Get-ADUser

Get one or more Active Directory users.

Syntax
 Get-ADUser -Filter string [-ResultPageSize int] [-ResultSetSize int32]
 [-SearchBase string] [-SearchScope {Base | OneLevel | Subtree}]
 [-AuthType {Negotiate | Basic}]
 [-Credential PSCredential] [-Partition string]
 [-Properties string[]] [-Server string] [CommonParameters ]
 Get-ADUser [-Identity] ADUser [-AuthType {Negotiate | Basic}]
 [-Credential PSCredential] [-Partition string]
 [-Properties string[]] [-Server string] [CommonParameters ]
 Get-ADUser -LDAPFilter string [-ResultPageSize int] [-ResultSetSize int32]
 [-SearchBase string] [-SearchScope {Base | OneLevel | Subtree}]
 [-AuthType {Negotiate | Basic}]
 [-Credential PSCredential] [-Partition string]
 [-Properties string[]] [-Server string] [CommonParameters ]
Key
 -AuthType {Negotiate | Basic}
 The authentication method to use: Negotiate (or 0), Basic (or 1)
 A Secure Sockets Layer (SSL) connection is required for Basic authentication.
 -Credential PSCredential
 The user account credentials to use to perform this task.
 The default credentials are those of the currently logged on user unless the
 cmdlet is run from an Active Directory PowerShell provider drive.
 If the cmdlet is run from such a provider drive, the account associated with the drive is the default.
 Type a user name, such as "User64" or "Domain64\User64" or specify a
 PSCredential object such as one generated by Get-Credential 
 If a user name is specified, the cmdlet will prompt for a password.
 -Filter string
 A query string that retrieves Active Directory objects.
 This string uses the PowerShell Expression Language syntax:
 filter ::= "{" FilterComponentList"}"
 FilterComponentList ::= FilterComponent | FilterComponent JoinOperator FilterComponent | NotOperator FilterComponent
 FilterComponent ::= attr FilterOperator value | "(" FilterComponent")"
 FilterOperator ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
 JoinOperator ::= "-and" | "-or"
 NotOperator ::= "-not"
 attr ::= PropertyName | LDAP_Name_of_the_attribute
 value::= <compare this value with an attr by using the specified FilterOperator>
 -Identity ADUser
 An AD account object, specified with one of the following values.
 (The identifier in parentheses is the LDAP provider name for the attribute.)
 Distinguished Name 
 Example: CN=JonSmith,CN=Sales,OU=europe,CN=users,DC=corp,DC=SS64,DC=com 
 GUID (objectGUID) 
 Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
 Security Identifier (objectSid) 
 Example: S-1-5-21-3165297888-301567370-576410423-1103
 Security Accounts Manager (SAM) Account Name (sAMAccountName)
 Example: JonSmith
 The cmdlet searches the default naming context or partition to find the object.
 If two or more objects are found, the cmdlet returns a non-terminating error.
 This parameter can also get this object through the pipeline or you can set this
 parameter to an object instance.
 This example shows how to set the parameter to a distinguished name.
 -Identity "CN=JonSmith,CN=Sales,OU=europe,CN=users,DC=corp,DC=SS64,DC=com"
 This example shows how to set this parameter to a user object instance named "accountInstance".
 -Identity $accountInstance
 -LDAPFilter string
 An LDAP query string that is used to filter AD objects.
 Use this parameter to run existing LDAP queries. 
 See also Help about_ActiveDirectory_Filter.
 For example to search an OU for names beginning with "sara".
 -LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=demo,DC=SS64,DC=com"
 -Partition string
 The distinguished name of an AD partition.
 string must be one of the naming contexts on the current directory server.
 The cmdlet searches this partition to find the object defined by the -Identity parameter. 
 Examples:
 -Partition "CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
 -Partition "CN=Schema,CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
 
 In many cases, a default value will be used for -Partition if no value is specified.
 
 -Properties string[]
 The properties of the output object to retrieve from the server (comma-separated list).
 Use this parameter to retrieve properties that are not included in the default set.
 To display all of the attributes that are set on the object, specify * (asterisk).
 Specify the property Name, or for non default/extended properties, the LDAP provider Name of the attribute.
 -ResultPageSize int
 The number of objects to include in each page for an AD Domain Services query.
 default = 256
 -ResultSetSize Int32
 The maximum number of objects to return for an AD Domain Services query.
 To receive all objects, set this to $null (the default). Pressing Ctrl+C stops the query and the return of objects.
 default = $null
 -SearchBase string
 An Active Directory path to search under.
 e.g.
 -SearchBase "ou=training,dc=demo,dc=ss64,dc=com"
 -SearchScope
 The scope of an AD search.
 Possible values for this parameter are:
 Base or 0 Search only the current path or object.
 OneLevel or 1 Search the immediate children
 Subtree or 2 Search the current path/object and all children
 -Server string
 The AD Domain Services instance to connect to. This may be a fully qualified domain name (the cmdlet
 then picks a domain controller), a NetBIOS domain name, or a fully qualified directory server name,
 with or without a port number (hostname:port).

Get-ADUser gets a user object or performs a search to retrieve multiple user objects.

The -Identity parameter specifies the AD user to get. Identify a user with a distinguished name (DN), GUID, security identifier (SID) or Security Accounts Manager (SAM) account name; the display name (CN) is not accepted by -Identity, use -Filter for that. Alternatively set the -Identity parameter to a user object variable, or pass a user object through the PowerShell pipeline.

To search for and retrieve more than one user, use -Filter or -LDAPFilter.
-Filter uses the PowerShell Expression Language to write query strings for AD. see help about_ActiveDirectory_Filter.
-LDAPFilter uses LDAP query strings, which for AD is often the easier option.
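Added example, not code from the original page or from SS64: a read-only audit that uses the -Filter and -LDAPFilter forms described above to find user-account settings an attacker looks for (no pre-authentication, blank password allowed, non-expiring password, a servicePrincipalName, stale passwords and logons). It assumes the ActiveDirectory module is installed, the caller can read the domain, the OU "OU=Personnel,DC=SS64,DC=COM" exists and 90 days is the staleness threshold; the userAccountControl bit values are Microsoft-defined flags, not taken from this page.

```powershell
# Added example, not from the original page. Read-only audit of user-account
# settings, all evaluated on the domain controller via -Filter / -LDAPFilter.
# Assumptions: ActiveDirectory module, read access, the OU below exists.
Import-Module ActiveDirectory

# userAccountControl bit values (Microsoft-defined flags, not from this page)
$UF_ACCOUNTDISABLE       = 0x0002
$UF_PASSWD_NOTREQD       = 0x0020    # blank password permitted
$UF_DONT_EXPIRE_PASSWD   = 0x10000   # password never expires
$UF_DONT_REQUIRE_PREAUTH = 0x400000  # Kerberos pre-authentication not required

$searchBase  = 'OU=Personnel,DC=SS64,DC=COM'   # assumed OU
$staleCutoff = (Get-Date).AddDays(-90)
$props       = 'userAccountControl', 'PasswordLastSet', 'lastLogonTimestamp', 'servicePrincipalName'

# A -Filter string is expanded by PowerShell before it is sent, so variable
# values become literals in the query; $_ and method calls are not available
# inside the filter and nothing is evaluated on the client side.
$findings = [System.Collections.Generic.List[object]]::new()

# -band tests one bit of userAccountControl (LDAP rule 1.2.840.113556.1.4.803)
$flags = [ordered]@{
    'PASSWD_NOTREQD'       = $UF_PASSWD_NOTREQD
    'DONT_EXPIRE_PASSWD'   = $UF_DONT_EXPIRE_PASSWD
    'DONT_REQUIRE_PREAUTH' = $UF_DONT_REQUIRE_PREAUTH   # AS-REP roastable
}
foreach ($flag in $flags.GetEnumerator()) {
    Get-ADUser -Filter "Enabled -eq 'True' -and userAccountControl -band $($flag.Value)" `
               -SearchBase $searchBase -Properties $props |
        ForEach-Object { $findings.Add([pscustomobject]@{
            SamAccountName = $_.SamAccountName; Finding = $flag.Name }) }
}

# An enabled user with a servicePrincipalName has a service ticket that can be
# requested by any domain user and cracked offline (Kerberoasting)
Get-ADUser -Filter "Enabled -eq 'True' -and servicePrincipalName -like '*'" `
           -SearchBase $searchBase -Properties $props |
    ForEach-Object { $findings.Add([pscustomobject]@{
        SamAccountName = $_.SamAccountName; Finding = 'HAS_SPN' }) }

# DateTime values can be compared directly in the {scriptblock} form ...
Get-ADUser -Filter { Enabled -eq $true -and PasswordLastSet -lt $staleCutoff } `
           -SearchBase $searchBase -Properties $props |
    ForEach-Object { $findings.Add([pscustomobject]@{
        SamAccountName = $_.SamAccountName; Finding = 'PASSWORD_OLDER_THAN_90D' }) }

# ... but lastLogonTimestamp is a raw Int64 file time, so convert the cut-off.
# It replicates lazily (up to 14 days behind), so treat the result as approximate.
$cutoffFileTime = $staleCutoff.ToFileTime()
Get-ADUser -Filter "Enabled -eq 'True' -and lastLogonTimestamp -lt $cutoffFileTime" `
           -SearchBase $searchBase -Properties $props |
    ForEach-Object { $findings.Add([pscustomobject]@{
        SamAccountName = $_.SamAccountName; Finding = 'NO_LOGON_IN_90D' }) }

# The same pre-auth check as a raw LDAP filter, reusable with [ADSISearcher]
# or ldapsearch; the second clause excludes disabled accounts.
$ldap = "(&(userAccountControl:1.2.840.113556.1.4.803:=$UF_DONT_REQUIRE_PREAUTH)" +
        "(!(userAccountControl:1.2.840.113556.1.4.803:=$UF_ACCOUNTDISABLE)))"
$viaLdap = Get-ADUser -LDAPFilter $ldap -SearchBase $searchBase
Write-Verbose ("-LDAPFilter returned {0} pre-auth findings" -f @($viaLdap).Count)

$findings | Sort-Object SamAccountName, Finding | Format-Table -AutoSize
```

Every query above is answered by the domain controller and only matching objects cross the wire, which is why a server-side filter scales where piping every user into Where-Object does not. Run it with -Verbose to confirm that the -LDAPFilter form and the -band form of the pre-auth check agree.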

A shortcut method to get user properties without the ActiveDirectory module (via PowerShell.com), here the DisplayName of the current user:

([adsisearcher]"(samaccountname=$env:USERNAME)").FindOne().Properties['displayname']

Built-in account names such as Administrator and Guest are localized, so the names will change based on the language of the Windows OS (and they may have been renamed). Their SIDs do not change: pass the SID to -Identity (see the -Identity examples above), or for local accounts run a WMI query with Get-CimInstance (Win32_UserAccount).
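Added example, not code from the original page or from SS64: a small lookup function that accepts any of the -Identity forms listed above (SID, SAM account name, DN or GUID), optionally pins the query to one domain controller with -Server, and turns the cmdlet's "not found" error into a warning instead of a red error. It then fetches the built-in accounts by well-known RID appended to the domain SID, which works whatever the OS language or renaming has done to the display name. It assumes the ActiveDirectory module is installed, the caller can read the domain, and that a DC named dc01.ss64.com exists (hypothetical).

```powershell
# Added example, not from the original page. Assumes the ActiveDirectory
# module and read access to the domain; dc01.ss64.com is a hypothetical DC.
Import-Module ActiveDirectory

function Find-ADUserSafe {
    param(
        [Parameter(Mandatory)][string]$Identity,     # SID, SAM name, DN or GUID
        [string]$Server,                             # e.g. 'dc01.ss64.com' (hypothetical)
        [string[]]$Properties = @('Enabled', 'whenCreated', 'PasswordLastSet')
    )
    $opt = @{ Identity = $Identity; Properties = $Properties; ErrorAction = 'Stop' }
    if ($Server) { $opt.Server = $Server }           # pin to one DC when asked
    try {
        # ErrorAction Stop turns the non-terminating error into an exception;
        # the not-found case has its own exception type, other failures propagate.
        Get-ADUser @opt
    }
    catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        Write-Warning "No user matches '$Identity'"
        $null
    }
}

# Well-known relative identifiers (RIDs) are the same in every domain,
# so <domain SID>-<RID> locates the account regardless of its current name.
$domainSid = (Get-ADDomain).DomainSID.Value
$wellKnown = [ordered]@{
    'Administrator (RID 500)' = "$domainSid-500"
    'Guest (RID 501)'         = "$domainSid-501"
    'krbtgt (RID 502)'        = "$domainSid-502"
}
foreach ($entry in $wellKnown.GetEnumerator()) {
    $u = Find-ADUserSafe -Identity $entry.Value
    if ($u) {
        [pscustomobject]@{
            Role            = $entry.Key
            SamAccountName  = $u.SamAccountName     # the localized or renamed name
            Enabled         = $u.Enabled
            PasswordLastSet = $u.PasswordLastSet
        }
    }
}

# Ordinary lookups go through the same function
Find-ADUserSafe -Identity 'StanGetz'
Find-ADUserSafe -Identity 'S-1-5-21-3165297888-301567370-576410423-1103' -Server 'dc01.ss64.com'
```

The RID 500 row shows whether the built-in administrator has been renamed and whether it is still enabled; the krbtgt row's PasswordLastSet is the date the KDC's ticket-signing key was last rotated.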

Standard Aliases for Get-ADUser: none

This cmdlet retrieves a default set of user object properties. To retrieve additional properties use -Properties

Examples

Get all users:

PS C:\> Get-ADUser -Filter *

Count all the users:

PS C:\> (Get-AdUser -Filter * | Measure-Object).Count

Get all users under the container 'OU=Personnel,DC=SS64,DC=COM':

PS C:\> Get-ADUser -Filter * -SearchBase "OU=Personnel,DC=SS64,DC=COM"

Get all AD Users with all their properties:

PS C:\> Get-ADUser -Filter * -Properties *

Get the user with samAccountName 'StanGetz', first with the default set of properties and then with all properties:

PS C:\> Get-ADUser -identity StanGetz

PS C:\> Get-ADUser StanGetz -Properties *

Get a single AD User by UserPrincipalName:

Get-ADUser -Filter {UserPrincipalName -eq "Sandy.Morgan@example.com"}

Get all the available attributes for the current user:

PS C:\> Get-ADUser -Identity $env:USERNAME -Properties *

Get all names and email addresses and export to a spreadsheet:

PS C:\> $users = Get-ADUser -Filter {name -like "*"} -Properties name, mail, givenName, Surname | Select-Object name, mail, givenName, Surname

PS C:\> $users | Export-CSV C:\demo\users.csv -NoTypeInformation

Get all users with an email address set:

PS C:\> Get-ADUser -LDAPFilter '(mail=*)' -properties SamAccountName, GivenName, Surname, mail | `
Select-Object SamAccountName, GivenName, Surname, mail

Get users with NO mail address. A server-side -Filter or -LDAPFilter is faster than piping every user through a Where-Object clause, because the domain controller returns only the matching objects (via PowerShell.com):

PS C:\> Get-ADUser -LDAPFilter '(!(mail=*))' -properties SamAccountName, GivenName, Surname, mail | `
Select-Object SamAccountName, GivenName, Surname, mail

PS C:\> Get-ADUser -Filter {mail -notlike "*"} -Properties SamAccountName, GivenName, Surname, mail | `
Select-Object SamAccountName, GivenName, Surname, mail

Get all Disabled users:

PS C:\> Get-ADUser -Filter {Enabled -eq $false} | Select-Object Name, UserPrincipalName | Sort-Object Name

Use a .ps1 script to retrieve a list of AD properties, including some extended properties, for a given username:

param (
 [string]$userName = $(throw "-username is required.")
)
Write-Output "[$userName]"

$Properties =
@(
 'DisplayName',
 'SamAccountName',
 'UserPrincipalName',
 'Enabled',
 'Created',
 'AccountExpirationDate',
 'telephoneNumber',
 'EmailAddress',
 'mobile',
 'title',
 'manager',
 'physicalDeliveryOfficeName',
 'otherTelephone',
 'extensionAttribute1', # the extensionAttribute* properties require Exchange
 'extensionAttribute7',
 'extensionAttribute15'
)
Get-ADUser $userName -Properties $Properties | Select-Object $Properties
pause

Get all users that have a name that ends with 'SvcAccount':

PS C:\> Get-ADUser -Filter 'Name -like "*SvcAccount"' | FT Name,SamAccountName -A

Get all users who are missing a Mail Address, using [ADSISearcher] via Powershell.com

$searcher = [ADSISearcher]"(&(sAMAccountType=$(0x30000000))(!(mail=*)))"
$searcher.FindAll() |
ForEach-Object { $_.GetDirectoryEntry() } |
Select-Object -Property sAMAccountName, name, mail

Get all users who are a 'memberof' the group ss64Group, including membership through nested groups:

PS C:\> $dn = (Get-ADGroup -Identity 'ss64Group').distinguishedName
PS C:\> Get-ADUser -Filter "memberOf -recursivematch '$($dn)'"

Get all the AD groups which the user User64 is a direct member of:

(Get-ADUser User64 -Properties MemberOf).MemberOf

Get all the AD groups which the current user is a member of including any inherited groups:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$user = [System.DirectoryServices.AccountManagement.UserPrincipal]::Current
$groups = $user.GetAuthorizationGroups() | Select-Object SamAccountName #use Name to only get the name.
ForEach ($group in $groups){$group}

Get all the AD groups which 'User64' is a member of including any inherited groups:

Add-Type -AssemblyName System.DirectoryServices.AccountManagement
$Username = 'User64'
$ctx = New-Object 'DirectoryServices.AccountManagement.PrincipalContext' ([DirectoryServices.AccountManagement.ContextType]::Domain)
$user = [DirectoryServices.AccountManagement.UserPrincipal]::FindByIdentity( $ctx, $Username )
if ($user) { # FindByIdentity returns $null when the account does not exist
 $groups = $user.GetAuthorizationGroups() | Select-Object SamAccountName #use Name to only get the name.
 ForEach ($group in $groups){ $group}
}
$ctx.Dispose()

Get all users who do NOT have 'Domain Users' (513) as their primary group:

PS C:\> Get-ADUser -filter {primaryGroupID -ne 513} |
Select-Object name | Sort-Object -property name

Get the user 'MariaO' along with their Terminal Services profile path, using a calculated property in the Select-Object statement:

PS C:\> Get-ADUser 'MariaO' | Select-object DistinguishedName,SamAccountName, GivenName,Surname, @{Name="TermPath";Expression={([adsi]("LDAP://$($_.distinguishedName)")).psbase.InvokeGet("terminalServicesProfilePath")}}

"I rely on my personality for birth control" ~ Liz Winston

Related PowerShell Cmdlets

LastLogon - Find when a user account last logged in.
Query-UserAccountControl.ps1 - List the UAC Flag for all User and Computer accounts. Identify specific configurations.
New-ADUser - Create a new AD user.
Remove-ADUser - Remove an AD user.
Set-ADUser - Modify an AD user.
Get-MgUser - Get MS Graph User (Azure).

Copyright © 1999-2026 SS64.com
Some rights reserved
