Each of the PowerShell Active Directory module cmdlets, like Get-ADUser and Get-ADComputer, displays a default set of properties for all objects retrieved. You can specify other properties with the -Properties parameter, but the default set will always be included. There is another set of extended properties that can be specified. In addition, any Active Directory attribute appropriate to the class of objects can be included by specifying the LDAPDisplayName of the attribute in the -Properties parameter.

Both the default and extended properties are really methods. They return values based on the actual Active Directory attributes of the objects, converted in many cases for display. This article defines the different types of properties and documents the default properties for many of the cmdlets that come with the Active Directory module in PowerShell Version 2.0. This article does not document the Active Directory attributes that apply to each class of object.

Properties Parameter

Most of the Get-AD* cmdlets support the -Properties parameter. If the -Properties parameter is not included, only the default properties are retrieved. With this parameter you can specify default properties, extended properties, or the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. Many, but not all, of these properties and attributes can also be assigned values using the corresponding Set-AD* cmdlet.

Default Properties

For convenience, the Active Directory Get-AD* cmdlets always return a default set of properties. In many cases these correspond to mandatory attributes so they will always have values. These property names do not always match the LDAPDisplayName of the corresponding Active Directory attribute. For example, the SID property is in the default set for Get-ADUser and Get-ADComputer, but there is no such attribute in Active Directory. The SID property will be the value of the objectSID attribute, which is a byte array, converted into the familiar string format.

Extended Properties

Many Active Directory Get-AD* cmdlets also support extended properties. These are only retrieved if they are specified in the -Properties parameter of the cmdlet. Many extended properties can also be assigned values using the corresponding Set-AD* cmdlet. Again, the names of these properties may or may not match the LDAPDisplayName of the corresponding Active Directory attribute.

Active Directory Attributes

In addition, you can use the -Properties parameter to specify the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. If the attribute value cannot be displayed, such as nTSecurityDescriptor, then the class definition is displayed. If you attempt to retrieve the tokenGroups attribute (a multi-valued operational attribute that is an array of group SID values) an error is raised. Also, if you request an Active Directory attribute, and the object retrieved has no value for that attribute, then the attribute will not be included in the results. This differs from the behavior when you request an extended property. In that case, if the object retrieved has no value assigned to the extended property, it will be shown with a blank (missing) value.

If you specify -Properties *, the Get-AD* cmdlets that support this parameter will retrieve all default and extended attributes, whether or not they have values, plus all Active Directory attributes that have values, plus the isDeleted attribute. However, if you specify the isDeleted attribute in the -Properties parameter, this attribute is not included in the results unless it has a value. For this reason (and because the initial letter in the name is displayed in lower case), the author considers isDeleted to not be an extended property.

When you specify -Properties * with any Get-AD* cmdlet, if the initial letter of any property name is upper case, it is either a default or extended property. If the initial letter is lower case, the property corresponds to an Active Directory attribute.

Base Properties

All of the Get-AD* and Search-AD* cmdlets also provide two base properties.

Property Syntax Description
propertyCount 32-bit integer The number of properties retrieved for the object
propertyNames collection The names of the properties retrieved for the object

These two base properties are themselves not included in the count or collection of names. Base properties are original properties of the .NET Framework object, as defined for the object class. These two properties are not included when you display the object, but you can always retrieve their values explicitly.

The values of these two properties do not need to be the same for all objects retrieved by the cmdlet. As noted above, Active Directory attributes are only retrieved if they have a value assigned to the object in AD. Default and any extended properties requested in the -Properties parameter are always included in the collection. Finally, note that the Get-Member cmdlet does not reveal base properties unless you use the -Force parameter.
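The behaviour described in the Active Directory Attributes section and the two base properties above can be observed together from one account. This is an added example and not part of the original article; it assumes the ActiveDirectory module is installed and uses the placeholder sAMAccountName jdoe.

```powershell
# Added example, not from the original article: use the PropertyNames and
# PropertyCount base properties to see which of the requested properties a
# Get-ADUser call actually returned. Assumes the ActiveDirectory module is
# installed and that 'jdoe' is a sAMAccountName in the domain (placeholder).
Import-Module ActiveDirectory

$identity = 'jdoe'   # placeholder account

# 1. No -Properties: only the default set comes back, so PropertyCount equals
#    the number of rows in the Get-ADUser table of this article.
$default = Get-ADUser -Identity $identity
"Default properties returned: {0}" -f $default.PropertyCount
$default.PropertyNames

# 2. Request one extended property (Description, upper-case initial) and one raw
#    attribute (extensionAttribute1, lower-case initial).
$detailed = Get-ADUser -Identity $identity -Properties Description, extensionAttribute1

# An extended property is always in the collection, even when the object has no
# value for it ...
$detailed.PropertyNames -contains 'Description'          # always True
# ... whereas a raw attribute is present only when the object has a value.
$detailed.PropertyNames -contains 'extensionAttribute1'  # True only if the attribute is set

# 3. With -Properties * the returned names can be split by the case rule the
#    article gives: an upper-case initial marks a default or extended property,
#    a lower-case initial marks a raw Active Directory attribute.
$all = Get-ADUser -Identity $identity -Properties *
$all.PropertyNames |
    Group-Object -Property { if ($_ -cmatch '^[A-Z]') { 'Property' } else { 'Attribute' } } |
    Select-Object Name, Count
```

Because raw attributes without a value are omitted, PropertyCount for the same -Properties list can differ from one user to the next; compare PropertyNames rather than the count when checking what came back.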

Get-ADUser

The default properties retrieved by the Get-ADUser cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
Enabled Boolean RW userAccountControl (bit mask Not 2)
GivenName String RW givenName
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
SamAccountName String RW sAMAccountName
SID Sid R objectSID converted to string
Surname String RW sn
UserPrincipalName String RW userPrincipalName

The default and extended properties retrieved by the Get-ADUser cmdlet are documented in the following Wiki article:
Active Directory: Get-ADUser Default and Extended Properties

Get-ADComputer

The default properties retrieved by the Get-ADComputer cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
DNSHostName String RW dNSHostName
Enabled Boolean RW userAccountControl (bit mask Not 2)
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
SamAccountName String RW sAMAccountName
SID Sid R objectSID converted to string
UserPrincipalName String RW userPrincipalName

The default and extended properties retrieved by the Get-ADComputer cmdlet are documented in the following Wiki article:
Active Directory: Get-ADComputer Default and Extended Properties

Get-ADGroup

The default properties retrieved by the Get-ADGroup cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
GroupCategory String RW groupType (bit mask 2147483648)
GroupScope String RW groupType (bit mask 1, 2, 4, or 8)
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
SamAccountName String RW sAMAccountName
SID Sid R objectSID converted to string

The default and extended properties retrieved by the Get-ADGroup cmdlet are documented in the following Wiki article:
Active Directory: Get-ADGroup Default and Extended Properties

Get-ADObject

The default properties retrieved by the Get-ADObject cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
Name String R Name (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string

The default and extended properties retrieved by the Get-ADObject cmdlet are documented in the following Wiki article:
Active Directory: Get-ADObject Default and Extended Properties

Get-ADOrganizationalUnit

The default properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
City String RW l
Country String RW c (2 character abbreviation)
DistinguishedName String (DN) R distinguishedName
LinkedGroupPolicyObjects ADCollection R gPLink
ManagedBy String (DN) RW managedBy
Name String R ou (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
PostalCode String RW postalCode
State String RW st
StreetAddress String RW streetAddress

The default and extended properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented in the following Wiki article:
Active Directory: Get-ADOrganizationalUnit Default and Extended Properties

Get-ADGroupMember

The default properties retrieved by the Get-ADGroupMember cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
SamAccountName String RW sAMAccountName
SID Sid R objectSID converted to string

The Get-ADGroupMember cmdlet does not expose any extended properties, and does not support the -Properties parameter.

Get-ADForest

The default properties retrieved by the Get-ADForest cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.

Property Syntax R/RW lDAPDisplayName
ApplicationPartitions ADCollection R DN's of Application NC's
CrossForestReferences ADCollection R DN's of crossRef objects
DomainNamingMaster String R fSMORoleOwner of crossRefContainer object
Domains ADCollection R DNS names of domains
ForestMode String RW msDS-Behavior-Version of crossRefContainer object
GlobalCatalogs ADCollection R DNS names of GC's
Name String R DNS name of forest
PartitionsContainer String (DN) R DN of crossRefContainer object
RootDomain String R DNS name of root domain
SchemaMaster String R fSMORoleOwner of Schema Container
Sites ADCollection R Names of sites in cn=Sites container
SPNSuffixes ADCollection RW msDS-SPNSuffixes
UPNSuffixes ADCollection RW msDS-UPNSuffixes

The Get-ADForest cmdlet does not expose any extended properties, and does not support the -Properties parameter.

Get-ADDomain

The default properties retrieved by the Get-ADDomain cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.

Property Syntax R/RW lDAPDisplayName
AllowedDNSSuffixes ADCollection RW msDS-AllowedDNSSuffixes
ChildDomains ADCollection R dnsRoot of crossRef objects where trustParent is DN of domain
ComputersContainer String (DN) R DN of Computers container
DeletedObjectsContainer String (DN) R DN of Deleted Objects container
DistinguishedName String (DN) R distinguishedName
DNSRoot String R dnsRoot
DomainControllersContainer String (DN) R DN of Domain Controllers OU
DomainMode String RW msDS-Behavior-Version of domain NC root object
DomainSID Sid R objectSID converted to string
ForeignSecurityPrincipalsContainer String (DN) R DN of ForeignSecurityPrincipals container
Forest String R DNS name of forest
InfrastructureMaster String R fSMORoleOwner of Infrastructure container
LastLogonReplicationInterval Int64 RW msDS-LogonTimeSyncInterval
LinkedGroupPolicyObjects ADCollection R gPLink
LostAndFoundContainer String (DN) R DN of LostAndFound container
ManagedBy String (DN) RW managedBy
Name String R dc (Relative Distinguished Name)
NetBIOSName String R nETBIOSName of crossRef object
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
ParentDomain String R dnsRoot of crossRef object where nCName is trustParent of domain crossRef
PDCEmulator String R fSMORoleOwner of Domain object
QuotasContainer String (DN) R DN of NTDS Quotas container
ReadOnlyReplicaDirectoryServers ADCollection R
ReplicaDirectoryServers ADCollection R
RIDMaster String R fSMORoleOwner of rIDManager class object
SubordinateReferences ADCollection R subRefs
SystemsContainer String (DN) R DN of Systems container
UsersContainer String (DN) R DN of Users container

The Get-ADDomain cmdlet does not expose any extended properties, and does not support the -Properties parameter.

Get-ADDomainController

The default properties retrieved by the Get-ADDomainController cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.

Property Syntax R/RW lDAPDisplayName
ComputerObjectDN String (DN) R distinguishedName
DefaultPartition String (DN) R DN of default partition
Domain String R DNS name of domain
Enabled Boolean R userAccountControl (bit mask Not 2)
Forest String R DNS name of forest
HostName String R dNSHostName
InvocationId Guid R invocationID of cn=NTDS Settings object
IPv4Address Ip R/RW
IPv6Address Ip R/RW
IsGlobalCatalog Boolean R options (bit mask 1) of nTDSDSA object
IsReadOnly Boolean R objectCategory of nTDSDSA object
LdapPort Int32 R
Name String R cn (Relative Distinguished Name)
NTDSSettingsObjectDN String (DN) R DN of NTDS Settings container
OperatingSystem String R operatingSystem
OperatingSystemHotfix String R operatingSystemHotFix
OperatingSystemServicePack String R operatingSystemServicePack
OperatingSystemVersion String R operatingSystemVersion
OperationMasterRoles ADCollection R FSMO roles
Partitions ADCollection R DN's of partitions in Partitions container
ServerObjectDN String (DN) R DN of object in Servers container
ServerObjectGuid Guid R objectGUID of object in Servers container
Site String R/RW Site container where server object resides
SslPort Int32 R

The Get-ADDomainController cmdlet does not expose any extended properties, and does not support the -Properties parameter. Also, there is no Set-ADDomainController cmdlet.

Get-ADRootDSE

The default properties retrieved by the Get-ADRootDSE cmdlet are documented below. They are all attributes of the RootDSE object (or Root Directory Service Entry). The RootDSE object is required of all LDAP-compliant directories and exposes properties characteristic of the directory. The column labeled "R/RW" documents whether the attribute is Read-Only (R) or Read-Write (RW). Two attributes are RW, but there is no Set-ADRootDSE cmdlet. The last column describes the attribute of the RootDSE object.

Attribute Syntax R/RW Description
configurationNamingContext String (DN) R DN of Configuration Container
currentTime DateTime R Current Time on DC in UTC
defaultNamingContext String (DN) R DN of Domain of DC
dnsHostName String R DNS Address of DC
domainControllerFunctionality Integer R DC Functional Level
domainFunctionality Integer R Domain Functional Level
dsServiceName String (DN) R DN of NTDS Settings Object of DC
forestFunctionality Integer R Forest Functional Level
highestCommittedUSN Int64 R Highest USN on DC
isGlobalCatalogReady Boolean RW If GC Fully Operational
isSynchronized Boolean RW If DC Fully Synchronized
ldapServiceName String R SPN for LDAP Server
namingContexts ADCollection R DN's of all Naming Contexts
rootDomainNamingContext String (DN) R DN of Root Domain in Forest
schemaNamingContext String (DN) R DN of Schema Container
serverName String (DN) R DN of DC
subschemaSubentry String (DN) R DN of subSchema Object
supportedCapabilities ADCollection R Capabilities Supported by DC
supportedControl ADCollection R OID's for Extension Controls
supportedLDAPPolicies ADCollection R Names of Supported Policies
supportedLDAPVersion Int32 R LDAP Versions Supported by DC
supportedSASLMechanisms ADCollection R Mechanisms Supported for SASL

The Get-ADRootDSE cmdlet supports the -Properties parameter, but there is only one extended property. This is the supportedExtension attribute, a multi-valued (ADCollection) read-only attribute. The values are OID's for supported extensions.

Search-ADAccount

The default properties retrieved by the Search-ADAccount cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property Syntax R/RW lDAPDisplayName
AccountExpirationDate DateTime RW accountExpires, converted to local time
DistinguishedName String (DN) R distinguishedName
Enabled Boolean RW userAccountControl (bit mask Not 2)
LastLogonDate DateTime R lastLogonTimeStamp, converted to local time
LockedOut Boolean RW msDS-User-Account-Control-Computed (bit mask 16)
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID converted to string
PasswordExpired Boolean RW msDS-User-Account-Control-Computed (bit mask 8388608)
PasswordNeverExpires Boolean RW userAccountControl (bit mask 65536)
SamAccountName String RW sAMAccountName
SID Sid R objectSID converted to string
UserPrincipalName String RW userPrincipalName

The Search-ADAccount cmdlet does not expose any extended properties, and does not support the -Properties parameter.

Get-ADOptionalFeature

The default properties retrieved by the Get-ADOptionalFeature cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on. The attributes are those of the Optional Feature objects, for example "cn=Recycle Bin Feature". These are objects of class msDS-OptionalFeature located in the container "cn=Optional Features,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=mydomain,dc=com", where the domain is mydomain.com.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
EnabledScopes ADCollection R DN's of Partitions
FeatureGUID GUID R msDS-OptionalFeatureGUID
FeatureScope ADCollection R msDS-OptionalFeatureFlags (bit masks 1, 2, and 8)
IsDisableable Boolean R msDS-OptionalFeatureFlags (bit mask 4)
Name String R name
ObjectClass String R objectClass, most specific value
ObjectGUID GUID R objectGUID converted to string
RequiredDomainMode Integer R msDS-RequiredDomainBehaviorVersion
RequiredForestMode Integer R msDS-RequiredForestBehaviorVersion

The default and extended properties retrieved by the Get-ADOptionalFeature cmdlet are documented in the following Wiki article:
Active Directory: Get-ADOptionalFeature Default and Extended Properties

Get-ADFineGrainedPasswordPolicy

The default properties retrieved by the Get-ADFineGrainedPasswordPolicy cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute of the Fine-Grained Password Policy object that the property is based on. These are objects of class msDS-PasswordSettings located in the container "cn=Password Settings Container,cn=System,dc=mydomain,dc=com", where the domain is mydomain.com.

Property Syntax R/RW lDAPDisplayName
AppliesTo ADCollection RW msDS-PSOAppliesTo
ComplexityEnabled Boolean RW msDS-PasswordComplexityEnabled
DistinguishedName String (DN) R distinguishedName
LockoutDuration TimeSpan RW msDS-LockoutDuration
LockoutObservationWindow TimeSpan RW msDS-LockoutObservationWindow
LockoutThreshold Integer RW msDS-LockoutThreshold
MaxPasswordAge TimeSpan RW msDS-MaximumPasswordAge
MinPasswordAge TimeSpan RW msDS-MinimumPasswordAge
MinPasswordLength Integer RW msDS-MinimumPasswordLength
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID, converted to string
PasswordHistoryCount Integer RW msDS-PasswordHistoryLength
Precedence Integer RW msDS-PasswordSettingsPrecedence
ReversibleEncryptionEnabled Boolean RW msDS-PasswordReversibleEncryptionEnabled

The default and extended properties retrieved by the Get-ADFineGrainedPasswordPolicy cmdlet are documented in the following Wiki article:
Active Directory: Get-ADFineGrainedPasswordPolicy Default and Extended Properties

Get-ADServiceAccount

The default properties retrieved by the Get-ADServiceAccount cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute of the Service Account object that the property is based on. These are objects of class msDS-ManagedServiceAccount located in the container "cn=Managed Service Accounts,dc=mydomain,dc=com", where the domain is mydomain.com.

Property Syntax R/RW lDAPDisplayName
DistinguishedName String (DN) R distinguishedName
Enabled Boolean RW userAccountControl (bit mask not 2)
HostComputers ADCollection RW msDS-HostServiceAccountBL
Name String R cn (Relative Distinguished Name)
ObjectClass String R objectClass, most specific value
ObjectGUID Guid R objectGUID, converted to string
SamAccountName String RW sAMAccountName
SID String R objectSID converted to string
UserPrincipalName String RW userPrincipalName

The default and extended properties retrieved by the Get-ADServiceAccount cmdlet are documented in the following Wiki article:
Active Directory: Get-ADServiceAccount Default and Extended Properties

NOTES

  1. The Get-Help cmdlet seems to indicate that the default properties distinguishedName, ObjectCategory, ObjectClass, and SID are read-write. However, the corresponding Active Directory attributes can only be modified by the system, so they are shown as Read-Only in the above tables. The same has been done for the DomainSID property of Get-ADDomain and the Domain and Forest properties of Get-ADDomainController.
  2. The Name property is revealed by the Get-Help cmdlet as Read-Only. This property cannot be modified directly. However, you can rename the object, which will modify the Name property. You can use the Rename-ADObject cmdlet to rename Active Directory objects.
  3. All properties based on the userAccountControl attribute in the tables above refer to a bit mask. The userAccountControl attribute is a 32-bit integer where each bit corresponds to a different setting. To check if a specific bit is set, you "AND" the userAccountControl value with the bit mask (the -band operator in PowerShell). A non-zero result means the bit is set.
  4. The Syntax "ADCollection" in the above tables means the corresponding Active Directory attribute is multi-valued. The Get-AD* cmdlets retrieve these properties as arrays.
  5. Some Active Directory attributes are not replicated to all Domain Controllers. A different value is saved on every Domain Controller. The AD Modules only retrieve these attributes from one Domain Controller. Use the -Server parameter to specify which Domain Controller.
  6. Some Active Directory attributes are operational (also called constructed). That means that the value is not actually saved in Active Directory, but is calculated on request based on other attributes. Most of these attributes, such as canonicalName and primaryGroupToken, can be retrieved by the AD modules. However, an error is raised if you attempt to retrieve the tokenGroups attribute.
  7. If you request the objectSID attribute, which is a byte array in Active Directory, the value is displayed in the familiar friendly format, beginning with the string "S-1-5-21". This is the only known case where the PowerShell AD cmdlets convert the value of an AD attribute (not a default or extended property) for display (implying that code is invoked).
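The bit-mask rule in Note 3 applied to the masks listed in the tables above, as an added example that is not part of the original article. The function names are my own; the sample values at the end are constructed, so the block runs without domain access.

```powershell
# Added example, not from the original article: decode the bit-mask based
# properties in the tables above from the raw attribute values with a bitwise
# AND (-band). The helper names are my own; the masks are the documented ones,
# and the sample values at the end are constructed, so no domain access is needed.

function Test-Bit {
    param([int64]$Value, [int64]$Mask)
    # A bit is set when the bitwise AND of the value and the mask is non-zero.
    return (($Value -band $Mask) -ne 0)
}

function ConvertFrom-UserAccountControl {
    # Enabled (mask 2, inverted) and PasswordNeverExpires (DONT_EXPIRE_PASSWD,
    # 0x10000 = 65536) come from userAccountControl; LockedOut (mask 16) and
    # PasswordExpired (mask 8388608) come from the constructed attribute
    # msDS-User-Account-Control-Computed, so both raw values are accepted.
    param(
        [Parameter(Mandatory=$true)][int64]$UserAccountControl,
        [int64]$UserAccountControlComputed = 0
    )
    New-Object PSObject -Property @{
        Enabled              = -not (Test-Bit $UserAccountControl 2)
        PasswordNeverExpires = Test-Bit $UserAccountControl 65536
        LockedOut            = Test-Bit $UserAccountControlComputed 16
        PasswordExpired      = Test-Bit $UserAccountControlComputed 8388608
    }
}

function ConvertFrom-GroupType {
    # groupType is stored as a signed 32-bit integer, so a security group has a
    # negative value: its category bit is 2147483648 (0x80000000). Widening to
    # int64 keeps that bit in place for the -band test; the scope bits are 1, 2,
    # 4 and 8 exactly as the Get-ADGroup table lists them.
    param([Parameter(Mandatory=$true)][int64]$GroupType)
    $scope = 'Unknown'
    if     (Test-Bit $GroupType 2) { $scope = 'Global' }
    elseif (Test-Bit $GroupType 4) { $scope = 'DomainLocal' }
    elseif (Test-Bit $GroupType 8) { $scope = 'Universal' }
    elseif (Test-Bit $GroupType 1) { $scope = 'BuiltinLocal' }   # system-created builtin groups
    $category = 'Distribution'
    if (Test-Bit $GroupType 2147483648) { $category = 'Security' }
    New-Object PSObject -Property @{
        GroupCategory = $category
        GroupScope    = $scope
    }
}

# Constructed sample values:
#   66050 = NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWD (65536) + ACCOUNTDISABLE (2)
#   with a computed value of 16 (UF_LOCKOUT)
#   -> Enabled False, PasswordNeverExpires True, LockedOut True, PasswordExpired False
ConvertFrom-UserAccountControl -UserAccountControl 66050 -UserAccountControlComputed 16
#   -2147483646 = security group (0x80000000) + global scope (2) -> Security, Global
ConvertFrom-GroupType -GroupType -2147483646
#   8 = distribution group, universal scope -> Distribution, Universal
ConvertFrom-GroupType -GroupType 8
```

Feeding the raw userAccountControl, msDS-User-Account-Control-Computed and groupType values retrieved with -Properties into these functions reproduces the Enabled, LockedOut, PasswordExpired, PasswordNeverExpires, GroupCategory and GroupScope properties, which is a useful cross-check when auditing accounts exported from a domain controller other than the one the cmdlet queried (see Note 5).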
