# PowerShell Get-ADUser: Complete Guide to Query Active Directory Users
## Overview
The Get-ADUser cmdlet is one of the most essential PowerShell cmdlets for Active Directory administration. It allows you to search for and retrieve user objects from Active Directory with powerful filtering and property selection capabilities. Whether you're looking up a single user or querying thousands of users with complex criteria, Get-ADUser is your go-to command.
Key Benefits:
- Query users by identity, name, email, or custom properties
- Filter results using LDAP filters or PowerShell conditions
- Return specific properties to reduce data overhead
- Integrate with other cmdlets for bulk operations
- Export results to CSV, JSON, or other formats
Prerequisites:
- PowerShell 5.1 or later
- Active Directory PowerShell module installed
- Administrator or sufficient AD permissions
## Syntax
```powershell
Get-ADUser -Identity <ADUser> [-Properties <string[]>] [-Filter <string>] [-SearchBase <string>] [-ResultSetSize <int>]
```
### Basic Syntax Examples
```powershell
# Get specific user by username
Get-ADUser -Identity jsmith
# Get specific user by distinguished name
Get-ADUser -Identity "CN=John Smith,OU=Users,DC=contoso,DC=com"
# Get all users in domain
Get-ADUser -Filter * -Properties *
# Find users by email
Get-ADUser -Filter "mail -like '*@contoso.com'"
```
---
## Key Parameters
### Identity
Specifies the Active Directory user object to retrieve.
```powershell
# By username (SAM account name)
Get-ADUser -Identity jsmith
# By email/UPN
Get-ADUser -Identity john.smith@contoso.com
# By distinguished name
Get-ADUser -Identity "CN=John Smith,OU=Users,DC=contoso,DC=com"
# By SID
Get-ADUser -Identity "S-1-5-21-123456789-123456789-123456789-1234"
```
### Filter
Specifies an LDAP filter to search for users matching criteria.
```powershell
# Users whose name contains "smith"
Get-ADUser -Filter "name -like '*smith*'"
# Enabled users only
Get-ADUser -Filter "enabled -eq $true"
# Users with email domain
Get-ADUser -Filter "mail -like '*@contoso.com'"
# Users in specific department
Get-ADUser -Filter "department -eq 'IT'"
```
### Properties
Specifies which Active Directory attributes to retrieve. Default returns minimal properties.
```powershell
# Get all properties
Get-ADUser jsmith -Properties *
# Get specific properties
Get-ADUser jsmith -Properties EmailAddress, Department, Title, Manager
# Common properties to retrieve
Get-ADUser jsmith -Properties EmailAddress, EmployeeID, PhoneNumber, Title, Office, Department, Manager, LastLogonDate
```
### SearchBase
Specifies the distinguished name of the Active Directory container to search within.
```powershell
# Search only in specific OU
Get-ADUser -Filter "enabled -eq $true" -SearchBase "OU=Marketing,OU=Users,DC=contoso,DC=com"
# Limits scope and improves performance on large domains
Get-ADUser -Filter "title -like '*Manager*'" -SearchBase "OU=Management,DC=contoso,DC=com"
```
### ResultSetSize
Specifies maximum number of results to return. Default is unlimited.
```powershell
# Get only first 100 users
Get-ADUser -Filter "enabled -eq $true" -ResultSetSize 100
# Get only first 1000 to avoid timeout on very large queries
Get-ADUser -Filter * -ResultSetSize 1000
```
---
## Examples
### Example 1: Get Specific User by Username
```powershell
Get-ADUser -Identity jsmith -Properties EmailAddress, Department, Title
```
**Output:**
```powershell
DistinguishedName : CN=John Smith,OU=Users,DC=contoso,DC=com
Enabled : True
GivenName : John
Name : John Smith
ObjectClass : user
ObjectGUID : a1b2c3d4-e5f6-7890-abcd-ef1234567890
SamAccountName : jsmith
SID : S-1-5-21-123456789-123456789-123456789-5678
Surname : Smith
UserPrincipalName : john.smith@contoso.com
EmailAddress : john.smith@contoso.com
Department : IT
Title : Systems Administrator
```
### Example 2: Find All Enabled Users
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties EmailAddress, LastLogonDate | Select-Object Name, EmailAddress, LastLogonDate
```
**Output:**
```powershell
Name        EmailAddress            LastLogonDate
----        ------------            -------------
John Smith  john.smith@contoso.com  1/15/2026 9:30:00 AM
Sarah Jones sarah.jones@contoso.com 1/15/2026 2:15:00 PM
Mike Davis  mike.davis@contoso.com  1/14/2026 4:45:00 PM
```
### Example 3: Search by Email Domain
```powershell
Get-ADUser -Filter "mail -like '*@contoso.com'" -Properties EmailAddress, Department
```
**Output:**
```powershell
DistinguishedName : CN=John Smith,OU=Users,DC=contoso,DC=com
Name : John Smith
EmailAddress : john.smith@contoso.com
Department : IT

DistinguishedName : CN=Sarah Jones,OU=Users,DC=contoso,DC=com
Name : Sarah Jones
EmailAddress : sarah.jones@contoso.com
Department : HR
```
### Example 4: Find Users in Specific Department
```powershell
Get-ADUser -Filter "department -eq 'IT'" -Properties Title, Manager | Format-Table Name, Title, Manager -AutoSize
```
**Output:**
```powershell
Name       Title                 Manager
----       -----                 -------
John Smith Systems Administrator CN=Bob Wilson,OU=Users,DC=contoso,DC=com
Mike Davis Network Administrator CN=Bob Wilson,OU=Users,DC=contoso,DC=com
Lisa Chen  IT Support Specialist CN=John Smith,OU=Users,DC=contoso,DC=com
```
### Example 5: Find Inactive Users (Not Logged In 30 Days)
```powershell
$date = (Get-Date).AddDays(-30)
Get-ADUser -Filter "lastLogonDate -lt '$date'" -Properties LastLogonDate | Select-Object Name, LastLogonDate
```
**Output:**
```powershell
Name         LastLogonDate
----         -------------
Old Account  12/5/2025 3:20:00 PM
Unused User  11/28/2025 10:15:00 AM
Test Account 11/1/2025 2:30:00 PM
```
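For account-hygiene reviews, the query in Example 5 has two blind spots: accounts that have never logged on have no `LastLogonDate` and are skipped by a date comparison, and `LastLogonDate` is derived from the replicated `lastLogonTimestamp` attribute, which by default can lag real logons by up to 14 days. The following is an added example, not part of the original guide; `Get-StaleADUser` is a hypothetical helper name and the OU path is a placeholder.

```powershell
# Added example: Get-StaleADUser is a hypothetical helper, not part of the ActiveDirectory module.
function Get-StaleADUser {
    [CmdletBinding()]
    param(
        # LastLogonDate can lag real logons by up to 14 days, so shorter windows are rejected.
        [ValidateRange(15, 3650)]
        [int]$DaysInactive = 30,

        # Optional OU to limit the search (placeholder value shown in the call below)
        [string]$SearchBase
    )

    $cutoff = (Get-Date).AddDays(-$DaysInactive)
    $query = @{
        Filter     = 'Enabled -eq $true'   # single quotes: the AD module resolves $true itself
        Properties = 'LastLogonDate', 'whenCreated', 'PasswordLastSet'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase }

    Get-ADUser @query | ForEach-Object {
        $reason = if (-not $_.LastLogonDate) {
            # Never logged on: a date comparison in -Filter does not return these accounts.
            # Accounts created inside the window are left out to avoid flagging new hires.
            if ($_.whenCreated -lt $cutoff) { 'NeverLoggedOn' }
        }
        elseif ($_.LastLogonDate -lt $cutoff) {
            'Inactive'
        }

        if ($reason) {
            [pscustomobject]@{
                SamAccountName  = $_.SamAccountName
                Reason          = $reason
                LastLogonDate   = $_.LastLogonDate
                Created         = $_.whenCreated
                PasswordLastSet = $_.PasswordLastSet
            }
        }
    } | Sort-Object Reason, LastLogonDate
}

# Report only; review the list before disabling anything.
Get-StaleADUser -DaysInactive 30 -SearchBase 'OU=Users,DC=contoso,DC=com' |
    Format-Table -AutoSize
```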
### Example 6: Export Users to CSV
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties EmailAddress, Department, Title, PhoneNumber |
Export-Csv -Path "C:\Exports\ActiveUsers.csv" -NoTypeInformation
```
Creates a CSV file with all active users and their details.
### Example 7: Find Users with Empty Email Field
```powershell
Get-ADUser -Filter "mail -notlike '*'" -Properties EmailAddress | Select-Object Name, EmailAddress
```
**Output:**
```powershell
Name           EmailAddress
----           ------------
Unprovisioned1
Test Account
Old User
```
### Example 8: Search in Specific OU
```powershell
Get-ADUser -Filter "enabled -eq $true" -SearchBase "OU=Marketing,OU=Departments,DC=contoso,DC=com" -Properties Department, Title
```
Returns only enabled users from the Marketing department OU.
### Example 9: Find Users with Manager
```powershell
# -Filter cannot compare against $null; match any non-empty Manager value instead
Get-ADUser -Filter "manager -like '*'" -Properties Manager | Select-Object Name, Manager | Format-Table -AutoSize
```
**Output:**
```powershell
Name        Manager
----        -------
John Smith  CN=Bob Wilson,OU=Users,DC=contoso,DC=com
Sarah Jones CN=Bob Wilson,OU=Users,DC=contoso,DC=com
Mike Davis  CN=John Smith,OU=Users,DC=contoso,DC=com
```
### Example 10: Combine Multiple Filters with Where-Object
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties Department, Title |
Where-Object { $_.Title -like "*Manager*" -and $_.Department -eq "IT" }
```
Finds IT department users with "Manager" in their title.
---
## Common Use Cases
### Check if User Exists
```powershell
$user = Get-ADUser -Filter "samAccountName -eq 'jsmith'" -ErrorAction SilentlyContinue
if ($user) {
    Write-Host "User found: $($user.Name)"
} else {
    Write-Host "User not found"
}
```
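When the account name comes from a CSV file, a ticket, or a web form rather than being typed by the administrator, it should be escaped before it is placed in a filter string. The following added example (not from the original guide; both function names are hypothetical) performs the existence check with `-LDAPFilter` and RFC 4515 escaping, and reports directory errors separately from "not found".

```powershell
# Added example: both functions are hypothetical helpers, not part of the ActiveDirectory module.
function ConvertTo-LdapFilterValue {
    # Escape the characters RFC 4515 reserves inside an LDAP filter value.
    param([Parameter(Mandatory)][AllowEmptyString()][string]$Value)

    $escaped = $Value.Replace('\', '\5c')     # backslash first, so later escapes are not re-escaped
    $escaped = $escaped.Replace('*', '\2a')   # wildcard
    $escaped = $escaped.Replace('(', '\28')   # filter grouping
    $escaped = $escaped.Replace(')', '\29')
    $escaped = $escaped.Replace("`0", '\00')  # NUL
    $escaped
}

function Test-ADUserExists {
    [CmdletBinding()]
    [OutputType([bool])]
    param(
        [Parameter(Mandatory)][ValidateNotNullOrEmpty()][string]$SamAccountName,
        [string]$Server
    )

    $safe  = ConvertTo-LdapFilterValue -Value $SamAccountName
    $query = @{ LDAPFilter = "(sAMAccountName=$safe)" }
    if ($Server) { $query.Server = $Server }

    try {
        # No match returns nothing (-> $false); -ErrorAction Stop sends any error to catch.
        [bool](Get-ADUser @query -ErrorAction Stop)
    }
    catch {
        throw "Directory lookup failed (this is not 'user not found'): $($_.Exception.Message)"
    }
}

# Constructed sample inputs showing what the escaping does (runs without a domain controller).
'jsmith', 'j*', 'smith (contractor)' | ForEach-Object {
    '{0,-20} -> {1}' -f $_, (ConvertTo-LdapFilterValue -Value $_)
}

# Usage against a directory:
# if (Test-ADUserExists -SamAccountName $inputName) { Write-Host 'User found' }
```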
### Get User's Manager Information
```powershell
$user = Get-ADUser jsmith -Properties Manager
$manager = Get-ADUser -Identity $user.Manager -Properties Title
Write-Host "User: $($user.Name)"
Write-Host "Manager: $($manager.Name) - $($manager.Title)"
```
### Count Users by Department
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties Department |
Group-Object -Property Department |
Select-Object Name, Count |
Sort-Object Count -Descending
```
### Find Users Missing Required Properties
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties EmailAddress, PhoneNumber, Title |
Where-Object { -not $_.EmailAddress -or -not $_.Title } |
Select-Object Name, EmailAddress, Title
```
### Get All User Properties for One User
```powershell
Get-ADUser jsmith -Properties * | Get-Member -MemberType Property | Select-Object Name
```
---
## Common Errors & Fixes
### Error: "Cannot find a user with identity 'xyz'"
**Cause:** User doesn't exist or identity format is incorrect
**Fix:** Verify username exists, use -Filter instead, or check case sensitivity
```powershell
# Check if user exists
Get-ADUser -Filter "samAccountName -eq 'jsmith'"
# Try filter instead of identity
Get-ADUser -Filter "name -like '*john smith*'"
```
### Error: "Attribute mailNickname is not available"
**Cause:** Attribute name is incorrect or doesn't exist
**Fix:** Use correct attribute name: use `mail` not `mailNickname`
```powershell
# Incorrect
Get-ADUser jsmith -Properties mailNickname
# Correct
Get-ADUser jsmith -Properties mail
```
### Error: "The server could not be contacted"
**Cause:** No domain controller connection
**Fix:** Ensure AD module is loaded and you're on domain network
```powershell
# Load AD module
Import-Module ActiveDirectory
# Specify domain controller
Get-ADUser -Identity jsmith -Server "dc01.contoso.com"
```
---
## Best Practices
### Performance Tips
1. **Specify properties needed** - Don't use `-Properties *` unless necessary
```powershell
# Good - get only needed properties
Get-ADUser jsmith -Properties EmailAddress, Department
# Avoid - retrieves all attributes (slower)
Get-ADUser jsmith -Properties *
```
2. **Use SearchBase for large domains** - Limits scope and improves speed
```powershell
# Good - search only in specific OU
Get-ADUser -Filter "enabled -eq $true" -SearchBase "OU=Users,DC=contoso,DC=com"
```
3. **Set ResultSetSize for large queries** - Prevents timeout
```powershell
# Good - limit results
Get-ADUser -Filter * -ResultSetSize 5000 | ...
```
### Accuracy Tips
1. **Use exact identity match when possible** - Faster and more accurate
2. **Verify filter syntax** - Test filters before using in automation
3. **Check permissions** - Ensure account has read access to user objects
### Common Mistakes to Avoid
- **Using partial matches when exact match exists** - Slower
- **Not specifying properties** - Returns unnecessary data
- **Assuming users exist** - Always verify with -ErrorAction SilentlyContinue
- **Using deprecated ADSI syntax** - Use modern Get-ADUser instead
---
## Related Commands
- **[Get-ADComputer](/powershell-get-adcomputer)** - Query computer objects
- **[Get-ADGroup](/powershell-get-adgroup)** - Query group objects
- **[New-ADUser](/powershell-new-aduser)** - Create new users
- **[Set-ADUser](/powershell-set-aduser)** - Modify user properties
- **[Remove-ADUser](/powershell-remove-aduser)** - Delete users
- **Disable-ADAccount** - Disable user accounts
---
## FAQs
**Q: How do I get all user properties?**
A: Use `-Properties *` but be aware this is slower. Better to specify only needed properties.
```powershell
Get-ADUser jsmith -Properties *
```
**Q: Can I search by multiple criteria?**
A: Yes, use Where-Object to combine multiple conditions.
```powershell
Get-ADUser -Filter "enabled -eq $true" -Properties Department |
Where-Object { $_.Department -eq "IT" -or $_.Department -eq "HR" }
```
**Q: How do I get the user's manager name (not DN)?**
A: Get the Manager DN first, then query that user.
```powershell
$user = Get-ADUser jsmith -Properties Manager
$manager = Get-ADUser -Identity $user.Manager
$manager.Name
```
**Q: Can I search by partial email address?**
A: Yes, use wildcard in -Filter with -like operator.
```powershell
Get-ADUser -Filter "mail -like '*john*@contoso.com'"
```
**Q: How do I exclude disabled users?**
A: Use enabled filter.
```powershell
Get-ADUser -Filter "enabled -eq $true"
```
**Q: Can I search across multiple domains?**
A: You need to query each domain separately or specify domain controller.
```powershell
Get-ADUser -Filter "name -like '*smith*'" -Server "domain1.contoso.com"
Get-ADUser -Filter "name -like '*smith*'" -Server "domain2.contoso.com"
```
---
## See Also
- **Complete PowerShell Guide** - Overview of AD automation
- **[Active Directory Users Guide](/active-directory-users)** - User management concepts
- **Complete Active Directory Guide** - AD fundamentals
- **[PowerShell Bulk AD Operations](/powershell-bulk-ad-operations)** - Bulk user operations
---
**Last Updated:** February 6, 2026
**Difficulty Level:** Intermediate
**Reading Time:** 12 minutes