

active directory users, save to CSV

Get-ADUser -Filter {mail -like "*" -and enabled -eq "true" -and Surname -like "*"} | Select-Object GivenName, Surname, Name, UserPrincipalName  | Export-Csv documents\ADusers4.csv

Notice this only gets users with





email, find AD Object using - see


find where some entity might reside whether user/group/contact/alias - when I want to search exhaustively through AD, I run the following 5 commands in PowerShell:

$SearchUser = "someone";
Get-ADObject -LDAPFilter "objectClass=Contact" -Properties Name,mail | Where-Object{$_.mail -like "$($SearchUser)*"} | ft Name, mail, distinguishedName;
Get-ADGroup -Filter {(GroupCategory -eq "Distribution") -and (mail -like "$($SearchUser)*")} -Properties name, mail, distinguishedName | ft name, mail, distinguishedName;
Get-ADGroup -Filter {(GroupCategory -eq "Security") -and (mail -like "$($SearchUser)*")} -Properties name, mail, distinguishedName | Sort-Object mail | ft name, mail, distinguishedName;
Get-ADUser -Filter {mail -like "$($SearchUser)*"} -Properties UserPrincipalName, mail, distinguishedName | ft UserPrincipalName, mail, distinguishedName;
Get-ADUser -Filter * -Properties ProxyAddresses | Where-Object {$_.ProxyAddresses -match "$($SearchUser)" } | fl;
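
The same exhaustive search as a single server-side LDAP query, with the search term escaped so that characters such as * or ( in it cannot change the filter. This is an added example, not part of the original notes; the function names Find-ADMailEntity and ConvertTo-LdapFilterValue are hypothetical, and because it queries every object class it can also return mail-enabled objects other than users, groups and contacts.

```powershell
# Added example: one server-side query instead of five separate passes.
# Find-ADMailEntity and ConvertTo-LdapFilterValue are hypothetical helper names.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory)][string]$Value)
    # Escape the RFC 4515 special characters so the search term cannot
    # alter the structure of the LDAP filter. The backslash must go first.
    $v = $Value.Replace('\', '\5c')
    $v = $v.Replace('*', '\2a')
    $v = $v.Replace('(', '\28')
    $v = $v.Replace(')', '\29')
    $v.Replace([string][char]0, '\00')
}

function Find-ADMailEntity {
    param([Parameter(Mandatory)][string]$SearchTerm)
    $safe = ConvertTo-LdapFilterValue -Value $SearchTerm
    # Match when mail starts with the term, or any proxyAddresses value contains it.
    $filter = "(|(mail=$safe*)(proxyAddresses=*$safe*))"
    Get-ADObject -LDAPFilter $filter -Properties mail, proxyAddresses |
        Sort-Object ObjectClass, Name |
        Select-Object ObjectClass, Name, mail,
            @{Name = 'ProxyAddresses'; Expression = { $_.proxyAddresses -join '; ' }},
            DistinguishedName
}

# 'someone' is the same placeholder search term used in the commands above.
Find-ADMailEntity -SearchTerm 'someone' | Format-Table -AutoSize
```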

To look for:



Get-ADUser, all properties - see user, all properties

Get-ADUser, filter on a property to be null - see null, filter on property

groups, find to which groups a user belongs

Get-ADPrincipalGroupMembership someUser | select Name, GroupCategory, GroupScope

groups, delete a user from all but one

We don’t want to remove this user from “Domain Users” just yet especially if we’re going to keep his ID around for a while as a shared mailbox accessible by his successor.

There's no provider filter parameter for Get-ADPrincipalGroupMembership, so we must use late filtering:

Get-ADPrincipalGroupMembership someUser | Where-Object {$_.name -ne 'Domain Users'} | select name, GroupCategory, GroupScope

To remove a user from all groups in AD, go to their ID in ADUC, look at what’s in “member of”, and remove his membership in all groups except “Domain Users”. Or, with PowerShell:

Get-ADPrincipalGroupMembership someUser | Where-Object {$_.name -ne 'Domain Users'} | % {Remove-ADPrincipalGroupMembership -Identity someUser -MemberOf $_ -confirm:$false}
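
A variant of the removal above that first saves the user's memberships to a CSV, so the change can be audited or reversed, and supports -WhatIf for a dry run. This is an added example, not part of the original notes; the function name Remove-DepartingUserGroups and the CSV file name are hypothetical.

```powershell
# Added example; Remove-DepartingUserGroups and the audit file name are hypothetical.
Import-Module ActiveDirectory

function Remove-DepartingUserGroups {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Identity,
        [string[]]$Keep = @('Domain Users'),
        [string]$AuditPath = "$($Identity)-groups-$(Get-Date -Format yyyyMMdd-HHmmss).csv"
    )
    $groups = @(Get-ADPrincipalGroupMembership -Identity $Identity)

    # Record every membership before changing anything (audit trail / rollback).
    # -WhatIf:$false makes sure the record is written even during a dry run.
    $groups | Select-Object Name, GroupCategory, GroupScope, DistinguishedName |
        Export-Csv -Path $AuditPath -NoTypeInformation -WhatIf:$false

    $toRemove = @($groups | Where-Object { $_.Name -notin $Keep })
    foreach ($group in $toRemove) {
        if ($PSCmdlet.ShouldProcess($group.DistinguishedName, "Remove member $Identity")) {
            Remove-ADPrincipalGroupMembership -Identity $Identity -MemberOf $group -Confirm:$false
        }
    }

    # Return what is left so the caller can verify the result.
    Get-ADPrincipalGroupMembership -Identity $Identity |
        Select-Object Name, GroupCategory, GroupScope
}

# Dry run first: lists what would be removed and changes nothing in AD.
Remove-DepartingUserGroups -Identity someUser -WhatIf
```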

groups in an OU, display

Get-ADGroup -Filter '*' | select-object * | Where-Object {$_.distinguishedname -like "*,OU=yourOU,*"} | sort-Object groupCategory,GroupScope,name | ft name,groupCategory,GroupScope, DistinguishedName


Get-ADGroup -Filter * -SearchBase 'OU=yourOU,DC=yourdomain,DC=com' | sort-Object SearchBase,groupCategory,GroupScope,name | ft name,groupCategory,GroupScope, DistinguishedName

groups, list by type

Get-ADGroup -filter * | Sort-Object GroupCategory,GroupScope,Name | ft Name,GroupCategory,GroupScope, DistinguishedName








null, filter on property

In this example, we want to find all ADUsers whose msExchHideFromAddressLists property is not set. So we quite reasonably attempt to filter on that property being equal to the $null variable:

Get-ADuser -filter {msExchHideFromAddressLists -eq $null} -Properties msExchHideFromAddressLists | ft Name, msExchHideFromAddressLists

But that fails with:

Get-ADuser : Variable: 'null' found in expression: $null is not defined.

So, instead filter on -notlike "*":

Get-ADuser -filter {msExchHideFromAddressLists -notlike "*"} -properties msExchHideFromAddressLists | ft Name, msExchHideFromAddressLists

You can actually still filter on the $null variable, just not in the very first part of the command where you're using the -filter. Instead, use it later, after a pipe:

Get-ADuser -filter * -properties msExchHideFromAddressLists | ? {$_.msExchHideFromAddressLists -eq $null} | ft Name, msExchHideFromAddressLists

I like to think that the first method of filtering on -notlike "*" is more efficient and elegant.


OUs (Organizational Units), list

Get-ADOrganizationalUnit -filter * | ft Name, DistinguishedName

OUs for contacts (just the lowest level)

Get-ADObject -filter {objectclass -eq "contact" } -Properties targetaddress,distinguishedName | Sort-Object {((($_.DistinguishedName.Split(',', 2))[1]).Split(',', 2))[0]},name | select name, targetaddress,@{Name='OU';Expression={((($_.DistinguishedName.Split(',', 2))[1]).Split(',', 2))[0]}} | ogv


properties, see all - sometimes by default, when you run a "Get-" command, even with a "fl" appended, you don't get all the properties

Get-ADUser someuser -Properties *



rename a user

Seems like this ought to be simple, right? But problem: it seems that you need to use the Rename-ADObject and that command wants an identity. And all you might have is a name. So you have to pipe the Get-ADuser into a Set-ADuser (in order to get an object with an identity) and then finally pipe that into Rename-ADObject. The first two commands are probably superfluous; included here in case you already had $DepartingUserIdentity as a variable earlier in a script. The last command is what you really need.

$DepartingUserIdentity = "someUser";
$DepartingUserName = (Get-ADUser $DepartingUserIdentity).Name
Get-ADUser $DepartingUserIdentity | Set-ADUser -PassThru | Rename-ADObject -NewName "departed $DepartingUserName" -PassThru


search for where some entity might reside whether user/group/contact/alias - see find where some entity might reside whether user/group/contact


trust relationship broken

Test-ComputerSecureChannel -credential yourdomain\someadmin -Repair


user, all properties

If you try to get a "full list" of all the properties for a user, you'll end up with a rather disappointingly small list:

Get-ADUser someuser

You know there's more stuff buried in there! So use this instead:

Get-ADUser someuser -Properties *

user, compare all properties for a list

("user1", "user2") | %{Get-ADUser $_ -Properties *} | export-csv "c:SomeFile.csv"

userParameters, find users whose userParameters is not null

Get-ADUser -Filter * -Properties samAccountName, userParameters | where {$_.userParameters -ne $null} | Sort-Object samAccountName | fl samAccountName, userParameters