How to get all active users in Active Directory using PowerShell

Knowing how to identify active user accounts is crucial for security audits, license management, and ensuring smooth operations. While most admins use PowerShell to accomplish this, it can be time-consuming and complex. On the other hand, ADManager Plus, an Active Directory (AD) reporting tool, empowers admins to get a report of all active AD users in just a few clicks.

Getting all active users in AD

The following table lists the steps to get all active AD users using PowerShell and ADManager Plus:

Windows PowerShell

Prerequisite

Ensure the AD module is installed. If not, download the correct RSAT package for your OS and run the command below to activate the module.

Import-Module ActiveDirectory

Using Get-ADUser to filter active users

Run the following script to fetch active AD users. This uses the Get-ADUser cmdlet with a filter to find only accounts where the Enabled property is set to $True.

Get-ADUser -Filter {Enabled -eq $True} -Properties DisplayName, EmailAddress

ADManager Plus

  1. Log in to ADManager Plus and navigate to Reports > User Reports.
  2. Under Logon Reports, click Enabled Users.
  3. Select the desired domain(s) and click Generate.

Example use cases and PowerShell scripts to get active users

Example 1: Getting all active AD users

Get-ADUser -Filter 'Enabled -eq $True'

Example 2: Getting active AD users with last logon date

Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, LastLogonDate |
Select-Object Name, DisplayName, LastLogonDate |
Sort-Object LastLogonDate -Descending

Example 3: Getting all active AD users in a specific OU

Get-ADUser -Filter {Enabled -eq $True} -SearchBase "OU=Sales,DC=domain,DC=com" -Properties DisplayName, EmailAddress |
Select-Object Name, DisplayName, EmailAddress

Example 4: Exporting active AD users to CSV

Get-ADUser -Filter {Enabled -eq $True} -Properties SamAccountName, EmailAddress |
Select-Object SamAccountName, EmailAddress |
Export-Csv -Path "EnabledUsers.csv" -NoTypeInformation

Supported parameters

The following are essential parameters that can be used for listing active AD users:

Parameter | Description
-Filter | Specifies a filter string in PowerShell expression format to limit which user objects are returned.
-Properties | Specifies additional AD properties to retrieve beyond the default set, such as DisplayName and EmailAddress.
-Identity | Checks a specific user by username or SamAccountName.
Export-Csv | Exports the report to a CSV file (a cmdlet used in the pipeline, not a Get-ADUser parameter).
-Path | Output file path for the exported report (a parameter of Export-Csv).

Troubleshooting tips

Even with the right commands, fetching active user data using PowerShell can occasionally result in errors or incomplete outputs. Here are some common issues and how to resolve them:

1. Get-ADUser: The term is not recognized

Cause: The AD module isn't installed or imported.

Solution: Ensure you're running PowerShell on a system that has RSAT: AD tools installed. Import the module manually by running the command below:

Import-Module ActiveDirectory

2. Missing LastLogonDate or other properties

Cause: Some properties like LastLogonDate aren't included by default.

Solution: Always specify required properties explicitly using the -Properties parameter as given below:

Get-ADUser -Filter {Enabled -eq $true} -Properties LastLogonDate

3. Permission Denied or Access Denied

Cause: Your PowerShell session doesn't have adequate permissions.

Solution: Run PowerShell as an administrator.

4. Empty Results Returned

Cause: Misconfigured filter or incorrect OU specified.

Solution:

  • Double-check your filter syntax.
  • Ensure the OU path is accurate.
  • Verify that there are active users in the specified OU.

Limitations of using PowerShell scripts to get active users

While powerful, relying solely on PowerShell for extensive user reporting can present challenges:

  • Complexity for non-scripters: Crafting and debugging complex scripts can be time-consuming for administrators less familiar with PowerShell.
  • Lack of centralized reporting: Generating comprehensive PowerShell reports for various AD attributes often requires combining multiple scripts and manual data consolidation.
  • Error handling: Robust error handling needs to be explicitly built into every script.

Benefits of choosing ADManager Plus over PowerShell

ADManager Plus bridges the gap between powerful AD reporting and ease of use. Here's why it's a better choice for many IT teams:

  • No scripts required: Easily generate reports on active users, inactive users, locked-out users, and more in a few clicks without any scripting.
  • Predefined reports: Access over 200 out-of-the-box reports, saving you significant time.
  • Customizable reports: Create tailored reports with specific attributes and filters to meet your unique auditing and compliance needs.
  • Automated report scheduling: Schedule reports to be generated and delivered automatically to your inbox, ensuring you always have up-to-date information.
  • Delegated reporting: Securely delegate AD reporting tasks to help desk technicians without exposing them to sensitive data or complex PowerShell scripts.

FAQs

To find users who have logged in within the last 90 days, you can use the Get-ADUser cmdlet in PowerShell and filter based on the lastLogonTimestamp attribute:

$NinetyDaysAgo = (Get-Date).AddDays(-90)
# Convert to a FILETIME value first: the AD filter cannot evaluate a method call inline
$Threshold = $NinetyDaysAgo.ToFileTime()
Get-ADUser -Filter {lastLogonTimestamp -ge $Threshold} -Properties Name, lastLogonTimestamp |
Select-Object Name, @{Name="LastLogon"; Expression={[datetime]::FromFileTime($_.lastLogonTimestamp)}}

Alternatively, you can use ADManager Plus to quickly generate AD logon reports that show users who have logged in within your specified time frame.

To find active users who haven't logged in for a specific period (e.g., 60 days), use this PowerShell script:

$daysInactive = 60
$inactiveDate = (Get-Date).AddDays(-$daysInactive)
Get-ADUser -Filter {Enabled -eq $True -and LastLogonDate -lt $inactiveDate} -Properties LastLogonDate | Select-Object Name, SamAccountName, LastLogonDate

For a script-free approach, use ADManager Plus' Logon Reports to quickly identify inactive users or those who haven't logged in recently.

You can retrieve a list of AD users in PowerShell using the Get-ADUser cmdlet.

In AD, an Enabled user is one whose account is not disabled and is technically allowed to log in (Enabled = True). However, this doesn't mean the user is actively using the account. An Active user typically refers to an enabled account that has logged in recently, usually within a defined time frame like the last 30, 60, or 90 days. So while all active users are enabled, not all enabled users are necessarily active.
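
The Enabled versus Active distinction above can be turned into an audit report. The following is an added example, not part of the original article or of ADManager Plus: it classifies every enabled account as Active, Stale, or NeverLoggedOn and builds in the error handling that a standalone script needs. The function name Get-EnabledUserActivity and the 90-day default are assumptions made for illustration.

```powershell
# Added example: classify enabled accounts by logon recency.
# Get-EnabledUserActivity and its 90-day default are hypothetical, not from the article.
function Get-EnabledUserActivity {
    [CmdletBinding()]
    param(
        [int]$DaysInactive = 90,   # assumed threshold; set it to your own policy
        [string]$SearchBase        # optional OU distinguished name
    )

    try {
        Import-Module ActiveDirectory -ErrorAction Stop
    } catch {
        throw "ActiveDirectory module not available (install the RSAT AD tools): $_"
    }

    # LastLogonDate is derived from lastLogonTimestamp, which AD refreshes only
    # about every 9 to 14 days, so thresholds shorter than that are unreliable.
    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $query = @{
        Filter      = 'Enabled -eq $true'
        Properties  = 'LastLogonDate', 'whenCreated'
        ErrorAction = 'Stop'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    try {
        $users = Get-ADUser @query
    } catch {
        throw "Get-ADUser failed (check permissions and the OU path): $_"
    }

    foreach ($u in $users) {
        # Accounts that have never logged on have no LastLogonDate. A
        # "LastLogonDate -lt <date>" filter skips them, so handle them here.
        if (-not $u.LastLogonDate)            { $status = 'NeverLoggedOn' }
        elseif ($u.LastLogonDate -lt $cutoff) { $status = 'Stale' }
        else                                  { $status = 'Active' }

        [pscustomobject]@{
            SamAccountName = $u.SamAccountName
            Status         = $status
            LastLogonDate  = $u.LastLogonDate
            WhenCreated    = $u.whenCreated
        }
    }
}

# Summary: how many enabled accounts fall into each category
Get-EnabledUserActivity -DaysInactive 90 | Group-Object Status | Select-Object Name, Count
```

Enabled accounts reported as Stale or NeverLoggedOn are the ones to review first in an access audit; WhenCreated helps separate newly provisioned accounts from long-forgotten ones.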

Yes, ADManager Plus offers automation and scheduling features for user reports, including those on active, inactive, and recently logged-on users. Reports can be automatically delivered to the specified email addresses. You can also configure notification templates to receive alerts whenever a management task is completed.
