Do you want to build an Active Directory (AD) report quickly using PowerShell? You’ve come to the right place! In this article, you’ll learn how to use the Get-ADObject cmdlet to produce custom reports for user accounts in your AD environment.
Assume you work for a fledgling firm and find that the company has received cash from investors to expand by recruiting additional workers for a variety of roles. Your boss asks you to send her a report on the head count for each office so that the company has enough space.
The Active Directory Users and Computers (ADUC) application interface installed on your desktop computer is often used to manually examine AD accounts. However, reviewing information for each AD account using ADUC takes on average one minute per new employee.
You quickly search the Internet for alternatives and learn that the Get-ADObject PowerShell cmdlet can automate the collection of AD report data. In this tutorial, you’ll learn what the Get-ADObject PowerShell cmdlet does and how to use it to automate report generation with AD PowerShell.
Prerequisites/Requirements
This post will show you how to use Get-ADObject. If you intend on following along, make sure you have the following items:
- A domain-joined Windows 10 PC, logged on as a user with privileges to query AD users.
- An Active Directory environment running Windows Server 2016 or above. The lab domain used in this tutorial is named mylab.local.
- Remote Server Administration Tools (RSAT).
Quick tip: If you don’t have RSAT installed and are using Windows 10, use the PowerShell command Install-WindowsFeature -Name RSAT-AD-PowerShell to rapidly install it.
Options and Parameters for Get-ADObject
The Get-ADObject cmdlet connects to an Active Directory domain controller or a Lightweight Directory Service (LDS) server and returns information about Active Directory objects.
The Get-ADObject cmdlet offers a variety of parameters that enable you to connect to various domain controllers, search a global catalog, log in using alternative credentials, set LDAP filters, and restrict the objects returned to the scope of a search base when querying AD objects.
The Get-ADObject cmdlet will only provide a single set of 1000 AD objects by default. The ResultSetSize parameter, which specifies the maximum number of items to return, is the best way to override this setting. Set this parameter to $Null (null value) if you wish to get all of the objects. You can then stop the query and the return of objects by pressing Ctrl+C.
Check out the Get-ADObject help manual for further information about the arguments.
Project Outline for Learning
This article uses a real-world scenario to demonstrate the Get-ADObject PowerShell cmdlet. You’ll learn by working through the situation described in the opening paragraphs.
The Situation
In this post, you’ll learn how to use Get-ADObject to create two reports to deliver to your boss. The first report will break out each department’s user accounts. Each department should have its own CSV file, according to the supervisor. The second report will find all disabled accounts in a certain OU and its sub-OUs.
You’ll be able to create CSV files that look like this at the conclusion of the article:
OU-based user accounts in AD
Accounts that are disabled
The AD Situation
The organizational unit (OU) structure in Active Directory that you’ll be dealing with in this tutorial is shown below. We have a parent Department OU with three child OUs named Accounting, Marketing, and IT, as you can see. There are two grandchild OUs named Users and Computers within each of the child OUs.
- Department (OU)
  - Accounting (OU)
    - Users
    - Computers
  - Marketing (Nested OU)
    - Users
    - Computers
  - IT (Nested OU)
    - Users
    - Computers
The New-ADOrganizationalUnit PowerShell cmdlet may be used to create these OUs. Check out the Create-OU-Structure.ps1 script for a simple way to do this.
As seen here, you’ll be dealing with hundreds of distinct AD user accounts situated inside each of the Users OUs. These were selected at random.
- Accounting (accountant user1-5)
- Marketing (market user user1-5)
- IT (it user1-5)
Shortcut: Download and execute the Populate-AD Accounts.ps1 script to rapidly generate these user accounts inside the aforementioned OUs.
Using Get-ADObject to create Active Directory Reports
That’s enough introduction and background information about Get-ADObject. Let’s get down to business and see how this PowerShell cmdlet works in practice!
In this first scenario, you’re entrusted with delivering a CSV file containing a report for all user accounts in the Accounting, Marketing, and IT department OUs to your boss.
The Filter Parameter: An Overview
The Get-ADObject PowerShell cmdlet’s sole mandatory parameter is Filter. This parameter is one way to restrict the number of objects returned. Even if you want to return all objects using a wildcard character (*), you must specify it, since it’s a required parameter. With the wildcard, Get-ADObject returns all objects.
The most basic use of the Filter option is to retrieve all items in an AD domain, as seen below.
PS51> Get-ADObject -Filter *
Throughout this article, the Filter argument will be used to both return all objects and restrict the scope of returned items.
Run Get-Help about_ActiveDirectory_Filter in the PowerShell console for further information on the Filter parameter’s syntax.
Using the SearchBase parameter to limit the search scope
The example you’re working with is an excellent use case for the SearchBase option of Get-ADObject. The SearchBase argument enables you to restrict the scope of the search query and hence the objects provided by Get-ADObject to a certain OU.
Limiting the scope of Get-ADObject minimizes the time it takes to execute by omitting other OUs in AD and only targeting the OU that is appropriate for getting the data you need.
The SearchBase parameter value is defined via a distinguished name (DN) in the form of OU=<OU_name_here>,DC=<short domain name>,DC=<root extension>. For example, to only find objects in the Department OU in a domain called mylab.local, the DN would look like OU=Department,DC=mylab,DC=local.
In this example, pull out all AD users in the parent Department OU and all child OUs, as shown below. This returns the users in the Department OU and all child OUs.
PS51> Get-ADObject -Filter * -SearchBase 'OU=Department,DC=mylab,DC=local'
Taking Advantage of the Filter Parameter
You can now query all user objects in the Department OU as well as all child OUs, but that isn’t what you need right now. Instead, let’s start by retrieving only the Accounting users. One way to do this is to use the Filter parameter with a condition rather than merely supplying a wildcard value.
Use the Filter parameter value Department -eq ‘Accounting’ to restrict the results to those objects in the Department OU that have Accounting as their AD department.
All matching objects are stored in the $accounting_users variable, as seen below, for later use. The Properties parameter requests the Department attribute, which Get-ADObject does not return by default.
PS51> $accounting_users = Get-ADObject -SearchBase 'OU=Department,DC=mylab,DC=local' -Filter {Department -eq "Accounting"} -Properties Department
Creating a CSV File from AD Objects
Now that $accounting_users contains all of the relevant objects, you can pipe just the Name and Department properties of each object to the Export-Csv cmdlet. This cmdlet creates a new CSV file in which each AD object is stored as a row.
PS51> $accounting_users | Select-Object -Property Name,Department | Export-Csv -NoTypeInformation -Path "C:\users\$env:username\Desktop\report accounting users.csv"
On your desktop, you should now have a CSV file named report accounting users.csv that looks like the image below.
report accounting users.csv
Getting the Rest of the User Objects
Now that you know how to use Get-ADObject to identify AD users, you may expand your knowledge to find user objects for different departments. The main premise will be the same as previously.
To begin, locate all of the Active Directory users in the San Francisco office.
#Get report of all department users in the San Francisco Office
$sf_users = Get-ADObject -SearchBase 'OU=Department,DC=mylab,DC=local' -Filter {physicalDeliveryOfficeName -eq 'San Francisco'} -Properties physicalDeliveryOfficeName,Department
$sf_users | Select-Object -Property Name,physicalDeliveryOfficeName,Department | Export-Csv -NoTypeInformation -Path "C:\users\$env:username\Desktop\report sanfrancisco office users.csv"
report sanfrancisco office users.csv
Next, locate all users who work in the Florida office. This example is a little different because it uses a calculated property of the Select-Object cmdlet. This lets you rename the object property from the generic st returned by Get-ADObject to the more descriptive State.
#Get report of all department users in the Florida Office
$fl_users = Get-ADObject -SearchBase 'OU=Department,DC=mylab,DC=local' -Filter {st -eq 'FL'} -Properties Name,st
$fl_users | Select-Object -Property Name,@{N='State'; E={$_.st}} | Export-Csv -NoTypeInformation -Path "C:\users\$env:username\Desktop\report florida state users.csv"
report florida state users.csv
Finally, gather all of the IT personnel. Instead of utilizing the Department AD property this time, utilize the Filter parameter to identify all objects whose names begin with it.
#Get report of all select department users whose name starts with "it"
$select_users = Get-ADObject -SearchBase 'OU=Department,DC=mylab,DC=local' -Filter {Objectclass -eq 'user' -and name -like 'it*'} -Properties Name,Department,st
$select_users | Select-Object -Property Name,Department,@{N='State'; E={$_.st}} | Export-Csv -NoTypeInformation -Path "C:\users\$env:username\Desktop\report select users.csv"
Note: You could also have used the Get-ADUser cmdlet instead of objectClass -eq ‘user’ in the preceding example.
report select users.csv
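The reports above each run their own query. The following added example (not code from the original article) makes a single query and writes one CSV per department, as the supervisor asked; the function name Export-DepartmentReport, the temp output folder, and the sample objects are assumptions made for illustration.

```powershell
# Added example: one directory query, one CSV per department.
# Export-DepartmentReport is a hypothetical helper, not part of the ActiveDirectory module.
function Export-DepartmentReport {
    [CmdletBinding()]
    param(
        # Objects carrying Name, Department and st (for example from Get-ADObject -Properties ...)
        [Parameter(Mandatory, ValueFromPipeline)]
        [object] $InputObject,

        [Parameter(Mandatory)]
        [string] $OutputDirectory
    )
    begin   { $users = [System.Collections.Generic.List[object]]::new() }
    process { $users.Add($InputObject) }
    end {
        # Report objects without a Department value instead of dropping them silently.
        $missing = @($users | Where-Object { -not $_.Department })
        if ($missing.Count) {
            Write-Warning ("{0} object(s) have no Department set: {1}" -f $missing.Count, ($missing.Name -join ', '))
        }

        $users | Where-Object { $_.Department } | Group-Object -Property Department | ForEach-Object {
            # Department is directory data: replace characters that are invalid in file names.
            $safeName = $_.Name -replace '[\\/:*?"<>|]', '_'
            $path = Join-Path -Path $OutputDirectory -ChildPath "report $safeName users.csv"

            $_.Group |
                Sort-Object -Property Name |
                Select-Object -Property Name, Department, @{ N = 'State'; E = { $_.st } } |
                Export-Csv -NoTypeInformation -Path $path

            # Emit a summary row per department (this is the head count per file).
            [pscustomobject]@{ Department = $_.Name; Users = $_.Count; Path = $path }
        }
    }
}

# Constructed sample objects so the example runs without a domain controller.
$sample = @(
    [pscustomobject]@{ Name = 'accountant_user1'; Department = 'Accounting'; st = 'FL' }
    [pscustomobject]@{ Name = 'accountant_user2'; Department = 'Accounting'; st = 'CA' }
    [pscustomobject]@{ Name = 'market_user1';     Department = 'Marketing';  st = 'FL' }
    [pscustomobject]@{ Name = 'it_user1';         Department = 'IT';         st = 'CA' }
    [pscustomobject]@{ Name = 'it_user2';         Department = $null;        st = 'CA' }
)

$outDir = Join-Path -Path ([System.IO.Path]::GetTempPath()) -ChildPath 'ad-reports'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null
$sample | Export-DepartmentReport -OutputDirectory $outDir | Format-Table -AutoSize

# Against the lab domain used in this article, the same function takes live data.
# objectCategory=person keeps computer accounts (which also carry objectClass=user) out of the report.
# Get-ADObject -SearchBase 'OU=Department,DC=mylab,DC=local' `
#     -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
#     -Properties Department, st | Export-DepartmentReport -OutputDirectory $outDir
```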
Using the LDAP Filter to Find Disabled Accounts
The Filter argument was used in the preceding example to restrict the objects provided by Get-ADObject. Another option is to use the LDAPFilter argument. This argument does the same thing as the previous one, except it lets you set a filter using an LDAP query search string. The LDAPFilter parameter is regarded as a more powerful Active Directory search option.
Now, using the LDAPFilter and SearchBase options to target a certain OU, generate a report to locate all disabled users in your company.
The useraccountcontrol:1.2.840.113556.1.4.803:=2 clause matches all disabled users in the Active Directory NTDS database: 1.2.840.113556.1.4.803 is the bitwise AND matching rule, and 2 is the bit of the userAccountControl attribute that marks an account as disabled. It’s the mechanism AD uses to identify inactive accounts (logon is disabled). Here are some additional LDAP query examples that you may find helpful.
Below you can see we’re using the LDAP query string of (&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2)). Although complex, it does the job well. To understand the LDAP query search string, check out Demystifying Active Directory and LDAP Search Strings.
The command below uses the LDAP filter option to display just disabled users, and then prepares a report using the Export-CSV cmdlet, just as you did before.
$disabled_users = Get-ADObject -LDAPFilter "(&(objectclass=user)(objectcategory=user)(useraccountcontrol:1.2.840.113556.1.4.803:=2))" -SearchBase 'OU=Department,DC=mylab,DC=local'
$disabled_users | Select-Object -Property Name | Export-Csv -NoTypeInformation -Path "C:\users\$env:username\Desktop\report disabled users.csv"
report disabled users.csv
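To show what the bitwise clause in the LDAP filter above actually tests, here is an added example (not from the original article) that decodes userAccountControl values and builds the same filter for other flags. The helper names Get-UacFlagName and New-UacLdapFilter and the sample values are assumptions; the flag values are the documented userAccountControl bits.

```powershell
# Added example: userAccountControl is a bit field; each flag is one bit.
$UacFlags = [ordered]@{
    ACCOUNTDISABLE       = 0x2
    LOCKOUT              = 0x10
    PASSWD_NOTREQD       = 0x20
    NORMAL_ACCOUNT       = 0x200
    DONT_EXPIRE_PASSWORD = 0x10000
}

# Hypothetical helper: list the names of the flags set in a userAccountControl value.
function Get-UacFlagName {
    param([Parameter(Mandatory)] [int] $Value)
    foreach ($flag in $UacFlags.GetEnumerator()) {
        if ($Value -band $flag.Value) { $flag.Key }
    }
}

# Hypothetical helper: build the LDAP filter for user accounts that have every given flag set.
# 1.2.840.113556.1.4.803 is the bitwise AND matching rule: the clause is true
# only when all bits of the mask are set in the attribute.
function New-UacLdapFilter {
    param([Parameter(Mandatory)] [string[]] $Flag)
    $mask = 0
    foreach ($name in $Flag) {
        if (-not $UacFlags.Contains($name)) { throw "Unknown userAccountControl flag: $name" }
        $mask = $mask -bor $UacFlags[$name]
    }
    "(&(objectClass=user)(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=$mask))"
}

# Constructed sample values (not read from a real directory).
$sample = @(
    [pscustomobject]@{ Name = 'it_user1';         userAccountControl = 512   }  # NORMAL_ACCOUNT
    [pscustomobject]@{ Name = 'it_user2';         userAccountControl = 514   }  # 512 + 2
    [pscustomobject]@{ Name = 'market_user3';     userAccountControl = 66050 }  # 65536 + 512 + 2
    [pscustomobject]@{ Name = 'accountant_user4'; userAccountControl = 544   }  # 512 + 32
)

# Decode each value the way the directory evaluates the filter clause.
$sample | Select-Object -Property Name, userAccountControl,
    @{ N = 'Disabled'; E = { [bool]($_.userAccountControl -band $UacFlags.ACCOUNTDISABLE) } },
    @{ N = 'Flags';    E = { (Get-UacFlagName -Value $_.userAccountControl) -join ', ' } } |
    Format-Table -AutoSize

# The filter used in this article, and an audit variant for disabled accounts
# that are also exempt from password expiry.
New-UacLdapFilter -Flag ACCOUNTDISABLE
New-UacLdapFilter -Flag ACCOUNTDISABLE, DONT_EXPIRE_PASSWORD

# Live use against the lab domain from this article:
# $filter = New-UacLdapFilter -Flag ACCOUNTDISABLE
# Get-ADObject -LDAPFilter $filter -SearchBase 'OU=Department,DC=mylab,DC=local' -Properties userAccountControl
```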
The Final Product
You should now have five CSV files ready for your manager on your desktop!
- report accounting users.csv
- report sanfrancisco office users.csv
- report florida state users.csv
- report select users.csv
- report disabled users.csv
Summary
The Get-ADObject PowerShell cmdlet was used to search Active Directory in this post.
So, what’s next?
To expand on what you’ve learned, try exporting the data to a database or taking the process of creating AD reports to the next level. You might use a custom-built website or an application like Microsoft SharePoint to view the AD report data once it’s in a database. This is only one concept. There are so many more!
The ability to search Active Directory is a basic skill that many businesses need, and it will save you and your team hours of time in the long run.