Querying AD Objects¶
Active Directory (AD) is a directory service designed to store information about users, computers, groups, organizational units, and many other identity‑related objects. PowerShell provides a dedicated module—installed through RSAT—that exposes a rich set of cmdlets for querying these objects in a structured, predictable way. Understanding how to retrieve and filter AD objects is essential for any administrator who wants to automate identity management or analyze directory data at scale.
This section explains how AD objects are structured, how PowerShell retrieves them, and how to construct clear, efficient queries that return exactly the information you need.
1. Understanding AD Objects and the Directory Structure¶
Active Directory organizes information into a hierarchical structure. At the highest level, the directory contains:
- Domains — administrative boundaries containing all objects
- Organizational Units (OUs) — containers used to group objects logically
- Objects — users, groups, computers, service accounts, and more
Each object has:
- A distinguished name (DN) that identifies its location in the directory
- A set of attributes, such as
sAMAccountName,mail,memberOf, orlastLogonDate - A schema class, such as
user,group, orcomputer
PowerShell interacts with these objects through cmdlets that map directly to AD classes.
2. The Active Directory PowerShell Module¶
Once RSAT is installed, the ActiveDirectory module becomes available. It provides cmdlets such as:
Get-ADUserGet-ADGroupGet-ADComputerGet-ADOrganizationalUnitGet-ADObject
Each cmdlet retrieves a specific type of object, and each supports filtering, property selection, and scoping.
Before querying AD, import the module:
Import-Module ActiveDirectory
If the module loads successfully, you can begin querying the directory.
3. Querying Users¶
Users are one of the most common AD objects to query. PowerShell provides a dedicated cmdlet for this purpose.
Retrieving a single user¶
Get-ADUser -Identity "enrico"
Here:
Identityaccepts a username, distinguished name, GUID, or SID.- The cmdlet returns a user object with a default set of properties.
Retrieving additional properties¶
By default, AD cmdlets return only a subset of attributes. To retrieve more:
Get-ADUser -Identity "enrico" -Properties mail, lastLogonDate
This returns the user object with the specified attributes included.
Filtering users¶
Get-ADUser -Filter "Enabled -eq 'True'"
The -Filter parameter uses a PowerShell‑like syntax interpreted by the AD provider.
This example retrieves all enabled user accounts.
Filtering by OU¶
Get-ADUser -Filter * -SearchBase "OU=Sales,DC=contoso,DC=com"
This restricts the search to a specific organizational unit.
4. Querying Groups¶
Groups are essential for managing permissions and access control.
Retrieving a group¶
Get-ADGroup -Identity "Domain Admins"
Retrieving group members¶
Get-ADGroupMember -Identity "Domain Admins"
This returns users, groups, and service accounts that belong to the group.
Filtering groups¶
Get-ADGroup -Filter "GroupCategory -eq 'Security'"
This retrieves all security groups in the domain.
5. Querying Computers¶
Computer objects represent domain‑joined machines.
Retrieving a computer¶
Get-ADComputer -Identity "PC-01"
Retrieving additional properties¶
Get-ADComputer -Identity "PC-01" -Properties OperatingSystem, LastLogonDate
This is useful for inventory and compliance tasks.
Filtering computers¶
Get-ADComputer -Filter "OperatingSystem -like '*Windows 11*'"
This retrieves all Windows 11 machines.
6. Querying Organizational Units (OUs)¶
OUs are containers used to organize objects and apply Group Policy.
Retrieving all OUs¶
Get-ADOrganizationalUnit -Filter *
Filtering OUs by name¶
Get-ADOrganizationalUnit -Filter "Name -like '*Servers*'"
This retrieves OUs whose names contain “Servers”.
7. Querying Generic AD Objects with Get-ADObject¶
Some objects do not fit neatly into the user/group/computer categories.
Get-ADObject provides a more general interface.
Example: retrieving all service connection points¶
Get-ADObject -Filter "ObjectClass -eq 'serviceConnectionPoint'"
Example: retrieving deleted objects (if the Recycle Bin is enabled)¶
Get-ADObject -Filter * -IncludeDeletedObjects
This is useful for recovery and auditing scenarios.
8. Working with Filters and Search Bases¶
Filtering is one of the most important aspects of querying AD.
Using Filter¶
The filter is evaluated by the domain controller, making it efficient.
Get-ADUser -Filter "Department -eq 'Finance'"
Using LDAPFilter¶
For complex queries, you can use LDAP syntax:
Get-ADUser -LDAPFilter "(mail=*@contoso.com)"
LDAP filters are powerful but require precise syntax.
Using SearchBase¶
This parameter restricts the search to a specific part of the directory tree:
Get-ADUser -Filter * -SearchBase "OU=IT,DC=contoso,DC=com"
This improves performance and ensures predictable results.
9. Practical Administrative Scenarios¶
Finding inactive user accounts¶
Get-ADUser -Filter * -Properties lastLogonDate |
Where-Object { $_.lastLogonDate -lt (Get-Date).AddDays(-90) }
Listing all domain controllers¶
Get-ADDomainController -Filter *
Retrieving all members of a nested group¶
Get-ADGroupMember -Identity "Helpdesk" -Recursive
Finding computers that have not logged in recently¶
Get-ADComputer -Filter * -Properties lastLogonDate |
Where-Object { $_.lastLogonDate -lt (Get-Date).AddDays(-60) }
10. Summary¶
Querying Active Directory objects is one of the most important skills for Windows administrators. PowerShell provides a dedicated module that allows you to:
- Retrieve users, groups, computers, OUs, and generic AD objects
- Filter results efficiently using server‑side queries
- Retrieve additional attributes beyond the defaults
- Scope searches to specific OUs or domains
- Build inventory, auditing, and compliance workflows
By mastering these techniques, you gain the ability to explore and analyze your directory environment with precision, enabling automation and insight at scale.