Use PowerShell to Find Non-Default User Properties in AD

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and the Active Directory module provider to find non-default AD DS user properties.

Hey, Scripting Guy! Question Hey, Scripting Guy! I need to find information about users such as office location, and phone number that is not returned by the Active Directory module provider by default. How do I do this?

—DP

Hey, Scripting Guy! Answer Hello DP,

Microsoft Scripting Guy, Ed Wilson, is here. Today is what is officially called the calm after the storm. Massive thunderstorms ripped through Charlotte last night, knocking out power and phones. Hey, that is OK; but dude, I lost my Internet connection in the process. Major bummer. With battery backups, a generator, and what-not, I can handle bad weather—as long as it does not knock out my Internet connection. I do not have a backup ISP provider. Hey, where I live, I was lucky to get the one I have. Oh, well.

Guess what? I was just told that Windows PowerShell MVP and honorary Scripting Guy, Sean Kearney, will be presenting at Microsoft TechEd in New Orleans and in Madrid. Way to go Sean! By the way, there are two more days until the $300 discount expires.

Note   This is the third in a series of blog postings about using the Active Directory module provider. The first blog is an overview called Playing with the AD: Drive for Fun and Profit. The second blog is Find Active Directory User Information with the PowerShell Provider, in which I talk about how to use the Windows PowerShell provider to find user information in Active Directory.

Quick review

To create the Charlotte: PSDrive (points to the Charlotte organizational unit or OU), I ran the following commands. (Obviously, you need to change the commands to point to an OU and a domain that exist on your system.)

PS C:\> ipmo activedirectory

PS C:\> New-PSDrive -Name charlotte -PSProvider activedirectory -Root “AD:\ou=charlot

te,dc=iammred,dc=net”

 

Name           Used (GB)     Free (GB) Provider      Root

—-           ———     ——— ——–      —-

charlotte                              ActiveDire… //RootDSE/ou=charlotte,dc=ia…

 

PS C:\> sl charlotte:

PS charlotte:\>

Getting properties of the user

I might think that to easily see all of the information associated with the Ed Wilson user, I can pipe the output to the Format-List (fl is an alias) cmdlet as shown here.

PS charlotte:\> dir | ? name -match ‘ed wilson’ | fl *

The command and the output associated with the command are shown in the image that follows.

Image of command output

The problem with this approach is that only four properties of the user return. The four default properties are DistinguishedName, Name, ObjectClass, and ObjectGUID. However, a quick look in Active Directory Users and Computers reveals that there are many more attributes and values available. This is shown here.

Image of menu

What about Get-ADUser?

Due to performance reasons, the Get-ADUser cmdlet does not return all properties of a user object. It returns the following properties:

PS C:\> Get-ADUser ‘cn=ed wilson,ou=charlotte,dc=iammred,dc=net’ | select -expand propertynames

DistinguishedName

Enabled

GivenName

Name

ObjectClass

ObjectGUID

SamAccountName

SID

Surname

UserPrincipalName

Therefore, if I want to access additional attributes and their associated values, I need to specifically request the attributes I desire. Unfortunately, the attribute names bear little relationship to the names that appear in Active Directory Users and Computers. The best way to find the required attributes is to use ADSI Edit. In modern versions of ADSI Edit, there is a view that shows only attributes that contain values.
Consequently, it is fairly easy to match the actual name of the Active Directory attribute and the name that appears in Active Directory Users and Computers.

Note   In my Windows PowerShell 3.0 Step by Step book, I have a chapter that includes screenshots that map the Active Directory Users and Computers interface to the actual AD Attribute names.

The ADSI Edit property sheet for the Ed Wilson user object is shown here.

Image of menu

Use Get-ItemProperty to get other attributes

So what is the trick to obtaining additional attributes from the user object beyond the four default properties returned by Get-Item? One approach is to use the Get-ItemProperty cmdlet. This technique is shown here where I retrieve the city (lower case L) attribute for the user.

PS charlotte:\> Get-ItemProperty -Path ‘.\CN=ed wilson’ -Name l

l            : Charlotte

PSPath       : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/CN=ed

                wilson,ou=Charlotte,DC=Iammred,DC=net

PSParentPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/ou=Ch

               arlotte,DC=Iammred,DC=net

PSChildName  : CN=ed wilson

PSDrive      : charlotte

PSProvider   : Microsoft.ActiveDirectory.Management\ActiveDirectory

Use Get-Item to get other attributes

I do not have to use the Get-ItemProperty cmdlet to retrieve other attributes from a user object. I can use the Get-Item cmdlet and type in an array of attributes in the Properties parameter. This technique is shown here where I add in the city (l) and the phone number (telephoneNumber) to the command.

PS charlotte:\> get-item -Path “cn=ed wilson” -Properties l, telephonenumber

 

PSPath             : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE

                     /cn=ed wilson,ou=charlotte,dc=iammred,dc=net

PSParentPath       : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE

                     /ou=charlotte,dc=iammred,dc=net

PSChildName        : cn=ed wilson

PSDrive            : charlotte

PSProvider         : Microsoft.ActiveDirectory.Management\ActiveDirectory

PSIsContainer      : True

distinguishedName  : cn=ed wilson,ou=charlotte,dc=iammred,dc=net

l                  : Charlotte

name               : ed wilson

objectClass        : user

objectGUID         : bb10b5a2-58d7-4f8a-ab10-2ee84fc7cb58

telephoneNumber    : 555-555-1212

PropertyNames      : {distinguishedName, l, name, objectClass…}

AddedProperties    : {}

RemovedProperties  : {}

ModifiedProperties : {}

PropertyCount      : 7

Use Get-Item and retrieve all of the attributes

I can also use a wildcard character (*) to retrieve all of the attributes for my user object. The command is shown here.

PS charlotte:\> get-item -Path “cn=ed wilson” -Properties *

The command and its associated output are shown in the following image.

Image of command output

DP, that is all there is to using the Active Directory module provider to find information about users. Active Directory Week will continue tomorrow when I will talk about modifying user attributes.

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy