Use PowerShell to Find Non-Default User Properties in AD

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and the Active Directory module provider to find non-default AD DS user properties.

Hey, Scripting Guy! I need to find information about users, such as office location and phone number, that is not returned by the Active Directory module provider by default. How do I do this?

Hello DP,

Microsoft Scripting Guy, Ed Wilson, is here. Today is what is officially called the calm after the storm. Massive thunderstorms ripped through Charlotte last night, knocking out power and phones. Hey, that is OK; but dude, I lost my Internet connection in the process. Major bummer. With battery backups, a generator, and what-not, I can handle bad weather—as long as it does not knock out my Internet connection. I do not have a backup ISP provider. Hey, where I live, I was lucky to get the one I have. Oh, well.

Guess what? I was just told that Windows PowerShell MVP and honorary Scripting Guy, Sean Kearney, will be presenting at Microsoft TechEd in New Orleans and in Madrid. Way to go Sean! By the way, there are two more days until the $300 discount expires.

Note   This is the third in a series of blog postings about using the Active Directory module provider. The first blog is an overview called Playing with the AD: Drive for Fun and Profit. The second blog is Find Active Directory User Information with the PowerShell Provider, in which I talk about how to use the Windows PowerShell provider to find user information in Active Directory.

Quick review

To create the Charlotte: PSDrive (points to the Charlotte organizational unit or OU), I ran the following commands. (Obviously, you need to change the commands to point to an OU and a domain that exist on your system.)

PS C:\> ipmo activedirectory
PS C:\> New-PSDrive -Name charlotte -PSProvider activedirectory -Root "AD:\ou=charlot

Name           Used (GB)     Free (GB) Provider      Root
----           ---------     --------- --------      ----
charlotte                              ActiveDire... //RootDSE/ou=charlotte,dc=ia...

PS C:\> sl charlotte:
PS charlotte:\>

Getting properties of the user

I might think that to easily see all of the information associated with the Ed Wilson user, I can pipe the output to the Format-List (fl is an alias) cmdlet as shown here.

PS charlotte:\> dir | ? name -match 'ed wilson' | fl *

The command and the output associated with the command are shown in the image that follows.

Image of command output

The problem with this approach is that only four properties of the user are returned. The four default properties are DistinguishedName, Name, ObjectClass, and ObjectGUID. However, a quick look in Active Directory Users and Computers reveals that there are many more attributes and values available. This is shown here.

Image of menu

What about Get-ADUser?

For performance reasons, the Get-ADUser cmdlet does not return all properties of a user object by default. It returns the following properties:

PS C:\> Get-ADUser 'cn=ed wilson,ou=charlotte,dc=iammred,dc=net' | select -expand propertynames

Therefore, if I want to access additional attributes and their associated values, I need to specifically request the attributes I desire. Unfortunately, the attribute names bear little relationship to the names that appear in Active Directory Users and Computers. The best way to find the required attributes is to use ADSI Edit. In modern versions of ADSI Edit, there is a view that shows only attributes that contain values. Consequently, it is fairly easy to match the actual name of the Active Directory attribute and the name that appears in Active Directory Users and Computers.

Note   In my Windows PowerShell 3.0 Step by Step book, I have a chapter that includes screenshots that map the Active Directory Users and Computers interface to the actual AD Attribute names.

The ADSI Edit property sheet for the Ed Wilson user object is shown here.

Image of menu

Use Get-ItemProperty to get other attributes

So what is the trick to obtaining additional attributes from the user object beyond the four default properties returned by Get-Item? One approach is to use the Get-ItemProperty cmdlet. This technique is shown here where I retrieve the city (lower case L) attribute for the user.

PS charlotte:\> Get-ItemProperty -Path '.\CN=ed wilson' -Name l

l            : Charlotte
PSPath       : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/CN=ed
PSParentPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/ou=Ch
PSChildName  : CN=ed wilson
PSDrive      : charlotte
PSProvider   : Microsoft.ActiveDirectory.Management\ActiveDirectory

Use Get-Item to get other attributes

I do not have to use the Get-ItemProperty cmdlet to retrieve other attributes from a user object. I can use the Get-Item cmdlet and type in an array of attributes in the Properties parameter. This technique is shown here where I add in the city (l) and the phone number (telephoneNumber) to the command.

PS charlotte:\> get-item -Path "cn=ed wilson" -Properties l, telephonenumber

PSPath             : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE
                     /cn=ed wilson,ou=charlotte,dc=iammred,dc=net
PSParentPath       : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE
PSChildName        : cn=ed wilson
PSDrive            : charlotte
PSProvider         : Microsoft.ActiveDirectory.Management\ActiveDirectory
PSIsContainer      : True
distinguishedName  : cn=ed wilson,ou=charlotte,dc=iammred,dc=net
l                  : Charlotte
name               : ed wilson
objectClass        : user
objectGUID         : bb10b5a2-58d7-4f8a-ab10-2ee84fc7cb58
telephoneNumber    : 555-555-1212
PropertyNames      : {distinguishedName, l, name, objectClass...}
AddedProperties    : {}
RemovedProperties  : {}
ModifiedProperties : {}
PropertyCount      : 7

Use Get-Item and retrieve all of the attributes

I can also use a wildcard character (*) to retrieve all of the attributes for my user object. The command is shown here.

PS charlotte:\> get-item -Path "cn=ed wilson" -Properties *

The command and its associated output are shown in the following image.

Image of command output
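
The techniques above, pulled together as an added example (not code from the original post): the first function reports city, office, and phone for every user in an OU while requesting only those attributes, and the second lists the populated attributes beyond the four defaults. The function names and the attribute map are hypothetical; it assumes the ActiveDirectory module, the default AD: drive, and the charlotte: PSDrive created earlier. physicalDeliveryOfficeName is the LDAP attribute behind the Office field.

```powershell
# Added example; assumes the ActiveDirectory module and the default AD: drive.
# Report column -> LDAP attribute name (the names ADSI Edit shows).
$AttributeMap = [ordered]@{
    City   = 'l'
    Office = 'physicalDeliveryOfficeName'
    Phone  = 'telephoneNumber'
}
# The four properties the provider returns when nothing else is requested.
$DefaultProperties = 'distinguishedName', 'name', 'objectClass', 'objectGUID'

function Get-OuUserReport {
    # Hypothetical helper: one row per user object directly under $OuPath.
    param(
        [Parameter(Mandatory)] [string] $OuPath,   # e.g. 'charlotte:\'
        [System.Collections.IDictionary] $Map = $AttributeMap
    )
    Get-ChildItem -Path $OuPath |
        Where-Object { $_.ObjectClass -eq 'user' } |
        ForEach-Object {
            # Ask only for the mapped attributes instead of -Properties *.
            $user = Get-Item -Path "AD:\$($_.DistinguishedName)" -Properties @($Map.Values)
            $row = [ordered]@{ Name = $user.Name }
            foreach ($column in $Map.Keys) {
                # An attribute with no value in AD comes back empty.
                $row[$column] = $user.($Map[$column])
            }
            [pscustomobject]$row
        }
}

function Get-PopulatedNonDefaultAttribute {
    # Hypothetical helper: every attribute that holds a value on one object,
    # minus the four defaults (the same idea as the filtered ADSI Edit view).
    param([Parameter(Mandatory)] [string] $Path)   # e.g. 'charlotte:\cn=ed wilson'
    $user = Get-Item -Path $Path -Properties *
    $user.PropertyNames |
        Where-Object { $_ -notin $DefaultProperties } |
        Sort-Object |
        ForEach-Object { [pscustomobject]@{ Attribute = $_; Value = $user.$_ } }
}

Import-Module ActiveDirectory
Get-OuUserReport -OuPath 'charlotte:\' | Format-Table -AutoSize
Get-PopulatedNonDefaultAttribute -Path 'charlotte:\cn=ed wilson'
```

Requesting a short, named attribute list keeps the query cheap and returns only the data the report needs; reserve `-Properties *` for inspecting a single object.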

DP, that is all there is to using the Active Directory module provider to find information about users. Active Directory Week will continue tomorrow when I will talk about modifying user attributes.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy 

Comments (11)

  1. Anonymous says:

    Very helpful article. Nice to know how to use the base PowerShell cmdlets out of the box. Especially when there is a freeze in deployments to our production boxes and cannot install the AD cmdlets!

  2. tonyr says:

    how about Get-ADUser –Filter ' name -like "*username*"'  -prop *

  3. Ed Wilson says:

    @Tonyr that will definitely work. Thanks for sharing.

  4. jkavanagh58 says:

    Very useful but get-aduser's Properties parameter would seem to work the same way

  5. Ed Wilson says:

    @Jkavanagh58 Of course it would work the same way — my point this week is to show how to use the ActiveDirectory provider (in fact if you have Get-ADUser cmdlet you automatically have this AD: drive). The cool thing about Windows PowerShell is that it lets you work the way that you want to do. So if you enjoy using the specialized cmdlets from the ActiveDirectory module that is fine. But my point this week is that you can also do much of the same thing by using the *item cmdlets and therefore you do not need to learn any new cmdlets if you do not want to do so. It is all about choices and you can therefore work the way it is most natural for you to do so.

  6. Ben says:

    Confusing article, you start off talking about Get-ADUser, then digress to Get-Item and Get-ItemProperty

  7. Big_John says:

    It's only confusing if you don't read the article properly

  8. B says:

    I was able to review the status of many users looking at the LastLogonTimestamp attribute, but I have found one user (who is an active user, and has been for many years) where there is no LastLogonTimestamp value for them. Any idea what might be causing that?

  9. Dan Potter says:

    *all : still displays default property set. No luck in finding all 300 some user attributes.
