All of the Get-AD* cmdlets support the -Properties parameter. If the -Properties parameter is not included, only the default properties are retrieved. You can specify default properties, extended properties, or the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. Many, but not all, of these properties and attributes can also be assigned values using the corresponding Set-AD* cmdlet.
For convenience, the Active Directory Get-AD* cmdlets always return a default set of properties. In many cases these correspond to mandatory attributes so they will always have values. These property names do not always match the LDAPDisplayName of the corresponding Active Directory attribute. For example, the SID property is in the default set for Get-ADUser and Get-ADComputer, but there is no such attribute in Active Directory. The SID property will be the objectSID attribute, which is a byte array, converted into a string.
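The byte-array-to-string conversion behind the SID property can be reproduced offline. The following is an added example, not code from the original page: the function name `ConvertTo-SidString` and the sample SID are constructed for illustration, and the result is checked against .NET's `SecurityIdentifier` class.

```powershell
# Added example: decode a raw objectSID byte array into its S-1-... string form.
function ConvertTo-SidString {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)]
        [byte[]]$Bytes
    )

    # Binary layout: revision (1 byte), sub-authority count (1 byte),
    # identifier authority (6 bytes, big-endian), then one 4-byte
    # little-endian value per sub-authority.
    if ($Bytes.Length -lt 8) {
        throw "SID too short: $($Bytes.Length) bytes"
    }
    $revision = $Bytes[0]
    $count    = $Bytes[1]
    if ($count -gt 15) {
        throw "Sub-authority count $count exceeds the maximum of 15"
    }
    if ($Bytes.Length -ne 8 + 4 * $count) {
        throw "Length $($Bytes.Length) does not match sub-authority count $count"
    }

    # Fold the six authority bytes into one number, most significant byte first.
    [uint64]$authority = 0
    foreach ($b in $Bytes[2..7]) { $authority = $authority * 256 + $b }

    $parts = @('S', $revision, $authority)
    for ($i = 0; $i -lt $count; $i++) {
        # BitConverter follows host byte order; assumes a little-endian host.
        $parts += [System.BitConverter]::ToUInt32($Bytes, 8 + 4 * $i)
    }
    $parts -join '-'
}

# Constructed sample: a domain-style SID with made-up sub-authority values.
$subAuthorities = [uint32[]](21, 1111111111, 2222222222, 3333333333, 1104)
[byte[]]$raw = 1, $subAuthorities.Count, 0, 0, 0, 0, 0, 5
foreach ($s in $subAuthorities) { $raw += [System.BitConverter]::GetBytes($s) }

$manual = ConvertTo-SidString -Bytes $raw
$dotNet = (New-Object System.Security.Principal.SecurityIdentifier($raw, 0)).Value

# Both decoders should agree on the string form.
[pscustomobject]@{ Manual = $manual; DotNet = $dotNet; Match = ($manual -eq $dotNet) }
```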
Each Active Directory Get-AD* cmdlet also supports extended properties. These are only retrieved if they are specified in the -Properties parameter of the cmdlet. Many can also be assigned values using the corresponding Set-AD* cmdlet. Again, the names of these properties may or may not match the LDAPDisplayName of the corresponding Active Directory attribute.
In addition, you can specify the LDAPDisplayName of any Active Directory attribute appropriate for the class of object with the -Properties parameter. If the attribute value cannot be displayed, such as nTSecurityDescriptor, then the class definition is displayed.
The default properties retrieved by the Get-ADUser cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.