In my last post, I reviewed the New-ADUser cmdlet and demonstrated the different parameters you can use to create a new user. Now let's look at the Get-ADUser cmdlet and see how to use it to retrieve Active Directory users and their attributes.


With the Get-ADUser cmdlet, you can search Active Directory for a single user object or for multiple user objects. We'll start with the former scenario. The cmdlet lives in the ActiveDirectory module (installed with RSAT), so launch Windows PowerShell ISE on a machine that has it and enter Get-ADUser with the -Identity parameter, followed by the user you would like to find.

Get-ADUser -Identity "arpazik"

When you run this, PowerShell queries Active Directory for the user whose SAM account name is arpazik. -Identity also accepts a distinguished name, an objectGUID or a SID, and it must match exactly one object; if nothing matches, the cmdlet throws an ADIdentityNotFoundException rather than returning an empty result.


Note that by default Get-ADUser queries a domain controller for the domain your computer is joined to, and searches only that domain. If your forest has a root domain and a child (tree) domain and your computer is joined to the child, the default search covers the child domain only. To query another domain, pass its name or one of its domain controllers to -Server; to search the whole forest, point -Server at a global catalog on port 3268 (keeping in mind that a GC holds only the partial attribute set). -SearchBase narrows a search to an OU within the domain.

Now let's take a look at the latter scenario. Say you want a list of all the users with the same last name. This time you use the -Filter parameter with a comparison expression that selects only users whose surname matches, which in my case is Pazik.

Get-ADUser -Filter {Surname -EQ "Pazik"}

The -Identity parameter is not used here because we want every matching user rather than one specific object. When I run this, PowerShell searches Active Directory for all users whose surname (last name) is Pazik and returns the results.
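The two lookups above, plus the ways to scope or redirect the search that the domain note calls for, as an added example that is not part of the original post. It assumes the ActiveDirectory module and a reachable domain controller; the user name, OU distinguished name, domain name and DC host name are placeholders.

```powershell
# Added example (not from the original post). Placeholders: 'arpazik', the OU DN,
# 'child.corp.example' and 'dc01.corp.example'.
Import-Module ActiveDirectory

# Single object: -Identity takes a sAMAccountName, DN, objectGUID or SID.
# A miss is a terminating exception, so catch it when scripting.
try {
    $user = Get-ADUser -Identity 'arpazik' -ErrorAction Stop
    "Found $($user.SamAccountName) at $($user.DistinguishedName)"
}
catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
    'No user with that identity in this domain'
}

# Several objects: -Filter. Pass the value as a variable; the AD filter parser
# resolves it, so you never build the query string by concatenation.
$surname = 'Pazik'
Get-ADUser -Filter {Surname -eq $surname} |
    Select-Object Name, SamAccountName, Enabled

# Limit the search to one OU instead of the whole domain (placeholder DN).
Get-ADUser -Filter {Surname -eq $surname} `
    -SearchBase 'OU=Staff,DC=corp,DC=example' -SearchScope Subtree

# Query a different domain in the forest by naming it (or one of its DCs).
Get-ADUser -Filter {Surname -eq $surname} -Server 'child.corp.example'

# Search the entire forest through a global catalog on port 3268. The GC returns
# only the partial attribute set, so fetch extra attributes from the home domain.
Get-ADUser -Filter {Surname -eq $surname} -Server 'dc01.corp.example:3268'
```

-SearchScope accepts Base, OneLevel or Subtree; Subtree is the default and is shown only to make the scoping explicit.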


Performing searches with Get-ADUser will almost always require a -Filter expression that includes or excludes objects by attribute value. The comparison operators accepted inside -Filter are listed below.

  • -eq —- Equal to
  • -le —- Lexicographically less than or equal to
  • -ge —- Lexicographically greater than or equal to
  • -ne —- Not equal to
  • -lt —- Lexicographically less than
  • -gt —- Lexicographically greater than
  • -approx —- Approximately equal to
  • -bor —- Bitwise or
  • -band —- Bitwise and
  • -recursivematch —- Uses LDAP_MATCHING_RULE_IN_CHAIN
  • -like —- Similar to -eq and supports wildcard (*) comparisons
  • -notlike —- Not like and supports wildcard (*) comparisons
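The less common operators are where -Filter earns its keep for account hygiene work. The following is an added example, not code from the original post, showing -like, -band, -RecursiveMatch and a presence test in use. It assumes the ActiveDirectory module and a domain; the service-account naming prefix and the Domain Admins DN are placeholders.

```powershell
# Added example (not from the original post). Placeholders: the 'svc-' prefix and
# the Domain Admins DN.
Import-Module ActiveDirectory

# -like: wildcard match on a string attribute.
Get-ADUser -Filter {SamAccountName -like 'svc-*'} |
    Select-Object SamAccountName, Enabled

# -band: bitwise AND against userAccountControl. The filter parser translates it
# to the LDAP_MATCHING_RULE_BIT_AND rule, so the test runs server-side.
$ACCOUNTDISABLE       = 0x2
$DONT_EXPIRE_PASSWORD = 0x10000
$DONT_REQ_PREAUTH     = 0x400000   # Kerberos pre-auth off: AS-REP roasting exposure

Get-ADUser -Filter {userAccountControl -band $DONT_EXPIRE_PASSWORD} -Properties userAccountControl |
    Select-Object SamAccountName, @{n='UAC'; e={ '0x{0:X}' -f $_.userAccountControl }}

Get-ADUser -Filter {userAccountControl -band $DONT_REQ_PREAUTH} |
    Select-Object SamAccountName

# Presence test: any user with a servicePrincipalName (Kerberoastable).
Get-ADUser -Filter {ServicePrincipalName -like '*'} -Properties ServicePrincipalName |
    Select-Object SamAccountName, ServicePrincipalName

# -RecursiveMatch: LDAP_MATCHING_RULE_IN_CHAIN walks nested group membership,
# so users who reach Domain Admins through intermediate groups are included.
$da = 'CN=Domain Admins,CN=Users,DC=corp,DC=example'
Get-ADUser -Filter {memberOf -RecursiveMatch $da} |
    Select-Object SamAccountName, Enabled
```

-Filter runs these comparisons on the domain controller, which matters at scale: `Get-ADUser -Filter * | Where-Object {...}` pulls every user across the wire first, whereas the forms above return only the matches.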

Since you will most likely be searching for users with similar properties or attributes, the -eq and -like operators will be used more frequently than the others. There are situations, however, where -lt, -gt, -le and -ge are what you need. If you wanted to get all the users who have not changed their password since January 1st, 2017, you would use the -le operator against PasswordLastSet. The attribute is stored as pwdLastSet, a FILETIME integer, but the module converts a DateTime value for the comparison, so you can pass a date directly.

$PwdLastChanged = New-Object System.DateTime(2017, 1, 1)

Get-ADUser -Filter {passwordLastSet -LE $PwdLastChanged}

This retrieves a list of all users whose password was last set on or before January 1st, 2017. Note that accounts whose pwdLastSet is 0 (never set, or flagged to change at next logon) also satisfy the comparison and show a blank PasswordLastSet, so don't read every row as an old password.


Pretty neat, yeah? To actually see when each user last changed their password, we need to add the -Properties parameter with PasswordLastSet (Name is returned by default). We can then pipe the output to the Sort-Object and Format-Table cmdlets to order it and make it a bit easier to read. The final result is organized, informative output.
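The report described in the paragraph above, written out as an added example (not code from the original post). It assumes the ActiveDirectory module and a domain; the cutoff date is the one used in the post and is a placeholder.

```powershell
# Added example (not from the original post). Placeholder: the cutoff date.
Import-Module ActiveDirectory

$cutoff = [datetime]'2017-01-01'   # same as New-Object System.DateTime(2017, 1, 1)

# Enabled accounts whose password was last set on or before the cutoff.
# PasswordLastSet is not returned by default, so request it with -Properties.
$stale = Get-ADUser -Filter {Enabled -eq $true -and PasswordLastSet -le $cutoff} `
    -Properties PasswordLastSet, PasswordNeverExpires

# Oldest password first; -AutoSize keeps the date column from being truncated.
$stale |
    Sort-Object PasswordLastSet |
    Format-Table Name, SamAccountName, PasswordLastSet, PasswordNeverExpires -AutoSize

# pwdLastSet = 0 ("must change at next logon" or never set) also matches -le,
# sorts first and shows a blank date. Report those separately so they are not
# mistaken for passwords last changed before the cutoff.
$stale |
    Where-Object { -not $_.PasswordLastSet } |
    Select-Object Name, SamAccountName

# Quick metric: enabled accounts with a real PasswordLastSet older than a year.
$stale |
    Where-Object { $_.PasswordLastSet -and $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
    Measure-Object |
    Select-Object -ExpandProperty Count
```

Filtering on Enabled inside -Filter keeps disabled accounts out of the result server-side; if you also want them, drop that clause and add Enabled to the Format-Table columns instead.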


In my final post of this series, I will be discussing the Set-ADUser and Remove-ADUser cmdlets and the parameters available with each.



