Microsoft has put a lot of effort into providing developers with a powerful, easy-to-use scripting tool in PowerShell. PowerShell is not only used to manage Windows operating systems; Microsoft has also extended its capabilities to automate Azure tasks.
Before Microsoft introduced PowerShell, interacting with the Active Directory database meant using VBScript to fetch information about users, computers and other objects. Developers were not only forced to deal with the pain of writing multiple lines of code; they also had to make sure all of the related operating system components were working correctly so that the VBScript could run successfully.
PowerShell has reduced the overhead of scripting dramatically. When interacting with Active Directory you don’t need to write an excessive amount of code. Just using the Active Directory PowerShell cmdlets will provide the requested information. In this article we will provide a PowerShell script that you can use to prepare a report on Active Directory users.
PowerShell provides the Get-ADUser cmdlet, which can be used to fetch information about Active Directory users. The cmdlet exposes a number of different properties that you can request with the -Properties parameter to retrieve the information. For example, if you need to collect just the department and distinguished name of a user from Active Directory, running the following command will do the trick:
Get-ADUser -Identity JohnThomas -Properties Department, DistinguishedName
This command will return the department and distinguished name of user JohnThomas. In case you need to fetch the department and distinguished name information for all users or users located in a particular organizational unit, you could use this PowerShell command:
Get-ADUser -Filter * -Properties Department, DistinguishedName -SearchBase "OU=Users, DC=Server, DC=Com"
As you can see in the above command, we are using a wildcard filter, -Filter *, to find all the users located in the “OU=Users, DC=Server, DC=Com” organizational unit. If you need to export the output to a CSV file, you can add the Export-CSV PowerShell cmdlet as shown in the command below:
Get-ADUser -Filter * -Properties Department, DistinguishedName -SearchBase "OU=Users, DC=Server, DC=Com" | Export-CSV C:\Temp\UsersProp.CSV -NoTypeInformation
While the above PowerShell command retrieves information about all users in a specified organizational unit, you might want to just export users whose department is “Sales” or “Finance,” and then save this output to a CSV file. In cases like this where you need to specify a condition for the PowerShell command, the use of PowerShell scripting is preferred.
Let’s look at how you can get only the users whose department property is set to “Sales.” The PowerShell script below generates a CSV file in C:\Temp with the filename SalesUsers.CSV that holds the user name, department, and distinguished name of each matching user.
# Report file; Add-Content creates it if it does not exist
$UserReport = "C:\Temp\SalesUsers.CSV"
$STR = "User Name,Department,Distinguished Name"
Add-Content $UserReport $STR
# -Filter * returns every user under the search base; CN is not returned unless requested
$AllUsers = Get-ADUser -Filter * -Properties CN, Department, DistinguishedName -SearchBase "OU=Users, DC=Server, DC=Com"
ForEach ($ThisUser in $AllUsers)
{
    IF ($ThisUser.Department -eq "Sales")
    {
        # Quote each field: a distinguished name contains commas
        $STR = '"' + $ThisUser.CN + '","Sales","' + $ThisUser.DistinguishedName + '"'
        Add-Content $UserReport $STR
    }
}
Similarly, if you need to generate a report of all users in the Finance department, simply replacing “Sales” with “Finance” in the above script will do.
Let’s say you are in the process of standardizing your Active Directory user database and want to make sure all users in the organization have their Country code entered. What you can do is use the same script mentioned above and use the “Country” property of the user.
Below you’ll find a PowerShell script that checks whether the “Country” property of each user is blank. If it is blank, the user is included in the generated CSV file.
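# Report file; Add-Content creates it if it does not exist
$UserReport = "C:\Temp\NoCountryUsers.CSV"
$STR = "User Name,Department,Distinguished Name"
Add-Content $UserReport $STR
# -Filter * returns every user under the search base; CN is not returned unless requested
$AllUsers = Get-ADUser -Filter * -Properties CN, Country, Department, DistinguishedName -SearchBase "OU=Users, DC=Server, DC=Com"
ForEach ($ThisUser in $AllUsers)
{
    IF ($ThisUser.Country -eq $NULL)
    {
        # Quote each field: a distinguished name contains commas
        $STR = '"' + $ThisUser.CN + '","' + $ThisUser.Department + '","' + $ThisUser.DistinguishedName + '"'
        Add-Content $UserReport $STR
    }
}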
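The two reports above, reworked as an added example (not the author's script): Export-Csv does the quoting, so the commas inside a distinguished name stay in one column, empty and whitespace-only Country values count as blank, and values a spreadsheet would read as a formula are prefixed with an apostrophe. Protect-CsvField, New-UserReportRow and the sample users are hypothetical and constructed for illustration; the sample objects stand in for Get-ADUser output so the block runs without a domain.

```powershell
# Added example; the function names and sample data are hypothetical.

function Protect-CsvField {
    # Prefix values that a spreadsheet would evaluate as a formula (leading = + - @).
    param([string]$Value)
    if ($Value -match '^[=+\-@]') { "'" + $Value } else { $Value }
}

function New-UserReportRow {
    # Turns user objects into report rows; Export-Csv handles quoting afterwards.
    param([Parameter(ValueFromPipeline)]$User)
    process {
        [pscustomobject]@{
            'User Name'          = Protect-CsvField $User.Name
            'Department'         = Protect-CsvField $User.Department
            'Distinguished Name' = Protect-CsvField $User.DistinguishedName
        }
    }
}

# Constructed sample objects standing in for Get-ADUser output.
$SampleUsers = @(
    [pscustomobject]@{ Name = 'Thomas, John'; Department = 'Sales'; Country = 'US'
                       DistinguishedName = 'CN=Thomas\, John,OU=Users,DC=Server,DC=Com' }
    [pscustomobject]@{ Name = 'Priya Nair'; Department = '=1+1'; Country = ''
                       DistinguishedName = 'CN=Priya Nair,OU=Users,DC=Server,DC=Com' }
    [pscustomobject]@{ Name = 'Lee Wong'; Department = 'Finance'; Country = $null
                       DistinguishedName = 'CN=Lee Wong,OU=Users,DC=Server,DC=Com' }
)

# Blank means $null, empty, or whitespace-only; a bare -eq $null test matches only the first.
$NoCountry = $SampleUsers | Where-Object { [string]::IsNullOrWhiteSpace($_.Country) }

$Report = Join-Path ([IO.Path]::GetTempPath()) 'NoCountryUsers.CSV'
$NoCountry | New-UserReportRow | Export-Csv -Path $Report -NoTypeInformation -Encoding UTF8

# Reading the file back shows three columns per row and the neutralized '=1+1' value.
Import-Csv $Report | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module), filter on the server
# instead of pulling every user and testing Department locally:
# Get-ADUser -Filter "Department -eq 'Sales'" -Properties Department `
#     -SearchBase "OU=Users, DC=Server, DC=Com" |
#     New-UserReportRow | Export-Csv C:\Temp\SalesUsers.CSV -NoTypeInformation
```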
Conclusion
The Get-ADUser PowerShell cmdlet is a powerful cmdlet for quickly identifying users and their information in Active Directory. You can retrieve any user information using the Get-ADUser cmdlet.
In this tutorial, we provided some PowerShell commands using the Get-ADUser cmdlet and also provided PowerShell scripts that help collect user information based on various conditions and save this information to a CSV file for reporting purposes.
Nirmal Sharma is a MCSEx3, MCITP and Microsoft MVP in Directory Services. He specializes in directory services, Microsoft Azure, Failover clusters, Hyper-V, System Center and Exchange Servers, and has been involved with Microsoft technologies since 1994. In his spare time, he likes to help others and share some of his knowledge by writing tips and articles on various sites and contributing to Health Packs for ADHealthProf.ITDynamicPacks.Net solutions. Nirmal can be reached at nirmal_sharma@mvps.org.