In the previous section, we learned about the Get-ADUser and Get-ADComputer cmdlets and how they can be used with other commands to filter out objects from Active Directory and perform administrative tasks. They can also be used to retrieve specific attribute values from filtered objects:
Get-ADUser -Identity user1 -Properties *
The preceding command will list down all the attributes and values associated with user1. This helps us find the exact attribute names and common values, which be can used for further filtering.
I need to know the values for Name, UserPrincipalName, and Modified for all the users. The following command will create a table with attributes and their values:
Get-ADUser -Filter * -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified
The following screenshot shows output for the preceding command:
I can see some accounts in the list that are service and administrator accounts. I only want to see the accounts in the Kingston office:
Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | ft Name,UserPrincipalName,Modified
The preceding command filters further based on the City value.
Now I have the list of data I need, and I'd like to export it to a CSV file for future use, like so:
Get-ADUser -Filter {City -like "Kingston"} -Properties Name,UserPrincipalName,Modified | select-object Name,UserPrincipalName,Modified | Export-csv -path C:ADUSerList.csv
This example demonstrates how a search query can be built up from a granular level to find the exact information needed from objects.
The Search-ADAccount cmdlet can also be used to search for Active Directory objects based on account and password status. The full syntax of the cmdlet can be retrieved using the following command:
Get-Command Search-ADAccount -Syntax
As an example, it can be used to filter accounts that are locked out:
Search-ADAccount -LockedOut | FT Name,UserPrincipalName
This command will list down all the locked-out accounts with name and UPN.
Unlike the graphical tools, PowerShell queries can be built to filter exact objects and data from Active Directory.