The user account object in Active Directory contains several properties (attributes), such as canonical name, first name, middle name, last name, e-mail address, phone number, job title, department, country, etc.
An administrator or account operator User attribute values. A user object in Active Directory can contain more than 250 attributes, of which only six attributes are required (must be set when creating a user account in Active Directory).
In this article, we will look at how to get the value of user attributes in AD using the ADUC console and PowerShell.
Using the Active Directory Users and Computers (GUI)
You can use the Active Directory Users and Computers snap-in (ADUC) to view user attribute values. This method is convenient when viewing the attributes of a few users one by one.
- On your domain controller or a computer with RSAT installed, run the dsa.msc command to launch ADUC.
- Enable the Advanced Features option in the View menu.
- Locate or search the user from a specific AD OU or domain root. Open the properties of the user account.
- Click the Attribute Editor tab. You’ll see the list of user attributes in this tab, including custom attributes. Here, you can edit and copy each user attribute value individually.
- You can also filter the attributes to show only those with values. Click Filter → Show only attributes that have values.
As convenient as ADUC is, you can only view the attributes of one user at a time. There’s no bulk viewer or export functionality.
Using the DSGET USER Command
DSGET is a command-line tool that ships with Windows Servers (2003+). Its purpose is to display Active Directory objects. To display user-specific attributes, the command to use is:
dsget user <UserDN> [-attribute1] [-attribute2] ...
You can find the list of attributes this command can display from this link.
For example, this command gets the user’s SamAccountName, DisplayName, and UserPrincipalName attribute values.
dsget user 'CN=Christopher Wilson,OU=Users,OU=California,OU=USA,DC=theitbros,DC=com' -display -samid -upn
The DSGET USER command does not support wildcards, so you can only view the attributes of one user at a time. But its UserDN argument accepts input from the pipeline, which means you can pass the user’s distinguished name from the pipeline as a result of another command, like DSQUERY USER.
For example, the below command searches for the user cwilson and passes the output to the dsget user command.
dsquery user -samid cwilson | dsget user -display -samid -upn -disabled -canchpwd
To get all users’ attributes, use this command instead.
dsquery user | dsget user -display -samid -upn -disabled -canchpwd
Sadly, the DSGET USER command does not have a built-in export-to-file function. But you can redirect the output to the file using the standard redirect operators, such as > and >>.
Check out our article on how to import/export Active Directory users with CSVDE?
Using the Get-ADUser PowerShell Cmdlet
You can get the user attribute value from Active Directory using PowerShell. To do this, you can use the Get-ADUser cmdlet from the PowerShell Active Directory module.
- First, import the ActiveDirectory module.
Import-Module ActiveDirectory
To get information about an Active Directory user account, run the command:
Get-ADUser -Identity <user identity>
By default, the Get-ADUser cmdlet only lists the user’s primary attributes as follows:
- DistinguishedName
- Enabled
- GivenName
- Name
- ObjectClass
- ObjectGUID
- SamAccountName
- SamAccountName
- SID
- Surname
- UserPrincipalName
To display the values of other user attributes, you must specify a list of them using the -Properties parameter.
For example, you want to display the user’s company name, department, job title, phone number, and last password change date in Active Directory. Run the following PowerShell command:
Get-ADUser cwilson –Properties company, department, title, telephoneNumber, PwdLastSet
Please note that the list of properties, in addition to the main attributes, displays new user attributes. You can show only the attributes you want and also transform the value of some attributes with Select-Object:
Get-ADUser cwilson -Properties company, department, title, telephoneNumber, PwdLastSet |
Select-Object SamAccountName, Name, company, department, title, telephoneNumber,
@{Name = 'PwdLastSet'; Expression = { [DateTime]::FromFileTime($_.PwdLastSet) } }
In this example, we use a custom transformation for the PwdLastSet attribute. It is stored in Active Directory in Windows NT time format, and to convert it to human-readable time format, we use the Expression construct.
To display all user attributes in Active Directory, you need to specify an asterisk (*) in the Properties parameter:
Get-ADUser cwilson -Properties *
With Get-ADUser, you can search for users with specific attribute values in Active Directory. For example, the following command will list all enabled user accounts whose name is Christopher:
Get-ADUser -Filter {( Name -like "*Christopher*") -and (Enabled -eq "true")} -Properties *
And since you’re working in PowerShell, you can export the results to a CSV, JSON, XML, HTML, and TEXT file.
Conclusion
Viewing and exporting user attributes in Active Directory is typical in an administrator’s daily routine. Knowing which tools to use for the right purpose, or perhaps a combination of two or more, can significantly improve a seemingly mundane task.
There’s an endless list of tools to accomplish the same result, but we only covered the native tools to get user attributes from Active Directory in this post. Which one is your favorite?
