Question on get-aduser and properties

    Question

  • I am fairly new to PowerShell and have gotten quite a bit of help browsing the Forums and asking questions.

    I have been working on getting properties from get-aduser, and it's baffling to me on the below examples.

    To find if a user account is enabled I have used:

    get-aduser -identity USERNAME | %{$_.enabled}

    This will return True or False

    To check if a user account is Locked I found this will return True or False

    (get-aduser -identity USERNAME -Properties LockedOut).LockedOut

    Why is this?  When I try

    get-aduser -identity USERNAME | %{$_.LockedOut}, it returns blank

    Subsequently if I try

    (get-aduser -identity USERNAME -Properties Enabled).Enabled, it returns blank.

    Friday, February 08, 2013 3:00 PM

All replies

  • Hi,

    Have a look at

    Search-ADAccount -AccountExpired

    and

    Search-ADAccount -AccountDisabled

    I've tried (get-aduser -identity USERNAME -Properties Enabled).Enabled and it works for me. get-aduser -identity USERNAME | %{$_.LockedOut} is blank for me because my account isn't locked ... but get-aduser -identity USERNAME | % {$_.Enabled} returns True.

    Have you looked at get-aduser USERNAME | Get-Member ... Is there anything in particular you're trying to achieve, or is it just understanding?

    Thanks,

    John

    Friday, February 08, 2013 4:35 PM
  • Thanks John,

    I may not have explained my question right.

    I am confused on why I have to use two different methods to pull a property out of get-aduser?  Both the Enabled and LockedOut properties return True or False.

    I am quickly finding out there are very many different ways to get something accomplished in PowerShell.

    Chris

    Friday, February 08, 2013 6:55 PM
  • You are right that there is often more than one way to accomplish a task in PowerShell. There is a fundamental difference between the Enabled and LockedOut properties exposed by Get-ADUser. Enabled is a default property, so it is returned whether you ask for it or not. LockedOut, however, is an extended property. It is only retrieved if you request it with the -Properties parameter.

    I find that the following always returns either True or False (unlike what you report):

    (Get-ADUser -Identity username -Properties Enabled).Enabled

    In fact, the following also always returns either True or False, because Enabled is a default property:

    (Get-ADUser -Identity username).Enabled

    If I request the LockedOut property, then again I always get either True or False:

    Get-ADUser -Identity username -Properties LockedOut | % {$_.LockedOut}

    I document the default properties exposed by many of the Get-AD* cmdlets here:

    http://social.technet.microsoft.com/wiki/contents/articles/12031.active-directory-powershell-ad-module-properties.aspx

    I never found documentation on the extended properties, so for Get-ADUser I document them here:

    http://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx


    Richard Mueller - MVP Directory Services

    Saturday, February 09, 2013 3:04 AM
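    The distinction Richard draws above (Enabled is in the default property set, LockedOut is an extended property that only appears when named in -Properties) is easy to verify from the object itself. The following is an added example, not code from the thread; it assumes the ActiveDirectory module on a domain-joined host, and the sample names jsmith and alee are hypothetical. Search-ADAccount, which John mentioned earlier, is shown as the bulk alternative that filters on the server side.

```powershell
# Added example (not from the thread): show why LockedOut must be requested
# explicitly while Enabled is always returned, and wrap both in one helper.
# Assumes the ActiveDirectory module and an authenticated, domain-joined session.
Import-Module ActiveDirectory

function Get-AccountState {
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        [string[]]$Identity
    )
    process {
        foreach ($id in $Identity) {
            # Enabled is a default property. LockedOut and PasswordExpired are
            # extended properties and are only populated when named in -Properties.
            $u = Get-ADUser -Identity $id -Properties LockedOut, PasswordExpired
            [pscustomobject]@{
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                LockedOut       = $u.LockedOut
                PasswordExpired = $u.PasswordExpired
            }
        }
    }
}

# Demonstrate the difference on one object: without -Properties the LockedOut
# member does not exist at all, which is why "$_.LockedOut" prints nothing.
$plain = Get-ADUser -Identity jsmith                          # jsmith: hypothetical sample user
$full  = Get-ADUser -Identity jsmith -Properties LockedOut
'Default properties: {0}' -f (($plain | Get-Member -MemberType Property).Name -join ', ')
'LockedOut present without -Properties: {0}' -f ($null -ne $plain.PSObject.Properties['LockedOut'])
'LockedOut present with    -Properties: {0}' -f ($null -ne $full.PSObject.Properties['LockedOut'])

# Per-account report; both columns are now real True/False values.
'jsmith', 'alee' | Get-AccountState | Format-Table -AutoSize   # alee: hypothetical sample user

# Bulk alternative: let the domain controller do the filtering.
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut, LastLogonDate
```

    When writing audit scripts, treat a property that is absent from the object as "not requested", not as False: a filter such as Where-Object { -not $_.LockedOut } over objects fetched without -Properties LockedOut will silently report every account as unlocked.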
  • For me, Get-Aduser is returning information for some accounts but not others even though they are actively used accounts.  In the following picture, both accounts are enabled and actively used but only one is showing the Enabled attribute.  It doesn't matter if I explicitly ask for it either (Get-Aduser userid -Properties Enabled)

    Friday, September 04, 2015 7:29 PM
  • Ricc, I've never seen a user object with no value for Enabled. Can you report the value of the userAccountControl attribute for such a user? For example:

    Get-ADUser -Identity "jsmith" -Properties userAccountControl

    Or, you can look at the value reported on the "Attribute Editor" tab of the user properties in ADUC. PowerShell will retrieve the value of userAccountControl in decimal. ADUC shows it in hexadecimal (in Windows Server 2008 and above).

    Richard Mueller - MVP Directory Services

    Friday, September 04, 2015 8:12 PM
  • Ricc

    The Enabled property exposed by the Get-ADUser cmdlet returns True or False based on the value of the userAccountControl attribute of the user, which is a flag attribute. The value is an integer where each bit represents a different setting, like ADS_UF_PASSWD_NOTREQD, ADS_UF_PASSWD_CANT_CHANGE, or ADS_UF_ACCOUNTDISABLE. The last is used by the Enabled property. The proper way to retrieve the setting is to retrieve the integer value of userAccountControl and binary AND this with a bit mask appropriate for the setting. The bit mask for ADS_UF_ACCOUNTDISABLE is 2. If (userAccountControl -band 2) is non-zero (True), then the account is disabled and Enabled should be False. If (userAccountControl -band 2) is zero (False), then the account is enabled and Enabled will be True.

    The system requires that userAccountControl have an integer value. It cannot be missing or null. As such, the binary AND of this value with 2 will always be either True or False. The result cannot be missing or null. That is why I requested the integer value of the userAccountControl attribute for your problem user. I want to make sure you have not found a bug in the Enabled property of Get-ADUser.

    Also, are any other properties besides Enabled missing?


    Richard Mueller - MVP Directory Services

    Monday, September 07, 2015 5:18 PM
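    Richard's description of Enabled as the inverse of the ADS_UF_ACCOUNTDISABLE bit (mask 2) in userAccountControl can be checked directly, which is also a useful way to spot the "blank Enabled" symptom reported in this thread. The following is an added example, not code from the thread; it assumes the ActiveDirectory module on a domain-joined host. The flag values are the standard ADS_USER_FLAG_ENUM constants (the thread names the first three; the others are added here), and the sample names jsmith and alee are hypothetical.

```powershell
# Added example (not from the thread): derive Enabled from userAccountControl
# with the bit mask described above, decode the other flags, and report a
# missing attribute (for example a read-permission problem) instead of
# letting it pass as "blank". Assumes the ActiveDirectory module and an
# authenticated, domain-joined session.
Import-Module ActiveDirectory

# Standard ADS_USER_FLAG_ENUM values; the thread names the first three.
$UacFlags = [ordered]@{
    ADS_UF_ACCOUNTDISABLE       = 0x2
    ADS_UF_PASSWD_NOTREQD       = 0x20
    ADS_UF_PASSWD_CANT_CHANGE   = 0x40
    ADS_UF_NORMAL_ACCOUNT       = 0x200
    ADS_UF_DONT_EXPIRE_PASSWD   = 0x10000
    ADS_UF_DONT_REQUIRE_PREAUTH = 0x400000
}

function ConvertFrom-UserAccountControl {
    param([Parameter(Mandatory)][int]$Value)
    # Emit the name of every flag whose bit is set in $Value.
    foreach ($name in $UacFlags.Keys) {
        if (($Value -band $UacFlags[$name]) -ne 0) { $name }
    }
}

function Test-EnabledConsistency {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Identity)
    process {
        foreach ($id in $Identity) {
            $u   = Get-ADUser -Identity $id -Properties userAccountControl
            $uac = $u.userAccountControl
            if ($null -eq $uac) {
                # The directory never stores a null here. An empty value means the
                # caller could not read the attribute, and Enabled is blank for the
                # same reason. Report it as unknown rather than as disabled.
                Write-Warning ("{0}: userAccountControl not readable; check read permission on the attribute or run from an authorized (elevated) session" -f $u.SamAccountName)
                continue
            }
            # Enabled is True exactly when the ADS_UF_ACCOUNTDISABLE bit is clear.
            $derived = (($uac -band $UacFlags.ADS_UF_ACCOUNTDISABLE) -eq 0)
            [pscustomobject]@{
                SamAccountName     = $u.SamAccountName
                userAccountControl = ('0x{0:X} ({0})' -f $uac)   # hex as ADUC shows it, decimal as PowerShell returns it
                EnabledProperty    = $u.Enabled
                EnabledFromUAC     = $derived
                Consistent         = ($u.Enabled -eq $derived)
                Flags              = ((ConvertFrom-UserAccountControl $uac) -join ',')
            }
        }
    }
}

# jsmith and alee are hypothetical sample users.
'jsmith', 'alee' | Test-EnabledConsistency | Format-Table -AutoSize
```

    A Consistent value of False should never occur; if it does, the userAccountControl value printed alongside is what to report. The decoded Flags column also surfaces settings an account review cares about, such as ADS_UF_PASSWD_NOTREQD or ADS_UF_DONT_REQUIRE_PREAUTH, from the same attribute fetch.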
  • Ricc,

    My guess now is that there is a problem with the permissions for the userAccountControl attribute. The account you use lacks permission to read userAccountControl.

    In ADUC view the properties of a problem user, select the "Security" tab, then "Advanced" and look at "Effective permissions". Near the bottom you will see read and write "userAccountControl".

    Then on the "Security" tab in "Advanced", select a trustee (user or group) and click "Edit". Again, under "Properties" you will find "userAccountControl". I suspect that your domain account cannot read userAccountControl. This would explain why the Enabled PowerShell property is missing.


    Richard Mueller - MVP Directory Services

    Friday, September 11, 2015 9:43 PM
  • Thanks for the information Richard!

    Ricc, we experienced the same issue here a month or so ago.  A colleague was not able to get the enabled value for some users.  I could run the exact same command and get the value for every user.  Both of our accounts are domain admins.  I ran PowerShell as my account from his RDP session and it also worked fine.  I found that his admin account was in a test OU where we test GPO's.  After his account was moved out of that OU he was able to get the enabled value for all accounts, same as me.  I never went back and looked to see what GPO's were applied to that OU at the time, so I still do not know what actually caused the problem.

    Jason

    Thursday, September 17, 2015 8:22 PM
  • Good info.  Look high, look low, look under the bed.  This kind of thing can be a challenge.  Look for difference (as you did) and suspect everything.

    \_(ツ)_/

    Thursday, September 17, 2015 9:44 PM
  • Hello Ricc,

    I had the same issue. "Enabled" and "useraccountcontrol" were missing from the output on some accounts but not on others. When looking into ADUC I could see the values correctly. It turned out that I had to run PS with administrative privileges (right click - "Run as Administrator"). After that all values were shown correctly.

    Regards

    Harry

    Thursday, November 26, 2015 11:22 AM