Use PowerShell to see important account properties

When it comes to querying Active Directory, there is no easier way to see information about user and computer objects than PowerShell. PowerShell lets you query any property of those objects and, if you like, carry out actions based on the results.

This includes selecting just the subset of attributes you want to see. That is extremely handy when a particular group of attributes helps in troubleshooting, for instance, a user's logon problems. Let's take a look at how to use PowerShell to see important account properties.

Use PowerShell to see important account properties

Let's look at the basics with get-aduser. You can see the syntax and all the parameters of get-aduser by running the get-help get-aduser command.

NAME
    Get-ADUser

SYNOPSIS
    Gets one or more Active Directory users.


SYNTAX
    Get-ADUser [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
    <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope {Base | OneLevel | Subtree}] [-Server
    <String>] -Filter <String> [<CommonParameters>]

    Get-ADUser [-Identity] <ADUser> [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Partition <String>]
    [-Properties <String[]>] [-Server <String>] [<CommonParameters>]

    Get-ADUser [-AuthType {Negotiate | Basic}] [-Credential <PSCredential>] [-Properties <String[]>] [-ResultPageSize
    <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope {Base | OneLevel | Subtree}] [-Server
    <String>] -LDAPFilter <String> [<CommonParameters>]

As you can see above, quite a few parameters can be passed to the get-aduser cmdlet. If we want to see all the users we have in Active Directory, we can do that with the following:

get-aduser -filter *

Now we can start to see the power of get-aduser for selecting and querying users. Instead of returning everyone, let's select a particular user by identity and ask for all of that user's properties.

get-aduser -identity username -properties *

The above will show all the attributes of the Active Directory user. Now we can start selecting attributes to home in on the exact properties that we would like to see in the results. For instance:

get-aduser -identity username -properties * | select samaccountname, lockedout

Now, what is really useful is to pull out most, if not all, of the attributes that are helpful in troubleshooting a user who is having problems logging in:

get-aduser -identity username -properties * | select accountexpirationdate, accountexpires, accountlockouttime, badlogoncount, badpwdcount, lastbadpasswordattempt, lastlogondate, lockedout, passwordexpired, passwordlastset, pwdlastset | format-list

You will see results similar to the following in a nice, neat, formatted list:

[Screenshot: formatted list of the selected account properties]

If you wanted to see the above properties for every user you have in Active Directory, you could do the following:

get-aduser -filter * -properties * | select accountexpirationdate, accountexpires, accountlockouttime, badlogoncount, badpwdcount, lastbadpasswordattempt, lastlogondate, lockedout, passwordexpired, passwordlastset, pwdlastset | format-list
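
The commands above return accountexpires and pwdlastset as raw 64-bit numbers and pull every attribute for every user. The following is an added example, not code from the original post: it requests only the attributes listed above, converts the raw values to dates, and reduces the all-users query to accounts with a current logon problem. The function names ConvertFrom-AdFileTime and ConvertTo-LogonReport are hypothetical helpers introduced here.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# Request only the attributes this page uses instead of -Properties *.
$LogonProps = 'AccountExpirationDate', 'accountExpires', 'AccountLockoutTime',
              'BadLogonCount', 'badPwdCount', 'LastBadPasswordAttempt',
              'LastLogonDate', 'LockedOut', 'PasswordExpired',
              'PasswordLastSet', 'pwdLastSet'

function ConvertFrom-AdFileTime {   # hypothetical helper name
    # accountExpires and pwdLastSet are raw 64-bit FILETIME values
    # (100 ns intervals since 1601-01-01 UTC). 0 and Int64.MaxValue mean
    # "not set / never" and would make FromFileTimeUtc mislead or throw.
    param($Value)
    if ($null -eq $Value -or $Value -le 0 -or $Value -eq [long]::MaxValue) { return $null }
    [DateTime]::FromFileTimeUtc([long]$Value)
}

function ConvertTo-LogonReport {    # hypothetical helper name
    param([Parameter(Mandatory, ValueFromPipeline)]$User)
    process {
        $expires = ConvertFrom-AdFileTime $User.accountExpires
        [pscustomobject]@{
            SamAccountName         = $User.SamAccountName
            LockedOut              = $User.LockedOut
            AccountLockoutTime     = $User.AccountLockoutTime
            BadPwdCount            = $User.badPwdCount
            LastBadPasswordAttempt = $User.LastBadPasswordAttempt
            LastLogonDate          = $User.LastLogonDate
            PasswordExpired        = $User.PasswordExpired
            PasswordLastSetUtc     = ConvertFrom-AdFileTime $User.pwdLastSet
            MustChangePassword     = ($User.pwdLastSet -eq 0)   # 0 = change at next logon
            AccountExpiresUtc      = $expires
            AccountExpired         = ($null -ne $expires -and $expires -lt [DateTime]::UtcNow)
        }
    }
}

# One user ('username' is the same placeholder the post uses).
Get-ADUser -Identity username -Properties $LogonProps | ConvertTo-LogonReport | Format-List

# Every user, reduced to accounts that currently have a logon problem.
Get-ADUser -Filter * -Properties $LogonProps | ConvertTo-LogonReport |
    Where-Object { $_.LockedOut -or $_.PasswordExpired -or $_.MustChangePassword -or $_.AccountExpired } |
    Format-Table SamAccountName, LockedOut, PasswordExpired, MustChangePassword, AccountExpired -AutoSize
```

badPwdCount and LastBadPasswordAttempt are not replicated between domain controllers, so the values shown are those held by the DC that answered the query; use the -Server parameter from the syntax above to ask a specific DC.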

Final Thoughts

PowerShell cmdlets are a great way to manage your Active Directory infrastructure, especially when it comes to querying user and computer accounts and the attributes set on each one. As you can see from the post, with a few simple cmdlets we can use PowerShell to see important account properties and have pertinent information about a user account at our fingertips.