Weekend Scripter: Explore AD DS Attributes with PowerShell

Doctor Scripto

Summary: Microsoft Scripting Guy, Ed Wilson, talks about using Windows PowerShell to discover the names of attributes in Active Directory Domain Services.

Microsoft Scripting Guy, Ed Wilson, is here. One of the great things about writing a blog is the comments I receive. Most of the time the comments add illuminating information, express thanks for a topic, or offer thoughts to contemplate further exploration. Today’s blog is a result of one of those comments. Thomas Brevig offered a way to find the name of an attribute in Active Directory Domain Services (AD DS) if he knew the value of the attribute. I thought the technique was great, and it showed that by piping Windows PowerShell pieces together, powerful solutions are easily built.

But I decided to see if I could find a different way to perform the search. The trick is that I access the underlying PSObject. So, the first thing I do is grab a user object with which I am interested in working. For this, I use the Get-ADUser cmdlet from the Active Directory module, and I choose all of the properties from the object. This command is shown here.

$user = get-aduser -filter “name -eq ‘ed wilson'” -Properties *

If I use the Get-Member cmdlet to look at the user object stored in the $user variable the PSObject property does not appear. To see this, I must add the Force parameter to the Get-Member command. This technique is shown here.

$user | gm –Force

The command and its associated output are shown in the image that follows.

Image of command output

Now, I access the PSObject property directly from the user object as shown here.

PS C:\> $user.psobject


Members             : {AccountExpirationDate, accountExpires, AccountLockoutTime,


Properties          : {AccountExpirationDate, accountExpires, AccountLockoutTime,


Methods             : {string get_GivenName(), void set_GivenName(string value),

                      string get_Surname(), void set_Surname(string value)…}

ImmediateBaseObject : CN=ed wilson,OU=Charlotte,DC=iammred,DC=net

BaseObject          : CN=ed wilson,OU=Charlotte,DC=iammred,DC=net

TypeNames           : {Microsoft.ActiveDirectory.Management.ADUser,




I access the Properties of the PSObject directly, and I get back a bunch of information about each of the properties stored in the collection. The command is shown here.


The command and its associated output are shown in the following image.

Image of command output

This lets me know that the attribute name appears in the Name property and the value in the Value property. By using this information, I come up with the following command.

PS C:\> $user.psobject.Properties | ? value -match ‘charlotte’ | select name, value


Name                                       Value

—-                                       —–

CanonicalName                              iammred.net/Charlotte/ed wilson

City                                       Charlotte

DistinguishedName                          CN=ed wilson,OU=Charlotte,DC=iammred,D…

l                                          Charlotte

Office                                     Charlotte office

physicalDeliveryOfficeName                 Charlotte office

If I am doing this in Windows PowerShell 2.0, I would not use the simplified Where-Object syntax. Instead, the command would appear as:

$user.psobject.Properties | ? {$_.value -match ‘charlotte’} | select name, value

I invite you to follow me on Twitter and Facebook. If you have any questions, send email to me at scripter@microsoft.com, or post your questions on the Official Scripting Guys Forum. See you tomorrow. Until then, peace.

Ed Wilson, Microsoft Scripting Guy


Discussion is closed.

Feedback usabilla icon