Gets one or more Active Directory users.
Example: Get all of the properties for a specified user
Get-ADUser -Identity ravindra.sharma -Properties *
Acceptable values for the -Identity parameter are:
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
Example: Get all user accounts count
(Get-ADUser -Filter *).Count
Example: Get a User by User Principal Name (UPN)
Get-ADUser -Filter 'UserPrincipalName -eq "ravindra.sharma@rs.local"'
Example: Get a filtered list of users
Get-ADUser -Filter 'Name -like "*ravindra*"'
$OUpath = "ou=People,dc=rs,dc=local"
Get-ADUser -Filter * -SearchBase $OUpath
Example: Get All Disabled Users
Get-ADUser -Filter {Enabled -eq $false} -Properties DisplayName, Enabled
Example: Get All Enabled Users
Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, Enabled
Example: Find All Locked-Out Users
Search-ADAccount -LockedOut | Select-Object Name,SamAccountName,UserPrincipalName,Enabled,LastLogonDate | Format-Table -AutoSize
Example: Unlock a Locked-Out User
Unlock-ADAccount -Identity ravindra.sharma
Example: Find Users Whose Password Never Expires
Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true }
Example: Find Users with Expired Passwords
Get-ADUser -Filter * -Properties "msDS-UserPasswordExpiryTimeComputed" | Select-Object Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}} | Where-Object { $_.ExpiryDate -and $_.ExpiryDate -lt (Get-Date) }
Example: Find Users Who Haven't Logged in for 30+ Days (inactive users)
$ThirtyDaysAgo = (Get-Date).AddDays(-30)
Get-ADUser -Filter * -Properties LastLogonDate | Where-Object { $_.LastLogonDate -lt $ThirtyDaysAgo }
Example: Find Users Whose Passwords Have Not Changed in the Last 90 Days
$NinetyDaysAgo = (Get-Date).AddDays(-90)
Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -lt $NinetyDaysAgo }
🔆🔆🔆🔆🔆
Security & Legacy AD User Queries
Example: Find Users with Passwords That Never Expire (Legacy Risk)
Why? Some legacy systems may have accounts with non-expiring passwords, which is a security risk.
Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select Name, SamAccountName, PasswordNeverExpires
Example: Find Users with Empty or NULL Passwords (Critical Risk)
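Why? Accounts without passwords are a major security vulnerability. AD does not reveal whether a password is blank, so this query uses a null PasswordLastSet (password never set, or flagged for change at next logon) as the indicator; the PasswordNotRequired property shows which accounts are permitted to have no password.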
Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | Select Name, SamAccountName
Example: Find Users with Weak Passwords (Reversible Encryption Enabled)
Why? Passwords stored using reversible encryption can be easily decrypted.
Get-ADUser -Filter * -Properties AllowReversiblePasswordEncryption | Where-Object { $_.AllowReversiblePasswordEncryption -eq $true } | Select Name, SamAccountName
Example: Find Disabled but Not Deleted Users (Legacy Accounts Risk)
Why? These accounts might still be used for lateral movement attacks.
Get-ADUser -Filter {Enabled -eq $false} -Properties LastLogonDate | Select Name, SamAccountName, LastLogonDate
Example: Find Users with Admin Privileges (Privilege Creep)
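Why? Over-privileged users increase security risks. This query matches direct members of Domain Admins only; users who inherit the group through nesting are not listed.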
Get-ADUser -Filter * -Properties MemberOf | Where-Object { $_.MemberOf -match "CN=Domain Admins" } | Select Name, SamAccountName
Example: Find Users with Delegation Enabled (Kerberos Delegation Risk)
Why? Users with delegation rights can impersonate others, which is a risk if misconfigured.
Get-ADUser -Filter * -Properties TrustedForDelegation | Where-Object { $_.TrustedForDelegation -eq $true } | Select Name, SamAccountName
Example: Find Users with SPN (Kerberoasting Risk)
Why? Service Principal Names (SPN) can be used in Kerberoasting attacks.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName | Select Name, ServicePrincipalName
Example: Find Users with SID History (SID Injection Risk)
Why? SID history can be exploited to escalate privileges.
Get-ADUser -Filter * -Properties SIDHistory | Where-Object { $_.SIDHistory -ne $null } | Select Name, SamAccountName, SIDHistory
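Added example (not part of the original page): the security checks above folded into one function that tags each user with every risk flag that applies, run here on constructed sample objects. The function name Get-ADUserRiskFlag, the flag labels and the sample accounts are assumptions made for illustration.

```powershell
# Added example: apply the checks above in one pass and list every flag per user.
# Function name, flag labels and sample accounts are hypothetical.
function Get-ADUserRiskFlag {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        # Direct membership only, like the query above; nested groups are not resolved.
        [string]$AdminGroupPattern = '^CN=Domain Admins,'
    )
    process {
        $flags = @()
        if ($User.PasswordNeverExpires)              { $flags += 'PasswordNeverExpires' }
        if ($null -eq $User.PasswordLastSet)         { $flags += 'PasswordNeverSet' }
        if ($User.AllowReversiblePasswordEncryption) { $flags += 'ReversibleEncryption' }
        if ($User.TrustedForDelegation)              { $flags += 'TrustedForDelegation' }
        if ($User.ServicePrincipalName)              { $flags += 'HasSPN' }
        if ($User.SIDHistory)                        { $flags += 'HasSIDHistory' }
        if (@($User.MemberOf) -match $AdminGroupPattern) { $flags += 'DomainAdmin' }
        if (-not $User.Enabled)                      { $flags += 'Disabled' }
        # Emit only accounts that tripped at least one check.
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                FlagCount      = $flags.Count
                Flags          = $flags -join ', '
            }
        }
    }
}

# Constructed sample objects so the function runs without a domain controller.
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc-sql'; Enabled = $true; PasswordNeverExpires = $true
        PasswordLastSet = [datetime]'2019-03-01'; AllowReversiblePasswordEncryption = $false
        TrustedForDelegation = $false; ServicePrincipalName = @('MSSQLSvc/db01.rs.local:1433')
        SIDHistory = @(); MemberOf = @('CN=Domain Admins,CN=Users,DC=rs,DC=local') }
    [pscustomobject]@{ SamAccountName = 'old.admin'; Enabled = $false; PasswordNeverExpires = $false
        PasswordLastSet = $null; AllowReversiblePasswordEncryption = $false
        TrustedForDelegation = $true; ServicePrincipalName = @()
        SIDHistory = @('S-1-5-21-1111111111-2222222222-3333333333-1105'); MemberOf = @() }
    [pscustomobject]@{ SamAccountName = 'j.doe'; Enabled = $true; PasswordNeverExpires = $false
        PasswordLastSet = [datetime]'2025-01-10'; AllowReversiblePasswordEncryption = $false
        TrustedForDelegation = $false; ServicePrincipalName = @()
        SIDHistory = @(); MemberOf = @('CN=Helpdesk,OU=Groups,DC=rs,DC=local') }
)
$sample | Get-ADUserRiskFlag | Sort-Object FlagCount -Descending | Format-Table -AutoSize
```

Against a live domain, pipe Get-ADUser -Filter * into the function after requesting the same properties with -Properties (PasswordNeverExpires, PasswordLastSet, AllowReversiblePasswordEncryption, TrustedForDelegation, ServicePrincipalName, SIDHistory, MemberOf).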
🔆🔆🔆🔆🔆
Get AD Users
# DEFINE THE OUTPUT CSV FILE PATH
$csvPath = ".\ADUsersReport.csv"
# DEFINE ALL REQUIRED ATTRIBUTES (INCLUDING CUSTOM ATTRIBUTES)
$attributes = @(
    "DistinguishedName",
    "Name",
    "SamAccountName",
    "UserPrincipalName",
    "Mail",
    "GivenName",
    "Surname",
    "DisplayName",
    "Title",
    "Department",
    "Company",
    "EmployeeID",
    "Description",
    "Enabled",
    "Created",
    "Modified",
    "LastLogonDate",
    "Manager",
    "StreetAddress",
    "City",
    "State",
    "PostalCode",
    "Country",
    "MobilePhone",
    "OfficePhone",
    "HomePhone",
    "ProxyAddresses",
    "MemberOf",
    "WhenCreated",
    "WhenChanged",
    "msDS-UserPasswordExpiryTimeComputed",
    "msDS-LastSuccessfulInteractiveLogonTime",
    "msDS-FailedInteractiveLogonCount",
    "extensionAttribute1",
    "extensionAttribute2",
    "extensionAttribute3"
)
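# MULTI-VALUED ATTRIBUTES ARE JOINED WITH ";", OTHERWISE THE CSV CELL HOLDS ONLY THE COLLECTION TYPE NAME
$multiValued = "ProxyAddresses", "MemberOf"
$columns = @($attributes | Where-Object { $_ -notin $multiValued })
$columns += @{ Name = "ProxyAddresses"; Expression = { $_.ProxyAddresses -join ";" } }
$columns += @{ Name = "MemberOf"; Expression = { $_.MemberOf -join ";" } }
# GET ALL AD USERS AND STREAM THEM TO CSV (AVOIDS REBUILDING AN ARRAY WITH += FOR EVERY USER)
Get-ADUser -Filter * -Properties $attributes |
    Select-Object $columns |
    Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
Write-Host "Export completed: $csvPath"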
🔆🔆🔆🔆🔆