Gets one or more Active Directory users.
Example: Get all of the properties for a specified user
Get-ADUser -Identity ravindra.sharma -Properties *
The -Identity parameter accepts any of the following:
A distinguished name
A GUID (objectGUID)
A security identifier (objectSid)
A SAM account name (sAMAccountName)
Example: Get all user accounts count
(Get-ADUser -Filter *).Count
Example: Get a User by User Principal Name (UPN)
Get-ADUser -Filter 'UserPrincipalName -eq "ravindra.sharma@rs.local"'
Example: Get a filtered list of users
Get-ADUser -Filter 'Name -like "*ravindra*"'
$OUpath = "ou=People,dc=rs,dc=local"
Get-ADUser -Filter * -SearchBase $OUpath
Example: Get All Disabled Users
Get-ADUser -Filter {Enabled -eq $false} -Properties DisplayName, Enabled
Example: Get All Enabled Users
Get-ADUser -Filter {Enabled -eq $true} -Properties DisplayName, Enabled
Example: Find All Locked-Out Users
Search-ADAccount -LockedOut | Select-Object Name,SamAccountName,UserPrincipalName,Enabled,LastLogonDate | Format-Table -AutoSize
Example: Unlock a Locked-Out User
Unlock-ADAccount -Identity ravindra.sharma
Example: Find Users Whose Password Never Expires
Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true }
Example: Find Users with Expired Passwords
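# The computed expiry is 0x7FFFFFFFFFFFFFFF when the password never expires, so compare the raw file time before converting it.
Get-ADUser -Filter * -Properties "msDS-UserPasswordExpiryTimeComputed" | Where-Object { $_."msDS-UserPasswordExpiryTimeComputed" -lt (Get-Date).ToFileTime() } | Select-Object Name, @{Name="ExpiryDate";Expression={[datetime]::FromFileTime($_."msDS-UserPasswordExpiryTimeComputed")}}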
Example: Find Users Who Haven't Logged in for 30+ Days (inactive users)
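# LastLogonDate is derived from the replicated lastLogonTimestamp, which can lag by up to 14 days; accounts that have never logged on are also returned.
$ThirtyDaysAgo = (Get-Date).AddDays(-30)
Get-ADUser -Filter * -Properties LastLogonDate | Where-Object { $_.LastLogonDate -lt $ThirtyDaysAgo }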
Example: Find Users Whose Passwords Have Not Changed in the Last 90 Days
$NinetyDaysAgo = (Get-Date).AddDays(-90)
Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -lt $NinetyDaysAgo }
🔆🔆🔆🔆🔆
Security & Legacy AD User Queries
Example: Find Users with Passwords That Never Expire (Legacy Risk)
Why? Some legacy systems may have accounts with non-expiring passwords, which is a security risk.
Get-ADUser -Filter * -Properties PasswordNeverExpires | Where-Object { $_.PasswordNeverExpires -eq $true } | Select Name, SamAccountName, PasswordNeverExpires
Example: Find Users with Empty or NULL Passwords (Critical Risk)
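Why? Accounts without passwords are a major security vulnerability. A null PasswordLastSet means the password was never set or must be changed at next logon, so treat the results as candidates to review rather than confirmed blank passwords.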
Get-ADUser -Filter * -Properties PasswordLastSet | Where-Object { $_.PasswordLastSet -eq $null } | Select Name, SamAccountName
Example: Find Users with Weak Passwords (Reversible Encryption Enabled)
Why? Passwords stored using reversible encryption can be easily decrypted.
Get-ADUser -Filter * -Properties AllowReversiblePasswordEncryption | Where-Object { $_.AllowReversiblePasswordEncryption -eq $true } | Select Name, SamAccountName
Example: Find Disabled but Not Deleted Users (Legacy Accounts Risk)
Why? These accounts might still be used for lateral movement attacks.
Get-ADUser -Filter {Enabled -eq $false} -Properties LastLogonDate | Select Name, SamAccountName, LastLogonDate
Example: Find Users with Admin Privileges (Privilege Creep)
Why? Over-privileged users increase security risks.
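# MemberOf holds direct memberships only; users who reach Domain Admins through a nested group are not returned.
Get-ADUser -Filter * -Properties MemberOf | Where-Object { $_.MemberOf -match "CN=Domain Admins" } | Select Name, SamAccountName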
Example: Find Users with Delegation Enabled (Kerberos Delegation Risk)
Why? Users with delegation rights can impersonate others, which is a risk if misconfigured.
Get-ADUser -Filter * -Properties TrustedForDelegation | Where-Object { $_.TrustedForDelegation -eq $true } | Select Name, SamAccountName
Example: Find Users with SPN (Kerberoasting Risk)
Why? Service Principal Names (SPN) can be used in Kerberoasting attacks.
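# The AD filter syntax does not accept $null; -like "*" matches any account that has the attribute set.
Get-ADUser -Filter 'ServicePrincipalName -like "*"' -Properties ServicePrincipalName | Select Name, ServicePrincipalName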
Example: Find Users with SID History (SID Injection Risk)
Why? SID history can be exploited to escalate privileges.
Get-ADUser -Filter * -Properties SIDHistory | Where-Object { $_.SIDHistory -ne $null } | Select Name, SamAccountName, SIDHistory
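Each query in this section enumerates the whole directory on its own. The following is an added example, not part of the original page: it evaluates the same properties in a single pass and tags each account with the checks it trips. Get-UserRiskFlag, the flag names and the sample accounts are constructed for illustration; the property names are the ones used in the queries above.

```powershell
# Added example: Get-UserRiskFlag is a hypothetical helper, not an ActiveDirectory cmdlet.
function Get-UserRiskFlag {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $StaleDays = 30
    )
    begin { $cutoff = (Get-Date).AddDays(-$StaleDays) }
    process {
        $flags = @()
        if ($User.PasswordNeverExpires)              { $flags += 'PasswordNeverExpires' }
        if ($null -eq $User.PasswordLastSet)         { $flags += 'PasswordNeverSet' }
        if ($User.AllowReversiblePasswordEncryption) { $flags += 'ReversibleEncryption' }
        if ($User.TrustedForDelegation)              { $flags += 'TrustedForDelegation' }
        if ($User.ServicePrincipalName)              { $flags += 'HasSPN' }
        if ($User.SIDHistory)                        { $flags += 'SIDHistory' }
        # MemberOf lists direct memberships only; nested membership is not detected here.
        if ($User.MemberOf -match '^CN=Domain Admins,') { $flags += 'DomainAdmin' }
        # Disabled accounts are flagged as such; enabled ones are checked for staleness.
        if (-not $User.Enabled)                  { $flags += 'Disabled' }
        elseif ($User.LastLogonDate -lt $cutoff) { $flags += 'Stale' }
        if ($flags) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Flags          = $flags -join ', '
            }
        }
    }
}

# Constructed sample accounts (not real data) so the function runs without a domain.
$now = Get-Date
$sample = @(
    [pscustomobject]@{ SamAccountName = 'svc.sql'; Enabled = $true; PasswordNeverExpires = $true
        PasswordLastSet = $now.AddDays(-400); LastLogonDate = $now.AddDays(-1)
        ServicePrincipalName = @('MSSQLSvc/db01.rs.local:1433')
        MemberOf = @('CN=Domain Admins,CN=Users,DC=rs,DC=local') }
    [pscustomobject]@{ SamAccountName = 'old.temp'; Enabled = $false; PasswordLastSet = $null
        LastLogonDate = $null }
    [pscustomobject]@{ SamAccountName = 'j.doe'; Enabled = $true; PasswordNeverExpires = $false
        PasswordLastSet = $now.AddDays(-10); LastLogonDate = $now.AddDays(-2) }
)
$sample | Get-UserRiskFlag | Format-Table -AutoSize

# Live domain use (requires the ActiveDirectory module): one query instead of one per check.
# $props = 'PasswordNeverExpires','PasswordLastSet','AllowReversiblePasswordEncryption',
#          'TrustedForDelegation','ServicePrincipalName','SIDHistory','MemberOf','LastLogonDate'
# Get-ADUser -Filter * -Properties $props | Get-UserRiskFlag
```

Accounts that trip several flags at once, such as a service account with an SPN, a non-expiring password and Domain Admins membership, are the ones to review first.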
🔆🔆🔆🔆🔆