Comparing cmdlets: [search-adaccount -accountdisabled] vs. [get-aduser -ldapfilter "(&(objectcategory=person)(objectclass=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))"]

Similar Messages

• Get-ADUser : The server has returned the following error: invalid enumeration context.

  I'm running a powershell command to add the email (AD mail) attribute to users in a specific OU.  It seems to work then will bomb out with the error in the title.
  I'm using a "scripting guy" command that I've altered with my specfic OU/domain information however, I'm pasting in the more "generic" version :: Get-ADUser -LDAPFilter "(!(mail=\.name*))" -resultSetSize $null -searchbase "ou=test,dc=nwtraders,dc=com"|
  % {set-aduser -identity $_.distinguishedname -email ($_.samaccountname + "@nwtraders.com")}
  I work for a school district and this command is being used to add the mail attribute to the student's accounts.  I think about 2/3 of the students are completed but the script/command bombs and I'm not sure where or why.  I've resubmitted the
  command several times but I'm not sure whether it's starting from where it bombed or if it's starting again at the beginning and essentially re-doing the ones already completed.
  Can someone point me in the direction of a work around or a resolution to the Get-ADUser error?
  Thanks!!

  I don't know the error, so I can only guess there. But the LDAP syntax filter cannot be correct. Can you provide a link to the reference where "Scripting Guy" suggested this?
  As written, you are retrieving all users where the mail attribute does not begin with the string ".name" (case insensitve), where "name" is not a property or attribute, but a string value. LDAP syntax clauses are in the format:
  (<attributeName><operator><value>)
  In your case, <operator> is "=", <attributeName> is "mail", and <value> is ".name". The "\" character is the escape character, which means to interpret the following character (the period in
  this case) literally. You cannot use an attribute name on the right side of the operator (the "="), unless PowerShell has introduced some functionality I am not familiar with to expand the LDAP syntax. For example, the following does not filter
  on users where the first name is the same as the last name:
  (givenName=\.sn)
  Instead, it filters on users where the first name is the string ".sn". Even if "\.name" was interpreted by the Get-ADUser cmdlet to be the "Name" attribute of the user, this would cause problems. "Name" is the
  Relative Distinguished Name of the user (the value of the cn attribute) and it could include commas or spaces. I would expect "\.sAMAccountName" to make more sense.
  Richard Mueller - MVP Directory Services

• How do I use Get-ADUser to get just the Managers attribute? And then get rid of duplicates in my array/hash table?

  Hello,
        I am trying to just get the Managers of my users in Active Directory. I have gotten it down to the user and their manager, but I don't need the user. Here is my code so far:
  Get-ADUser-filter*-searchbase"OU=REDACTED,
  OU=Enterprise Users, DC=REDACTED, DC=REDACTED"-PropertiesManager|SelectName,@{N='Manager';E={(Get-ADUser$_.Manager).Name}}
  |export-csvc:\managers.csv-append 
  Also, I need to get rid of the duplicate values in my hash table. I tried playing around with -sort unique, but couldn't find a place it would work. Any help would be awesome.
  Thanks,
  Matt

  I would caution that, although it is not likely, managers can also be contact, group, or computer objects. If this is possible in your situation, use Get-ADObject in place of Get-ADUser inside the curly braces.
  Also, if you only want users that have a manager assigned, you can use -LDAPFilter "(manager=*)" in the first Get-ADUser.
  Finally, if you want all users that have been assigned the manager for at least one user, you can use:
  Get-ADUser
  -LDAPFilter "(directReports=*)" |
  Select @{N='Manager';E={ (Get-ADUser
  $_.sAMAccountName).Name }}
  -Unique | Sort Manager |
  Export-Csv .\managerList.csv -NoTypeInformation
  This works because when you assign the manager attribute of a user, this assigns the user to the directReports attribute of the manager. The directReports atttribute is multi-valued (an array in essence).
  Again, if managers can be groups or some other class of object (not likely), then use Get-ADObect throughout and identify by distinguishedName instead of sAMAccountName (since contacts don't have sAMAccountName).
  Richard Mueller - MVP Directory Services

• Get-ADUser with the -LDAPfilter using a regex

  I'm by no means a novice to PowerShell, but for my first year and 1/2 using it the organization I worked for only had 2003 AD functional level, so to do AD stuff I needed to use the Quest Active Directory tools (get-qaduser). Now that I'm working for a place
  that is a bit more modern on their infrastructure, I just can't seem to wrap my head around get-aduser stuff when dealing with filters and LDAPfilters - AKA, "I'm used to QAD being easy, please help!"
  Could someone give me an overview with lots of examples?
  Thank you.
  [email protected]

  There's definitely examples in both of the links Boe posted. LDAP filtering is certainly different from OPath and takes some getting used to if you haven't seen it before. Here's another set of examples:
  http://clintboessen.blogspot.com/2009/10/ldap-queries-for-group-scope.html
  Is there anything specific you're trying to do with it?
  Don't retire TechNet! -
  (Don't give up yet - 12,700+ strong and growing)
  Ahhh, I see my mistake ... I was asking for just plain old syntax/examples, and what I really wanted was a few examples of the
  entire command.
  I.E.
  get-aduser -LDAPFilter "(badpwdcount>=5)"
  I just never seem to remember what needs quotes, what needs single quotes, what needs parens, what needs brackets ... etc.
  [email protected]

• Can anyone help with a powershell script using the search-adaccount cmdlet to filter out accounts that have been created in the last 90 days?

  Hi,
  I have the following script that is supposed to search AD for all user accounts that haven't logged into the domain in more than 90 days.  I first did not have the where-object clause because I didn't realize the search-adaccount would provide results
  back of users that have never logged in, but were created less than 90 days ago.  So I tried to incorporate the logic to not include user accounts that were created in the last 90 days.
  #requires -version 4
  #This script creates a file of accounts that have not been logged into in the past 90 days, excluding accounts that have been created within the past 90 days since the -AccountInactive option does not factor for the whenCreated property of an AD object
  $DateThreshold = ((Get-Date).AddDays(-90))
  $ReportDate = Get-Date -Format yyyy-MM-dd
  #Create a folder according to the current date to be used for storing the report
  New-Item -Path ".\$ReportDate" -ItemType Directory
  $InactiveUsers = Search-ADAccount -UsersOnly -AccountInactive -TimeSpan "90" -SearchBase "OU=XXXX,DC=XXXX,DC=XXXX,DC=XXXX" | Where-Object {$_.whenCreated -gt $DateThreshold} | Export-Csv ".\$ReportDate\Inactive90_$ReportDate.csv"
  However, I can't ever get the whenCreated field to populate with data.  What gives?

  Hi,
  Search-ADAccount doesn't return a whenCreated property. If you want that, you'll need to use Get-ADUser as well. Here's a basic example you can build from:
  $dateThreshold = (Get-Date).AddDays(-90)
  Search-ADAccount -UsersOnly -SearchBase 'OU=Users,DC=domain,DC=com' -AccountDisabled | ForEach {
  $whenCreated = (Get-ADUser -Identity $_.SamAccountName -Properties whenCreated).whenCreated
  If ($whenCreated -gt $dateThreshold) {
  $_
  Don't retire TechNet! -
  (Don't give up yet - 12,950+ strong and growing)

• Get-aduser compare attributes inside the -filter parameter

  Hello all,
  What I would like to do is use the -filter parameter of get-aduser to compare 2 attributes within the search itself, instead of having to process the differences afterwards.
  So here is how I normally use -filter:
  get-aduser -filter {(name -like "*") -and (displayname -like "*")} -Properties displayname | `
  Foreach-object{
  If($_.name -eq $_.displayname){
  "Match!"
  As you can see, I have to get all the users and their properties first, and then subsequently I have to use a ForEach-Object loop to determine if there are any matches.
  What I would like to do is do the comparison in the -filter parameter. Something like this:
  get-aduser -filter {name -eq displayname}
  However, I'm not aware of any way to compare attributes within -filter, and I wonder if anyone knows of a way? Or is a subsequent loop the only way to compare?

  Hi,
  You can use -and in the filter:
  Get-ADUser -Filter "SamAccountName -eq 'smithr' -and GivenName -eq 'Robert'"
  I'm not exactly sure if this is what you're asking about though.
  EDIT: I think I know what you're asking now. AFAIK, there is no way to use -Filter to return users who have the same DisplayName attribute as their Name attribute. You need to have something concrete to test against inside of the filter.
  Don't retire TechNet! -
  (Don't give up yet - 12,950+ strong and growing)

• Using get-aduser to search for enabled users in entire domain filter ..

  Hi,
  my first post here.
  I have the following problem. I am trying to figure out to create a powershell command (with get-aduser) that searches for only enabled
  users (in the entire domain),  whose user account login names starts with "b" or "B" (because their user account login names are composed of Bnnnnn, n=numbers). I suppose that a string of "B*" in the command should be sufficient. The query result
  must show the user account login name (Bnnnnn),  first name
  and last name  and the enabled  (yes) status  of those enabled users. I would like to write the entire query result to a file (csv format), saving it to c: for example
  Please help. Thanks in advance

  I use -LDAPFilter mostly because I am used to the LDAP syntax. It can be used in PowerShell, VBScript, dsquery, VB, and many command line utilities (like Joe Richards' free adfind utility). Active Directory is an LDAP compliant database.
  The PowerShell -Filter syntax can do the same things, but the properties it exposes are really aliases. I'm used to the AD attribute names, like sAMAccountName and userAccountControl. PowerShell uses things like "enabled" and "surname", which are aliases
  you need to know or look up. For example, the Get-ADUser default and extended properties, with the actual AD attributes they are based on, are documented here:
  http://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx
  Finally, note that the "Name" property refers to the Relative Distinguished Name (RDN) of the object, which for user objects is the value of the cn attribute (the Common Name of the user). This may not uniquely identify the user, as it only needs to be unique
  in the parent OU/container. The user login name (pre-Windows 2000 logon name) is the value of the sAMAccountName attribute, which must be unique in the domain. In the Wiki article I linked, we see that the PowerShell alias for this attribute is "SamAccountName"
  (in this case the name of the property matches the name of the AD attribute). All of this can be confusing.
  Richard Mueller - MVP Directory Services

• Powershell AD Cmdlet Get-Aduser does display "homedirectory"

  Hey Scripting Guys,
  i trying to display the homedirectory path of some users. My Powershell command look's something like that:
  Get-Aduser -Identy myuser -Properties Homedirectory
  But the attribut is displayed without a value. Has somebody an idea?
  THX.

  The User has a value assigned to the homeDirectory, but it is not displayed in powershell.
  When i export my query into a text file, the homedirectory is displayed correct - leave it a that.
  Now i trying to export in a csv, without success.
  Get-Aduser - Filter * -Properties homeDirectory -Searchbase "my dn" | Where-object { $_. homeDirectory -match "my path" } | ft homeDirectory, samAccountName | Export-CSV -NoTypeInformation C:\Myfile.csv
  The File is createt, but without content. I think there is no syntax error.
  Some idea?
  This will not wwork:
   ft homeDirectory, samAccountName | Export-CSV -NoTypeInformation C:\Myfile.csv
  You cannot oputput FT to Export-CSV.  Remove the FT.  Change it to select.
  ¯\_(ツ)_/¯

• Error troubleshooting in AD Module - Get-Aduser w/created filter

  Hi All,
  I'm working as an intern with my university, and I've been tasked with clearing out old student accounts in AD. There are currently over 4000 users in our system, and it's estimated that there are over 3500 old accounts that need to be deleted.
  We are at the 2008 R2 Domain Functional Level.
  I am going to script this through Powershell, but I'm having a terrible time getting a certain query to run properly.
  I am using the following:
  get-aduser -filter {created -lt '1/1/2010' -and lastlogontimestamp -notlike '*'} -properties created
  I will sometimes narrow my query by adding another filter for created -gt '1/1/2008', for instance.
  When I run the command as written, however, it will return several hundred users, but then it spits out the following error after the last displayed result:
  Get-ADUser : The specified method is not supported
  At C:\Users\Administrator.CSC\Desktop\test1.ps1:4 char:15
  + get-aduser <<<< -filter {created -lt '1/1/2010'} -properties created | ft name,samaccountname,created
  + CategoryInfo : NotSpecified: (:) [Get-ADUser], ADException
  + FullyQualifiedErrorId : The specified method is not supported,Microsoft.ActiveDirectory.Management.Commands.GetADUser
  If I narrow my search scope by created date, I can sometimes get the error to not appear. My guess is that there are several accounts in the database that trigger the error (or at least, that's how it appears).
  I have tried running this on both a DC and a non-dc server with server management tools installed. It doesn't matter what other filters are used, so omitting the lastlogontimestamp filter doesn't prevent the error.
  My supervisor seems to think there may be errors in the AD database, but I've done every AD health check I can think of.
  Does anyone have any suggestions?
  Thanks,
  Brandon

  If you have access to Microsoft Connect (I believe you must be an MVP), it would help to vote on this report, as that should help prioritize it.
  You don't need to be a MVP for access to Connect, here's a direct link to the bug report Richard opened:
  https://connect.microsoft.com/PowerShell/feedbackdetail/view/963333/ad-module-cmdlets-raise-error-if-there-are-more-than-256-results
  The command from the report does appear to work for me in v4 (Win7):
  PS C:\> Get-ADUser -Properties Created -Filter "Created -gt '9/1/2014'" | measure
  Count : 260
  I also tested the command that failed in the post above and v3 appears to be working for me as well (WS2012):
  PS C:\> $start = (Get-Date).AddDays(-1)
  PS C:\> get-aduser -filter {modified -gt $start} | measure
  Count : 263
  Perhaps the count needs to be higher to replicate this.
  EDIT: I just created a bunch of new user accounts and I still can't replicate this (v3 on WS2012 again):
  PS C:\> $start = (Get-Date).AddDays(-1)
  PS C:\> get-aduser -filter {modified -gt $start} | measure
  Count : 1803
  EDIT2: DC is WS2008SP2.
  Don't retire TechNet! -
  (Don't give up yet - 13,085+ strong and growing)

• Using get-aduser -filter to find blank spaces only

  Hello all,
  What I'm trying to do is pretty simple. I want to use the -filter parameter of the get-aduser cmdlet to find a defined attribute that only contains a space. For example, I want to find any users that have extensionattribute1 equal to " ". I've
  tried the following code but I get the error "the search filter cannot be recognized":
  get-aduser -filter {extensionattribute1 -eq " "}
  What I don't want to use is -like "* *", as that will give me values that contain a space anywhere. I only want to return users that have extensionattribute1 equal to one space.
  Any ideas?

  Yes, in LDAP syntax you can escape any character with the backslash escape character followed by the two character hex ASCII representation of what you want. You can get foreign characters this way. More on escaping characters here:
  http://social.technet.microsoft.com/wiki/contents/articles/5312.active-directory-characters-to-escape.aspx
  Richard Mueller - MVP Directory Services

• Help with get-aduser -filter command

  Hi! I'm having problems with getting user info from displayname
  function searchuzv {
  $uzvinfo=$InputBoxuzv.text;
  $uzvcheck = Get-ADUser -filter "DisplayName -like '*$uzvinfo*'"
  If i run Get-ADUser -filter "DisplayName -like '*$uzvinfo*'" line separately, everything is ok, and working, but when I run function, I m getting error "Get-ADUser : The search filter cannot be recognized"
  My objective is get user info when only part of displayname is provided.
  I suppose there is problem with syntax, but I can't find anything about this.
  Any suggestions?
  Bert regards,
  Ronald

  Hi Ronald,
  Try this.
  function searchuzv
  $uzvinfo=$InputBoxuzv.text
  $uzvDisp = "*"+$uzvinfo+"*"
  $uzvcheck = Get-ADUser -filter "DisplayName -like $uzvDisp"
  Regards,
  Satyajit
  Please “Vote As Helpful”
  if you find my contribution useful or “Mark As Answer” if it does answer your question. That will encourage me - and others - to take time out to help you.

• How to add SaveFileDialog to PowerShell Get-ADUser Export-CSV

  Hi,
  I am having a bit of difficulties with getting the SaveFileDialog to work when I use the Get-ADUser export-CSV.
  Current code:
  $handler_Output_Click=
  $User = Get-Aduser $textBox1.Text -Properties DisplayName,sAMAccountName,EmailAddress,Mobile,Company,Title,Enabled,LockedOut,Description,Created,Modified,LastLogonDate,AccountExpirationDate,AccountLockoutTime,BadLogonCount,CannotChangePassword,LastBadPasswordAttempt,PasswordLastSet,PasswordExpired,LogonWorkstations,CanonicalName | Select DisplayName,sAMAccountName,EmailAddress,Mobile,Company,Title,Enabled,LockedOut,Description,Created,Modified,LastLogonDate,AccountExpirationDate,AccountLockoutTime,BadLogonCount,CannotChangePassword,LastBadPasswordAttempt,PasswordLastSet,PasswordExpired,LogonWorkstations,CanonicalName | Export-CSV C:\temp\test.csv -NoTypeInformation ';' -encoding utf8
  $richTextBox1.Text = "A file 'test.csv' has been created to C:\temp\ based on the user: $($textBox1.Text)"
  Here a specific filename is already defined and I have to edit the code each time I want a different filename.
  It would be perfect if I could implement the SaveFileDialog box so I have the ability to name the file before saving and possibly even have the option to select the file type (among .CSV and All files).
  This it the export/output button itself:
  $System_Drawing_Point = New-Object System.Drawing.Point
  $System_Drawing_Point.X = 502
  $System_Drawing_Point.Y = 38
  $Output.Location = $System_Drawing_Point
  $Output.Name = "Output"
  $System_Drawing_Size = New-Object System.Drawing.Size
  $System_Drawing_Size.Height = 23
  $System_Drawing_Size.Width = 85
  $Output.Size = $System_Drawing_Size
  $Output.TabIndex = 2
  $Output.Text = "Export as file"
  $Output.UseVisualStyleBackColor = $True
  $Output.add_Click($handler_Output_Click)
  # $form1.AcceptButton = $Output
  $Output.DataBindings.DefaultDataSourceUpdateMode = 0
  $form1.Controls.Add($Output)
  And in the beginning of my script I also have defined the following:
  [System.Windows.Forms.Application]::EnableVisualStyles();
  [reflection.assembly]::loadwithpartialname("System.Windows.Forms") | Out-Null
  [reflection.assembly]::loadwithpartialname("System.Drawing") | Out-Null
  [reflection.assembly]::loadwithpartialname("System.Windows.Forms.SaveFileDialog") | Out-Null
  And also:
  $Output = New-Object System.Windows.Forms.Button
  Any ideas how can I implement the SaveFileDialog so when I press the "Export as file" button the PowerShell command "Get-Aduser $textBox1.Text -Properties DisplayName,sAMAc..." is ran and I can choose the file name from a pop-up
  dialog box where to save the file and also put a filename? Currently I have to edit the code in order to assign a new file name (or go rename the file from that location).
  Thank you in advance,
  Henri
  EDIT:
  I know that the below is the answer to the SaveFileDialog, however I cannot imagine how I could implement it to my script into the "Get-Aduser $textBox1.Text -Properties a,b,c,d | select a,b,c,d | Export-CSV C:\temp\test.csv" cmdlet.
  Function Get-SaveFile($initialDirectory)
  [System.Reflection.Assembly]::LoadWithPartialName("System.windows.forms") |
  Out-Null
  $SaveFileDialog = New-Object System.Windows.Forms.SaveFileDialog
  $SaveFileDialog.initialDirectory = $initialDirectory
  $SaveFileDialog.filter = "All files (*.*)| *.*"
  $SaveFileDialog.ShowDialog() | Out-Null
  $SaveFileDialog.filename

  Just run the dialog before exporting the file.  Why is that a problem?
  \_(ツ)_/
  It works now! I made some modifications and it works. Thank you very much for the advice.
  $handler_Output_Click={
  Add-Type -AssemblyName System.Windows.Forms
  $SaveAs1 = New-Object System.Windows.Forms.SaveFileDialog
  $SaveAs1.Filter = "CSV Files (*.csv)|*.csv|Text Files (*.txt)|*.txt|Excel Worksheet (*.xls)|*.xls|All Files (*.*)|*.*"
  $SaveAs1.SupportMultiDottedExtensions = $true;
  $SaveAs1.InitialDirectory = "C:\temp\"
  if($SaveAs1.ShowDialog() -eq 'Ok'){
  $User = Get-Aduser $textBox1.Text -Properties DisplayName,sAMAccountName,EmailAddress,Mobile,Company,Title,Enabled,LockedOut,Description,Created,Modified,LastLogonDate,AccountExpirationDate,AccountLockoutTime,BadLogonCount,CannotChangePassword,LastBadPasswordAttempt,PasswordLastSet,PasswordExpired,LogonWorkstations,CanonicalName | Select DisplayName,sAMAccountName,EmailAddress,Mobile,Company,Title,Enabled,LockedOut,Description,Created,Modified,LastLogonDate,AccountExpirationDate,AccountLockoutTime,BadLogonCount,CannotChangePassword,LastBadPasswordAttempt,PasswordLastSet,PasswordExpired,LogonWorkstations,CanonicalName | Export-CSV $($SaveAs1.filename) -NoTypeInformation ';' -Encoding UTF8
  $richTextBox1.Text = "A file $($SaveAs1.filename) has been created based on the user: $($textBox1.Text)"

• Using Get-ADUser but 3.0 needs a filter? What changed?

  I'm trying to just do a basic query of AD attributes from a text file of SamAccountNames I have, but I'm upgraded to PowerShell ISE 3.0 and there might be some things new I'm not understanding. 
  I was just trying to do something simple like this; Get-Content C:\Scripts\userabrivs.txt | ForEach { Get-ADUser -Properties * } | Export-csv C:\scripts\Output\adusers1 
  but in ISE it always asks for 
  cmdlet Get-ADUser at command pipeline position 1
  Supply values for the following parameters:
  (Type !? for Help.)
  Filter: 
  I'm not very good at this so can someone help me understand why it needs a filter when I'm just asking it to use the list of SamAccountNames I have in a text file?

  Hi,
  You're never telling Get-ADUser which user you want to return. Try this instead:
  Get-Content .\userList.txt | ForEach {
  Get-ADUser -Identity $_ -Properties *
  } | Export-Csv .\userProperties.csv
  I highly recommend only returning the properties you need, the wildcard will return more information than most people want to look at.
  Don't retire TechNet! -
  (Don't give up yet - 12,700+ strong and growing)

• Some user Accounts have no "status" string when using Get-ADUser command.

  Hello!
  I encountered a problem. When I tryed to get list of all disabled accounts in the AD, I used the command Get-ADUser -Filter 'Enabled -eq $false' . 
  But i recieved a list of users which is not full.
  So I checked again and compared 2 accounts,  both a disabled but one had a "Status" string, and the second had not.
  In gui Snap-in all Disabled accounts marked as disabled.
  So I can' t get a list of disabled users right now. 
  So here is an Example:
  DistinguishedName : CN=User1,OU=OU2,OU=OU1,DC=Domain, DC=ru
  Enabled           : False 
  GivenName         : 
  Name              : Name  
  ObjectClass       : user 
  ObjectGUID        : 3daeb58d-47f1-47a9-ad5b-bec5fd804ac0 
  SamAccountName    : user1 
  SID               : S-1-5-21-516317273-842993208-2210532530-2418 
  Surname           : Surname
  UserPrincipalName : [email protected]
  PS C:\Users\smb_khvatov> Get-ADUser komarova 
  DistinguishedName : CN=User2,OU=OU2,OU=OU1,DC=Domain, DC=ru
  GivenName         : Name
  Name              : Name
  ObjectClass       : user 
  ObjectGUID        : df8cdf8d-b0ff-4d0b-941e-3cd65d722394 
  SamAccountName    : User2
  SID               : S-1-5-21-516317273-842993208-2210532530-16161 
  Surname           : Surname
  UserPrincipalName :[email protected]

  Hope I understood you correctly:
  2 Blocked Accounts
  First one is a normal (has a "enable" string)
  Second one is without "enable" string.
  PS C:\Users\Administrator> get-aduser bychkov -properties *
  AccountExpirationDate :
  accountExpires : 9223372036854775807
  AccountLockoutTime :
  AccountNotDelegated : False
  adminCount : 1
  AllowReversiblePasswordEncryption : False
  BadLogonCount :
  CannotChangePassword : False
  CanonicalName : DOMAIN.RU/Desktop/IT/Nikolay Bychkov
  Certificates : {}
  City :
  CN : Nikolay Bychkov
  codePage : 0
  Company :
  CompoundIdentitySupported : {False}
  Country :
  countryCode : 0
  Created : 5/12/2010 4:20:23 AM
  createTimeStamp : 5/12/2010 4:20:23 AM
  Deleted :
  Department :
  Description :
  DisplayName : Nikolay Bychkov
  DistinguishedName : CN=Nikolay Bychkov,OU=IT,OU=Desktop,DC=DOMAIN,DC=RU
  Division :
  DoesNotRequirePreAuth : False
  dSCorePropagationData : {12/31/1600 4:00:00 PM}
  EmailAddress : [email protected]
  EmployeeID :
  EmployeeNumber :
  Enabled : False
  Fax :
  GivenName :
  HomeDirectory :
  HomedirRequired : False
  HomeDrive :
  homeMDB : CN=Russia HO,CN=Offices
  SG,CN=InformationStore,CN=RUS-ML-02,CN=Servers,CN=Exchange Administrative Group
  (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU
  homeMTA : CN=Microsoft MTA,CN=RUS-ML-02,CN=Servers,CN=Exchange Administrative Group
  (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU
  HomePage :
  HomePhone :
  Initials :
  instanceType : 4
  isDeleted :
  KerberosEncryptionType : {None}
  LastBadPasswordAttempt :
  LastKnownParent :
  LastLogonDate : 6/7/2012 4:47:35 AM
  lastLogonTimestamp : 129835432554560428
  legacyExchangeDN : /o=Company/ou=Exchange Administrative Group
  (FYDIBOHF23SPDLT)/cn=Recipients/cn=Bychkov
  LockedOut : False
  LogonWorkstations :
  mail : [email protected]
  mailNickname : Bychkov
  Manager : CN=Administrator,OU=IT,OU=Russia,OU=Users,OU=My Users and
  Groups,DC=DOMAIN,DC=RU
  mDBUseDefaults : True
  MemberOf : {CN=Taxi,CN=Users,DC=DOMAIN,DC=RU,
  CN=TS_Users,OU=Security,OU=Groups,DC=DOMAIN,DC=RU,
  CN=WS-FUTURA_ADM,OU=Security,OU=Groups,DC=DOMAIN,DC=RU}
  MNSLogonAccount : False
  MobilePhone :
  Modified : 1/28/2014 6:30:40 AM
  modifyTimeStamp : 1/28/2014 6:30:40 AM
  msDS-SupportedEncryptionTypes : 0
  msDS-User-Account-Control-Computed : 8388608
  msExchHideFromAddressLists : True
  msExchHomeServerName : /o=Company/ou=Exchange Administrative Group
  (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RUS-ML-02
  msExchMailboxGuid : {190, 164, 153, 18...}
  msExchMailboxSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
  msExchMailboxTemplateLink : CN=730,CN=ELC Mailbox Policies,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU
  msExchMDBRulesQuota : 256
  msExchPoliciesIncluded : {{1D2FFDEC-44A9-4E96-A1FD-0744A455AE4D},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}}
  msExchRecipientDisplayType : 1073741824
  msExchRecipientTypeDetails : 1
  msExchUserAccountControl : 0
  msExchUserCulture : ru-RU
  msExchVersion : 4535486012416
  Name : Nikolay Bychkov
  nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
  ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=RU
  ObjectClass : user
  ObjectGUID : 3daeb58d-47f1-47a9-ad5b-bec5fd804ac0
  objectSid : S-1-5-21-516317273-842993208-2210532530-2418
  Office :
  OfficePhone :
  Organization :
  OtherName :
  PasswordExpired : True
  PasswordLastSet : 10/24/2011 5:06:59 AM
  PasswordNeverExpires : False
  PasswordNotRequired : False
  POBox :
  PostalCode :
  PrimaryGroup : CN=Domain Users,CN=Users,DC=DOMAIN,DC=RU
  primaryGroupID : 513
  PrincipalsAllowedToDelegateToAccount : {}
  ProfilePath :
  ProtectedFromAccidentalDeletion : False
  protocolSettings : {HTTP§1§1§§§§§§, OWA§1}
  proxyAddresses : {X400:C=RU;A= ;P=Company;O=Exchange;S=Bychkov;, SMTP:[email protected]
  pwdLastSet : 129639316194314373
  SamAccountName : Bychkov
  sAMAccountType : 805306368
  ScriptPath :
  sDRightsEffective : 0
  ServicePrincipalNames : {}
  SID : S-1-5-21-516317273-842993208-2210532530-2418
  SIDHistory : {}
  SmartcardLogonRequired : False
  State :
  StreetAddress :
  Surname :
  textEncodedORAddress : C=RU;A= ;P=Company;O=Exchange;S=Bychkov;
  Title :
  TrustedForDelegation : False
  TrustedToAuthForDelegation : False
  UseDESKeyOnly : False
  userAccountControl : 514
  userCertificate : {}
  UserPrincipalName : [email protected]
  uSNChanged : 18508
  uSNCreated : 17066
  whenChanged : 1/28/2014 6:30:40 AM
  whenCreated : 5/12/2010 4:20:23 AM
  PS C:\Users\Administrator> get-aduser komarova -properties *
  AccountExpirationDate :
  accountExpires :
  AccountLockoutTime :
  BadLogonCount :
  CannotChangePassword : False
  CanonicalName :
  Certificates : {}
  City :
  CN : Veronika Komarova
  codePage : 0
  Company :
  CompoundIdentitySupported : {}
  Country :
  countryCode : 0
  Created :
  Deleted :
  Department :
  Description :
  DisplayName : Veronika Komarova
  DistinguishedName : CN=Veronika Komarova,OU=Product Department,OU=Office,OU=Russia,OU=Users,OU=My
  Users and Groups,DC=DOMAIN,DC=RU
  Division :
  EmailAddress : [email protected]
  EmployeeID :
  EmployeeNumber :
  Fax :
  GivenName : Veronika
  HomeDirectory :
  HomeDrive :
  homeMDB : CN=Russia HO,CN=Offices
  SG,CN=InformationStore,CN=RUS-ML-02,CN=Servers,CN=Exchange Administrative Group
  (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU
  homeMTA : CN=Microsoft MTA,CN=RUS-ML-02,CN=Servers,CN=Exchange Administrative Group
  (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU
  HomePage :
  HomePhone :
  Initials :
  instanceType :
  internetEncoding : 0
  isDeleted :
  KerberosEncryptionType : {}
  LastBadPasswordAttempt :
  LastKnownParent :
  LastLogonDate :
  legacyExchangeDN : /o=Company/ou=Exchange Administrative Group
  (FYDIBOHF23SPDLT)/cn=Recipients/cn=komarova
  LogonWorkstations :
  mail : [email protected]
  mailNickname : komarova
  Manager :
  mDBUseDefaults : True
  MemberOf : {}
  MobilePhone :
  Modified :
  msExchHomeServerName : /o=Company/ou=Exchange Administrative Group
  (FYDIBOHF23SPDLT)/cn=Configuration/cn=Servers/cn=RUS-ML-02
  msExchMailboxGuid : {166, 229, 120, 212...}
  msExchMailboxSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
  msExchMDBRulesQuota : 64
  msExchPoliciesIncluded : {{1D2FFDEC-44A9-4E96-A1FD-0744A455AE4D},{26491CFC-9E50-4857-861B-0CB8DF22B5D7}}
  msExchRecipientDisplayType : 1073741824
  msExchRecipientTypeDetails : 1
  msExchUserAccountControl : 0
  msExchUserCulture : ru-RU
  msExchVersion : 4535486012416
  Name : Veronika Komarova
  nTSecurityDescriptor : System.DirectoryServices.ActiveDirectorySecurity
  ObjectCategory : CN=Person,CN=Schema,CN=Configuration,DC=DOMAIN,DC=RU
  ObjectClass : user
  ObjectGUID : df8cdf8d-b0ff-4d0b-941e-3cd65d722394
  objectSid : S-1-5-21-516317273-842993208-2210532530-16161
  Office :
  OfficePhone :
  Organization :
  OtherName :
  PasswordLastSet :
  POBox :
  PostalCode :
  PrimaryGroup : CN=Domain Users,CN=Users,DC=DOMAIN,DC=RU
  primaryGroupID : 513
  PrincipalsAllowedToDelegateToAccount : {}
  ProfilePath :
  ProtectedFromAccidentalDeletion : False
  proxyAddresses : {smtp:[email protected], SMTP:[email protected]}
  SamAccountName : komarova
  sAMAccountType : 805306368
  ScriptPath :
  sDRightsEffective : 0
  ServicePrincipalNames : {}
  showInAddressBook : {CN=Default Global Address List,CN=All Global Address Lists,CN=Address Lists
  Container,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU, CN=All Users,CN=All
  Address Lists,CN=Address Lists Container,CN=Company,CN=Microsoft
  Exchange,CN=Services,CN=Configuration,DC=DOMAIN,DC=RU}
  SID : S-1-5-21-516317273-842993208-2210532530-16161
  SIDHistory : {}
  sn : Komarova
  State :
  StreetAddress :
  Surname : Komarova
  Title :
  userCertificate : {}
  UserPrincipalName : [email protected]

• Get-aduser help

  I am trying to get a set of specific users in an OU that are tied to a certain security group. I am wanting the name and the last password set date to try and keep up with password information. I have read-only rights to this domain so special tools don't
  work. Here is my query so far
  get-aduser -filter {Memberof -like "SNbio*"} -Searchbase 'OU=Users,OU=US,OU=Site,OU=Managed Objects,dc=company,dc=net' -properties Name,pwdLastSet
  Without the filter this works to show me all objects in the OU, but again I only want the ones that are members of a certain group to show. If anyone could help I would much appreciate it. 
  Christopher

  The disadvantage of that approach is that you are retrieving all users in the OU, not just the ones that are members of the group, and then filtering them out afterwards. It is more efficient to specify group membership as part of the search filter.
  Bill
  I didn't bother considering the efficiency, but I likely should have, as your suggestion is ultimately better, to include the calculated property. I tested both in my environment and I lost 19 milliseconds. I really could have used that extra time! I fully
  understand the impact this could have in an OU that was populated more so than my environment, and therefore, thank you for pointing this out.