):
$usr = Get-ADUser sjoe -Properties thumbnailPhoto
$usr.thumbnailPhoto | Set-Content sjoe.jpg -Encoding byte
To get the list of AD groups the user account is a direct member of (the memberOf attribute holds group distinguished names and does not include the primary group, normally Domain Users, which is stored in primaryGroupID):
Get-AdUser sjoe -Properties memberof | Select -ExpandProperty memberof
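memberOf only lists direct membership, and for an access review it is usually the effective (nested) membership that matters. The following script is an added example (not from the original article) that resolves the direct groups of the article's sample account sjoe and then queries AD for every group the user belongs to transitively, using the LDAP_MATCHING_RULE_IN_CHAIN matching rule (OID 1.2.840.113556.1.4.1941) on the member attribute. The account name is the article's sample and is an assumption.

```powershell
# Added example: direct versus nested group membership (not the article's code).
# Assumes the article's sample account 'sjoe'.
Import-Module ActiveDirectory

$sam  = 'sjoe'   # assumed, from the article's sample
$user = Get-ADUser -Identity $sam -Properties MemberOf

# Direct membership: memberOf holds the DNs of the groups the user is listed in.
$direct    = $user.MemberOf | ForEach-Object { Get-ADGroup -Identity $_ }
$directDns = @($direct.DistinguishedName)

# Transitive membership: every group whose member attribute chains to the user's DN.
# The DN goes inside an LDAP filter, so escape the characters that are special there
# (backslash first, then parentheses and asterisk) as \hex pairs.
$dnEscaped = $user.DistinguishedName -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
$nested = Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dnEscaped)"

$nested | ForEach-Object {
    [PSCustomObject]@{
        Group      = $_.Name
        Scope      = $_.GroupScope
        Category   = $_.GroupCategory
        Membership = if ($directDns -contains $_.DistinguishedName) { 'Direct' } else { 'Nested' }
    }
} | Sort-Object Membership, Group | Format-Table -AutoSize
```

The matching-rule query is evaluated on the domain controller, so it returns the whole chain in one round trip; for large forests it is far cheaper than walking memberOf recursively from the client. It still does not include the primary group, which has to be looked up from primaryGroupID separately.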