Each of the cmdlets in the PowerShell Active Directory module, like Get-ADUser and Get-ADComputer, displays a default set of properties for all objects retrieved. You can specify other properties with the -Properties parameter, but the default set will always be included. There is another set of extended properties that can be specified. In addition, any Active Directory attribute appropriate to the class of objects can be included by specifying the LDAPDisplayName of the attribute in the -Properties parameter.

 
 Work in progress

 
Both the default and extended properties are really methods. They return values based on the actual Active Directory attributes of the objects, converted in some cases for display. This article documents the default and extended properties for many of the cmdlets that come with the Active Directory module in PowerShell Version 2.0. This article does not document the Active Directory attributes that apply to each class of object.


Properties Parameter

All of the Get-AD* cmdlets support the -Properties parameter. If the -Properties parameter is not included, only the default properties are retrieved. You can specify default properties, extended properties, or the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. Many, but not all, of these properties and attributes can also be assigned values using the corresponding Set-AD* cmdlet.

Default Properties

For convenience, the Active Directory Get-AD* cmdlets always return a default set of properties. In many cases these correspond to mandatory attributes, so they will always have values. These property names do not always match the LDAPDisplayName of the corresponding Active Directory attribute. For example, the SID property is in the default set for Get-ADUser and Get-ADComputer, but there is no such attribute in Active Directory. The SID property is the objectSID attribute, which is a byte array, converted into a string.

Extended Properties

Each Active Directory Get-AD* cmdlet also supports extended properties. These are only retrieved if they are specified in the -Properties parameter of the cmdlet. Many can also be assigned values using the corresponding Set-AD* cmdlet. Again, the names of these properties may or may not match the LDAPDisplayName of the corresponding Active Directory attribute.

Active Directory Attributes

In addition, you can specify the LDAPDisplayName of any Active Directory attribute appropriate for the class of object with the -Properties parameter. If the attribute value cannot be displayed, as is the case with nTSecurityDescriptor, then the class definition is displayed.

Get-ADUser

The default properties retrieved by the Get-ADUser cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

| Property | Syntax | R/RW | lDAPDisplayName |
|---|---|---|---|
| DistinguishedName | String (DN) | R | distinguishedName |
| Enabled | Boolean | RW | userAccountControl (bit mask Not 2) |
| GivenName | String | RW | givenName |
| Name | String | R | cn (Relative Distinguished Name) |
| ObjectClass | String | R | objectClass, most specific value |
| ObjectGUID | Guid | R | objectGUID converted to string |
| SamAccountName | String | RW | sAMAccountName |
| SID | Sid | R | objectSID converted to string |
| Surname | String | RW | sn |
| UserPrincipalName | String | RW | userPrincipalName |
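
The mapping in the table above, written out as an added example (not code from the original article or from the Active Directory module): the hypothetical function ConvertTo-DefaultUserView builds the Get-ADUser default properties from raw attribute values. The sample values are constructed, and taking the last objectClass value as the most specific one is an assumption.

```powershell
# Added example, not the module's own code: derive the Get-ADUser default
# properties from raw attribute values, following the table above.
function ConvertTo-DefaultUserView {
    param([Parameter(Mandatory = $true)][hashtable]$Raw)

    # objectSid and objectGUID are byte arrays in the directory.
    $sidBytes  = [byte[]]$Raw.objectSid
    $guidBytes = [byte[]]$Raw.objectGUID
    $sid  = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $sidBytes, 0
    $guid = New-Object System.Guid -ArgumentList (,$guidBytes)

    New-Object PSObject -Property @{
        DistinguishedName = $Raw.distinguishedName
        # Enabled is true when bit 2 (account disabled) is NOT set.
        Enabled           = -not ($Raw.userAccountControl -band 2)
        GivenName         = $Raw.givenName
        Name              = $Raw.cn
        # Assumption: values run from general to specific, so take the last.
        ObjectClass       = @($Raw.objectClass)[-1]
        ObjectGUID        = $guid
        SamAccountName    = $Raw.sAMAccountName
        SID               = $sid.Value
        Surname           = $Raw.sn
        UserPrincipalName = $Raw.userPrincipalName
    }
}

# Constructed sample values (not taken from any real directory).
$raw = @{
    distinguishedName  = 'CN=Jane Doe,OU=Staff,DC=example,DC=com'
    userAccountControl = 514   # 512 (normal account) + 2 (disabled)
    givenName          = 'Jane'
    sn                 = 'Doe'
    cn                 = 'Jane Doe'
    objectClass        = 'top', 'person', 'organizationalPerson', 'user'
    objectGUID         = [byte[]](1..16)
    # Binary form of the constructed SID S-1-5-21-1-2-3-1104
    objectSid          = [byte[]](1,5,0,0,0,0,0,5,21,0,0,0,1,0,0,0,
                                  2,0,0,0,3,0,0,0,0x50,0x04,0,0)
    sAMAccountName     = 'jdoe'
    userPrincipalName  = 'jdoe@example.com'
}

ConvertTo-DefaultUserView -Raw $raw | Format-List
```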

Get-ADComputer

Get-ADGroup

Get-ADObject

Get-ADOrganizationalUnit