Home
PowerShell
How to export AD enabled users to CSV using PowerShell

How to export AD enabled users to CSV using PowerShell

The Get-ADUser cmdlet is your primary tool for filtering and exporting active user accounts from Active Directory. Whether you need to run a compliance audit or manage user licenses, knowing how to get AD enabled users is essential.

You have two main methods in PowerShell to retrieve enabled users: using the simplified -Filter parameter or the more complex -LDAPFilter parameter. We recommend the simplified -Filter method for clarity and ease of use.

Windows PowerShell

Steps to obtain enabled users report using PowerShell using Get-ADUser cmdlet:

Identify the domain from which you want to retrieve the report.
Identify the LDAP attributes you need to fetch the report.
Identify the primary DC to retrieve the report.
Compile the script.
Execute it in Windows PowerShell.
The report will be exported in the given format.
To obtain the report in a different format, modify the script accordingly to the needs of the user.

Method 1: Using the Get-ADUser Filter (recommended)


												Import-Module ActiveDirectory 

												Get-ADUser -Filter {Enabled -eq $true} -Properties * |  

												Select-Object Name, SamAccountName, Title, Department, EmailAddress |  

												Export-Csv -Path "C:\Scripts\AD_EnabledUsers.csv" -NoTypeInformation

Method 2: Using the LDAP Filter


												Import-Module ActiveDirectory 

												Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user)(!userAccountControl:1.2.840.113556.1.4.803:=2))" -Properties sAMAccountName, givenName, sn, enabled | 

												Select-Object sAMAccountName, givenName, sn, enabled | 

												Export-Csv -Path "C:\Scripts\LDAP_EnabledUsers.csv" -NoTypeInformation

ADManager Plus

Generate and export enabled AD users to CSV (and other formats) using ADManager Plus:

Navigate to Reports > User Reports > Enabled Users.
Select the required domain and OU.
Click Generate.
After the report generates, click Export As to download it in HTML, CSV, XLS, or PDF.

Start your free trial

Example use cases and scripts

Example 1: Export all enabled users.

Use PowerShell to generate a list of all enabled users and create a simple active users report.


                                   Get-ADUser -Filter {Enabled -eq $true} | Export-CSV "C:\AD_EnabledUsers.csv" -NoTypeInformation

This command exports all active accounts with default properties for quick auditing.

Example 2: PowerShell export enabled AD users to CSV with specific properties

Create detailed reports using the Get-ADUser filter (enabled true) with specific attributes.


                                   Get-ADUser -Filter {Enabled -eq $true} -Properties Department,Manager,LastLogonDate,EmailAddress | Select Name,SamAccountName,Department,Manager,LastLogonDate,EmailAddress | Export-CSV "C:\DetailedEnabledUsers.csv" -NoTypeInformation

This PowerShell script exports active AD users and provides comprehensive details for HR reporting.

Example 3: Export enabled users from specific OU

Generate a PowerShell enabled user list report from a specific organizational unit.


                                   Get-ADUser -Filter {Enabled -eq $true} -SearchBase "OU=Sales,DC=contoso,DC=com" -Properties * | Select Name,Title,Department,Office | Export-CSV "C:\SalesEnabledUsers.csv" -NoTypeInformation

Limitations of using PowerShell to get users' last logon information

While PowerShell can be used to obtain the last logon details of users, it comes with several limitations.

Inaccurate information: Understanding the differences between LastLogon, LastLogonTimeStamp, and LastLogonDate attributes is crucial but often confusing.
Complexity: Writing scripts to query all DCs, handle date conversions, and format data correctly is time-consuming and error-prone.
Security risks: Running scripts directly against DCs requires elevated permissions and delegating this task to junior admins or help desk staff can be a significant security risk.

This filters enabled users from the Sales OU specifically, which is useful for departmental audits.

Supported parameters

Parameters	Description
-Identity	Specifies an AD user object by distinguished name, GUID, security identifier, or SAM account name
-Filter	Specifies a query string using PowerShell Expression Language to retrieve multiple objects
-SearchBase	Specifies the AD path to search under (OU or container distinguished name (DN))
-SearchScope	Specifies the scope of AD search (Base, OneLevel, or Subtree)
-Properties	Specifies which user properties to retrieve (default returns a limited set)
-LDAPFilter	Specifies an LDAP query string for filtering users

Troubleshooting common export issues

Error: Export file is empty or missing data.

Cause: The most common reasons are an incorrect filter syntax or failing to select the required properties.
Solution: Always verify the filter and explicitly include all desired properties. (Selecting the properties is what prevents empty exports):
Get-ADUser -Filter {Enabled -eq $true} -Properties * | Select Name,SamAccountName,Enabled

Error: "Export-CSV: Access to the path is denied."

Cause: Insufficient permissions to write to the specified location.
Solution: Use a writable path (like your Desktop) or run PowerShell as an administrator:
Export-CSV "$env:USERPROFILE\Desktop\EnabledUsers.csv" -NoTypeInformation

Error: Special characters appear incorrectly in CSV.

Cause: Encoding issues with Export-CSV default settings.
Solution: Specify UTF8 encoding for proper character display:
Export-CSV "C:\EnabledUsers.csv" -NoTypeInformation -Encoding UTF8

Error: Multi-valued attributes shown as System.Object[ ].

Cause: Properties like MemberOf contain multiple values, which CSV cannot handle directly.
Solution: Use a calculated property with -join to convert the multi-valued property into a single string. (-join is what turns the multi-valued property into a single string for easier export):
Get-ADUser -Filter {Enabled -eq $true} -Properties MemberOf | Select Name,@{N='Groups';E={$_.MemberOf -join ';'}}

Best practices for exporting enabled users from Active Directory

Always use specific filters: Using {Enabled -eq $true} ensures only active accounts are exported, reducing errors, and data size.
Limit properties to needed ones: Avoid using -Properties * on large domains. Only specify the attributes you require for better performance and faster script execution.
Test with small datasets: Use the -ResultSetSize parameter to limit your initial export results and confirm your script works correctly before running a full domain export.

Limitation of using PowerShell to export enabled users

Manual scheduling required: No built-in scheduling without complex configuration for regular exports.
Complex filtering syntax: Creating advanced filters for enabled users requires PowerShell expertise.
No data validation: Exported data isn't automatically validated for completeness or accuracy.
Performance degradation: Large exports of enabled accounts CSV can time out or consume excessive memory.
Limited error recovery: Script failures during export might result in partial or corrupted files.
No incremental exports: Cannot easily export only changes since last run without complex scripting.

Highlights of using ADManager Plus to export AD enabled users

One-click report for enabled users: Generate active users report without any PowerShell scripting knowledge.
Scheduled reports: Set up recurring enabled user report generation.
Multiple export formats: Export to CSV, XLS, PDF, and HTML with professional formatting.
Custom reports: Save and reuse export configurations for consistent reporting.

Generate and export AD enabled users to CSV with ADManager Plus

Try it now for free

Related features:

Related Powershell Guides: