Windows Active Directory provides very useful enterprise user management capabilities. PowerShell is a new scripting language provided for Microsoft operating systems. `Get-ADUser` is a very useful command, or cmdlet, which can be used to list Active Directory users in different ways.
List Domain Users Interactively
We will start with a simple example and list all domain users. In this example, we will not provide any option or parameter to the `Get-ADUser` command. After running the command we will be asked for a filter. We will provide the asterisk `*` as the filter, which means all users.
PS> Get-ADUser

The following information is provided with the Get-ADUser command.
- `DistinguishedName` will provide the complete canonical name for the user.
- `Enabled` will show whether the user account is enabled or not.
- `GivenName` is the human-readable name which is generally the name and surname of the user.
- `ObjectClass` is the user type which is generally `user`.
- `ObjectGUID` is the unique ID of the current user or object.
- `SamAccountName` is the SAM account name of the user.
List Domain Users
In this example, we will list all domain users by providing the asterisk `*` as a parameter to the `Get-ADUser` command. We will use the `-Filter` option.
PS> Get-ADUser -Filter *

List All Users In A Container or OU
As an enterprise environment has a lot of users in different departments, containers, and OUs, we may need to list only the users of a given department, container or OU. We will use the `-SearchBase` option and provide the OU to filter users. In this example, we will use `DC=ABC,DC=LOCAL`.
PS> Get-ADUser -Filter * -SearchBase "DC=ABC,DC=LOCAL"

Filter Users By Username
We can filter users by their username. We will use a query language that will specify the name in PowerShell. We will also use the `-Filter` option. In this example, we will list users whose usernames start with the letter `H`.
PS> Get-ADUser -Filter 'Name -like "H*"'

Alternatively, we can specify the search term like `*dan`, which will search for the user names that end with `dan`.
Filter Users By Surname
Another popular search case is searching for users according to their surnames. We will use the `Surname` property of the user with the `-Filter` option. In the following example, we will search for the users whose surnames end with `ak`.
PS> Get-ADUser -Filter 'Surname -like "*ak"'
Complex Filter and Search with AND
Searching and filtering with a single property is easy, but in some cases we may need to search and filter for multiple conditions. We can use AND and OR logic (the `-and` and `-or` operators) for different properties. Below we will search for the users whose name starts with `İs` and whose surname ends with `an`. So we will use AND logic in order to meet both conditions for the Name and Surname properties.
PS> Get-ADUser -Filter { (Name -like "İs*") -and (Surname -like "*an") }
Let’s make this example more complex but more usable by adding more conditions. We will search and filter users which reside in the `MyUsers` OU with the specified name and surname.
PS> Get-ADUser -SearchBase "OU=MyUsers,DC=ABC,DC=LOCAL" -Filter { (Name -like "İs*") -and (Surname -like "*an") }
Get All Properties
As Active Directory is a very complex environment, there are a lot of attributes and properties about users. By default, only some of them are printed, like Name, SID, Surname, GivenName, etc. We can also list all of these attributes with the `-Properties` option and the asterisk `*`.
PS> Get-ADUser -Filter * -Properties *

As we can see, properties like AccountExpirationDate, AccountLockoutTime, … are printed.
- `AccountExpirationDate` will show the account expiration date if it is set. If not, there will be no value.
- `AccountExpires` will show whether the account has an expiration date.
- `AccountLockoutTime` will show the interval to lock the account when it is idle.
- `BadLogonCount` will show how many unsuccessful login attempts occurred in the past.
- `Created` will show the date and time information about the account creation.
- `Company` will show the user company name of the user account if set.
Filter and Show Specific Properties
As there are a lot of properties and, by default, only some of them are printed, we may need specific properties to be printed. We can print a specific property or attribute by specifying it with the `-Properties` option like below. We will print properties like `BadLogonCount`, `Title`, etc.
PS> Get-ADUser -Filter * -Properties "BadLogonCount","Title"

Show Properties For Specific User
We can also show properties of a specific user. We need to provide the username to the `-Filter` option, together with the properties or attributes we want to show.
PS> Get-ADUser -Filter "Name -like 'İsmail Baydan'" -Properties "BadLogonCount","Title"
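`BadLogonCount` (the `badPwdCount` attribute) is kept separately by each domain controller and is not replicated, so a single `Get-ADUser` query shows only the count held by the DC that answered. The following added example, which is not part of the original article, asks every domain controller and merges the results. The function name `Get-BadLogonSummary` and its parameters are hypothetical, and it assumes the ActiveDirectory module and read access to each DC.

```powershell
# Added example; Get-BadLogonSummary and its parameters are hypothetical names.
Import-Module ActiveDirectory

function Get-BadLogonSummary {
    param(
        [int]$Threshold = 3,      # report accounts at or above this count on any DC
        [string]$SearchBase       # optional OU or domain DN, e.g. "DC=ABC,DC=LOCAL"
    )

    $results = foreach ($dc in Get-ADDomainController -Filter *) {
        $query = @{
            Filter     = "badPwdCount -ge $Threshold"   # typed [int], safe to interpolate
            Properties = 'BadLogonCount', 'LockedOut', 'LastBadPasswordAttempt'
            Server     = $dc.HostName
        }
        if ($SearchBase) { $query.SearchBase = $SearchBase }

        try {
            Get-ADUser @query -ErrorAction Stop | ForEach-Object {
                [pscustomobject]@{
                    SamAccountName         = $_.SamAccountName
                    DomainController       = $dc.HostName
                    BadLogonCount          = $_.BadLogonCount
                    LockedOut              = $_.LockedOut
                    LastBadPasswordAttempt = $_.LastBadPasswordAttempt
                }
            }
        }
        catch {
            # An unreachable DC should not hide the results from the others.
            Write-Warning "Could not query $($dc.HostName): $_"
        }
    }

    # One row per user: highest count on any DC, sum over all DCs, latest failure.
    $results | Group-Object SamAccountName | ForEach-Object {
        [pscustomobject]@{
            SamAccountName = $_.Name
            MaxBadLogons   = ($_.Group | Measure-Object BadLogonCount -Maximum).Maximum
            TotalBadLogons = ($_.Group | Measure-Object BadLogonCount -Sum).Sum
            LockedOut      = [bool]($_.Group.LockedOut -contains $true)
            LastAttempt    = $_.Group.LastBadPasswordAttempt | Sort-Object | Select-Object -Last 1
        }
    } | Sort-Object TotalBadLogons -Descending
}

Get-BadLogonSummary -Threshold 3 | Format-Table -AutoSize
```

Many accounts with a small, similar count and close `LastAttempt` times are worth a closer look than one account with a high count.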

Export To CSV File
If we are working with 3rd party systems and need to provide Active Directory user data, we can use the CSV format. We can export the Active Directory user data as CSV to a file with the `Export-CSV` command like below. We will also provide the CSV file name and path, which is `ADUsers.csv` in this example.
PS> Get-ADUser -Filter "*" | Export-CSV -Path ADUsers.csv

Print Email Address
Email address information can also be printed with the `Get-ADUser` command. We will just provide the email address as the property we want to print.
PS> Get-ADUser -Filter "*" -Properties "EmailAddress"
List Only Enabled Users
Active Directory users can be disabled for different reasons, such as security. After a user account is disabled, its `Enabled` property will be set to false. If we need to list only enabled users and filter out disabled users, we can use the `Enabled -eq $True` filter.
PS> Get-ADUser -Filter {Enabled -eq $True}
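Combining the `Enabled` filter, `-SearchBase`, a short `-Properties` list and `Export-Csv` gives a review report of enabled accounts that have not logged on recently. This is an added example, not code from the original article; the function name, its parameters and the output path are hypothetical.

```powershell
# Added example; Export-EnabledUserReview and its parameters are hypothetical names.
Import-Module ActiveDirectory

function Export-EnabledUserReview {
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. "DC=ABC,DC=LOCAL"
        [int]$StaleDays = 90,
        [string]$Path = '.\EnabledUserReview.csv'    # assumed output location
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Request only the attributes the report needs instead of -Properties *.
    $props = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires', 'Title', 'Created'

    # LastLogonDate comes from lastLogonTimestamp, which replicates between DCs
    # but can lag real logons by up to about 14 days.
    $report = Get-ADUser -Filter {Enabled -eq $True} -SearchBase $SearchBase -Properties $props |
        Select-Object SamAccountName, Name, Title, Created, LastLogonDate,
            PasswordLastSet, PasswordNeverExpires,
            @{ Name = 'NeverLoggedOn'; Expression = { $null -eq $_.LastLogonDate } },
            @{ Name = 'Stale'; Expression = { [bool]($_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) } }

    # -NoTypeInformation drops the "#TYPE" header line that Windows PowerShell 5.1
    # writes by default and that other CSV consumers do not expect.
    $report | Sort-Object LastLogonDate |
        Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8

    # Return a short summary so the run can be logged or checked.
    [pscustomobject]@{
        EnabledUsers  = @($report).Count
        Stale         = @($report | Where-Object { $_.Stale }).Count
        NeverLoggedOn = @($report | Where-Object { $_.NeverLoggedOn }).Count
        CsvPath       = (Resolve-Path -Path $Path).Path
    }
}

Export-EnabledUserReview -SearchBase 'DC=ABC,DC=LOCAL' -StaleDays 90
```

The CSV holds directory data for every enabled account, so write it to a folder whose ACL is limited to the people doing the review.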
how to get AD user LOGON name to csv
Voila Poulpe :
get-aduser -filter * | select-object samaccountname | Out-File c:\USERAD2.csv
How to get the enabled users who have logged in in the last 90 days? For legal reasons I can't disable some users.
Conrad
| export-csv c:\DIR_YOU_WANT\contacts.csv
how count the aduser object or adcomputer every 1000 then after reading the 1000 objects will parse to csv file and continue again to count 1001 until it reach the last objects?
is that possible