Get-ADUser is a PowerShell cmdlet used to retrieve information about an Active Directory user account.

-Filter

The -Filter parameter lets you retrieve users based on specific criteria. The default filter is essentially *, which returns all users if no specific filter is given.

Get-ADUser
    -Filter <String>
    [-AuthType <ADAuthType>]
    [-Credential <PSCredential>]
    [-Properties <String[]>]
    [-ResultPageSize <Int32>]
    [-ResultSetSize <Int32>]
    [-SearchBase <String>]
    [-SearchScope <ADSearchScope>]
    [-Server <String>]
    [<CommonParameters>]

Parameters Explained:

  • -Filter <String>: Specifies the search criteria for users. Example: -Filter "Name -like '*John*'" finds all users with “John” in their name.
  • -AuthType <ADAuthType>: Specifies the authentication type (Negotiate or Basic) used for the query.
  • -Credential <PSCredential>: Allows you to provide alternate credentials when querying Active Directory.
  • -Properties <String[]>: Specifies additional attributes to retrieve beyond the default ones, such as EmailAddress, Department, or Title. Using * retrieves all properties.
  • -ResultPageSize <Int32>: Sets the page size for queries to reduce memory usage in large AD environments.
  • -ResultSetSize <Int32>: Limits the number of results returned. Default is unlimited.
  • -SearchBase <String>: Limits the search to a specific container or OU. Example: "OU=IT,DC=example,DC=com".
  • -SearchScope <ADSearchScope>: Scope of search: Base (current object only), OneLevel (only immediate children), or Subtree (entire subtree).
  • -Server <String>: Specifies the domain controller to query. Can be a server name, FQDN, or IP address.
  • [<CommonParameters>]: Standard PowerShell parameters like -Verbose, -ErrorAction, -WarningAction, etc.

The filter uses PowerShell expression syntax with operators like -eq, -ne, -like, -notlike. Always enclose the filter expression in quotes. Examples:

  1. Get all users (default filter):
     Get-ADUser -Filter *

  2. Get users with a specific last name:
     Get-ADUser -Filter "Surname -eq 'Zaid'"

  3. Get users with email addresses:
     Get-ADUser -Filter "EmailAddress -like '*@domain.com'"
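
The -Filter, -SearchBase, -SearchScope, -Properties and -ResultPageSize parameters described above can be combined into a read-only account audit that requests only the attributes it needs. This is an added example, not part of the original page: the function name Get-AccountHygieneReport and the 90-day threshold are assumptions, and it needs the RSAT ActiveDirectory module and a reachable domain.

```powershell
# Added example, not from the original page. Assumes the RSAT ActiveDirectory
# module and read access to the directory; the function name is hypothetical.
Import-Module ActiveDirectory

function Get-AccountHygieneReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $SearchBase,
        [ValidateRange(1, 3650)] [int] $StaleAfterDays = 90,
        [string] $Server
    )

    $cutoff = (Get-Date).AddDays(-$StaleAfterDays)

    # Only parameters documented above are used. The filter is evaluated by
    # the domain controller, so disabled accounts never cross the wire.
    $query = @{
        Filter         = "Enabled -eq 'True'"
        SearchBase     = $SearchBase
        SearchScope    = 'Subtree'
        Properties     = 'LastLogonDate', 'PasswordNeverExpires', 'PasswordLastSet'
        ResultPageSize = 500
        ErrorAction    = 'Stop'
    }
    if ($Server) { $query.Server = $Server }

    Get-ADUser @query | ForEach-Object {
        $findings = @()
        if ($_.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }
        if (-not $_.LastLogonDate) { $findings += 'NeverLoggedOn' }
        elseif ($_.LastLogonDate -lt $cutoff) { $findings += "NoLogonIn${StaleAfterDays}Days" }

        if ($findings) {   # emit only accounts with at least one finding
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                LastLogonDate     = $_.LastLogonDate
                PasswordLastSet   = $_.PasswordLastSet
                Findings          = $findings -join ','
            }
        }
    }
}

# Sample DN taken from the -SearchBase description above; use your own OU.
Get-AccountHygieneReport -SearchBase 'OU=IT,DC=example,DC=com' |
    Sort-Object LastLogonDate | Format-Table -AutoSize
```

LastLogonDate is derived from the replicated lastLogonTimestamp attribute, which can lag the real last logon by up to about two weeks, so thresholds shorter than that are unreliable.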

-Identity

The -Identity parameter specifies which user account to look up. It can be:

  • SamAccountName
  • UPN
  • DistinguishedName
  • GUID or SID

Use -Identity when you know the exact user you want to retrieve. It is more efficient than using -Filter for a single user.

Get-ADUser
    [-Identity] <ADUser>
    [-AuthType <ADAuthType>]
    [-Credential <PSCredential>]
    [-Partition <String>]
    [-Properties <String[]>]
    [-Server <String>]
    [<CommonParameters>]

Parameters Explained:

  • -Identity <ADUser>: Specifies the exact user to retrieve. Can be the username, Distinguished Name (DN), GUID, or SID.
  • -AuthType <ADAuthType>: Specifies the authentication type to use for the query (Negotiate or Basic).
  • -Credential <PSCredential>: Allows you to provide alternate credentials when querying Active Directory.
  • -Partition <String>: Specifies the AD naming context/partition (default is the domain). Useful in multi-domain forests.
  • -Properties <String[]>: Specifies additional attributes to retrieve beyond the default ones, such as EmailAddress, Department, or Title. Using * retrieves all properties.
  • -Server <String>: Specifies the domain controller to query. Can be a server name, FQDN, or IP address.
  • [<CommonParameters>]: Standard PowerShell parameters like -Verbose, -ErrorAction, -WarningAction, etc.

  1. Get a user by username (samAccountName):
     Get-ADUser -Identity sakujo

  2. Get a user and additional properties:
     Get-ADUser -Identity sakujo -Properties EmailAddress, Department