Microsoft’s Active Directory cmdlets have some issues. One that catches everyone when they start using them is that Get-ADUser doesn’t display all properties.
A default call to Get-ADUser displays a subset of the available properties of the user object:
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Enabled : True
GivenName :
Name : FOX Fred
ObjectClass : user
ObjectGUID : db5a3975-980d-4749-b9c0-48aff9217b2a
SamAccountName : foxfred
SID : S-1-5-21-759617655-3516038109-1479587680-1314
Surname :
UserPrincipalName : FredFox@manticore.org
Even if the properties are empty – such as GivenName and Surname – the property name is displayed. So, how do you get the properties that aren’t part of the default list?
There’s the brute force approach:
PS> Get-ADUser -Identity foxfred -Properties *
AccountExpirationDate :
accountExpires : 9223372036854775807
AccountLockoutTime :
AccountNotDelegated : False
AllowReversiblePasswordEncryption : False
AuthenticationPolicy : {}
AuthenticationPolicySilo : {}
BadLogonCount : 0
badPasswordTime : 0
badPwdCount : 0
CannotChangePassword : False
CanonicalName : Manticore.org/UserAccounts/FOX Fred
Certificates : {}
City :
CN : FOX Fred
codePage : 0
Company :
CompoundIdentitySupported : {}
Country :
countryCode : 0
Created : 17/11/2016 14:07:13
createTimeStamp : 17/11/2016 14:07:13
Deleted :
Department :
Description :
DisplayName :
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
Division :
DoesNotRequirePreAuth : False
dSCorePropagationData : {01/01/1601 00:00:00}
EmailAddress :
EmployeeID :
EmployeeNumber :
Enabled : True
Fax :
GivenName :
HomeDirectory :
HomedirRequired : False
HomeDrive :
HomePage :
HomePhone :
Initials :
instanceType : 4
isDeleted :
KerberosEncryptionType : {}
LastBadPasswordAttempt :
LastKnownParent :
lastLogoff : 0
lastLogon : 0
LastLogonDate :
LockedOut : False
logonCount : 0
LogonWorkstations :
Manager :
MemberOf : {}
MNSLogonAccount : False
MobilePhone :
Modified : 18/11/2016 11:03:02
modifyTimeStamp : 18/11/2016 11:03:02
msDS-User-Account-Control-Computed : 8388608
Name : FOX Fred
nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=Manticore,DC=org
ObjectClass : user
ObjectGUID : db5a3975-980d-4749-b9c0-48aff9217b2a
objectSid : S-1-5-21-759617655-3516038109-1479587680-1314
Office :
OfficePhone :
Organization :
OtherName :
PasswordExpired : True
PasswordLastSet : 17/11/2016 14:07:13
PasswordNeverExpires : False
PasswordNotRequired : False
POBox :
PostalCode :
PrimaryGroup : CN=Domain Users,CN=Users,DC=Manticore,DC=org
primaryGroupID : 513
PrincipalsAllowedToDelegateToAccount : {}
ProfilePath :
ProtectedFromAccidentalDeletion : False
pwdLastSet : 131238652330182673
SamAccountName : foxfred
sAMAccountType : 805306368
ScriptPath :
sDRightsEffective : 15
ServicePrincipalNames : {}
SID : S-1-5-21-759617655-3516038109-1479587680-1314
SIDHistory : {}
SmartcardLogonRequired : False
State :
StreetAddress :
Surname :
Title :
TrustedForDelegation : False
TrustedToAuthForDelegation : False
UseDESKeyOnly : False
userAccountControl : 512
userCertificate : {}
UserPrincipalName : FredFox@manticore.org
uSNChanged : 78123
uSNCreated : 62259
whenChanged : 18/11/2016 11:03:02
whenCreated : 17/11/2016 14:07:13
Using -Properties * returns ALL of the properties of a user. That’s OK if you’re looking at one user, or a few, but it becomes a very expensive operation if you’re looking at thousands of user objects.
A more elegant approach is to specify the properties you want:
PS> Get-ADUser -Identity foxfred -Properties EmailAddress, LockedOut, ProtectedFromAccidentalDeletion, whenCreated
DistinguishedName : CN=FOX Fred,OU=UserAccounts,DC=Manticore,DC=org
EmailAddress :
Enabled : True
GivenName :
LockedOut : False
Name : FOX Fred
ObjectClass : user
ObjectGUID : db5a3975-980d-4749-b9c0-48aff9217b2a
ProtectedFromAccidentalDeletion : False
SamAccountName : foxfred
SID : S-1-5-21-759617655-3516038109-1479587680-1314
Surname :
UserPrincipalName : FredFox@manticore.org
whenCreated : 17/11/2016 14:07:13
You get the properties you specified and the default properties.
So, while Get-ADUser doesn’t display all properties by default, you can overcome this by using the -Properties parameter, either with a * for all properties or with a list of the properties you want in addition to the defaults.
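The named-property approach applied to an account hygiene review, as an added example that is not part of the original post: it requests only the security-relevant properties that are missing from the default set and reports the accounts where one is set. The property names come from the -Properties * output above; the function name Get-AccountRiskFlag, the sample accounts and the choice of which settings to flag are assumptions of this example.

```powershell
# Added example, not from the original post.
# Security-relevant properties that are not in Get-ADUser's default set.
$auditProps = 'PasswordNeverExpires', 'PasswordNotRequired', 'DoesNotRequirePreAuth',
              'AllowReversiblePasswordEncryption', 'UseDESKeyOnly',
              'TrustedForDelegation', 'ServicePrincipalNames'

function Get-AccountRiskFlag {
    # Hypothetical helper: emits one row per account with at least one flagged setting.
    param([Parameter(ValueFromPipeline)] $User)
    process {
        $flags = @(
            foreach ($p in $auditProps) {
                $v = $User.$p
                if ($p -eq 'ServicePrincipalNames') {
                    # Multi-valued: flag when the user account carries any SPN.
                    # Filtering through Where-Object treats $null and {} alike.
                    if (@($v | Where-Object { $_ }).Count -gt 0) { $p }
                }
                elseif ($v -is [bool] -and $v) { $p }
            }
        )
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                Flags          = $flags -join ', '
            }
        }
    }
}

# Constructed sample objects so the logic can be checked without a domain.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'foxfred'; Enabled = $true
                       PasswordNeverExpires = $false; PasswordNotRequired = $false
                       DoesNotRequirePreAuth = $false; ServicePrincipalNames = @() }
    [pscustomobject]@{ SamAccountName = 'svc-demo'; Enabled = $true
                       PasswordNeverExpires = $true; DoesNotRequirePreAuth = $true
                       ServicePrincipalNames = @('HTTP/demo.example') }
)
$sample | Get-AccountRiskFlag

# Against a real domain: ask for the audit properties only, not -Properties *,
# so the query stays cheap across thousands of user objects.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -Filter * -Properties $auditProps | Get-AccountRiskFlag
}
```

If one of these properties is left out of -Properties, Get-ADUser does not return it and the helper reads it as empty, so that setting is silently skipped rather than reported as safe.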