The user account object in Active Directory contains several properties (attributes), such as canonical name, first name, middle name, last name, e-mail address, phone number, job title, department, country, etc. User attribute values can be set by an administrator or account operator. A user object in Active Directory can contain more than 250 attributes, of which only six attributes are required (must be set when creating a user account in Active Directory). In this article, we will look at how to get the value of user attributes in AD using the ADUC console and using PowerShell.
You can use the Active Directory Users and Computers console (dsa.msc) to view user attribute values:
- Run the ADUC console and enable the Advanced Features option in the View menu;
- Expand the OU with users and open the properties of the user account;
- Go to the Attribute Editor tab;
- You will see a list of user attribute values (including custom AD attributes). Here you can copy or edit the value of any attribute;
- Using the Filter button, you can set whether to display all attributes or only filled ones.
You can get the user attribute value from Active Directory using PowerShell. To do this, you can use the Get-ADUser cmdlet from the Active Directory for Windows PowerShell module. Import the RSAT-AD-PowerShell module into your PowerShell session:
Import-Module ActiveDirectory
To get information about an Active Directory user account, run the command:
Get-ADUser b.jackson
By default, the Get-ADUser cmdlet only lists the user’s basic attributes:
- DistinguishedName.
- GivenName.
- Name.
- Surname.
- ObjectClass.
- ObjectGUID.
- SamAccountName.
- SID.
- UserPrincipalName.
- Enabled.
To display the values of other user attributes, you must list them in the -Properties parameter. For example, to display the user's company name, department, job title, phone number, and last password change date in Active Directory, run the following PowerShell command:
Get-ADUser b.jackson -Properties company, department, title, telephoneNumber, PwdLastSet
Note that the output now contains the requested attributes in addition to the default ones. You can show only the attributes you want, and also transform the value of an attribute, with Select-Object:
Get-ADUser b.jackson -Properties company, department, title, telephoneNumber, PwdLastSet | Select-Object SamAccountName, Name, company, department, title, telephoneNumber, @{Name='PwdLastSet';Expression={[DateTime]::FromFileTime($_.PwdLastSet)}}
In this example, we use a custom transformation for the PwdLastSet attribute. It is stored in Active Directory in Windows NT time format, and we use the Expression construct to convert it to a human-readable time format.
To display all user attributes in Active Directory, you need to specify an asterisk (*) in the Properties parameter:
Get-ADUser b.jackson -Properties *
With Get-ADUser, you can search for users with specific attribute values in Active Directory. For example, the following command will list all enabled user accounts whose name contains John:
Get-ADUser -Filter {( Name -like "*John*") -and (Enabled -eq "true")} -Properties *
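The following is an added example, not code from the original article. It builds on the PwdLastSet conversion and the -Filter search above to report password age per account, and it handles a PwdLastSet value of 0 (user must change password at next logon), which [DateTime]::FromFileTime would otherwise show as a date in 1601. The function name Get-PasswordAgeReport, the 90-day threshold, and the sample accounts are assumptions constructed for illustration.

```powershell
# Added example. Get-PasswordAgeReport is a hypothetical helper, not an AD module cmdlet.
function Get-PasswordAgeReport {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$User,
        [int]$MaxAgeDays = 90,          # assumed policy threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        $raw = [long]$User.pwdLastSet   # a missing/null value casts to 0
        if ($raw -le 0) {
            # 0 means "must change password at next logon" or never set.
            # Converting it would print a misleading date in the year 1601.
            $changed = $null; $age = $null; $status = 'MustChangeOrNeverSet'
        } else {
            $changed = [DateTime]::FromFileTimeUtc($raw)
            $age     = [int][math]::Floor(($Now.ToUniversalTime() - $changed).TotalDays)
            $status  = if ($age -gt $MaxAgeDays) { 'Stale' } else { 'OK' }
        }
        [pscustomobject]@{
            SamAccountName = $User.SamAccountName
            Department     = $User.Department
            PwdLastSetUtc  = $changed
            AgeDays        = $age
            Status         = $status
        }
    }
}

# Constructed sample objects so the function can be tried without a domain.
$now = [datetime]::new(2023, 1, 27, 0, 0, 0, [DateTimeKind]::Utc)
$sample = @(
    [pscustomobject]@{ SamAccountName = 'b.jackson'; Department = 'Sales'
                       pwdLastSet = $now.AddDays(-10).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'j.smith';   Department = 'IT'
                       pwdLastSet = $now.AddDays(-400).ToFileTimeUtc() }
    [pscustomobject]@{ SamAccountName = 'new.hire';  Department = 'HR'
                       pwdLastSet = 0 }
)
$sample | Get-PasswordAgeReport -Now $now | Format-Table -AutoSize

# Against a live domain: filter on the server and request only the attributes needed
# instead of -Properties *.
# Get-ADUser -Filter 'Enabled -eq $true' -Properties Department, pwdLastSet |
#     Get-PasswordAgeReport | Where-Object Status -ne 'OK'
```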