In PowerShell, we must import the `ActiveDirectory` module before we can use the `Get-ADUser` cmdlet. If you have already imported it, you can jump to the Checking If AD User Exists in PowerShell section; otherwise, follow the steps below.
Installing the ActiveDirectory Module
To import the `ActiveDirectory` module, we first need to install it, which takes the following steps:
Install Remote Server Administration Tools (RSAT)
We need to install RSAT on the workstation (client) editions of Windows; otherwise, we get an error saying that `Get-AD*` is not recognized. It is not required on the server editions because the module is already available there. How the RSAT package is installed depends on the Windows 10 version.
RSAT For Windows Variant
If we are using Microsoft Windows 10 before build 1809, we need to download the RSAT package from Microsoft manually and install it. Choose the version that matches your operating system and architecture (32-bit or 64-bit).
Once it is installed, follow the steps below to verify:
- Open `Control Panel`.
- Go to `Programs and Features`.
- Hit `Turn Windows Features on or off`; you can see it on the left side of the `Programs and Features` window opened in the previous step.
- In the `Windows Features` window, expand Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools and ensure that `Active Directory Module for Windows PowerShell` is checked; it is selected by default.
On Microsoft Windows 10 build 1809 and later, we don't need to download anything because the tools are available as optional features. Instead, we run the `Add-WindowsCapability` cmdlet, as shown below, to enable them.
```powershell
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0
```
We are now ready to import the `ActiveDirectory` module on this version of Windows. If you don't know your Windows version, press Windows + R, type `winver`, and hit Enter; the window that opens shows the version of the Windows operating system.
RSAT for Windows Server 2008 R2 and Later
Execute the following commands to make `RSAT-AD-PowerShell` available in PowerShell.
```powershell
Import-Module ServerManager
Install-WindowsFeature -Name RSAT-AD-PowerShell
```
Ensure you run the above commands on the server; otherwise, you get an error saying that the target of the specified cmdlet cannot be a Windows client-based operating system.
It is better to restart the machine after installing RSAT, on both the workstation and server variants.
Import the ActiveDirectory Module
Use the following command to import the Active Directory module in PowerShell.
```powershell
Import-Module ActiveDirectory
```
If everything is in place, the above command completes without any error, and you can now use the `AD` cmdlets in PowerShell. After importing the Active Directory module, don't forget to join your Windows PC to the domain and log in with an `AD` user account. Remember, you can use the `systeminfo` command to find your `Domain`.
Checking If AD User Exists in PowerShell
Use the `Get-ADUser` cmdlet with the `-Identity` parameter in PowerShell.
```powershell
$username = "john"
# Get-ADUser throws a terminating error when the identity is not found,
# so the else branch is only reached if a different object comes back.
$user = Get-ADUser -Identity $username
If ($user.SamAccountName -eq $username) {
    Write-Host "'$username' exists."
} else {
    Write-Host "'$username' does not exist."
}
```
```text
john exists
```
Use `Get-ADUser` with the `-Identity` and `-Properties` parameters to get all the properties of the specified `AD` user in PowerShell.
```powershell
Get-ADUser -Identity john -Properties *
```
```text
DistinguishedName : CN=John Williomson,OU=Writing,DC=Test,DC=local
Enabled           : False
GivenName         : John
Name              : John Williomson
ObjectClass       : user
ObjectGUID        : b98fd0c4-3d5d-4219-8245-b04145d6a0db
SamAccountName    : john
...
...
...
...
```
Use the `Get-ADUser` cmdlet with the `-Filter` parameter to get multiple user objects in PowerShell.
```powershell
Get-ADUser -Filter "Name -like '*ser*'"
```
```text
DistinguishedName : CN=UserOne,OU=SEO,DC=TestOne,DC=local
Enabled           : False
GivenName         : UserOne
Name              : UserOne
ObjectClass       : user
...
...
...
...
...
...

DistinguishedName : CN=User One,CN=Users,DC=TestOne,DC=local
Enabled           : True
GivenName         : UserOne
Name              : User One
ObjectClass       : user
...
...
...
...
...
...
```
In the examples above, we used the `Get-ADUser` cmdlet to retrieve a particular user object or to search for multiple user objects. The `-Identity` parameter specifies which `AD` user (Active Directory user) to get. Note that a user can be identified in several ways, including the `DistinguishedName` (DN), `ObjectGUID`, `SamAccountName` (SAM, security account manager), and `SID` (security identifier). We can also pass a user object to the `-Identity` parameter through the pipeline or set it to a variable holding a user object; for instance, `-Identity $yourLocalUserObjectName`.
To get multiple user objects, we used the `-Filter` parameter to select every user object whose `Name` property matches the specified pattern, which was `*ser*` (the `*` wildcard denotes any number of characters). Alternatively, we can use the `-LDAPFilter` parameter to retrieve multiple user objects.
If both `-Filter` and `-LDAPFilter` retrieve multiple user objects, what is the difference between them? `-Filter` takes a query string written in the PowerShell Expression Language, which the cmdlet translates into an Active Directory query; `-LDAPFilter` takes the same query written directly in LDAP (Lightweight Directory Access Protocol) search filter syntax, which is useful when you already have an LDAP filter or need a feature the PowerShell filter syntax does not expose.
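As an added example (not code from the original article), the function below searches for users by a name fragment, as the `-Filter` example above does, but builds the query with `-LDAPFilter` and escapes the fragment first. Without escaping, a fragment containing `*`, `(`, `)` or `\` is interpreted as filter syntax rather than as text to match: a fragment of just `*` would match every user, whereas the escaped form matches only names containing a literal asterisk. The function names are this example's own.

```powershell
Import-Module ActiveDirectory

function ConvertTo-LdapFilterLiteral {
    # Escape the characters that have special meaning inside an LDAP search
    # filter (RFC 4515) so that the value matches only itself. The backslash
    # is handled first so the escapes it introduces are not escaped again.
    param([Parameter(Mandatory)][string]$Value)

    $escaped = $Value   -replace '\\',   '\5c'
    $escaped = $escaped -replace '\*',   '\2a'
    $escaped = $escaped -replace '\(',   '\28'
    $escaped = $escaped -replace '\)',   '\29'
    $escaped = $escaped -replace '\x00', '\00'
    return $escaped
}

function Find-ADUserByNameFragment {
    # Return the users whose Name contains $Fragment literally. The only
    # wildcards in the filter are the two this function adds itself.
    param(
        [Parameter(Mandatory)][string]$Fragment,
        [string]$Server    # optional: query a specific domain controller
    )

    $literal = ConvertTo-LdapFilterLiteral -Value $Fragment
    $query = @{ LDAPFilter = "(name=*$literal*)" }
    if ($Server) { $query['Server'] = $Server }

    Get-ADUser @query | Select-Object Name, SamAccountName, Enabled
}

# Constructed inputs: the first is an ordinary search; the second would
# widen the query to every user if it were pasted into the filter unescaped.
Find-ADUserByNameFragment -Fragment 'ser'
Find-ADUserByNameFragment -Fragment '*'
```

The same concern applies to `-Filter` when the pattern is assembled by string concatenation; the LDAP form is used here because its escaping rules are fixed by RFC 4515 and easy to apply in one place.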
Use the `Get-ADUser` cmdlet inside a `try`-`catch` block to handle exceptions if any occur. See the following example.
```powershell
$UserName = "RandomName"
# Get-ADUser throws if the identity is not found; the catch turns that into $null.
$User = $(try { Get-ADUser -Identity $UserName } catch { $null })
If ($User -ne $Null) {
    echo "The specified user exists in the active directory."
} Else {
    echo "The specified user does not exist in the active directory."
}
```
```text
The specified user does not exist in the active directory.
```
Note that you can use the array operator to create an array of usernames and then use a `foreach` loop to iterate over it, checking for every element whether it exists in the Active Directory.
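As an added example (not the article's code), the function below applies the `try`-`catch` approach to an array of names, as the note above suggests, and also separates two outcomes that the single `catch { $null }` above folds together: the account really does not exist (`ADIdentityNotFoundException`), and the lookup itself failed (ADWS unreachable, wrong `-Server`, no permission). Treating a failed lookup as "does not exist" is what lets a provisioning or cleanup script act on a wrong assumption, so the function reports it separately. The function name and the sample names are this example's own.

```powershell
Import-Module ActiveDirectory

function Test-ADUserExists {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)][string[]]$Identity,
        [string]$Server    # optional: query a specific domain controller
    )
    process {
        foreach ($name in $Identity) {
            # -ErrorAction Stop makes every failure catchable, not just
            # the not-found case.
            $lookup = @{ Identity = $name; ErrorAction = 'Stop' }
            if ($Server) { $lookup['Server'] = $Server }

            try {
                $user = Get-ADUser @lookup
                [pscustomobject]@{
                    Identity       = $name
                    Exists         = $true
                    Status         = 'Found'
                    SamAccountName = $user.SamAccountName
                    Enabled        = $user.Enabled
                }
            }
            catch [Microsoft.ActiveDirectory.Management.ADIdentityNotFoundException] {
                # The directory answered and has no such object.
                [pscustomobject]@{
                    Identity       = $name
                    Exists         = $false
                    Status         = 'NotFound'
                    SamAccountName = $null
                    Enabled        = $null
                }
            }
            catch {
                # Anything else (no ADWS, bad server name, access denied):
                # the answer is unknown, not "does not exist".
                [pscustomobject]@{
                    Identity       = $name
                    Exists         = $null
                    Status         = "Error: $($_.Exception.Message)"
                    SamAccountName = $null
                    Enabled        = $null
                }
            }
        }
    }
}

# Constructed list of names to check; replace with the accounts you care about.
$names = @('john', 'RandomName', 'svc-backup')

$results = $names | Test-ADUserExists
$results | Format-Table -AutoSize

# Report lookups that could not be completed instead of silently skipping them.
$unverified = $results | Where-Object { $null -eq $_.Exists }
if ($unverified) {
    Write-Warning ("Could not verify: " + ($unverified.Identity -join ', '))
}
```

Because the function emits one object per name, the results can be filtered or exported like any other PowerShell output; `Exists` is `$true`, `$false`, or `$null` for found, not found, and unknown respectively.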
Some Important Points
Following are a few points you may need while checking whether an `AD` user exists in PowerShell:
Can't Run Get-ADUser in PowerShell
You may not be able to run this cmdlet if any of the following problems occur:
- The Active Directory module is not loaded. Note that `Get-ADUser` is part of the `ActiveDirectory` module, which is not loaded in PowerShell by default. Import it with `Import-Module ActiveDirectory` to load it.
- You are not running PowerShell as an Administrator.
- You may have specified incorrect parameters or used incorrect syntax.
ActiveDirectory Wasn't Loaded Because No Valid Module File Was Found
For this, you need to ensure the following:
- You have downloaded and installed the correct version of Remote Server Administration Tools (RSAT).
- Once RSAT is installed, enable the `ActiveDirectory` module by importing it via the `Import-Module` cmdlet.
- Restart your machine and rerun the command if you still have the same issue.
- If you are still facing this problem, re-check the PowerShell execution policy and ensure you have installed the correct version of RSAT.
Unable to Find the Default Server with ADWS Running
You may encounter this if:
- Your Active Directory Web Services (ADWS) service is not running on the domain controller. To check it, open `services.msc` on the domain controller and ensure the `Status` is `Running` for Active Directory Web Services.
- You are not connected to a network.
- Your DNS settings are incorrect. Confirm that the DNS settings of your computer are configured correctly and that the hostname of the domain controller resolves to the correct IP address.
- You have not specified the correct domain controller. This can happen if you are working with multiple domain controllers. Re-check and confirm that you have used the following command correctly:
```powershell
Get-ADUser -Server <domain controller name or IP address> -Identity <username>
```
You can use the `systeminfo` command in PowerShell to check your domain.
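The checks in the list above can be scripted. As an added example (not from the article), the function below runs them against one domain controller: DNS resolution, whether the ADWS port (TCP 9389) answers, the state of the ADWS service, and whether that server returns the domain object. It assumes Windows PowerShell 5.1 on a domain-joined machine (`Get-Service -ComputerName` is not available in PowerShell 7); the function name and the sample host name `dc01.test.local` are this example's own.

```powershell
Import-Module ActiveDirectory

function Test-ADWSReachability {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$DomainController)

    $report = [ordered]@{ DomainController = $DomainController }

    # 1. DNS: the name must resolve, and to the address you expect.
    try {
        $addr = [System.Net.Dns]::GetHostAddresses($DomainController) | Select-Object -First 1
        $report['ResolvesTo'] = $addr.ToString()
    } catch {
        $report['ResolvesTo'] = "DNS failure: $($_.Exception.Message)"
    }

    # 2. Network: ADWS listens on TCP 9389. A closed port means the service
    #    is down, a firewall is in the way, or you reached the wrong host.
    $tcp = Test-NetConnection -ComputerName $DomainController -Port 9389 -WarningAction SilentlyContinue
    $report['Adws9389Open'] = $tcp.TcpTestSucceeded

    # 3. Service: the ADWS service itself; needs rights to query the DC remotely.
    try {
        $svc = Get-Service -Name ADWS -ComputerName $DomainController -ErrorAction Stop
        $report['AdwsService'] = $svc.Status.ToString()
    } catch {
        $report['AdwsService'] = "Not queried: $($_.Exception.Message)"
    }

    # 4. Module level: ask that specific DC for the domain object, the same
    #    path Get-ADUser -Server takes.
    try {
        $domain = Get-ADDomain -Server $DomainController -ErrorAction Stop
        $report['Domain'] = $domain.DNSRoot
    } catch {
        $report['Domain'] = "Get-ADDomain failed: $($_.Exception.Message)"
    }

    [pscustomobject]$report
}

# Constructed host name; use your own domain controller here.
Test-ADWSReachability -DomainController 'dc01.test.local' | Format-List
```

Read the output top to bottom: a DNS failure explains everything below it, a closed port with the service reported as `Running` points at a firewall or a wrong host, and a successful `Get-ADDomain` means `Get-ADUser -Server` against that controller should work too.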
Active Directory Web Services Service Not Found in services.msc
Active Directory Web Services (ADWS) is not installed by default on every version of Windows Server. If it is not installed on your domain controller or server, you cannot locate it in `services.msc`. To fix this:
- Open Server Manager by searching for it in the Windows search bar.
- Add the AD DS and AD LDS Tools feature in Server Manager. To do this:
  - Click `Manage` and choose `Add Roles and Features`. Then, click `Next` in the wizard until you reach the `Features` section.
  - Expand `Remote Server Administration Tools -> Role Administration Tools`. Then, check the `AD DS and AD LDS Tools` check box and hit `Next` to install it.
- Now, confirm that ADWS is available in `services.msc`; if the issue persists, restart the server or domain controller.
Can’t Find Server Manager Console
You may not be able to find the Server Manager console if it isn't installed on your Windows Server OS. In that case, install the AD DS and AD LDS Tools feature, which includes ADWS, from PowerShell:
- Open PowerShell as an administrator and run `Install-WindowsFeature RSAT-AD-Tools` to install the AD DS and AD LDS Tools feature. This installs the RSAT feature that contains the AD DS and AD LDS Tools.
- Now, open `services.msc` and verify that ADWS is installed. If you cannot locate ADWS, restart the domain controller or server.
That's all about how to check if an AD user exists in PowerShell.