The Active Directory PowerShell module provides many cmdlets used to retrieve values from Active Directory objects. The cmdlets include Get-ADUser, Get-ADComputer, and Get-ADObject. These cmdlets can retrieve the values of many PowerShell properties of the AD objects. This article documents which PowerShell properties are exposed by which cmdlets.

Some users expect that because a PowerShell property (such as Enabled) is exposed by one cmdlet (such as Get-ADUser), the same property can be retrieved by another cmdlet (such as Get-ADObject) when the same class of AD object is involved. But even if Get-ADObject retrieves user objects, it cannot retrieve the Enabled property of the users. The table of properties and cmdlets in this article should help. Not all Active Directory cmdlets are documented here, but the ones with the most properties in common are included.

PowerShell Properties and AD Attributes

The PowerShell AD cmdlets can retrieve the values of most AD attributes, when specified by the lDAPDisplayName in the -Properties parameter. In addition, supported PowerShell properties can be retrieved. These are property methods, meaning there is generally code to convert the corresponding AD attribute into a more friendly format.

Some properties are just copies of the corresponding attribute. For example, the EmailAddress PowerShell property is simply a copy of the mail attribute of users in AD. Other properties require code to convert the value. For example, the objectSID AD attribute is a byte array, but the SID PowerShell property converts this into the friendly string format.

The names of some of the PowerShell properties are the same as the corresponding AD attribute. For example, the PowerShell ObjectGUID property converts the objectGUID AD attribute, which is a byte array, into the friendly GUID format. In other cases, the names are different, even though the values are the same. The PowerShell Fax property is identical to the facsimileTelephoneNumber AD attribute of users.

Default and Extended Properties

Each AD module cmdlet supports a collection of default properties. These are always retrieved by the cmdlet for every object returned. Many cmdlets also support extended properties, which must be requested with the -Properties parameter of the cmdlet. If the cmdlet does not support any extended properties, then it does not support the -Properties parameter.
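
The Enabled case above, as an added example (not code from the original article): Get-ADObject can still return the raw userAccountControl attribute when it is requested by lDAPDisplayName in -Properties, and a hypothetical helper, ConvertFrom-UserAccountControl, decodes it into the same-named properties from the table. The bit values are the documented userAccountControl flags, the sample values and distinguished names are constructed, and the final filter is an audit for accounts with weak authentication settings.

```powershell
# Added example. ConvertFrom-UserAccountControl is a hypothetical helper,
# not a cmdlet of the ActiveDirectory module.
# Documented userAccountControl bit values, keyed by the name of the matching
# PowerShell property in the table.
$UacFlags = [ordered]@{
    Enabled                           = 0x0000002   # ACCOUNTDISABLE, inverted
    PasswordNotRequired               = 0x0000020
    AllowReversiblePasswordEncryption = 0x0000080
    PasswordNeverExpires              = 0x0010000
    SmartcardLogonRequired            = 0x0040000
    TrustedForDelegation              = 0x0080000
    AccountNotDelegated               = 0x0100000
    UseDESKeyOnly                     = 0x0200000
    DoesNotRequirePreAuth             = 0x0400000
    TrustedToAuthForDelegation        = 0x1000000
}

function ConvertFrom-UserAccountControl {
    param(
        [Parameter(Mandatory)] [int] $Value,
        [string] $DistinguishedName
    )
    $out = [ordered]@{ DistinguishedName = $DistinguishedName }
    foreach ($name in $UacFlags.Keys) {
        $isSet = ($Value -band $UacFlags[$name]) -ne 0
        # Enabled is the only property that is true when its bit is clear
        if ($name -eq 'Enabled') { $isSet = -not $isSet }
        $out[$name] = $isSet
    }
    [pscustomobject]$out
}

# Constructed sample values, so the decoding can be checked without a domain
ConvertFrom-UserAccountControl -Value 512     -DistinguishedName 'CN=Sample1,DC=example,DC=test'
ConvertFrom-UserAccountControl -Value 4194850 -DistinguishedName 'CN=Sample2,DC=example,DC=test'

# Against a directory: Get-ADObject needs the lDAPDisplayName in -Properties
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADObject -LDAPFilter '(&(objectCategory=person)(objectClass=user))' -Properties userAccountControl |
        ForEach-Object { ConvertFrom-UserAccountControl -Value $_.userAccountControl -DistinguishedName $_.DistinguishedName } |
        Where-Object { $_.DoesNotRequirePreAuth -or $_.PasswordNotRequired -or $_.UseDESKeyOnly } |
        Select-Object DistinguishedName, Enabled, DoesNotRequirePreAuth, PasswordNotRequired, UseDESKeyOnly
}
```

LockedOut and PasswordExpired are left out of the helper because the stored userAccountControl value does not reliably carry them.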

Table of PowerShell Properties

The following table documents the PowerShell properties exposed by each of the listed Active Directory cmdlets. A "D" means that the property is a default property. An "E" means an extended property. Otherwise, the property is not supported by the cmdlet.

In order to have the cmdlet names fit in the table, they are abbreviated as follows:

  • User = Get-ADUser
  • Computer = Get-ADComputer
  • Group = Get-ADGroup
  • Object = Get-ADObject
  • OU = Get-ADOrganizationalUnit
  • ServiceAccount = Get-ADServiceAccount
  • Account = Search-ADAccount

PowerShell Property User Computer Group Object OU ServiceAccount Account
AccountExpirationDate E E E D
AccountLockoutTime E E E
AccountNotDelegated E E E
AllowReversiblePasswordEncryption E E E
BadLogonCount E E E
CannotChangePassword E E E
CanonicalName E E E E E E
Certificates E E E
ChangePasswordAtLogon E
City E D
Company E
Country E D
Created E E E E E E
Deleted E E E E E E
Department E
Description E E E E E E
DisplayName E E E E E E
DistinguishedName D D D D D D D
Division E
DNSHostName D
DoesNotRequirePreAuth E E E
EmailAddress E
EmployeeID E
EmployeeNumber E
Enabled D D D D
Fax E
GivenName D
GroupCategory D
GroupScope D
HomeDirectory E
HomeDirRequired E E E
HomeDrive E
HomePage E E E E
HomePhone E
HostComputers D
Initials E
IPv4Address E
IPv6Address E
LastBadPasswordAttempt E E E
LastKnownParent E E E E E E
LastLogonDate E E E D
LinkedGroupPolicyObjects D
Location E
LockedOut E E E D
LogonWorkstations E
ManagedBy E E D
Manager E
MemberOf E E E E
Members E
MNSLogonAccount E E E
MobilePhone E
Modified E E E E E E
Name D D D D D D D
ObjectCategory E E E E E E
ObjectClass D D D D D D D
ObjectGUID D D D D D D D
Office E
OfficePhone E
OperatingSystem E
OperatingSystemHotFix E
OperatingSystemServicePack E
OperatingSystemVersion E
Organization E
OtherName E
PasswordExpired E E E D
PasswordLastSet E E E
PasswordNeverExpires E E E D
PasswordNotRequired E E E
PostalCode E D
PrimaryGroup E E E
ProfilePath E
ProtectedFromAccidentalDeletion E E E E E E
SamAccountName D D D D
ScriptPath E
ServiceAccount E D
ServicePrincipalNames E E E
SIDHistory E E E E
SmartcardLogonRequired E
State E D
StreetAddress E D
Surname D
Title E
TrustedForDelegation E E E
TrustedToAuthForDelegation E E E
UseDESKeyOnly E E E
UserPrincipalName D D D D
