How to use the Get-ADUser PowerShell cmdlet

The Get-ADUser cmdlet is one of the most widely used PowerShell cmdlets among administrators working with Active Directory (AD). It lets you query all AD users, retrieve their properties, and apply filters to find specific users by organizational unit (OU), group membership, or attribute value. This article explains how to use the Get-ADUser cmdlet with practical examples, including advanced filtering techniques, property selection, and more. It also compares the cmdlet directly with the AD user reports in ADManager Plus, an AD reporting tool.

Get AD users: PowerShell vs. ADManager Plus

See how the script-based approach in PowerShell compares to the simple, GUI-based reporting in ADManager Plus.

Windows PowerShell

Before you start, ensure you have:

  • The Active Directory PowerShell module installed.
  • A PowerShell execution policy that allows your scripts to run.
  • An account with read permissions on the AD domain you intend to query.

To get all AD users using PowerShell:

  1. Open Windows PowerShell as an administrator and run the following command:
    Get-ADUser -Filter *

Use different parameters along with the Get-ADUser cmdlet to generate more granular user reports.

ADManager Plus

To get all AD users using ADManager Plus:

  1. Log in to ADManager Plus.
  2. Navigate to Reports > User Reports > General Reports > All Users.
  3. Select the desired domain.
  4. Click Generate.

Get-ADUser parameters

Here are some common parameters that can be used along with the Get-ADUser cmdlet:

  • -Identity: Specifies a single user to retrieve by sAMAccountName, DN, GUID, or SID.
  • -Filter: Finds users based on a query. Use * to return all users.
  • -Properties: Specifies which additional user attributes to retrieve beyond the default set.
  • -SearchBase: Restricts the search to a specific OU or container, given as a DN.
  • -SearchScope: Defines the depth of the search (Base, OneLevel, or Subtree). The default is Subtree.
  • -ResultSetSize: Sets the maximum number of users the query returns. Use $null for no limit.
  • -Server: Specifies which domain controller (DC) to run the query against.
  • -LDAPFilter: Finds users using LDAP query syntax instead of the PowerShell filter syntax.
  • -Credential: Runs the command under the credentials of a different user account.

Get-ADUser filter example scripts and use cases

Example 1: Get a single user and all properties

To retrieve information about a specific user, use the -Identity parameter. You can identify users by their sAMAccountName, DN, GUID, or SID:

# Get user by sAMAccountName
Get-ADUser -Identity "jdoe"
# -Identity does not accept a UPN, so look a user up by UPN with -Filter instead
Get-ADUser -Filter "UserPrincipalName -eq 'john.d@company.com'"
# Get user by DN
Get-ADUser -Identity "CN=John Doe,OU=Users,DC=company,DC=com"

To get all users in your Active Directory domain, use the -Filter parameter with the wildcard *.

# Get all users (basic properties only)
Get-ADUser -Filter *
# Format output in a table for better readability
Get-ADUser -Filter * | Format-Table Name, sAMAccountName, Enabled

Example 2: Get more user properties like department, email address, and more

By default, Get-ADUser returns only a small set of properties. To see additional details such as email address or department, you need to request them with the -Properties parameter.

# To view all properties for all users (expensive in large domains; prefer naming the properties you need)
Get-ADUser -Filter * -Properties *
# To view a specific selection of properties for all users
Get-ADUser -Filter * -Properties EmailAddress, Department | Select-Object Name, EmailAddress, Department

Example 3: Filtering and exporting users to a CSV file

A common requirement is to export the list of users to a CSV file for reporting or auditing. You can do this by using the Export-Csv cmdlet along with the Get-ADUser cmdlet.

Get-ADUser -Filter * -Properties EmailAddress, Department | Select-Object Name, EmailAddress, Department | Export-Csv -Path "C:\Reports\ad_users.csv" -NoTypeInformation

Example 4: Get AD users from an OU

The key to limiting your search to an OU is to use the -SearchBase parameter of the Get-ADUser cmdlet. For this, you need the distinguished name (DN) of the OU you want to search in. It's a unique path to the OU within your domain.

Here's how you can find it:

  1. Open Active Directory Users and Computers.
  2. In the top menu, click View and ensure Advanced Features is checked.
  3. Navigate to and right-click the target OU.
  4. Select Properties.
  5. Open the Attribute Editor tab.
  6. Find the distinguishedName attribute in the list and copy the value from here.

Once you have the DN, pass it to the -SearchBase parameter. Combined with -Filter *, the command returns all users in that OU and, because the default -SearchScope is Subtree, in any child OUs beneath it.

Get-ADUser -Filter * -SearchBase "OU=Sales,DC=yourdomain,DC=com"

Example 5: Find users with a specific job title

Use this command to generate a list of all users who hold a specific job title within the organization. This is useful when creating targeted email distribution lists or for departmental reporting.

Get-ADUser -Filter "Title -eq 'Sales Manager'" -Properties displayName, department | Select-Object displayName, department, sAMAccountName

Example 6: Find recently created users

This script retrieves a list of all user accounts created within the last seven days. It helps you keep track of recent account creations and verify that new employees have been set up correctly.

$days = 7
$cutoffDate = (Get-Date).AddDays(-$days)
# The AD filter parser resolves $cutoffDate itself, so the single-quoted filter string works as written
Get-ADUser -Filter 'whenCreated -ge $cutoffDate' -Properties whenCreated | Select-Object Name, sAMAccountName, whenCreated

Example 7: Find users by a partial name

When you only know part of a user's name, you can find them using a wildcard (*). For instance, if you want to find all the users whose names contain "John", you can use the following script:

Get-ADUser -Filter "Name -like '*John*'" -Properties DisplayName, EmailAddress | Select-Object DisplayName, EmailAddress

Example 8: Find direct reports of a manager

This script looks up the manager's account, then uses the manager's DN to find all user accounts that list that user as their manager, effectively mapping out team structures.

# Replace manager.sAMAccountName with the manager's actual sAMAccountName
$manager = Get-ADUser -Identity "manager.sAMAccountName"
# The DN comes from an object property, so the filter needs double quotes and $() to expand it
Get-ADUser -Filter "Manager -eq '$($manager.DistinguishedName)'" -Properties DisplayName, Title | Select-Object Name, DisplayName, Title

Example 9: Find users in multiple departments

This example demonstrates how to retrieve a list of users belonging to any of several departments in a single query. This is far more efficient than running and combining separate commands for each department.

Get-ADUser -Filter "department -eq 'Sales' -or department -eq 'Marketing'" -Properties department | Select-Object name, department
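
The individual examples above each show one parameter. As an added example, not taken from the original article or from ADManager Plus, the following script combines -SearchBase, a variable-based -Filter, -Properties, a calculated property and Export-Csv into a reusable report of enabled accounts that have not logged on recently; the OU DN and output path are placeholders.

```powershell
# Added example: report enabled accounts that have not logged on for $Days days.
# Assumes the ActiveDirectory module is loaded; the OU DN and output path are placeholders.
function Get-StaleEnabledUserReport {
    param(
        [string]$SearchBase = "OU=Users,DC=yourdomain,DC=com",   # placeholder OU DN
        [int]$Days = 90,
        [string]$OutputPath = "C:\Reports\stale_users.csv"       # placeholder path
    )

    $cutoff = (Get-Date).AddDays(-$Days)

    # Single-quoted filter: the AD filter parser resolves $true and $cutoff itself.
    # LastLogonDate -notlike "*" also catches accounts that have never logged on,
    # which a plain "-lt $cutoff" comparison would silently omit.
    $filter = 'Enabled -eq $true -and (LastLogonDate -lt $cutoff -or LastLogonDate -notlike "*")'

    # LastLogonDate is derived from lastLogonTimestamp, which replicates only every
    # 9 to 14 days, so treat the dates as approximate rather than exact.
    $users = Get-ADUser -Filter $filter -SearchBase $SearchBase -SearchScope Subtree `
        -ResultSetSize $null -Properties LastLogonDate, PasswordLastSet, whenCreated, Title, Department

    $report = $users | Select-Object Name, sAMAccountName, Title, Department, LastLogonDate,
        PasswordLastSet, whenCreated,
        @{ Name = 'DaysSinceLogon'; Expression = {
            if ($_.LastLogonDate) { [int]((Get-Date) - $_.LastLogonDate).TotalDays } else { 'never' } } }

    $report | Sort-Object LastLogonDate | Export-Csv -Path $OutputPath -NoTypeInformation
    return $report
}

# Usage: write the CSV for the default OU and show the first ten rows on screen.
Get-StaleEnabledUserReport -Days 90 | Select-Object -First 10 | Format-Table -AutoSize
```

Accounts flagged as "never" logged on but created long ago are worth reviewing first, since they are the ones most often forgotten after provisioning.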

Troubleshooting tips

  1. Error: The term 'Get-ADUser' is not recognized as the name of a cmdlet.

    Solution: This error means the Active Directory module is not installed or not available in your PowerShell session. To fix this, install the Remote Server Administration Tools (RSAT) for AD on your Windows client machine. On a server, ensure the Active Directory Module for Windows PowerShell feature is installed.

  2. Error: Cannot find an object with identity: 'username'

    Solution: This indicates that the user specified in the -Identity parameter could not be found. Double-check the spelling of the username and verify that the user account actually exists in AD and has not been deleted.

  3. Error: Access is denied

    Solution: The user account you are using to run the PowerShell script does not have the necessary permissions to read information from AD. To resolve this, run PowerShell as a user who is a member of the domain and has at least read access.

  4. Error: Error parsing query

    Solution: This error, or getting no results when you expect them, is usually caused by a syntax issue in your -Filter string. Verify that variables and special characters are properly quoted and escaped, and that attribute values containing quotes are delimited with the other quote character.

  5. Error: Unable to find a default server with Active Directory Web Services running.

    Solution: This is a connectivity error. The computer running the script cannot reach a DC over Active Directory Web Services (ADWS), which the AD module uses for all its queries. Check your network connection, ensure you can resolve and ping your domain and a specific DC, and confirm that the ADWS service is running on that DC.
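
To make troubleshooting points 4 and 5 concrete, here is an added example that is not part of the original article. It shows the -Filter quoting forms that parse correctly, one value with an embedded quote, LDAP escaping for -LDAPFilter, and a small check of the ADWS port on a chosen DC; the user, department and DC names are placeholders.

```powershell
# Added example: -Filter quoting forms and an ADWS reachability check.
# Assumes the ActiveDirectory module is loaded; all names and values are placeholders.

$dept = 'Sales'
$mgr  = Get-ADUser -Identity 'jdoe'   # placeholder sAMAccountName

# 1. Simple variable: single quotes work because the AD filter parser expands $dept itself.
Get-ADUser -Filter 'Department -eq $dept'

# 2. Property of an object: the parser does NOT expand $mgr.DistinguishedName, so use
#    double quotes with a $() subexpression and keep the inner value in single quotes.
Get-ADUser -Filter "Manager -eq '$($mgr.DistinguishedName)'"

# 3. Script-block form is converted to the same filter text; simple variables still work.
Get-ADUser -Filter { Department -eq $dept -and Enabled -eq $true }

# 4. A value containing an apostrophe must be delimited with double quotes inside the filter.
$surname = "O'Brien"
Get-ADUser -Filter ('Surname -eq "{0}"' -f $surname)

# 5. In -LDAPFilter, ( ) * and \ inside values are escaped as \28 \29 \2a \5c (RFC 4515).
Get-ADUser -LDAPFilter '(&(objectClass=user)(displayName=Sales \28EMEA\29 Team))'

# For "Unable to find a default server with ADWS running": ADWS listens on TCP 9389,
# so test that port on a specific DC, then retry the query with -Server.
function Test-AdwsReachable {
    param([Parameter(Mandatory)][string]$DomainController)
    $result = Test-NetConnection -ComputerName $DomainController -Port 9389 -WarningAction SilentlyContinue
    if ($result.TcpTestSucceeded) {
        Write-Host "ADWS port open on $DomainController; retry with -Server $DomainController"
    } else {
        Write-Host "TCP 9389 closed or filtered on $DomainController; check firewall rules and the ADWS service"
    }
    return $result.TcpTestSucceeded
}

Test-AdwsReachable -DomainController 'dc01.yourdomain.com'   # placeholder DC name
```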

Limitations of using the Get-ADUser PowerShell cmdlet for generating AD user reports

While PowerShell is a powerful tool for report generation, it comes with several inherent limitations, especially when used for regular reporting by a broader IT team.

  • Lack of a graphical user interface (GUI): Staff outside core systems administration find it challenging to run PowerShell queries or generate reports on their own.
  • Security and delegation risks: Granting users remote PowerShell access to a domain controller can pose a security risk.
  • Time-consuming for generating custom reports: Generating a custom report that filters on multiple specific attributes and presents the data clearly can take considerable time to write, test, and perfect.

Highlights of using ADManager Plus for AD user reports

ADManager Plus is a comprehensive AD reporting solution that directly addresses the limitations of PowerShell, empowering organizations to manage and report on their AD environment more efficiently and securely.

  • GUI-based and script-free: With its intuitive interface, ADManager Plus allows users of any skill level to securely generate detailed reports with just a few clicks. This eliminates the need for any scripting knowledge, reduces errors, and frees up administrators' time.
  • Extensive library of prebuilt reports: The solution comes with over 200 preconfigured reports on AD users, computers, groups, GPOs, and more.
  • Secure and granular delegation: Admins can safely delegate reporting tasks to non-administrative staff, like help desk technicians or HR managers. You can create custom roles that allow a user to run only specific reports on specific OUs, ensuring they see only the data they need without ever touching a script or gaining broad permissions.
  • Automated and scheduled reporting: Any report can be scheduled to run automatically on a daily, weekly, or monthly basis. The results can be automatically exported to CSV, PDF, XLSX, CSVDE, or HTML formats.
  • Fully customizable reports: Beyond the extensive built-in options, you can easily create custom reports tailored to your organization's unique needs. The report builder allows you to define your own conditions and filters, select any AD attribute to be displayed, and generate highly specific reports without writing a single line of script.


FAQs

The Get-ADUser cmdlet is used to get one or more user objects from AD. Administrators use it to find users based on specific criteria, view their properties, and export user data for reporting and auditing purposes.

You can filter AD users with the -Filter parameter, which accepts a query string. For example, to find all users in the Marketing department, you would use:

Get-ADUser -Filter "Department -eq 'Marketing'"

To get every property for a user, use -Properties *. The -Properties parameter is required for attributes outside the default set, such as LastLogonDate, whenCreated, and MemberOf.

A simple way is to attempt to retrieve the user and check if the command returns a result. If it returns an object, the user exists; if it returns nothing or an error, the user does not.

To get a list of groups a user belongs to, you need to query the MemberOf property.

Get-ADUser -Identity 'john' -Properties MemberOf | Select-Object -ExpandProperty MemberOf
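
The two answers above on checking whether a user exists and on listing group membership, worked through as an added example that is not from the original article: the existence check separates "not found" from permission or connectivity failures, and the membership lookup resolves the DNs in MemberOf to group names. The user name is a placeholder.

```powershell
# Added example: existence check that distinguishes "not found" from other failures,
# plus direct group membership resolved from DNs to group names.
# Assumes the ActiveDirectory module is loaded; 'jdoe' is a placeholder sAMAccountName.

function Test-ADUserExists {
    param([Parameter(Mandatory)][string]$Identity)
    try {
        # -ErrorAction Stop turns the not-found condition into a catchable exception.
        $null = Get-ADUser -Identity $Identity -ErrorAction Stop
        return $true
    } catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
        return $false
    }
    # Any other exception (access denied, no DC reachable) propagates to the caller,
    # so a permissions or connectivity problem is never misreported as "user does not exist".
}

function Get-ADUserGroupNames {
    param([Parameter(Mandatory)][string]$Identity)
    # MemberOf holds the DNs of direct groups only; nested membership and the primary
    # group (usually Domain Users) are not listed there.
    $dns = Get-ADUser -Identity $Identity -Properties MemberOf | Select-Object -ExpandProperty MemberOf
    foreach ($dn in $dns) {
        $group = Get-ADGroup -Identity $dn -Properties Description
        [pscustomobject]@{
            Name        = $group.Name
            Scope       = $group.GroupScope
            Category    = $group.GroupCategory
            Description = $group.Description
        }
    }
}

if (Test-ADUserExists -Identity 'jdoe') {
    Get-ADUserGroupNames -Identity 'jdoe' | Format-Table -AutoSize
} else {
    Write-Host "No user with sAMAccountName 'jdoe' was found."
}
```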