Using GivenName and Surname instead of samAccountName

A recent comment on this post asked about using the given name and surname rather than the samAccountName in Get-ADUser.

Get-ADUser has 4 options when using the -Identity parameter:

Account name = samAccountName

Distinguished Name

Object GUID

Security identifier = SID.

Using the given name and surname, on the surface, doesn’t seem possible BUT (and there’s always a but with PowerShell) you can use the -Filter or -LDAPFilter parameters.

Where you know the samAccountName you can do this:

Get-ADUser -Identity gdreen

Working with the names you could try this:

Get-ADUser -Filter {GivenName -eq 'Dave' -and Surname -eq 'Green'}

Alternatively, you could use an LDAP filter:

Get-ADUser -LDAPFilter "(&(GivenName=Dave)(Sn=Green))"

The LDAP syntax is a bit more complex but you can parse it as

(GivenName=Dave) AND (Sn=Green)

You have to use the LDAP name, Sn, for the Surname property rather than the more friendly property name that the -Filter parameter allows.

If you wanted to modify the code in the original article to use this approach:

$users = Import-Csv -Path C:\Scripts\adtest.csv
foreach ($user in $users) {
    # Copy the CSV fields into simple variables that the filter can reference
    $fname = $user.GivenName
    $lname = $user.Surname
    Get-ADUser -Filter {GivenName -eq $fname -and Surname -eq $lname} -Properties * |
        select SamAccountName, Division, Office, City
}

I’ve found that it’s easier to substitute variables into the filter rather than try and use the object from the CSV file directly.

The LDAP filter version would be

$users = Import-Csv -Path C:\Scripts\adtest.csv
foreach ($user in $users) {
    # The CSV values are expanded into the LDAP filter string
    Get-ADUser -LDAPFilter "(&(GivenName=$($user.GivenName))(Sn=$($user.Surname)))" -Properties * |
        select SamAccountName, Division, Office, City
}

In this case you’re substituting into a string and it works quite nicely.
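An added example, not part of the original post: values substituted into an LDAP filter string are read as filter syntax, so this version escapes each CSV field per RFC 4515 first and skips any name that matches zero or several accounts. ConvertTo-LdapFilterValue is a hypothetical helper name, the sample rows are constructed, and the ActiveDirectory module is assumed to be loaded.

```powershell
# Added example (not the original author's code).
# ConvertTo-LdapFilterValue is a hypothetical helper name.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)
    # RFC 4515: \ * ( ) and NUL become a backslash plus two hex digits.
    # The backslash is replaced first so later escapes are not re-escaped.
    $Value.Replace('\', '\5c').
           Replace('*', '\2a').
           Replace('(', '\28').
           Replace(')', '\29').
           Replace([string][char]0, '\00')
}

# Constructed sample rows standing in for C:\Scripts\adtest.csv.
# The second row holds characters that are filter syntax if left unescaped.
$users = @'
GivenName,Surname
Dave,Green
*,Gr(een)
'@ | ConvertFrom-Csv

foreach ($user in $users) {
    $given  = ConvertTo-LdapFilterValue $user.GivenName
    $sn     = ConvertTo-LdapFilterValue $user.Surname
    $filter = "(&(GivenName=$given)(Sn=$sn))"

    # Request only the properties that are reported, not -Properties *.
    $found = @(Get-ADUser -LDAPFilter $filter -Properties Division, Office, City)

    # Names are not unique identifiers: report anything other than one match.
    if ($found.Count -ne 1) {
        Write-Warning "$($found.Count) matches for '$($user.GivenName) $($user.Surname)', skipped"
        continue
    }
    $found | Select-Object SamAccountName, Division, Office, City
}
```

The single-match check matters most when the result is piped into a cmdlet that changes accounts, since a given name and surname pair can belong to more than one user.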


13 Responses to Using GivenName and Surname instead of samAccountName

  1. Hi Richard,

    Another good way to search for ‘woolly’ names in AD is to use Ambiguous Name Resolution (ANR). So you could try:

    Get-AdUser -Filter {anr -eq ‘Dave’}

    or (even better)

    Get-AdUser -Filter {anr -eq ‘Dave Green’}

    LDAP versions:
    Get-AdUser -LdapFilter ‘(anr=dave)’
    Get-AdUser -LdapFilter ‘(anr=dave green)’

    There’s a great Wiki article on ANR here:


  2. robstelz says:

    Hi Richard. Me again 🙂 I know you said that Get-ADUser can only call users by the 4 attributes listed above, but I believe you mentioned there was a way to call an AD user by other means. I am running the script below…it is very strange because I run the script, I get no errors, but the EmployeeID attribute does not get updated. Can you help me to determine what I am doing wrong?

    My CSV file looks like…


    And I am running…

    foreach ($user in $users){Get-ADUser -Filter “mail -eq ‘($user.mail)'” -Properties * | % { Set-ADUser $_ -Replace @{EmployeeID= $_.EmployeeID}}}

    Thanks again!!

    • Hi
      I’m assuming you start by getting the contents of the CSV file
      $users = import-csv csvfile.csv

      Your problem comes because of using $_.EmployeeID in Set-ADUser.

      your code needs to look more like this

      foreach ($user in $users){
      Get-ADUser -Filter “mail -eq ‘($user.mail)’” -Properties * |
      Set-ADUser -Replace @{EmployeeID= $user.EmployeeID}

      Get-ADUser should only return a single user

      @{EmployeeID= $_.EmployeeID}
      will set the EmployeeId to the value of EmployeeId on the object coming down the pipeline so doesn’t change. You need to refer back to the user info you imported into the CSV

      I’m going to do a post on the problems of using $_

  3. robstelz says:

    Yes, correct, sorry forgot that part. I am importing CSV and setting the variable to $users

  4. robstelz says:

    I ran it like this but nothing but blood on the screen…
    foreach ($user in $users){Get-ADUser -Filter “mail -eq ‘($user.mail)’” -Properties * | Set-ADUser -Replace @{EmployeeID= $user.EmployeeID}}

    At line:1 char:27
    + foreach ($user in $users){Get-ADUser -Filter “mail -eq ‘($user.mail)’” -Properti …

    • Yeah – my mistake. I typed faster than I thought
      foreach ($user in $users){
      Get-ADUser -Filter “mail -eq ‘($user.mail)’” -Properties * |
      foreach {Set-ADUser $_ -Replace @{EmployeeID= $user.EmployeeID}}

  5. robstelz says:

    Getting this now…

    Get-ADUser : Error parsing query: ‘mail -eq ‘(@{; EmployeeID=018737}.mail)’’ Error Message:
    ‘syntax error’ at position: ’10’.
    At line:1 char:27
    + foreach ($user in $users){Get-ADUser -Filter “mail -eq ‘($user.mail)’” -Properti …
    + ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo : ParserError: (:) [Get-ADUser], ADFilterParsingException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:Microsoft.ActiveDirectory.Management.ADFilterParsingException,Micr

    • try

      foreach ($user in $users){
      $mail = $user.mail
      Get-ADUser -Filter {mail -eq $mail} -Properties * |
      foreach {Set-ADUser $_ -Replace @{EmployeeID= $user.EmployeeID}}
      }

      BTW I thought the AD property was EmailAddress rather than mail

  6. robstelz says:

    That did it!! So I needed to filter my imported users and make their mail field a variable and then compare the current mail attribute in AD to the new variable. Beauty in motion!! Thank you again!! Very much!! I now owe you 2 beers 🙂

  7. Jason says:

    Fantastic script and it does exactly what I need it to do, but I can’t seem to get it to export to a CSV file; it always wants me to inputobject. All help appreciated, I am running the following
    $users = Import-Csv -Path C:\Scripts\adtest.csv
    foreach ($user in $users) {
    $fname = $user.GivenName
    $lname = $user.Surname
    Get-ADUser -Filter {GivenName -eq $fname -and Surname -eq $lname} -Properties * |
    select SamAccountName, Division, Office, City
    export-csv c:\temp\aduserslist.csv

  8. Ali says:

    Thanks Richard for an amazing post.
    I am using the script to get mail address, UPN and sAMAccountName.
    I searched the whole middle earth but nothing seemed to work ;-( until I landed on your blog.
    My problem was that I was unable to get the attrib “mail” and it turned out what you have posted !
    I could get every attribute without putting the object in a variable, but it will not rerun mail address. And as soon as I used your script which puts the objects in variable …..I got the email addresses too… just like magic.
