I am a big fan of the PowerShell Community Extensions. I think they have done a great job in providing extra functionality to PowerShell through the cmdlets and providers.

In all of the excitement around the Active Directory provider a couple of the cmdlets that can interact with Active Directory have been overlooked.

Get-ADObject will search the Active Directory for objects. If no parameters are supplied it will attempt to return all of the objects in Active Directory. One point to be aware of is that the cmdlets will only return a single page of results. There is a setting in Active Directory that controls how many objects are returned on a page – the default is 1000. Unfortunately there isn’t a parameter to override the current setting in the cmdlet. If you need to return more than 1000 entries you will need to make the change in AD.

With that caveat out of the way it is still a very useful cmdlet. It has a number of parameters allowing you to:

  • specify the domain controller
  • specify a search in the global catalog
  • specify authentication credentials
  • specify a domain controller
  • specify a filter and scope for the search

One thing to be aware of is that the filter uses the LDAP syntax

Just to demonstrate a few searches

PS> Get-ADObject -filter ("cn=Richard")






To display all users with disabled accounts

PS> Get-ADObject -Filter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"







{CN=HASSI Satu,OU=Finland,DC=starking,DC=org}


To display all users with country set to Holland

PS> Get-ADObject -Filter "(&(objectclass=user)(objectcategory=user)(c=NL))"




{CN=BELDER Bastiaan,OU=Holland,DC=starking,DC=org}

{CN=van den BERG Margrietus,OU=Holland,DC=starking,DC=org}

{CN=BERMAN Thijs,OU=Holland,DC=starking,DC=org}

{CN=BLOKLAND Johannes,OU=Holland,DC=starking,DC=org}

{CN=BOZKURT Emine,OU=Holland,DC=starking,DC=org}

{CN=van BUITENEN Paul,OU=Holland,DC=starking,DC=org}

{CN=BUITENWEG Kathalijne Maria,OU=Holland,DC=starking,DC=org}

{CN=van den BURG Ieke,OU=Holland,DC=starking,DC=org}

{CN=CORBEY Dorette,OU=Holland,DC=starking,DC=org}

{CN=DOORN Bert,OU=Holland,DC=starking,DC=org}

{CN=EURLINGS Camiel,OU=Holland,DC=starking,DC=org}

{CN=de GROEN-KOUWENHOVEN Elly,OU=Holland,DC=starking,DC=org}

{CN=HENNIS-PLASSCHAERT Jeanine,OU=Holland,DC=starking,DC=org}

{CN=in ‘t VELD Sophia,OU=Holland,DC=starking,DC=org}

{CN=LAGENDIJK Joost,OU=Holland,DC=starking,DC=org}

{CN=LIOTARD Kartika Tamara,OU=Holland,DC=starking,DC=org}

{CN=MAAT Albert Jan,OU=Holland,DC=starking,DC=org}

{CN=MAATEN Jules,OU=Holland,DC=starking,DC=org}

{CN=MANDERS Toine,OU=Holland,DC=starking,DC=org}

{CN=MARTENS Maria,OU=Holland,DC=starking,DC=org}

{CN=MASTENBROEK Edith,OU=Holland,DC=starking,DC=org}

{CN=MEIJER Erik,OU=Holland,DC=starking,DC=org}

{CN=MULDER Jan,OU=Holland,DC=starking,DC=org}

{CN=van NISTELROOIJ Lambert,OU=Holland,DC=starking,DC=org}

{CN=OOMEN-RUIJTEN Ria,OU=Holland,DC=starking,DC=org}

{CN=WIERSMA Jan Marinus,OU=Holland,DC=starking,DC=org}

{CN=WORTMANN-KOOL Corien,OU=Holland,DC=starking,DC=org}

A good search tool that delivers what its sets out to do. As long as the issue of a 1000 maximum on the results is remembered it is fine.

Other cmdlets from the 1.1 version of the PowerShell Community Extensions that will be useful are:

  • get-domaincontroller
  • get-dhcpserver
  • resolve-host

This entry was posted in Active Directory administration with PowerShell. Bookmark the permalink.

2 Responses to Get-ADObject

  1. Kevin says:

    One thing I’ve found with PS V3.0 is that you need to use -LDAPFilter as opposed to -Filter. To search for all disabled user accounts…
    Get-ADObject -LDAPFilter “(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))”

    Using the -Filter option generates the following error
    Get-ADObject : Error parsing query: ‘(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))’ Error Message: ‘syntax error’ at position: ‘2’.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s