PowerShell

Reputation: 2061

Extract AD User information via ADSI

How can I get these properties for a user via ADSI LDAP? These are the properties from Get-ADUser; I need the equivalent for ADSI.

My objective is to query the entire domain for all users and get these attributes.

I tried with the Get-ADUser cmdlet and it timed out when querying for the users.

Get-ADUser -Filter * -Properties enabled,PasswordNeverExpires,passwordexpired,Name,SamAccountName,mail,passwordlastset -server sc |
   where {$_.Enabled -eq "True"} |
   where { $_.PasswordNeverExpires -eq $false } |
   where { $_.passwordexpired -eq $false } |
   Select Name,SamAccountName,mail,
          @{l='PasswordExpires';e={$_.passwordlastset+(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge}},
          @{l='DaystoExpire';e={(New-TimeSpan -Start (get-date) -end ($_.passwordlastset+(Get-ADDefaultDomainPasswordPolicy).MaxPasswordAge)).days}}

The above command works on a couple of users, but if I query a large set of users it gives "invalid enumeration context".

Upvotes: 2

Views: 26674

Answers (2)

Ansgar Wiechers

Reputation: 200273

The properties SamAccountName, Name, and Mail correspond to AD attributes of the same name. PasswordLastSet is derived from the attribute pwdLastSet. The other 3 properties (Enabled, PasswordNeverExpires, and PasswordExpired) are flags in the userAccountControl attribute.

Use an adsisearcher object with an LDAP query to search AD for user objects, then build custom objects with the desired properties:

# userAccountControl flag bits used below
$ACCOUNTDISABLE       = 0x000002
$DONT_EXPIRE_PASSWORD = 0x010000
$PASSWORD_EXPIRED     = 0x800000

# LDAP filter for user objects (objectCategory=person excludes computer accounts)
$searcher = [adsisearcher]"(&(objectClass=user)(objectCategory=person))"
$searcher.FindAll() | % {
  # bind to the object behind each search result to read its attributes
  $user = [adsi]$_.Properties.adspath[0]
  New-Object -Type PSCustomObject -Property @{
    SamAccountName       = $user.sAMAccountName[0]
    Name                 = $user.name[0]
    Mail                 = $user.mail[0]
    # pwdLastSet is a Windows file time (100-ns intervals since 1601-01-01)
    PasswordLastSet      = [DateTime]::FromFileTime($_.Properties.pwdlastset[0])
    Enabled              = -not [bool]($user.userAccountControl[0] -band
                           $ACCOUNTDISABLE)
    PasswordNeverExpires = [bool]($user.userAccountControl[0] -band
                           $DONT_EXPIRE_PASSWORD)
    PasswordExpired      = [bool]($user.userAccountControl[0] -band
                           $PASSWORD_EXPIRED)
  }
}

With that said, why do you want to go to all this trouble instead of simply using Get-ADUser to the same end?

Import-Module ActiveDirectory

$attributes = 'SamAccountName', 'Name', 'Mail', 'PasswordLastSet', 'Enabled',
              'PasswordNeverExpires', 'PasswordExpired'

Get-ADUser -Filter * -Properties $attributes | select $attributes

Upvotes: 10
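The answer above shows how to map the Get-ADUser properties onto raw attributes; what the question also needs is a query that survives a large domain and produces the PasswordExpires and DaystoExpire columns without the ActiveDirectory module. The following is an added example, not code from the answer or from Microsoft: it uses a paged DirectorySearcher (the PageSize setting makes the domain controller hand back results in pages, which is what lets an ADSI search cover the whole domain), pushes the "enabled" and "password never expires" tests into the LDAP filter with the bitwise-AND matching rule (OID 1.2.840.113556.1.4.803) instead of filtering in the pipeline, and reads the domain's maxPwdAge attribute as the ADSI equivalent of Get-ADDefaultDomainPasswordPolicy. It assumes a domain-joined host with read access to the default naming context, and that only the default domain policy applies; the variable and property names are mine.

```powershell
# Added example, not code from the answers above. Paged ADSI query that returns enabled
# users whose password can expire, with the expiry date derived from the domain's maxPwdAge.
# Assumes: domain-joined host, read access to the default naming context, and that only the
# default domain password policy applies (fine-grained password policies are not considered).

$ACCOUNTDISABLE       = 0x000002
$DONT_EXPIRE_PASSWORD = 0x010000
$BIT_AND_RULE         = '1.2.840.113556.1.4.803'   # LDAP_MATCHING_RULE_BIT_AND

# Locate the domain root via RootDSE so nothing is hard-coded.
$rootDse  = [adsi]'LDAP://RootDSE'
$domainDn = [string]$rootDse.defaultNamingContext[0]
$domainDe = [adsi]"LDAP://$domainDn"

# maxPwdAge is stored as a negative count of 100-nanosecond intervals;
# Int64.MinValue (or 0) means there is no domain-level expiry.
$rootSearcher = New-Object System.DirectoryServices.DirectorySearcher($domainDe, '(objectClass=*)')
$rootSearcher.SearchScope = 'Base'
[void]$rootSearcher.PropertiesToLoad.Add('maxPwdAge')
$maxPwdAgeRaw = [int64]$rootSearcher.FindOne().Properties['maxpwdage'][0]
$maxPwdAge = if ($maxPwdAgeRaw -eq [int64]::MinValue -or $maxPwdAgeRaw -eq 0) { $null }
             else { [TimeSpan]::FromTicks(-$maxPwdAgeRaw) }

# Exclude disabled and never-expiring accounts on the server with the bitwise-AND matching
# rule, rather than pulling every user and filtering in the pipeline.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(!(userAccountControl:${BIT_AND_RULE}:=${ACCOUNTDISABLE}))" +
          "(!(userAccountControl:${BIT_AND_RULE}:=${DONT_EXPIRE_PASSWORD})))"

$searcher = New-Object System.DirectoryServices.DirectorySearcher($domainDe, $filter)
$searcher.PageSize = 1000    # paged results; avoids the server's result-set limit on large domains
$searcher.PropertiesToLoad.AddRange([string[]]@('sAMAccountName', 'name', 'mail', 'pwdLastSet'))

$now = Get-Date
$report = foreach ($result in $searcher.FindAll()) {
    $p = $result.Properties
    $pwdLastSetRaw = if ($p.Contains('pwdlastset')) { [int64]$p['pwdlastset'][0] } else { 0 }
    # pwdLastSet = 0 means "must change password at next logon"; FromFileTime(0) would show 1601-01-01.
    $pwdLastSet = if ($pwdLastSetRaw -gt 0) { [DateTime]::FromFileTime($pwdLastSetRaw) } else { $null }
    $expires    = if ($pwdLastSet -and $maxPwdAge) { $pwdLastSet + $maxPwdAge } else { $null }

    [PSCustomObject]@{
        SamAccountName  = [string]$p['samaccountname'][0]
        Name            = [string]$p['name'][0]
        Mail            = if ($p.Contains('mail')) { [string]$p['mail'][0] } else { $null }
        PasswordLastSet = $pwdLastSet
        PasswordExpires = $expires
        # Expiry is judged against the clock rather than read from a flag bit.
        PasswordExpired = [bool]($expires -and $expires -lt $now)
        DaysToExpire    = if ($expires) { [int]($expires - $now).TotalDays } else { $null }
    }
}

$report | Where-Object { -not $_.PasswordExpired } |
    Sort-Object DaysToExpire | Format-Table -AutoSize
```

Two points worth knowing when reading the output: a null PasswordLastSet marks an account flagged "must change password at next logon", which deserves its own review rather than being dropped; and because the expiry is computed from the domain-wide maxPwdAge, users covered by a fine-grained password policy (a password settings object) will be reported against the wrong limit. If the domain is at a functional level that supports it, requesting the constructed attribute msDS-UserPasswordExpiryTimeComputed in PropertiesToLoad returns the per-user expiry as a file time and honours those policies.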

Vesper

Reputation: 18747

You can use Get-Item over the AD:\ PowerShell drive; this cmdlet accepts the -properties argument to retrieve the designated list of properties. Using an asterisk causes the cmdlet to retrieve all properties. An example:

get-aduser -filter "sAMAccountName -like '*'" | % { get-item "AD:\$($_.distinguishedName)" -properties enabled,PasswordNeverExpires,passwordexpired,Name,SamAccountName,mail,passwordlastset }

EDIT: For calculated properties, including "Enabled", "Password never expires" etc., Get-ADUser can also accept the -properties argument, so the code is just this:

get-aduser -filter "sAMAccountName -like '*'" -properties enabled,PasswordNeverExpires,passwordexpired,Name,SamAccountName,mail,passwordlastset

An asterisk also works fine.

Upvotes: 2
