
Two PowerShell scripts for retrieving user info from Active Directory

Obtaining user object information via Active Directory Users And Computers is fine for one-time use, but it falls short for batch tasks. These two scripts make it easy to pull user information via PowerShell.

One of the enhancements for Windows Server 2008 R2 is the Active Directory Module for PowerShell. This PowerShell environment has a number of commands that are optimized for Active Directory, including features not available through the Active Directory Users And Computers (ADUC) interface, such as the Active Directory Recycle Bin.

The day-to-day administration of user account objects is frequently done in ADUC, but many tasks require administrators to retrieve user information for export. There are plenty of command-line tools for flat dumps, exports, and best practices. (See 10 ways to benchmark your Active Directory environment.) But the new Active Directory Module for PowerShell is the most powerful tool available for the administrator today. Here are a couple of PowerShell scripts to retrieve user information that will help you gain visibility and enforce account policies.

Note: This article is also available as a PDF download.

Script 1: Show user accounts with a non-expiring password

The following PowerShell script will show accounts with the password set to not expire, displaying the name, object class (user, computer, etc.), and UPN fields as table columns:

Search-ADAccount -PasswordNeverExpires | FT Name, ObjectClass, UserPrincipalName

The output will list user accounts that do not have a password expiration, as shown in Figure A.

Figure A
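
For a recurring audit rather than a one-off listing, the same search can be narrowed to enabled user accounts and enriched with password age before being exported. The following is an added example, not part of the original article; the function name, the -StaleDays and -SearchBase parameters, and the output file name are assumptions chosen for illustration.

```powershell
# Added example: report enabled user accounts whose password never expires,
# with password age, so the oldest credentials can be reviewed first.
# Requires the Active Directory module (a domain controller or RSAT).
Import-Module ActiveDirectory

function Get-NonExpiringPasswordReport {
    param(
        # Hypothetical parameter: limit the search to one OU (distinguished name).
        [string]$SearchBase,
        # Hypothetical parameter: password age, in days, that counts as stale.
        [int]$StaleDays = 365
    )

    $searchArgs = @{ PasswordNeverExpires = $true; UsersOnly = $true }
    if ($SearchBase) { $searchArgs['SearchBase'] = $SearchBase }

    $now    = Get-Date
    $cutoff = $now.AddDays(-$StaleDays)

    Search-ADAccount @searchArgs |
        Where-Object { $_.Enabled } |   # disabled accounts cannot log on; skip them
        Get-ADUser -Properties PasswordLastSet, LastLogonDate |
        Select-Object Name, SamAccountName, UserPrincipalName,
            PasswordLastSet, LastLogonDate,
            @{ Name = 'PasswordAgeDays'; Expression = {
                # PasswordLastSet is empty when no password has ever been set
                if ($_.PasswordLastSet) {
                    [int]($now - $_.PasswordLastSet).TotalDays
                }
            } },
            @{ Name = 'Stale'; Expression = {
                (-not $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $cutoff)
            } },
            DistinguishedName |
        Sort-Object PasswordLastSet
}

# Export for review; the file name is a placeholder.
Get-NonExpiringPasswordReport |
    Export-Csv -Path .\nonexpiring-passwords.csv -NoTypeInformation
```

Accounts flagged Stale that are not documented service accounts are the first candidates for a password reset or for clearing the non-expiring flag.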

Script 2: Display phone number values for all user accounts

Many organizations use Active Directory as a telephone directory. But there are usually some phone numbers that are unaccounted for. The following script will show the office phone number and the UPN of every user account:

Get-AdUser -Filter * -Properties OfficePhone | FT OfficePhone,UserPrincipalName

Each user and office phone number is displayed with this command, as shown in Figure B.

Figure B

More resources

The Active Directory Module for PowerShell provides an incredible realm for managing all aspects of Active Directory. The following resources can help you springboard additional Active Directory user management with PowerShell:

About

Rick Vanover is a software strategy specialist for Veeam Software, based in Columbus, Ohio. Rick has years of IT experience and focuses on virtualization, Windows-based server administration, and system hardware.

6 comments
Sambab

volentib666

Guess I'm stuck with the ADUC and GPMC...

randall.cohen

Which PowerShell add-on was loaded to get the commands used? My system doesn't recognize Get-AdUser as "the name of a cmdlet, function, script file, or operable program"

neilb

Those of us who have been using PowerShell since its days as Monad would recommend Quest AD tools as that works nicely on Windows 2003. :)

ray.clune

import-module activedirectory
