Get-ADUser Filter OU – List Users from a Specific OU
Do you need a quick and efficient way to list all the users that belong to a specific Organizational Unit (OU) in Active Directory (AD)? Look no further than the Get-ADUser cmdlet.
This versatile PowerShell cmdlet has a Filter parameter that determines which users in an OU (or any other AD container) you want to return.
Moreover, you decide which properties of the users to show, and you can even customize the properties instead of using the default AD user properties.
This article covers the different ways to use Get-ADUser with its Filter parameter to list users from a specific OU or from multiple OUs.
However, you require an OU’s distinguishedName (DN) to run the Get-ADUser command. So, before I show you the wonders of the Get-ADUser, I discuss the steps to find an OU’s DN with Windows PowerShell.
How to Find the DN of an Organizational Unit
If you need to find the DN of all OUs in your Active Directory Forest, run the Get-ADOrganizationalUnit command. Here is a sample command for reference.
(Get-ADOrganizationalUnit -Filter *).DistinguishedName
When I ran the command in my test AD Forest, it returned the DN of three OUs, including the DN of the default “Domain Controllers” OU. But since the “Domain Controllers” OU does not contain users but Domain Controllers (in other words, computers), you wouldn’t search this OU for users.
(Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName
The last command excludes the Domain Controllers OU. In my AD Forest, it returned two OUs instead of three.
Before you move on from this section, there is one more scenario in which you may need to find an OU’s DN. Instead of returning ALL OUs in your forest, you may return a specific OU.
In the last command, I used the “notlike” operator. If I change the operator to “like,” I can specify the name of the OU whose DistinguishedName I want to return.
Find the modified command that returns the DN of “Writers” OU below.
(Get-ADOrganizationalUnit -Filter {name -like "writers"}).DistinguishedName
Use Get-ADUser to List Users in an OU
In the following subsections, I show you different ways to use the Get-ADUser command with its Filter parameter to list users from specific or multiple OUs.
Find All Users in a Specific OU with Get-ADUser
In this first example, I want to list all users in the “Writers” OU. The first step is to find the DN of the “Writers” OU.
I did this in the last section with the command below.
(Get-ADOrganizationalUnit -Filter {name -like "writers"}).DistinguishedName
However, to simplify the script, I save the command’s result in a variable I call $OU. The last command now looks like this…
$OU =(Get-ADOrganizationalUnit -Filter {name -like "writers"}).DistinguishedName
Finally, I list all users in the OU using the command below.
Get-ADUser -SearchBase $OU -Filter *
The command uses the SearchBase parameter of the Get-ADUser command to specify the DN of the OU, which I previously saved in the $OU variable. Combining the two commands creates a 2-line script shown below:
$OU =(Get-ADOrganizationalUnit -Filter {name -like "writers"}).DistinguishedName
Get-ADUser -SearchBase $OU -Filter *
My screenshot below shows the result of the script in my test AD Forest. The script returned the correct information. I have uploaded a screenshot of the users in the “Writers” OU in ADUC (Active Directory Users and Computers).
Find Specific Users in a Specific OU with Get-ADUser
The last example was about finding ALL the users in an OU. But, sometimes, you may receive a task to report on a user in a particular OU.
We would modify the Filter parameter in the Get-ADUser command from the last example to do that. For your reference, here is the final script from the previous example.
$OU =(Get-ADOrganizationalUnit -Filter {name -like "writers"}).DistinguishedName
Get-ADUser -SearchBase $OU -Filter *
To return a user whose name is “Anthony Raj,” I modify the second part of the script as shown below.
$OU =(Get-ADOrganizationalUnit -Filter {name -like "writers"}).DistinguishedName
Get-ADUser -SearchBase $OU -Filter {name -eq "Anthony Raj"}
The difference between the Get-ADUser command above and the previous one is that I included a filter condition instead of using the asterisk (*) wildcard in the Filter parameter.
Here is the filter condition…
{name -eq "Anthony Raj"}
Since “name” is one of the properties of Active Directory users, this filter condition tells Get-ADUser to return only a user whose name is “Anthony Raj.” When I execute the commands in my test AD Forest, it returns one user.
To run the entire script in one go, I copied it into PowerShell ISE instead of using the Windows PowerShell console. If you’ve not used it before, PowerShell ISE is the scripting environment for Windows PowerShell.
Here is the screenshot of the last script in my AD Forest. The upper part of ISE has the script I executed, while the lower part shows the script and the results.
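The lookup above as a reusable function, written here as an added example (not the article's own script). `Get-UserInOU` is a hypothetical helper name, and the code assumes the ActiveDirectory module is installed. It stops when the OU name matches no OU or several OUs, instead of handing an empty or ambiguous SearchBase to Get-ADUser.

```powershell
# Added example: assumes the ActiveDirectory module (RSAT) is available.
Import-Module ActiveDirectory

function Get-UserInOU {   # hypothetical helper name
    param(
        [Parameter(Mandatory)] [string] $OUName,     # e.g. 'Writers'
        [Parameter(Mandatory)] [string] $UserName    # e.g. 'Anthony Raj'
    )

    # The filter is single-quoted on purpose: the ActiveDirectory module expands
    # simple variables such as $OUName itself, so an apostrophe in the value
    # (O'Brien) cannot break the filter syntax.
    $ous = @(Get-ADOrganizationalUnit -Filter 'Name -eq $OUName')

    # OU names are only unique within their parent, so two OUs can share a name.
    # Refuse to guess which one was meant.
    if ($ous.Count -ne 1) {
        throw "Expected exactly one OU named '$OUName', found $($ous.Count)."
    }

    Get-ADUser -SearchBase $ous[0].DistinguishedName -Filter 'Name -eq $UserName'
}

# Same lookup as the article's two-line script.
Get-UserInOU -OUName 'Writers' -UserName 'Anthony Raj'
```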
List Users from Multiple OUs with Get-ADUser and its Filter Parameter
So far, we’ve been exploring the scenario where you need to find AD users from one OU. But what if you have to find users from more than one OU?
One option is to find each OU and run the Get-ADUser command with that OU as the reference. Doing this for 2, 3, or 4 OUs is manageable, but what if your AD environment has up to 30 or more Organizational Units?
The good news is that you can create a script that iterates through all the OUs, runs the Get-ADUser command on each of them, then lists the users in all the OUs.
The first step is to get a list of all the OUs in your AD Forest. As I mentioned in previous examples, for ease of scripting, it is better to save the result of the command in a variable – I call the variable $OUs.
$OUs = (Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName
Then, to list all users in all the OUs saved in my $OUs variable, I use the ForEach statement loop to iterate through the OUs, then run Get-ADUser with the Filter parameter set to the asterisk (*) wildcard.
ForEach ($OU in $OUs) {
Get-ADUser -SearchBase $OU -Filter *
}
The entire script is shown below. Line 1 is the command that saves the DN of all OUs in the $OUs variable.
Then, line 2 initiates the ForEach statement loop. In each loop, ForEach creates a new variable, $OU. You can use any name for this variable in your script as long as you use the same variable name in the Get-ADUser command in line 3.
Then, in line 3, the ForEach statement executes the Get-ADUser command using the $OU variable as the SearchBase parameter. Finally, since we’re returning all users in the OUs, our Filter parameter uses the asterisk wildcard – which instructs the Get-ADUser command to return all items.
$OUs = (Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName
ForEach ($OU in $OUs) {
Get-ADUser -SearchBase $OU -Filter *
}
Here is the result of this script in my AD Forest – I ran the script in PowerShell ISE. As you see, it returns multiple users.
Note that some of the results are not shown due to the limitation of the console area.
List Specific User Properties from OUs with Get-ADUser
We have returned the default properties from the Get-ADUser command in all the examples I have discussed in this article. However, the default properties do not necessarily meet real-life reporting needs.
Moreover, the default output contains some information that you may not need. So, how do you return only the properties of the AD user(s) you need?
By piping the Get-ADUser cmdlet to the Select-Object cmdlet. The Select-Object cmdlet is one of the most versatile cmdlets in PowerShell, as shown in the remaining part of this article.
Continuing from my last example, I modify my previous script to return the following properties of the AD user – GivenName, Surname, SamAccountName, and Enabled.
$OUs = (Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName
ForEach ($OU in $OUs) {
Get-ADUser -SearchBase $OU -Filter * | Select-Object GivenName, Surname, SamAccountName, Enabled
}
I have shown the screenshot of the result below. You would agree that this last script produces a more appealing result!
Firstly, it displays the result in a table instead of a list. Secondly, it shows only the properties that are relevant to me.
Modify the script to include any other property you wish to return. If you’re unsure what properties are available in a command, pipe the output of that command to the Get-Member cmdlet. In this instance, to see all properties (and Methods) available in the Get-ADUser command, I use the command below.
Get-ADUser -SearchBase $OU -Filter * | Get-Member
Return Custom User Properties for Users in OUs with Get-ADUser and Select-Object
We have made some progress using the Get-ADUser command to list AD users in OUs by considering different scenarios. In the last example, we made the report friendlier.
However, our report retained the default names of the user properties – GivenName, Surname, SamAccountName, and Enabled. If you send a report with these headers to someone in HR, SamAccountName may not sound like English to them!
So, how about we modify the report to use headers that anybody understands and relates to? The Select-Object cmdlet helps us achieve this.
I use Select-Object to create custom properties using the syntax below:
Select-Object @{Name='New Header';Expression={$_.defaultproperty}}
In the syntax above, ‘New Header’ is the friendly header I want to use in my report. Similarly, $_.defaultproperty is the default property returned by the Get-ADUser command.
With this in mind, I now modify my script from the last example as shown below.
$OUs = (Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName
$report = ForEach ($OU in $OUs) {
Get-ADUser -SearchBase $OU -Filter * | Select-Object `
@{Name='First Name';Expression={$_.GivenName}},
Surname,
@{Name='UserName?';Expression={$_.Enabled}}
}
$report | Format-Table
In the script, I saved the results generated by the ForEach statement in the $report variable. Then, in line 8, I piped the results into the Format-Table cmdlet to ensure that PowerShell displays the result in a table.
Looking closely at the script, you will note that I did not customize the Surname property – see line 5. This demonstrates that you can retain some properties and customize others as required.
If you run the last script, you should receive results with the following headers – “First Name”, “Surname”, and “UserName?” – see my result below.
Export AD Users in an OU to CSV
In this final example, I show you how to export the report generated by the Get-ADUser command and customized with Select-Object to a CSV file. To add this final task to the script, remove Format-Table and pipe the $report variable to Export-CSV.
In addition to adding the path to save the CSV file, I also included another parameter in the Export-CSV command – NoTypeInformation. This removes the Type information that PowerShell adds to the Export-CSV output by default.
$OUs = (Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName
$report = ForEach ($OU in $OUs) {
Get-ADUser -SearchBase $OU -Filter * | Select-Object `
@{Name='First Name';Expression={$_.GivenName}},
Surname,
@{Name='UserName?';Expression={$_.Enabled}}
}
$report | Export-Csv E:\ADReports\UsersAllOUs.CSV -NoTypeInformation
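An account-review version of the export, given as an added example rather than the article's own script. It extends the multi-OU loop in two ways: `-SearchScope OneLevel` keeps users of nested OUs from being listed once per ancestor OU, and `-Properties` requests attributes that Get-ADUser does not return by default. The 90-day threshold and the extra column names are assumptions.

```powershell
# Added example: needs the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

$staleAfterDays = 90                               # assumed review threshold
$outFile        = 'E:\ADReports\UsersAllOUs.CSV'   # path used in the article
$cutoff         = (Get-Date).AddDays(-$staleAfterDays)

# Extended attributes: only returned when requested with -Properties.
# LastLogonDate is replicated with a delay and can lag the real logon by about two weeks.
$extra = 'LastLogonDate', 'PasswordLastSet', 'PasswordNeverExpires'

$OUs = (Get-ADOrganizationalUnit -Filter {name -notlike "Domain Controllers"}).DistinguishedName

$report = ForEach ($OU in $OUs) {
    # OneLevel returns only users directly inside this OU. The default scope,
    # Subtree, also returns users of child OUs, so they would appear again
    # when the loop reaches the child OU itself.
    Get-ADUser -SearchBase $OU -SearchScope OneLevel -Filter * -Properties $extra |
        Select-Object @{Name='OU';                     Expression={$OU}},
                      @{Name='First Name';             Expression={$_.GivenName}},
                      Surname,
                      @{Name='UserName';               Expression={$_.SamAccountName}},
                      Enabled,
                      @{Name='Last Logon';             Expression={$_.LastLogonDate}},
                      @{Name='Password Last Set';      Expression={$_.PasswordLastSet}},
                      @{Name='Password Never Expires'; Expression={$_.PasswordNeverExpires}},
                      @{Name='Stale';                  Expression={
                          # Enabled, but never logged on or not since the cutoff.
                          $_.Enabled -and (-not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff)
                      }}
}

$report | Sort-Object OU, UserName | Export-Csv -Path $outFile -NoTypeInformation

# Summary for the reviewer: enabled accounts that look unused.
$stale = @($report | Where-Object Stale)
'{0} of {1} accounts are enabled but show no logon in {2} days' -f $stale.Count, @($report).Count, $staleAfterDays
```

Accounts that live in containers such as CN=Users are not in any OU, so this loop does not visit them; query those containers separately if the review must cover every account.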
Get-ADUser Filter OU – List Users from a Specific OU Conclusion
Any Windows SysAdmin that wants to stand out and indeed work more efficiently must know her way around PowerShell. With PowerShell, you can automate any Windows task, including Active Directory.
The Get-ADUser cmdlet is an “everyday use” cmdlet that belongs to the Active Directory PowerShell module. So, it is no surprise that Windows SysAdmins want to learn how to use it.
This is why this guide focussed on using the Get-ADUser with its Filter parameter to list users from an OU in Active Directory. I believe that I covered all possible scenarios for using this cmdlet to list users in Active Directory Organizational Units.