Pull All User Attributes with PowerShell

  • Question

  • Okay, when I go into ADUC and open up the Attribute Editor for a User I see something like 300 attributes. Many are blank or unused, that's fine. I need to pull that full list with PowerShell. I don't care whether they are blank or null or whatever, I want a list of every attribute available in my directory. I've tried several different queries with different tools. Get-ADUser is the most comprehensive at 100 attributes returned.

    Get-ADUser username -Properties * | Select *
    This isn't all of them. For example the "Audio" Attribute doesn't show up. But as soon as I put a value in Audio it does show up. So I know that the CMDLET has access to the attributes; it just isn't showing them to me. Is there a flag/switch I'm missing that will show everything? Is there a different CMDLET I should be using?

    Thanks much for the help in advance.

    Monday, July 22, 2013 4:37 PM

Answers

  • I see what you are saying but even without it still doesn't show all ~300 Attributes.
    The way Active Directory works is, if an attribute(**) is unused, it is not recorded in the object at all. That is, an object only bears attributes that have a non-null value (*empty string is a non-null value).

    You can keep trying all day but in the end AD will only return attributes that are used.

    If you just want a list of attributes that are associated with a particular class, you can query the schema for the class and look for the associated attributes, or simply find it in MSDN:

    http://msdn.microsoft.com/en-us/library/windows/desktop/ms683980(v=vs.85).aspx

    The above shows the list of possible attributes associated with the user class.

    (**) The only part I'm not sure is how it treats mandatory attributes if they're null.  E.g. no samAccountName for a user object.
    • Marked as answer by MU IT Tuesday, July 23, 2013 3:31 PM
    Tuesday, July 23, 2013 5:18 AM

All replies

  • Do you need to add that select command in there? 

    If you're using select on an object it will always create a noteproperty of the name you put in:

    get-aduser Jason -properties * | select -property FakeProperty
    
    _______
    
    FakeProperty
    ------------
    {}

    Regardless, if the user has the property you're looking for it should display.

    Hope that helps! Jason

    • Proposed as answer by AJC111 Friday, December 2, 2016 4:52 PM
    Monday, July 22, 2013 4:55 PM
  • I see what you are saying but even without it still doesn't show all ~300 Attributes.
    • Edited by MU IT Monday, July 22, 2013 5:08 PM typo
    Monday, July 22, 2013 5:02 PM
  • Hi,

    Run the command below to see all properties that can be read out by the Get-ADUser command.

    Get-ADUser -Filter * -Properties * | Get-Member -MemberType property

    Regards,

    Yan Li

    Cataleya Li
    TechNet Community Support


    Tuesday, July 23, 2013 5:17 AM
    Moderator
  • Ah! Thanks AverageJoeofToronto, that makes sense. I need to do my own query as I'm doing an experiment to see how schema changes with the install and uninstall of an Exchange server. So I need to see my schema specifically as online forums are conflicting in regards to what uninstalling Exchange does to the Schema. Thanks sir, I'll look into doing a schema query on the User Class.
    Tuesday, July 23, 2013 3:31 PM
  • I'm a bit late to this post, but here's a bit of a hack solution.

    It first pulls back a list of all users, then from that finds all of the used properties on each user, then combines this to get a list of all of the properties that your company is using (i.e. for any user), then outputs all of these properties for all users (i.e. even where it's null for a user).

    It also does the same for computers.


    clear-host
    # Adjust to the OU you want to export.
    $searchBase = 'OU=MyOU,DC=myDomain,DC=myCompany,DC=com'
    # Export-Csv does not create missing folders, so c:\temp must already exist.
    $users_fn = ("c:\temp\AllAdExport_Users_{0:yyyyMMdd_HHmmss}.csv" -f (get-date))
    $computers_fn = ("c:\temp\AllAdExport_Computers_{0:yyyyMMdd_HHmmss}.csv" -f (get-date))
    
    "collecting user info"
    $allUsers = get-aduser -Filter {enabled -eq $true} -SearchBase $searchBase -SearchScope Subtree -Properties *
    "collecting user property info"
    # Union of the property names seen on any user, so every CSV row gets the same columns.
    $allProperties =  $allUsers | %{ $_.psobject.properties | select Name } | select -expand Name -Unique | sort 
    "exporting users"
    $allUsers | select $allProperties | export-csv $users_fn -NoTypeInformation
    
    # Same three steps for computer objects.
    "collecting computer info"
    $allComputers = get-adcomputer -Filter {enabled -eq $true} -SearchBase $searchBase -SearchScope Subtree -Properties *
    "collecting computer property info"
    $allProperties =  $allComputers | %{ $_.psobject.properties | select Name } | select -expand Name -Unique | sort 
    "exporting computers"
    $allComputers | select $allProperties | export-csv $computers_fn -NoTypeInformation
    


    Thursday, November 19, 2015 4:27 PM
  • Yan Li_, 

    I am new to PowerShell. I want to learn PowerShell so I can move away from updating Objects via the Attribute Editor GUI in Active Directory Users and Computers.

    I would like to display all Attributes for one Object.  I tried to do this by changing the PowerShell command you posted to the following:

    Get-ADUser -Identity "test02" -Filter * -Properties * | Get-Member -MemberType property

    However, I always get an error.

    T.J.

     


    • Edited by tjcreek55 Tuesday, November 29, 2016 5:45 PM
    Tuesday, November 29, 2016 5:44 PM
  • Remove -Filter *
    Tuesday, November 29, 2016 5:58 PM
  • Vincent,

    Thank you! Removing -Filter * gave me a LONG list of the Object Properties for test02.

    So, I ran the following command to update the EmployeeID Attribute for the Object test02:

    Set-ADUser -Identity "test02" -EmployeeID "test02"

    When I ran the following command, PowerShell does display a LOT of properties. One of them is EmployeeID. However, it does not tell me what the EmployeeID is for the test02 Object. How do I display this? Below is what is displayed.

    EmployeeID                           Property   System.String EmployeeID {get;set;}

    T.J.


    • Edited by tjcreek55 Tuesday, November 29, 2016 6:19 PM
    Tuesday, November 29, 2016 6:18 PM
  • Create a new thread in the PowerShell forum instead of this.
    Tuesday, November 29, 2016 6:27 PM
  • Thank you!!!  Works great.  New to PS, so I couldn't figure out how to get all the properties.  Still Learning.
    Saturday, December 17, 2016 10:55 PM
  • It's not exporting the CSV. It's giving me an error

    Could not find a part of the path 'C:\temp\AllAdExport_Users_20190110_143212.csv'

    Any help on this will be much appreciated
    • Edited by Abhinav7264 Thursday, January 10, 2019 8:24 PM
    Thursday, January 10, 2019 8:24 PM
  • I know this is a little late, however I think that I have a good way to get the properties for adusers:

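    # DirectorySearcher with no search root binds to the current domain.
    $ad=New-Object System.DirectoryServices.DirectorySearcher
    $ad.PageSize = 100000
    $ad.Filter="(&(objectCategory=person)(objectClass=user))"
    # Format-Table takes one comma-separated property list; SearchResult exposes Path and Properties.
    $ad.FindAll()|ft Path, Properties -wrap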

    Thursday, January 30, 2020 12:26 AM
  • This is an old thread, but occasionally people ask this question. How can you document all attributes of a given AD object, whether the attribute has a value or not? Most methods fail for the reason given early in this thread. The Active Directory database does not have any entry for any attributes that are not assigned values. No matter how you query for the object, you can never find attributes that are not set.

    The only method that works is to query the AD Schema for the attributes that apply to the class of object. There are methods to retrieve a collection of all mandatory and optional parameters that apply to the class, plus the syntax of each, and if it is multi-valued. Then code can document each attribute, including most values.

    This is not an easy task. It requires considerable code and testing. Because the question keeps getting raised, I developed a PowerShell script for the task. The issues are explained in this Wiki article, which includes a link to the PowerShell script. The Wiki is linked here:

    https://social.technet.microsoft.com/wiki/contents/articles/52617.active-directory-document-all-attributes-of-specified-active-directory-object.aspx

    The PowerShell script to document all attributes of a specified AD object is here:

    https://gallery.technet.microsoft.com/Document-all-Attributes-of-1ac5a80c


    Richard Mueller - MVP Enterprise Mobility (Identity and Access)

    Thursday, January 30, 2020 1:11 AM
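
The schema query that the marked answer and the post above describe, as an added example that is not part of the thread and is not Richard Mueller's script. It lists the attributes the schema reports for a class whether or not any object has them set, and diffs two snapshots, which fits the before/after Exchange experiment mentioned earlier. The function names and CSV paths are hypothetical, and it assumes a domain-joined host with read access to the schema.

```powershell
# Added example, not from the thread. Function names and file paths are
# hypothetical. Uses only .NET System.DirectoryServices; no RSAT module needed.

function ConvertTo-AttributeRow {
    param($Property, [bool]$Mandatory)
    # Guard the Syntax lookup so one unmappable attribute does not abort the listing.
    $syntax = try { $Property.Syntax } catch { 'Unknown' }
    [pscustomobject]@{
        Name        = $Property.Name            # lDAPDisplayName of the attribute
        Mandatory   = $Mandatory
        Syntax      = $syntax
        SingleValue = $Property.IsSingleValued
    }
}

function Get-SchemaClassAttribute {
    # Reads the class definition from the schema, not from any user object,
    # so attributes with no value anywhere in the directory are still listed.
    param([string]$ClassName = 'user')

    $schema = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySchema]::GetCurrentSchema()
    $class  = $schema.FindClass($ClassName)

    foreach ($p in $class.MandatoryProperties) { ConvertTo-AttributeRow $p $true }
    foreach ($p in $class.OptionalProperties)  { ConvertTo-AttributeRow $p $false }
}

function Export-SchemaSnapshot {
    # Writes a sorted attribute list to CSV so two points in time can be compared.
    param([Parameter(Mandatory)][string]$Path, [string]$ClassName = 'user')
    Get-SchemaClassAttribute -ClassName $ClassName | Sort-Object Name |
        Export-Csv -Path $Path -NoTypeInformation
}

function Compare-SchemaSnapshot {
    # Reports attribute names present in only one of the two snapshots.
    param([Parameter(Mandatory)][string]$Before, [Parameter(Mandatory)][string]$After)
    Compare-Object (Import-Csv $Before) (Import-Csv $After) -Property Name |
        Select-Object Name, @{ n = 'Change'; e = {
            if ($_.SideIndicator -eq '=>') { 'Added' } else { 'Removed' } } }
}

# Usage (paths are placeholders):
#   Export-SchemaSnapshot -Path .\user-before.csv    # before the schema change
#   Export-SchemaSnapshot -Path .\user-after.csv     # after it
#   Compare-SchemaSnapshot -Before .\user-before.csv -After .\user-after.csv
```
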
  • Cool. This reported all the attributes including the extension attributes
    Friday, July 3, 2020 2:01 PM