Use PowerShell to Find Non-Default User Properties in AD


Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and the Active Directory module provider to find non-default AD DS user properties.

Hey, Scripting Guy! I need to find information about users, such as office location and phone number, that is not returned by the Active Directory module provider by default. How do I do this?

—DP

Hello DP,

Microsoft Scripting Guy, Ed Wilson, is here. Today is what is officially called the calm after the storm. Massive thunderstorms ripped through Charlotte last night, knocking out power and phones. Hey, that is OK; but dude, I lost my Internet connection in the process. Major bummer. With battery backups, a generator, and what-not, I can handle bad weather—as long as it does not knock out my Internet connection. I do not have a backup ISP provider. Hey, where I live, I was lucky to get the one I have. Oh, well.

Guess what? I was just told that Windows PowerShell MVP and honorary Scripting Guy, Sean Kearney, will be presenting at Microsoft TechEd in New Orleans and in Madrid. Way to go Sean! By the way, there are two more days until the $300 discount expires.

Note   This is the third in a series of blog postings about using the Active Directory module provider. The first blog is an overview called Playing with the AD: Drive for Fun and Profit. The second blog is Find Active Directory User Information with the PowerShell Provider, in which I talk about how to use the Windows PowerShell provider to find user information in Active Directory.

Quick review

To create the Charlotte: PSDrive (points to the Charlotte organizational unit or OU), I ran the following commands. (Obviously, you need to change the commands to point to an OU and a domain that exist on your system.)

PS C:\> ipmo activedirectory
PS C:\> New-PSDrive -Name charlotte -PSProvider activedirectory -Root "AD:\ou=charlotte,dc=iammred,dc=net"

Name           Used (GB)     Free (GB) Provider      Root
----           ---------     --------- --------      ----
charlotte                              ActiveDire... //RootDSE/ou=charlotte,dc=ia...

PS C:\> sl charlotte:
PS charlotte:\>

Getting properties of the user

I might think that to easily see all of the information associated with the Ed Wilson user, I can pipe the output to the Format-List (fl is an alias) cmdlet as shown here.

PS charlotte:\> dir | ? name -match 'ed wilson' | fl *

The command and the output associated with the command are shown in the image that follows.

Image of command output

The problem with this approach is that only four properties of the user return. The four default properties are DistinguishedName, Name, ObjectClass, and ObjectGUID. However, a quick look in Active Directory Users and Computers reveals that there are many more attributes and values available. This is shown here.

Image of menu

What about Get-ADUser?

For performance reasons, the Get-ADUser cmdlet does not return all properties of a user object. By default, it returns the following properties:

PS C:\> Get-ADUser 'cn=ed wilson,ou=charlotte,dc=iammred,dc=net' | select -expand propertynames
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName

Therefore, if I want to access additional attributes and their associated values, I need to specifically request the attributes I desire. Unfortunately, the attribute names bear little relationship to the names that appear in Active Directory Users and Computers. The best way to find the required attributes is to use ADSI Edit. In modern versions of ADSI Edit, there is a view that shows only attributes that contain values. Consequently, it is fairly easy to match the actual name of the Active Directory attribute and the name that appears in Active Directory Users and Computers.

Note   In my Windows PowerShell 3.0 Step by Step book, I have a chapter that includes screenshots that map the Active Directory Users and Computers interface to the actual AD Attribute names.

The ADSI Edit property sheet for the Ed Wilson user object is shown here.

Image of menu

Use Get-ItemProperty to get other attributes

So what is the trick to obtaining additional attributes from the user object beyond the four default properties returned by Get-Item? One approach is to use the Get-ItemProperty cmdlet. This technique is shown here where I retrieve the city (lower case L) attribute for the user.

PS charlotte:\> Get-ItemProperty -Path '.\CN=ed wilson' -Name l

l            : Charlotte
PSPath       : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/CN=ed
               wilson,ou=Charlotte,DC=Iammred,DC=net
PSParentPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/ou=Ch
               arlotte,DC=Iammred,DC=net
PSChildName  : CN=ed wilson
PSDrive      : charlotte
PSProvider   : Microsoft.ActiveDirectory.Management\ActiveDirectory

Use Get-Item to get other attributes

I do not have to use the Get-ItemProperty cmdlet to retrieve other attributes from a user object. I can use the Get-Item cmdlet and type in an array of attributes in the Properties parameter. This technique is shown here where I add in the city (l) and the phone number (telephoneNumber) to the command.

PS charlotte:\> get-item -Path "cn=ed wilson" -Properties l, telephonenumber

PSPath             : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE
                     /cn=ed wilson,ou=charlotte,dc=iammred,dc=net
PSParentPath       : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE
                     /ou=charlotte,dc=iammred,dc=net
PSChildName        : cn=ed wilson
PSDrive            : charlotte
PSProvider         : Microsoft.ActiveDirectory.Management\ActiveDirectory
PSIsContainer      : True
distinguishedName  : cn=ed wilson,ou=charlotte,dc=iammred,dc=net
l                  : Charlotte
name               : ed wilson
objectClass        : user
objectGUID         : bb10b5a2-58d7-4f8a-ab10-2ee84fc7cb58
telephoneNumber    : 555-555-1212
PropertyNames      : {distinguishedName, l, name, objectClass...}
AddedProperties    : {}
RemovedProperties  : {}
ModifiedProperties : {}
PropertyCount      : 7

Use Get-Item and retrieve all of the attributes

I can also use a wildcard character (*) to retrieve all of the attributes for my user object. The command is shown here.

PS charlotte:\> get-item -Path "cn=ed wilson" -Properties *

The command and its associated output are shown in the following image.

Image of command output
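
Added example (not code from the original post): the same Get-Item -Properties call applied to every user in the OU, requesting only the named attributes rather than * and flagging the ones that have no value. The function name Get-OuUserAttributeReport and the default attribute list are assumptions for illustration; physicalDeliveryOfficeName is the LDAP attribute behind the Office field in Active Directory Users and Computers.

```powershell
# Added example; the function name and default attribute list are illustrative.
Import-Module ActiveDirectory

function Get-OuUserAttributeReport {
    [CmdletBinding()]
    param(
        # Provider path of the OU to review, for example 'charlotte:\'
        [Parameter(Mandatory = $true)]
        [string]$OuPath,

        # LDAP attribute names as shown in ADSI Edit, not the ADUC labels
        [string[]]$Attribute = @('l', 'telephoneNumber', 'physicalDeliveryOfficeName')
    )

    # Get-ChildItem returns only the four default properties; use it to list the users.
    $users = Get-ChildItem -LiteralPath $OuPath |
        Where-Object { $_.ObjectClass -eq 'user' }

    foreach ($user in $users) {
        # Ask the provider for just the attributes needed instead of -Properties *
        $item = Get-Item -LiteralPath $user.PSPath -Properties $Attribute

        $row     = [ordered]@{ Name = $user.Name }
        $missing = @()

        foreach ($attr in $Attribute) {
            # An attribute with no value comes back empty or not at all
            $value = $item.$attr
            if ($null -eq $value -or "$value" -eq '') {
                $row[$attr] = $null
                $missing   += $attr
            }
            else {
                $row[$attr] = $value
            }
        }

        $row['Missing'] = $missing -join ','
        [pscustomobject]$row
    }
}

# Report on the OU behind the charlotte: drive created earlier
Get-OuUserAttributeReport -OuPath 'charlotte:\' | Format-Table -AutoSize
```

Requires Windows PowerShell 3.0 or later for [ordered] and [pscustomobject].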

DP, that is all there is to using the Active Directory module provider to find information about users. Active Directory Week will continue tomorrow when I will talk about modifying user attributes.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Leave a Comment
  • how about Get-ADUser –Filter ' name -like "*username*"'  -prop *

  • @Tonyr that will definitely work. Thanks for sharing.

  • Very useful but get-aduser's Properties parameter would seem to work the same way

  • @Jkavanagh58 Of course it would work the same way -- my point this week is to show how to use the ActiveDirectory provider (in fact if you have Get-ADUser cmdlet you automatically have this AD: drive). The cool thing about Windows PowerShell is that it lets you work the way that you want to do. So if you enjoy using the specialized cmdlets from the ActiveDirectory module that is fine. But my point this week is that you can also do much of the same thing by using the *item cmdlets and therefore you do not need to learn any new cmdlets if you do not want to do so. It is all about choices and you can therefore work the way it is most natural for you to do so.

  • Confusing article, you start off talking about Get-ADUser, then digress to Get-Item and Get-ItemProperty

  • It's only confusing if you don't read the article properly

  • Very helpful article. Nice to know how to use the base PowerShell cmdlets out of the box. Especially when there is a freeze in deployments to our production boxes and cannot install the AD cmdlets!

  • I was able to review the status of many users looking at the LastLogonTimestamp attribute, but I have found one user (who is an active user, and has been for many years) where there is no LastLogonTimestamp value for them. Any idea what might be causing that?

  • Found a blog that discusses something similar

    http://shabaztech.com/retrieving-user-properties-from-active-directory/

  • thanks