Do you want to learn how to get AD objects in PowerShell? You need the Get-ADObject cmdlet, and this guide teaches you all you need to know about the cmdlet.
Overview
If you want to get the properties of any AD object – users, computers, OUs, etc – the Get-ADObject command is your cmdlet. Apart from returning information about a single AD object, this cmdlet can return information about multiple AD objects.
As you will see in the next section, this versatile PowerShell commandlet has three synaxes. The primary difference between the three syntaxes is the Identity, Filter, and LDAPFilter parameters.
However, most users use the syntax with the Identity parameter. Talking about the Identity parameter, you can specify an object’s distinguished name or GUID as its Identity in the Get-ADObject command.
Moreover, if you want to search for the properties of more than one AD object, use the Filter or LDAPFilter parameters. The difference between the Filter and LDAPFilter parameters is the way you format the search parameters.
Specifically, for the Filter parameter, you specify your search parameter within curly braces, {}. Then, within the curly braces, {} you use comparison operators to perform your query criteria.
In comparison, for the LDAPFilter parameter, you set your search parameter within “()”. However, instead of using comparison operators to perform your query criteria, you use the equality (=) operator.
Syntax And Parameters of the Get-ADObject Command
In the last section, I mentioned that the Get-ADObject command has three syntaxes. In the first sub-section of this section, I will list the three syntaxes of this cmdlet.
Then, in the second sub-section, I will explain all the parameters of the syntaxes.
Syntax of the Get-ADObject Command
As I have mentioned more than once in this article, this cmdlet has three syntaxes. Here they are…
Get-ADObject [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-Identity] <ADObject> [-IncludeDeletedObjects] [-Partition <String>] [-Properties <String[]>] [-Server <String>] [<CommonParameters>]
Get-ADObject [-AuthType <ADAuthType>] [-Credential <PSCredential>] -Filter <String> [-IncludeDeletedObjects] [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]
Get-ADObject [-AuthType <ADAuthType>] [-Credential <PSCredential>] [-IncludeDeletedObjects] -LDAPFilter <String> [-Properties <String[]>] [-ResultPageSize <Int32>] [-ResultSetSize <Int32>] [-SearchBase <String>] [-SearchScope <ADSearchScope>] [-Server <String>] [<CommonParameters>]
When I introduced the Get-ADObject cmdlet in the overview section, I mentioned that what differentiates the three syntaxes are the Identity, Filter, and LDAPFilter parameters.
While this is largely true, if you look closely at the syntaxes, you’ll notice some other parameters common to the Filter and LDAPFilter syntaxes but not included in the -Identity syntax.
Essentially, the three syntaxes include the following parameters: AuthType, Credential, IncludeDeletedObjects, Server, and Properties. It is also important to point out that the syntax with the Identity parameter has another unique parameter – Partition.
However, the Filter and LDAPFilter syntaxes include the following additional parameters: SearchBase, SearchScope, ResultPageSize, and ResultSetSize.
If you recollect, I said earlier that you use the Filter and LDAPFilter parameters to get the properties of more than one AD object. The implication is that you may need to specify a container that you want Get-ADObject to search for objects.
This is why you have the SearchBase parameter in the Filter and LDAPFilter syntaxes. I’ll explain the parameters and what they do in the next subsection.
Furthermore, since the Filter and LDAPFilter may return large amounts of data, the Get-ADObject needs to include the parameters you can use to control result sizes and display parameters.
This is why the two syntaxes of the Get-ADObject command include parameters like ResultPageSize and ResultSetSize. More on all these parameters in the next sub-section.
Parameters of the Get-ADObject Command Explained
In the table below, I have listed and explained the parameters of the Get-ADObject command. Furthermore, I have organized the parameters according to the syntaxes of the Get-ADObject cmdlet.
Essentially, except for the Partition parameter, which only belongs to the Identity syntax, all other parameters after the Identity parameter are common to the three syntaxes of the Get-ADObject command.
However, all parameters after the Filter and LDAPFilter parameters are common to the Filter and LDAPFilter syntaxes of Get-ADObject.
| Get-ADObject Parameter Name | Parameter Meaning/Notes |
|---|---|
| Identity | Use the Identity to specify the distinguished name or GUID (objectGUID) or the AD object that you want to get. |
| Partition | The Partition parameter can only be used with the Identity parameter. The Partition parameter specifies the distinguished name of an Active Directory partition. |
| AuthType | Specifies the authentication method to use to run the command. This parameter accepts the following values: Negotiate or 0, Basic or 1. |
| Credential | Use the Credential parameter to specify the AD user account credentials to use to perform run the Get-ADObject command. |
| IncludeDeletedObjects | This parameter indicates that the Get-ADObject cmdlet retrieves deleted objects and the deactivated forward and backward links. |
| Properties | When you run the Get-ADObject command, it returns the default properties of the object. But if you want to return other properties, not in the default result, or you want to return specific properties, use the Properties. Moreover, to return all properties of an object, add the asterisks wildcard next to the Properties parameter. |
| Server | Use the Server parameter to specify the AD DS instance to connect to. You can specify the fully qualified domain name or NetBIOS name of a Domain. Alternatively, you can specify the fully qualified directory server name, the NetBIOS name of a directory server, or the fully qualified directory server name and port. |
| Filter | Use this parameter to specify a query string inside curly braces, {}. To specify your query, use the PowerShell comparison operators. Here is an example command: Get-ADObject -Filter {samaccountname -eq “ARaj”} |
| LDAPFilter | Use this parameter to specify an LDAP query string that is used to filter Active Directory objects. Unlike the Filter parameter that uses {}, LDAPFilter uses “()” for its filter. Additionally, LDAPFilter uses the equality (=) operator instead of the PowerShell comparison operator. Here is an example: Get-ADObject -LDAPFilter “(OU=Writers)” |
| SearchBase | Use SearchBase to specify an Active Directory path to search. |
| SearchScope | SearchScope specifies the scope of an Active Directory search. You can specify the following values next to the SearchScope: Base or 0, OneLevel or 1, Subtree or 2. |
| ResultPageSize | This parameter specifies the number of objects to include in one page for an AD DS query. By default, the Get-ADObject command returns 256 objects per page. |
| ResultSetSize | The ResultSetSize parameter specifies the maximum number of objects to return for an AD DS query. To return all of the objects, set this parameter to $Null (null value). $Null is the default. If the command is taking too long to complete, use Ctrl+C to stop the query. |
The Get-ADObject Command Examples
Having read my overview and the syntax and parameters section of this guide, you’re equipped to start using the Get-ADObject cmdlet. However, to start you off, here are a few applications and examples.
1. Use the Get-ADObject PowerShell Command to get the Distinguished Name
To get an AD object’s distinguished name with the Get-ADObject PowerShell command, follow the steep below:
- Get the object’s sAMAccountName (AD username). Follow the steps in this guide – How To View sAMAccountName, distinguishedName, And Other Attributes With Active Directory Attribute Editor.
- Then, run the command below to use Get-ADObject to get the object’s Distinguished Name.
(Get-ADObject -Filter {samaccountname -eq "ARaj"}).DistinguishedNameThe command displays the Distinguished Name of the object.
2. Count The Number of Items Returned by the Get-ADObject PowerShell Command
Counting the objects returned by the Get-ADObject command is pretty simple. When you run the Get-ADObject command, it has a property called, PropertyCount.
So, to count the number of items in the Get-ADObject command result, wrap the command in (), followed by a period and the word PropertyCount.
Here is an example. The command below returns ALL the attributes of an AD user with the username, ARaj.
Get-ADUser ARaj -Properties * | select *
I have highlighted the PropertyCount property of the command. As you can see, the command returned 105 results.
However, to return the count of the items without displaying any other item, modify the last command as shown below:
(Get-ADUser ARaj -Properties * | select *).PropertyCount
3. Find AD Object SID with the Get-ADObject PowerShell Command
The Get-ADObject has a property called objectSid. This is what most people call SID. Unfortunately, the default Get-ADObject command does not return the objectSid.
Here is a sample Get-ADObject command…
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"}And here are the results. As you can see from the screenshot, the result does not include the objectSid.
To include the objectSid property, include the -Properties parameter of the Get-ADObject command. Then, specify objectSid as the property to include.
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties objectSidNow the command returns the objectSid property.
You can make the result look even better by returning essential properties, including objectSid. Here is a sample command that returns the following properties – Name, sAMAccountName, and objectSid.
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties objectSid,sAMAccountName | Select-Object Name, sAMAccountName, objectSid
Finally, if you want to sort the result by objectSid, pipe the result of the last command to the Sort-Object -command. Then, use the -Property parameter of Sort-Object to specify objectSid.
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties objectSid,sAMAccountName | Select-Object Name, sAMAccountName, objectSid | Sort-Object -Property objectSid4. Sort the Result of the Get-ADObject PowerShell Command by GUID
When you run the Get-ADObject PowerShell command, it returns the ObjectGUID property by default. So, to sort the objects by ObjectGUID, pipe the result of Get-ADObject to Sort-Object and order by ObjectGUID.
Here is a sample command…
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties sAMAccountName | Select-Object Name,sAMAccountName,ObjectGUID | Sort-Object -Property ObjectGUID
5. Find AD Object’s Creation Date with the Get-ADObject PowerShell Command
In one of my examples earlier in this section, I mentioned that the Get-ADObject command does not return an AD object’s objectSid by default. Similarly, the Get-ADObject command does not return an AD object’s creation date (known as “Created”).
So, to return an object’s creation date, include the -Properties parameter of the Get-ADObject command and specify Created. The first command below does not include the -Properties parameter of the Get-ADObject command.
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"}
As I mentioned earlier, to include the creation date (the Created property) in the result, modify the command as shown below:
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties CreatedThe last command includes the creation date (the Created property) in the result, but the result is not displayed in a table. To display the result in a table, pipe the last command to the Format-Table command.
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties Created | Format-TableThe screenshot below shows the results of the three commands. The creation date (the Created property) is in the first column of the result of the last command.
6. Find All Properties of an AD Object with the Get-ADObject PowerShell Command
As I have mentioned more than once in this article, when you run the Get-ADObject command without its –Properties parameter, the command does not return all properties.
To return all properties of an AD object with the Get-ADObject PowerShell command, include the –Properties parameter. Then, specify the asterisk’s wildcard.
Here is a sample command that returns ALL the properties of an AD user with sAMAccountName, ARaj.
Get-ADUser ARaj -Properties *
Here is the result of the command in PowerShell…
7. Find AD Object’s Class with the Get-ADObject PowerShell Command
In the last example, I showed you how to return all the properties of an AD object using the Get-ADObject -Properties parameter. You can use this principle to include the class of an AD object in the result of the Get-ADObject command.
To illustrate this, I’ll use the command below:
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -Properties ObjectClassThe command includes the ObjectClass property using the -Properties parameter of the Get-ADObject command. Here is the screenshot showing the result of the command.
8. Find Deleted Objects in Active Directory with the Get-ADObject PowerShell Command
By default, the Get-ADObject command does not include deleted objects in the result.
If you read this article from the beginning, you would have read in the syntaxes and parameters section that the Get-ADObject command has a parameter called IncludeDeletedObjects. For example, when I run the command below, it will not include a user I just deleted from my staging Active Directory domain.
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"}So, to include deleted objects in the result of the Get-ADObject command, include the IncludeDeletedObjects parameter.
Get-ADObject -SearchBase "DC=itechguides,DC=local" -Filter {ObjectClass -eq "user"} -IncludeDeletedObjectsWhen I run the Get-ADObject command with the IncludeDeletedObjects parameter, the command includes a property called Deleted. If this property returns True, it means that the AD object is deleted.
So, I can decide to return only deleted objects by filtering using the Deleted property. The modified command below does the magic.
Get-ADObject -SearchBase "DC=itechguides,DC=local" -Filter {(ObjectClass -eq "user") -and (Deleted -eq $true)} -IncludeDeletedObjects
9. Get AD Computer Object Description with the Get-ADObject PowerShell Command
The command below returns information about all computers in my domain with DN “DC=itechguides,DC=local” – including the Description.
Get-ADObject -SearchBase "DC=itechguides,DC=local" -Filter {ObjectClass -eq "Computer"} -Properties DescriptionHere is the result in PowerShell.
To make the result even look better, I can use the PowerShell command below to get all AD computer names and their description in my domain, “DC=itechguides,DC=local”.
Get-ADObject -SearchBase "DC=itechguides,DC=local" -Filter {ObjectClass -eq "Computer"} -Properties Description | Select-Object Name, DescriptionThe command returns the name and description of all computers in the domain. If you want the Get-ADObject command to search another Ad container, change “DC=itechguides,DC=local” (the -SearchBase parameter) to the DN of the AD container.
10. Get AD Objects in an OU with the Get-ADObject PowerShell Command
To get all users and computers in an OU, run the Get-ADObject command with the -SearchBase parameter. Then, specify the OU’s distinguishedName as the SearchBase.
In the example, I want to return all users and computers in the OU with DN, “OU=Writers,DC=itechguides,DC=local”:
Get-ADObject -SearchBase "OU=Writers,DC=itechguides,DC=local" -Filter {(ObjectClass -eq "user") -or (ObjectClass -eq "Computer")} The command returns one computer object and three user objects.
Frequently Asked Questions
An AD Object is any resource in an Active Directory forest, such as users, computers, or Organizational Units.
PowerShell has multiple cmdlets you can use to get information about Active Directory objects. For example, to get information about AD users, use the Get-ADUser cmdlet.
However, to get information about AD computers, you use the Get-ADComputer. Additionally, you can use the Get-ADGroup cmdlet to get information about AD groups.
Finally, you can use the Get-ADObject command to get information about any Active Directory object.
The Get-ADComputer cmdlet belongs to the Active Directory PowerShell module.
An LDAP Objectclass defines a collection of attributes that can be used to define a directory entry. Some common examples of Objectclass are user, or computer.
To install RSAT on Windows 10, follow the steps in our guide – Active Directory Windows 10: How to Enable RSAT for AD in Windows 10.
Conclusion
If you’re an Active Directory SysAdmin, the Get-ADObject cmdlet is arguably your most-used PowerShell command. I say that because the Get-ADObject command can return information about any Ad object.
So, instead of running object-specific cmdlets like the Get-ADUser and the Get-ADComputer, you can use Get-ADObject.
So, based on the importance of the Get-ADObject command, I spent time covering every aspect of this all-important PowerShell cmdlet in this article.
As I refresher on what I discussed in this guide, I started with an overview of this cmdlet. Then, I discussed the syntax and parameters, followed by 10 examples and applications.
I hope you found the article helpful. If you did, click on “Yes” beside the “Was this page helpful” question below.
You may also express your thoughts and opinions by using the “Leave a Comment” form at the bottom of this page.
Finally, to expand your Active Directory or PowerShell skills, visit our Active Directory Guides or Windows PowerShell Explained pages.
