Question on get-aduser and properties


  • I am fairly new to PowerShell and have gotten quite a bit of help browsing the Forums and asking questions.

    I have been working on getting Properties from get-aduser, and its bafflilng to me on the below examples.

    To find if a user account is enabled I have used:

    get-aduser -identity USERNAME | %{$_.enabled}

       This will return True or False

    To check if a user account is Locked I found this will return True or False

    (get-aduser -identity USERNAME -Properties LockedOut).LockedOut

    Why is this?  When I try

    get-aduser -identity USERNAME | %{$_.LockedOut}, it returns blank

    Subsequently if I try

    (get-aduser -identity USERNAME -Properties Enabled).Enabled, it returns blank.

    Friday, February 08, 2013 3:00 PM


All replies

  • Hi,

    Have a look at

    Search-ADAccount -AccountExpired


    Search-ADAccount -AccountDisabled

    I've looked at (get-aduser -identity USERNAME -Properties Enabled).Enabled works for me. get-aduser -identity USERNAME | %{$_.LockedOut} is blank for me because my account isn't locked ... but get-aduser -identity USERNAME | % {$_.Enabled} returns true

    Have you looked at get-aduser USERNAME | Get-Member ...I

    s there anything in particular you're trying to achieve or just understanding?



    Friday, February 08, 2013 4:35 PM
  • Thanks John,

    I may not have explained my question right.

    I am confused on why I have to use two different methods to pull a property out of get-aduser?  Both the Enabled and LockedOut properties return True or False.

    I am quickly finding out there are very many different ways to get something accomplished in Powershell.


    Friday, February 08, 2013 6:55 PM
  • You are right that there is often more than one way to accomplish a task in PowerShell. There is a fundamental difference between the Enabled and LockedOut properties exposed by Get-ADUser. Enabled is a default property, so it is returned whether you ask for it or not. LockedOut, however, is an extended property. It is only retrieved if you request it with the -Properties parameter.

    I find that the following always returns either True or False (unlike what you report):

    (Get-ADUser -Identity username -Properties Enabled).Enabled

    In fact, the following also always returns either True or False, because Enabled is a default property:

    (Get-ADUser -Identity username).Enabled

    If I request the LockedOut property, then again I always get either True or False:

    Get-ADUser -Identity username -Properties LockedOut | % {$_.LockedOut}

    I document the default properties exposed by many of the Get-AD* cmdlets here:

    I never found documentation on the extended properties, so for Get-ADUser I document them here:

    Richard Mueller - MVP Directory Services

    Saturday, February 09, 2013 3:04 AM