Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell and the Active Directory module provider to find non-default AD DS user properties.
Hey, Scripting Guy! I need to find information about users such as office location, and phone number that is not returned by the Active Directory module provider by default. How do I do this?
—DP
Hello DP,
Microsoft Scripting Guy, Ed Wilson, is here. Today is what is officially called the calm after the storm. Massive thunderstorms ripped through Charlotte last night, knocking out power and phones. Hey, that is OK; but dude, I lost my Internet connection in the process. Major bummer. With battery backups, a generator, and what-not, I can handle bad weather—as long as it does not knock out my Internet connection. I do not have a backup ISP provider. Hey, where I live, I was lucky to get the one I have. Oh, well.
Guess what? I was just told that Windows PowerShell MVP and honorary Scripting Guy, Sean Kearney, will be presenting at Microsoft TechEd in New Orleans and in Madrid. Way to go Sean! By the way, there are two more days until the $300 discount expires.
Note: This is the third in a series of blog postings about using the Active Directory module provider. The first blog is an overview called Playing with the AD: Drive for Fun and Profit. The second blog is Find Active Directory User Information with the PowerShell Provider, in which I talk about how to use the Windows PowerShell provider to find user information in Active Directory.
Quick review
To create the Charlotte: PSDrive (points to the Charlotte organizational unit or OU), I ran the following commands. (Obviously, you need to change the commands to point to an OU and a domain that exist on your system.)
PS C:\> ipmo activedirectory
PS C:\> New-PSDrive -Name charlotte -PSProvider activedirectory -Root "AD:\ou=charlotte,dc=iammred,dc=net"
Name Used (GB) Free (GB) Provider Root
---- --------- --------- -------- ----
charlotte ActiveDire... //RootDSE/ou=charlotte,dc=ia...
PS C:\> sl charlotte:
PS charlotte:\>
Getting properties of the user
I might think that to easily see all of the information associated with the Ed Wilson user, I can pipe the output to the Format-List (fl is an alias) cmdlet as shown here.
PS charlotte:\> dir | ? name -match 'ed wilson' | fl *
The command and the output associated with the command are shown in the image that follows.
The problem with this approach is that only four properties of the user are returned. The four default properties are DistinguishedName, Name, ObjectClass, and ObjectGUID. However, a quick look in Active Directory Users and Computers reveals that there are many more attributes and values available. This is shown here.
What about Get-ADUser?
For performance reasons, the Get-ADUser cmdlet does not return all properties of a user object. By default, it returns the following properties:
PS C:\> Get-ADUser 'cn=ed wilson,ou=charlotte,dc=iammred,dc=net' | select -expand propertynames
DistinguishedName
Enabled
GivenName
Name
ObjectClass
ObjectGUID
SamAccountName
SID
Surname
UserPrincipalName
Therefore, if I want to access additional attributes and their associated values, I need to specifically request the attributes I desire. Unfortunately, the attribute names bear little relationship to the names that appear in Active Directory Users and Computers. The best way to find the required attributes is to use ADSI Edit. In modern versions of ADSI Edit, there is a view that shows only attributes that contain values.
Consequently, it is fairly easy to match the actual name of the Active Directory attribute and the name that appears in Active Directory Users and Computers.
Note In my Windows PowerShell 3.0 Step by Step book, I have a chapter that includes screenshots that map the Active Directory Users and Computers interface to the actual AD Attribute names.
The ADSI Edit property sheet for the Ed Wilson user object is shown here.
Use Get-ItemProperty to get other attributes
So what is the trick to obtaining additional attributes from the user object beyond the four default properties returned by Get-Item? One approach is to use the Get-ItemProperty cmdlet. This technique is shown here where I retrieve the city (lower case L) attribute for the user.
PS charlotte:\> Get-ItemProperty -Path '.\CN=ed wilson' -Name l
l : Charlotte
PSPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/CN=ed wilson,ou=Charlotte,DC=Iammred,DC=net
PSParentPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/ou=Charlotte,DC=Iammred,DC=net
PSChildName : CN=ed wilson
PSDrive : charlotte
PSProvider : Microsoft.ActiveDirectory.Management\ActiveDirectory
Use Get-Item to get other attributes
I do not have to use the Get-ItemProperty cmdlet to retrieve other attributes from a user object. I can use the Get-Item cmdlet and type in an array of attributes in the Properties parameter. This technique is shown here where I add in the city (l) and the phone number (telephoneNumber) to the command.
PS charlotte:\> get-item -Path "cn=ed wilson" -Properties l, telephonenumber
PSPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/cn=ed wilson,ou=charlotte,dc=iammred,dc=net
PSParentPath : Microsoft.ActiveDirectory.Management\ActiveDirectory:://RootDSE/ou=charlotte,dc=iammred,dc=net
PSChildName : cn=ed wilson
PSDrive : charlotte
PSProvider : Microsoft.ActiveDirectory.Management\ActiveDirectory
PSIsContainer : True
distinguishedName : cn=ed wilson,ou=charlotte,dc=iammred,dc=net
l : Charlotte
name : ed wilson
objectClass : user
objectGUID : bb10b5a2-58d7-4f8a-ab10-2ee84fc7cb58
telephoneNumber : 555-555-1212
PropertyNames : {distinguishedName, l, name, objectClass...}
AddedProperties : {}
RemovedProperties : {}
ModifiedProperties : {}
PropertyCount : 7
Use Get-Item and retrieve all of the attributes
I can also use a wildcard character (*) to retrieve all of the attributes for my user object. The command is shown here.
PS charlotte:\> get-item -Path "cn=ed wilson" -Properties *
The command and its associated output are shown in the following image.
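The following is an added example, not part of the original post: it requests only the named attributes (instead of the * wildcard) for every user in the OU and reports them under the labels that Active Directory Users and Computers shows. The OU path is the one used in this post; the label-to-attribute map and the '<not set>' marker are assumptions of the example, and physicalDeliveryOfficeName is the LDAP attribute behind the Office field.

```powershell
# Added example: report selected non-default attributes for every user in an OU.
# Requires the ActiveDirectory module; change $searchBase to an OU in your domain.
Import-Module ActiveDirectory

$searchBase = 'ou=charlotte,dc=iammred,dc=net'

# Friendly label (as seen in Active Directory Users and Computers)
# mapped to the LDAP attribute name (as seen in ADSI Edit).
$attributeMap = [ordered]@{
    City   = 'l'
    Office = 'physicalDeliveryOfficeName'
    Phone  = 'telephoneNumber'
}

# Ask the directory only for the attributes in the map, not for everything.
$ldapNames = @($attributeMap.Values)

$report = Get-ADUser -Filter * -SearchBase $searchBase -Properties $ldapNames |
    ForEach-Object {
        $user = $_

        # Start each row with two of the default properties.
        $row = [ordered]@{
            Name           = $user.Name
            SamAccountName = $user.SamAccountName
        }

        foreach ($label in $attributeMap.Keys) {
            # An attribute with no value in the directory comes back empty,
            # so mark it explicitly instead of leaving a blank column.
            $value = "$($user.($attributeMap[$label]))"
            $row[$label] = if ($value) { $value } else { '<not set>' }
        }

        [pscustomobject]$row
    }

# Show the result; pipe $report to Export-Csv to keep a copy.
$report | Sort-Object Name | Format-Table -AutoSize
```

To report other fields, add a label and its LDAP attribute name to $attributeMap; the query and the output columns follow the map.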
DP, that is all there is to using the Active Directory module provider to find information about users. Active Directory Week will continue tomorrow when I will talk about modifying user attributes.
I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.
Ed Wilson, Microsoft Scripting Guy