Querying Active Directory (AD) is a fundamental task for any Windows administrator. Whether I need to generate a report, audit user accounts, or automate a task, PowerShell’s Get-ADUser cmdlet is the most powerful and flexible tool for the job.

This guide will walk through everything I learned to get started with Get-ADUser, from basic queries to advanced filtering and exporting results to a CSV file.


Prerequisites

Before I can use Get-ADUser, I need to have the Active Directory module for PowerShell installed. This is part of the Remote Server Administration Tools (RSAT).

On a Windows Server: I can install it using the “Add Roles and Features” wizard or with this PowerShell command (as Administrator):

Install-WindowsFeature -Name "RSAT-AD-PowerShell"

On a Windows 10/11 Client:

  1. Go to Settings > Apps > Optional features.
  2. Click Add a feature.
  3. Search for and install “RSAT: Active Directory Domain Services and Lightweight Directory Services Tools”.

Once installed, I can load the module into my PowerShell session:

Import-Module ActiveDirectory


1. Basic Get-ADUser Usage

Getting a Single User

The simplest use of Get-ADUser is to retrieve information about a single user. I do this using the -Identity parameter, which can accept a username, distinguished name, or GUID.

# Get a user by their SamAccountName
Get-ADUser -Identity "jdoe"

Getting All Users

To get all users in my domain, I can use the -Filter * parameter.

# This can be slow in large environments!
Get-ADUser -Filter *

2. Filtering Users with -Filter

The real power of Get-ADUser comes from the -Filter parameter, which allows me to find users based on specific criteria. The filter uses a special syntax similar to a PowerShell Where-Object clause.

Here are some common filter examples:

Find users by name:

# Find users with the last name "Smith"
Get-ADUser -Filter 'Surname -eq "Smith"'

# Find users whose first name starts with "J"
Get-ADUser -Filter 'GivenName -like "J*"'

Find users in a specific OU:

To search in a specific Organizational Unit (OU), I use the -SearchBase parameter.

Get-ADUser -Filter * -SearchBase "OU=Sales,DC=mydomain,DC=com"

Find enabled or disabled users:

# Find all enabled users
Get-ADUser -Filter 'Enabled -eq $true'

# Find all disabled users
Get-ADUser -Filter 'Enabled -eq $false'


3. Selecting Specific Properties with -Properties

By default, Get-ADUser only returns a small set of common properties. To get more information, I need to request it with the -Properties parameter.

# Get a user and include their EmailAddress and Department
Get-ADUser -Identity "jdoe" -Properties EmailAddress, Department

I can then use Select-Object to display only the properties I need.

Get-ADUser -Identity "jdoe" -Properties EmailAddress, Department | Select-Object Name, EmailAddress, Department

Example Output:

Name      EmailAddress      Department
----      ------------      ----------
John Doe  [email protected] Sales
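
The same three parameters cover a basic account audit. The following is an added example, not code from the original post: it lists enabled accounts under one OU whose password never expires or that show no recent logon. The function name Get-RiskyAccount and the 90-day threshold are assumptions; the OU is the one used earlier on this page.

```powershell
Import-Module ActiveDirectory

function Get-RiskyAccount {
    # Hypothetical helper name; the 90-day default is an assumed threshold.
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [int]$StaleDays = 90
    )

    $cutoff = (Get-Date).AddDays(-$StaleDays)

    # Filter on Enabled server-side and request only the extra attributes
    # the audit needs, instead of pulling every property with -Properties *.
    $query = @{
        Filter      = 'Enabled -eq $true'
        SearchBase  = $SearchBase
        Properties  = 'PasswordNeverExpires', 'PasswordLastSet', 'LastLogonDate'
        ErrorAction = 'Stop'
    }

    foreach ($u in Get-ADUser @query) {
        $findings = @()
        if ($u.PasswordNeverExpires) { $findings += 'PasswordNeverExpires' }

        # LastLogonDate comes from lastLogonTimestamp, which replicates with a
        # lag of up to about two weeks, so treat it as approximate.
        if ($null -eq $u.LastLogonDate) { $findings += 'NeverLoggedOn' }
        elseif ($u.LastLogonDate -lt $cutoff) { $findings += "NoLogonIn${StaleDays}Days" }

        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Name            = $u.Name
                PasswordLastSet = $u.PasswordLastSet
                LastLogonDate   = $u.LastLogonDate
                Findings        = $findings -join ';'
            }
        }
    }
}

Get-RiskyAccount -SearchBase 'OU=Sales,DC=mydomain,DC=com' |
    Sort-Object LastLogonDate |
    Format-Table -AutoSize
```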


4. Exporting Results to a CSV File

One of the most common use cases for Get-ADUser is to generate reports. The easiest way to do this is to export the results to a CSV file, which can be opened in Excel.

This example finds all enabled users in the “Sales” OU, selects their name, email address, and department, and exports the results to a CSV file.

# Find all enabled users in the Sales OU
$users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase "OU=Sales,DC=mydomain,DC=com" -Properties EmailAddress, Department

# Select the desired properties
$report = $users | Select-Object Name, SamAccountName, EmailAddress, Department

# Export the results to a CSV file
$report | Export-Csv -Path "C:\Reports\SalesUsers.csv" -NoTypeInformation

Write-Host "Report has been saved to C:\Reports\SalesUsers.csv"

The -NoTypeInformation switch removes the #TYPE header from the CSV file, making it cleaner and easier to work with in Excel.
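
Because the report is meant to be opened in Excel, any attribute value that starts with =, +, - or @ will be evaluated as a formula, and directory attributes such as Department are often written by other systems or people. The following added example (not from the original post) neutralizes such values before Export-Csv; Protect-CsvField is a hypothetical helper name, the sample rows are constructed, and the output path under $env:TEMP is an assumption.

```powershell
function Protect-CsvField {
    # Hypothetical helper, not part of any module. Prefixes string values that a
    # spreadsheet would treat as a formula with a single quote so they stay text.
    param([Parameter(Mandatory, ValueFromPipeline)]$InputObject)
    process {
        $clean = [ordered]@{}
        foreach ($p in $InputObject.PSObject.Properties) {
            $value = $p.Value
            # Leading =, +, -, @, tab or carriage return triggers formula parsing.
            # Side effect: a string such as "-5" is also quoted.
            if ($value -is [string] -and $value -match '^[=+\-@\t\r]') {
                $value = "'" + $value
            }
            $clean[$p.Name] = $value
        }
        [pscustomobject]$clean
    }
}

# Constructed sample rows standing in for Get-ADUser | Select-Object output
$report = @(
    [pscustomobject]@{ Name = 'John Doe';  SamAccountName = 'jdoe';  Department = 'Sales' }
    [pscustomobject]@{ Name = 'Test User'; SamAccountName = 'tuser'; Department = '=1+1' }
)

$path = Join-Path $env:TEMP 'SalesUsers.csv'
$report | Protect-CsvField | Export-Csv -Path $path -NoTypeInformation

# The second row's Department is now written as '=1+1 and displays as text
Get-Content $path
```

In the real pipeline, the function goes between Select-Object and Export-Csv.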


5. Advanced Example: A Practical Script

Let’s combine these concepts into a practical script similar to the one in the original post. This script finds all users whose account name starts with “PS”, extracts a numeric ID from their account name, and exports the results.

# Define the search parameters
$searchBase = "CN=Users,DC=mydomain,DC=com"

# Query AD for users starting with "PS*"
try {
    $users = Get-ADUser -Filter 'SamAccountName -like "PS*"' -SearchBase $searchBase -Properties GivenName, Surname

    if ($null -eq $users) {
        Write-Warning "No accounts starting with 'PS*' found in $searchBase"
        # return ends the script here; exit would also close an interactive console
        return
    }

    # Process the results to create a custom report
    $results = $users | Select-Object @{
        Name = 'AccountNumber'
        Expression = {
            if ($_.SamAccountName -match '\d+$') {
                $matches[0] # Extract trailing digits
            } else {
                "N/A"
            }
        }
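    }, SamAccountName, GivenName, Surname |
        # Sort numerically (a string sort puts "10" before "2"); "N/A" rows go last
        Sort-Object -Property { if ($_.AccountNumber -match '^\d+$') { [long]$_.AccountNumber } else { [long]::MaxValue } }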

    # Display the results in the console
    $results | Format-Table -AutoSize

    # Export the results to a CSV file
    $results | Export-Csv -Path "AD_PS_Users.csv" -NoTypeInformation
    Write-Host "Results exported to AD_PS_Users.csv"
}
catch {
    Write-Error "An error occurred while querying Active Directory: $_"
}

Conclusion

The Get-ADUser cmdlet is an indispensable tool for any Windows administrator. By mastering its -Filter, -SearchBase, and -Properties parameters, I can efficiently find, audit, and manage user accounts in my Active Directory environment.

I started with simple queries, gradually added complexity, and always remembered to pipe my results to Export-Csv to create powerful and automated reports.