PowerShell script to display information about Active Directory users

• Author
• Recent Posts

Mike Kanakos

Mike Kanakos is a Cloud and Datacenter Microsoft MVP, tech blogger and PowerShell community leader. He writes about infrastructure management and cloud automation. You can follow Mike on his blog https://www.commandline.ninja or on Twitter at @MikeKanakos.

Latest posts by Mike Kanakos (see all)

• Export and import to and from Excel with the PowerShell module ImportExcel - Thu, Apr 21 2022
• Getting started with the PSReadLine module for PowerShell - Thu, Feb 24 2022
• SecretsManagement module for PowerShell: Save passwords in PowerShell - Tue, Dec 22 2020

In my example, we're going to create a tool that displays the most common fields needed to help employees who are calling into the helpdesk for assistance and display that info in a simple, easy-to-read output. I am going to walk you through building this script piece by piece and then present the final solution at the end of this article.

My goal is make it simple to display all the relevant the Active Directory fields related to user account status, account expiration, password status, as well as when they last set their password and when it will expire. I would also like to know if the account is locked out. Finally, I also need to display the common employee info fields (name, address, department, manager, title, etc.). The tool also needs to be simple for my helpdesk staff to use since they sometimes deal with a large volume of calls.

Of course, you can just run Get-ADUser to retrieve information about Active Directory users. However, you usually can't expect helpdesk staff to be typing in super-long commands like the one below to get the info they need.

get-aduser username -Properties * | Select-Object GivenName, Surname, SamAccountName, Manager, DisplayName, ` 
City, EmailAddress, EmployeeID, Enabled, Department, OfficePhone, MobilePhone, LockedOut, LockOutTime, AccountExpirationDate, ` 
PasswordExpired, PasswordLastSet, Title

The block of code above produces the following output:

Looking up employee info with Get ADUser

This syntax works fine and gets us most of what we need without a ton of work. Overall, this is close to what I am looking to achieve. We could stop right here and call it a day, and for many people this would a usable solution. However, it isn't the most elegant solution, and more importantly, the output above is missing the password-expiration date, and the manager field is not easily readable. I think we can do better.

I certainly wouldn't expect someone to type in all that data over and over. We're close, but we must make it simple to type. Also, when I look at these fields, I see two sets of data: employee information and account status information. But the fields are not organized in any way, and the output is just a long table.

Let's address the two problem fields first. The manager field is not formatted as I would prefer: I would like to see first name and last name. We can fix this by doing a lookup on the manager's name and returning the manager's SAMAccountName. I used SAMAccountName because the DisplayName is listed as Last name, First name. This is not what I wanted, but you may like this field better for your version of this script.

I am using Get-ADUser a second time to look up the SamAccountName of the manager and then I am saving that value to a variable named $Manager.

$Manager = ((Get-ADUser $Employee.manager).samaccountname)

The password expiration is tricky because it's a special field that isn't easy to find if you don't know what you’re looking for and the value is not in a human-readable form by default. I'll need to make two changes to get the desired result. The first thing I need to do is add the field "msDS-UserPasswordExpiryTimeComputed" to my  original Get-ADuser query, and then I need to convert the data returned to a format we can make sense of.

Here I convert the msDs-UserPasswordExpiryTimeComputed value to a readable date value and save the output to a variable named $PasswordExpiry

$PasswordExpiry = [datetime]::FromFileTime($Employee.'msDS-UserPasswordExpiryTimeComputed')

Now that I have all the fields I need, I can work on breaking up the original output into two distinct groups (employee information and account status information), but using Select-Object to display the fields probably isn’t going to give me the desired result. I could feed that data from Get-ADUser into two separate arrays, and then I could display each array separately. Using arrays lets me rename fields in Active Directory like "given name" and "surname" to more commonly used names like FirstName and LastName. Let's see what those arrays look like.

$AccountInfo = [PSCustomObject]@{
  FirstName    = $Employee.GivenName
  LastName     = $Employee.Surname
  Title        = $Employee.Title
  Department   = $Employee.Department
  Manager      = $Manager
  City         = $Employee.City
  EmployeeID   = $Employee.EmployeeID
  UserName     = $Employee.SamAccountName
  DisplayNme   = $Employee.Displayname
  EmailAddress = $Employee.Emailaddress
  OfficePhone  = $Employee.Officephone
  MobilePhone  = $Employee.Mobilephone
}

$AccountStatus = [PSCustomObject]@{
  PasswordExpired       = $Employee.PasswordExpired
  AccountLockedOut      = $Employee.LockedOut
  LockOutTime           = $Employee.LockOutTime
  AccountEnabled        = $Employee.Enabled
  AccountExpirationDate = $Employee.AccountExpirationDate
  PasswordLastSet       = $Employee.PasswordLastSet
  PasswordExpireDate    = $PasswordExpiry
}

The result is we have taken the information from our original lookup and have split the data into two smaller groups. Those groups now contain field names that are more user friendly as well. You could argue that this isn't necessary, and you would not be wrong.

The reason for doing this extra work is to get the output organized in the way I want it displayed with the field names I want. I could instead have run Get-ADuser twice in one script. The first Get-ADUser could have got just the account info fields, and then I could've run Get-ADuser again to lookup the Account status fields.

However, those two calls still would not convert the msDs-UserPasswordExpiryTimeComputed value to a readable date value, so I would still need to do more work afterwards. For me, arrays offer more flexibility with formatting and naming and allow me to add other fields that weren't available with the original Get-ADuser query.

Also, I believe that it's not enough just to build a tool that gives me the desired result. Instead, the tool should also be well documented, easy to follow, and built using best practices. Arrays are a better solution to the problem, and my code will be easier to understand.

Lastly, I'd like to remind you that the fields I chose may not be the ones you want to use. It's only a small amount of work to customize this as you wish. Let's see what the output of the two arrays looks like:

The output of the two arrays

We have broken up the output into two smaller groups. I think that output is better organized and easier to read at a glance, which was my main concern when starting this project. The result is that helpdesk staff members will have an easier time finding the info they need.

I prefer to run my tools as functions. This means we need to name our function and include help files so people have something to reference when they have questions. The script below is formatted as a function, which means you'll have to load the function to run it. I'll assume you already know how to do that. I named my function Get-EmployeeInfo. The syntax is simple to type:

Get EmployeeInfo syntax

The result is that we have a tool that is easy to use, with a simple syntax that results in a customized output that is easy to read. I also created code that follows best practices, is succinct, portable, and well documented.

My hope is that you found this article insightful, and it helps you build your own functions using customized lookups. Please leave me some feedback in the comments section so I can continue to write useful articles. If there is something you would love to see me write about or if you have a specific question about this or any or my other articles, please feel free to leave me a note as well.

Function Get-EmployeeInfo {

    <#
 .Synopsis
  Returns a customized list of Active Directory account information for a single user

 .Description
  Returns a customized list of Active Directory account information for a single user. The customized list is a combination of the fields that
  are most commonly needed to review when an employee calls the helpdesk for assistance.

 .Example
  Get-EmployeeInfo Joe_Smith
  Returns a customized list of AD account information fro Michael_Kanakos

  PS C:\Scripts> Get-EmployeeInfo Joe_Smith

    FirstName    : Joe
    LastName     : Smith
    Title        : Marketing Analysyt
    Department   : Marketing
    Manager      : Tom_Jones
    City         : New York
    EmployeeID   : 123456789
    UserName     : Joe_Smith
    DisplayNme   : Smith, Joe
    EmailAddress : Joe_smith@bigfrom.biz
    OfficePhone  : +1 631-555-1212
    MobilePhone  : +1 631-333-4444

    PasswordExpired       : False
    AccountLockedOut      : False
    LockOutTime           : 0
    AccountEnabled        : True
    AccountExpirationDate :
    PasswordLastSet       : 3/26/2018 9:29:02 AM
    PasswordExpireDate    : 9/28/2018 9:29:02 AM

 .Parameter UserName
  The employee account to lookup in Active Directory

  .Notes
  NAME: Get-EmployeeInfo
  AUTHOR: Mike Kanakos
  LASTEDIT: 2018-04-14
  .Link
    https://github.com/compwiz32/PowerShell

#>

    [CmdletBinding()]
    Param(
        [Parameter(Mandatory = $True, Position = 1)]
        [string]$UserName
    )


    #Import AD Module
    Import-Module ActiveDirectory

    $Employee = Get-ADuser $UserName -Properties *, 'msDS-UserPasswordExpiryTimeComputed'
    $Manager = ((Get-ADUser $Employee.manager).samaccountname)
    $PasswordExpiry = [datetime]::FromFileTime($Employee.'msDS-UserPasswordExpiryTimeComputed')

      $AccountInfo = [PSCustomObject]@{
        FirstName    = $Employee.GivenName
        LastName     = $Employee.Surname
        Title        = $Employee.Title
        Department   = $Employee.department
        Manager      = $Manager
        City         = $Employee.city
        EmployeeID   = $Employee.EmployeeID
        UserName     = $Employee.SamAccountName
        DisplayNme   = $Employee.displayname
        EmailAddress = $Employee.emailaddress
        OfficePhone  = $Employee.officephone
        MobilePhone  = $Employee.mobilephone
    }

    $AccountStatus = [PSCustomObject]@{
        PasswordExpired       = $Employee.PasswordExpired
        AccountLockedOut      = $Employee.LockedOut
        LockOutTime           = $Employee.AccountLockoutTime
        AccountEnabled        = $Employee.Enabled
        AccountExpirationDate = $Employee.AccountExpirationDate
        PasswordLastSet       = $Employee.PasswordLastSet
        PasswordExpireDate    = $PasswordExpiry
    }

    $AccountInfo

    $AccountStatus

} #END OF FUNCTION