PowerShell offers several cmdlets you can use to perform almost all Active Directory operations that you usually perform using tools such as Active Directory Users and Computers and Active Directory Sites and Services. There are many Active Directory PowerShell cmdlets available that support predefined parameters you can utilize to query specific information in the Active Directory. For example, the Get-ADUser PowerShell cmdlet is designed specifically to retrieve user information from Active Directory and also supports predefined parameters such as “-AccountExpiring” parameter, which can be used to return accounts that are expiring in the Active Directory, and the “-AccountExpired” parameter, which can be used if you wish to retrieve accounts that have already expired in the AD domain. The Get-ADObject PowerShell is a powerful cmdlet you can use to search any object information in the Active Directory. Though it doesn’t provide any predefined parameterd, it provides a powerful way to explore information in the Active Directory. This article explains some of the useful examples of the Get-ADObject PowerShell cmdlet and how using Get-ADObject PowerShell cmdlet can help you reduce the time it takes to search for information in the Active Directory.
Get-ADObject: 3 common parameters
The three common parameters supported by Get-ADObject are “-Identity”, “-Filter” and “-LDAPFilter.” The “-Identity” parameter can be used to fetch information about a specific Active Directory object such as an Active Directory site. You need to specify the object distinguished name or GUID with “-Identity” parameter as shown in the command below:
Get-ADObject –Identity “CN=Server1” –Server “TechGenixDC1.TechGenix.com” | Export-CSV C:\Temp\ServerInfo.CSV -NoType
The above command list all the properties of object specified after the “-Identity” parameter. Since you have specified an object name, Get-ADObject knows that it needs to retrieve all properties for a specific object from the Active Directory database.
The “-Filter” parameter can be used to search for specific objects. The string that you use after the “-Filter” parameter must be a PowerShell expression. A PowerShell expression uses “-like”, “-eq”, “-not”, “-and,” and so on. For example, when searching only for deleted objects in the Active Directory using the “-Filter” parameter, you will execute this PowerShell command:
Get-ADObject –Filter IsDeleted –eq $True | Export-CSV C:\Temp\DeletedObjectsOnly.CSV –NoType
The above command retrieves all deleted objects in the Active Directory, including user and computer accounts, and saves the result in C:\Temp\DeletedObjectsOnly.CSV file. Let’s say you would like to fetch accounts that have been deleted but have not been recycled yet. You can use the command below with two PowerShell expressions so it helps you retrieve required information:
Get-ADObject –Filter IsDeleted –eq $True –and –not (IsRecycled –eq $True) | Export-CSV C:\Temp\DeletedObjectsAndNotRecycled.CSV –NoType
The “-LDAPFilter” parameter is quite similar to “-Filter” parameter except you will be required to use Active Directory schema attribute to fetch the required information. For example, when searching for all Active Directory sites in the Active Directory, you will need to use the “ObjectClass” schema attribute. The PowerShell command below lists all Active Directory objects for which ObjectClass is set to “Site.”
Get-ADObject –LDAPFilter “(ObjectClass=Site)” –SearchBase “CN=Configuration,DC=TechGenix,DC=Com” | Export-CSV C:\Temp\AllADSites.CSV –NoType
The above command retrieves all Active Directory sites with all properties associated with each Active Directory and saves the information in C:\Temp\AllADSites.CSV file. In case you would like to return the list of organizational units created in the Active Directory, you will need to specify the “ObjectCategory” as “OrganizationalUnit” as it is indicated in the PowerShell command below:
Get-ADObject –LDAPFilter “(ObjectCategory=OrganizationalUnit)” –SearchBase “DC=TechGenix,DC=Com” | Export-CSV C:\Temp\AllOUs.CSV –NoType
The “-LDAPFilter” can be quite complex and requires working knowledge with LDAP strings before someone can be proficient enough to retrieve the required information using Get-ADObject. For example, the PowerShell command below only lists the computer objects for which the Primary Group is “Domain Controllers” security group.
Get-ADObject –LDAPFilter “(&ObjectCategory=Computer)(PrimaryGroupID=515)” –SearchBase “DC=TechGenix,DC=Com” | Export-CSV C:\Temp\AllCompsWithPrimaryID515.CSV –NoType
Similarly, in case you need to retrieve only Global Groups from the Active Directory, you will use this command:
Get-ADObject –LDAPFilter “(GroupType:1.2.840.113522.214.171.1243:=2)” –SearchBase “DC=TechGenix,DC=Com” | Export-CSV C:\Temp\AllGlobalGroups.CSV –NoType
Each Active Directory object is associated with an ObjectClass and ObjectCategory. Once you know the ObjectClass or ObjectCategory for an object, it will be much easier to retrieve the required information using “-LDAPFilter” of Get-ADObject PowerShell cmdlet. Similarly, Active Directory maintains system attributes for each object that defines the state of an object. For example, a deleted object will always have “IsDeleted” property set to “$True”.
Take it out for a spin
While the Get-ADObject PowerShell cmdlet doesn’t provide any specific parameter to look for specific information, it does provide “-Filter” and “-LDAPFilter” parameters that are capable of fetching any information from the Active Directory. See if it works for you.
Photo credit: Shutterstock