Microsoft’s Active Directory cmdlets have some issues. One that catches everyone when they start using the cmdlets is that Get-ADUser doesn’t display all properties.
A default call to Get-ADUser displays a subset of the available properties of the user object:
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Enabled : True
GivenName :
Name : FOX Fred
ObjectClass : user
ObjectGUID : db5a3975-980d-4749-b9c0-48aff9217b2a
SamAccountName : foxfred
SID : S-1-5-21-759617655-3516038109-1479587680-1314
Surname :
UserPrincipalName : FredFox@manticore.org

Even if the properties are empty – such as GivenName and Surname – the property name is displayed. So, how do you get the properties that aren’t part of the default list?
There’s the brute force approach:
PS> Get-ADUser -Identity foxfred -Properties *

AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : Manticore.org/UserAccounts/FOX Fred
Certificates : {}
City :
CN : FOX Fred
codePage : 0
Company :
CompoundIdentitySupported : {}
Country :
countryCode : 0
Created : 17/11/2016 14:07:13
createTimeStamp : 17/11/2016 14:07:13
Deleted :
Department :
Description :
DisplayName :
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {01/01/1601 00:00:00}
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
GivenName :
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isDeleted :
KerberosEncryptionType : {}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 0
LastLogonDate :
LockedOut : False
logonCount : 0
LogonWorkstations :
Manager :
MemberOf : {}
MNSLogonAccount : False
MobilePhone :
Modified : 18/11/2016 11:03:02
modifyTimeStamp : 18/11/2016 11:03:02
msDS-User-Account-Control-Computed : 8388608
Name : FOX Fred
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=Manticore,DC=org
ObjectClass : user
ObjectGUID : db5a3975-980d-4749-b9c0-48aff9217b2a
objectSid : S-1-5-21-759617655-3516038109-1479587680-1314
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : True
PasswordLastSet : 17/11/2016 14:07:13
PasswordNeverExpires : False
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=Manticore,DC=org
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 131238652330182673
SamAccountName : foxfred
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 15
ServicePrincipalNames : {}
SID : S-1-5-21-759617655-3516038109-1479587680-1314
SIDHistory : {}
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 512
userCertificate : {}
UserPrincipalName : FredFox@manticore.org
uSNChanged : 78123
uSNCreated : 62259
whenChanged : 18/11/2016 11:03:02
whenCreated : 17/11/2016 14:07:13

Using -Properties * returns ALL of the properties of a user. That’s OK if you’re looking at one, or a few users, but becomes a very expensive operation if you’re looking at thousands of user objects.
A more elegant approach is to specify the properties you want:
PS> Get-ADUser -Identity foxfred -Properties EmailAddress, LockedOut, ProtectedFromAccidentalDeletion, whenCreated

DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
EmailAddress :
Enabled : True
GivenName :
LockedOut : False
Name : FOX Fred
ObjectClass : user
ObjectGUID : db5a3975-980d-4749-b9c0-48aff9217b2a
ProtectedFromAccidentalDeletion : False
SamAccountName : foxfred
SID : S-1-5-21-759617655-3516038109-1479587680-1314
Surname :
UserPrincipalName : FredFox@manticore.org
whenCreated : 17/11/2016 14:07:13
You get the properties you specified and the default properties.
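The same idea applied across many accounts, as an added example that is not from the original post: an account-settings audit that asks only for the properties the report needs rather than -Properties *. The function name Get-ADUserAuditRow is hypothetical, the search base is the OU from the sample output above, and the choice of which settings to review is an assumption of this example.

```powershell
# Added example: audit many accounts while requesting only the
# properties the report needs, instead of -Properties *.
Import-Module ActiveDirectory

# Extended properties to fetch; every name appears in the -Properties * listing above.
$auditProps = @(
    'PasswordNeverExpires'
    'PasswordNotRequired'
    'DoesNotRequirePreAuth'
    'AllowReversiblePasswordEncryption'
    'TrustedForDelegation'
    'UseDESKeyOnly'
    'PasswordLastSet'
    'LastLogonDate'
)

# Boolean settings that deserve a review when they are True (assumption of this example).
$flagProps = $auditProps | Where-Object { $_ -notin 'PasswordLastSet', 'LastLogonDate' }

function Get-ADUserAuditRow {   # hypothetical helper name
    param(
        # OU taken from the page's sample output; change it for your domain.
        [string]$SearchBase = 'OU=UserAccounts,DC=Manticore,DC=org'
    )

    Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties $auditProps |
        ForEach-Object {
            $user = $_
            # Names of the flag properties that are True on this account.
            $set = @($flagProps | Where-Object { $user.$_ -eq $true })
            if ($set.Count -gt 0) {
                # Emit a trimmed object: the defaults are still fetched,
                # but only the columns the report needs are kept.
                [pscustomobject]@{
                    SamAccountName  = $user.SamAccountName
                    Flags           = $set -join ','
                    PasswordLastSet = $user.PasswordLastSet
                    LastLogonDate   = $user.LastLogonDate
                }
            }
        }
}

Get-ADUserAuditRow | Sort-Object SamAccountName | Format-Table -AutoSize
```

Accounts with none of the flags set produce no row, so an empty result for the sample user foxfred is expected given the values shown above.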
So, while Get-ADUser doesn’t display all properties, you can overcome this by using the -Properties parameter with a * for all properties or a list of the properties you want in addition to the defaults.
How can I list all the properties available in Attribute Editor for the AD user (AD Users and Computers)?
Is this specific to a certain version of PowerShell? When I try -Properties * it gives me an error that a parameter with that name cannot be found. I am using PowerShell version 4 currently.
Never mind. I was piping output to FL -Property *.