Active Directory: PowerShell AD Module Properties

Each of the PowerShell Active Directory module cmdlets, like Get-ADUser and Get-ADComputer, displays a default set of properties for all objects retrieved. You can specify other properties with the -Properties parameter, but the default set will always be included. There is another set of extended properties that can be specified. In addition, any Active Directory attribute appropriate to the class of objects can be included by specifying the LDAPDisplayName of the attribute in the -Properties parameter.

Both the default and extended properties are really methods. They return values based on the actual Active Directory attributes of the objects, converted in many cases for display. This article defines the different types of properties and documents the default properties for many of the cmdlets that come with the Active Directory module in PowerShell Version 2.0. This article does not document the Active Directory attributes that apply to each class of object.


Properties Parameter

Most of the Get-AD* cmdlets support the -Properties parameter. If the -Properties parameter is not included, only the default properties are retrieved. With this parameter you can specify default properties, extended properties, or the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. Many, but not all, of these properties and attributes can also be assigned values using the corresponding Set-AD* cmdlet.


Default Properties

For convenience, the Active Directory Get-AD* cmdlets always return a default set of properties. In many cases these correspond to mandatory attributes so they will always have values. These property names do not always match the LDAPDisplayName of the corresponding Active Directory attribute. For example, the SID property is in the default set for Get-ADUser and Get-ADComputer, but there is no such attribute in Active Directory. The SID property will be the value of the objectSID attribute, which is a byte array, converted into the familiar string format.


Extended Properties

Many Active Directory Get-AD* cmdlets also support extended properties. These are only retrieved if they are specified in the -Properties parameter of the cmdlet. Many extended properties can also be assigned values using the corresponding Set-AD* cmdlet. Again, the names of these properties may or may not match the LDAPDisplayName of the corresponding Active Directory attribute.


Active Directory Attributes

In addition, you can use the -Properties parameter to specify the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. If the attribute value cannot be displayed, such as nTSecurityDescriptor, then the class definition is displayed. If you attempt to retrieve the tokenGroups attribute (a multi-valued operational attribute that is an array of group SID values) an error is raised. Also, if you request an Active Directory attribute, and the object retrieved has no value for that attribute, then the attribute will not be included in the results. This differs from the behavior when you request an extended property. In that case, if the object retrieved has no value assigned to the extended property, it will be shown with a blank (missing) value.

If you specify -Properties *, the Get-AD* cmdlets that support this parameter will retrieve all default and extended attributes, whether or not they have values, plus all Active Directory attributes that have values, plus the isDeleted attribute. However, if you specify the isDeleted attribute in the -Properties parameter, this attribute is not included in the results unless it has a value. For this reason (and because the initial letter in the name is displayed in lower case), the author considers isDeleted to not be an extended property.

When you specify -Properties * with any Get-AD* cmdlet, if the initial letter of any property name is upper case, it is either a default or extended property. If the initial letter is lower case, the property corresponds to an Active Directory attribute.


Base Properties

All of the Get-AD* and Search-AD* cmdlets also provide two base properties.

Property       Syntax          Description
propertyCount  32-bit integer  The number of properties retrieved for the object
propertyNames  collection      The names of the properties retrieved for the object

These two base properties are themselves not included in the count or collection of names. Base properties are original properties of the .NET Framework object, as defined for the object class. These two properties are not included when you display the object, but you can always retrieve their values explicitly.

The values of these two properties do not need to be the same for all objects retrieved by the cmdlet. As noted above, Active Directory attributes are only retrieved if they have a value assigned to the object in AD. Default and any extended properties requested in the -Properties parameter are always included in the collection. Finally, note that the Get-Member cmdlet does not reveal base properties unless you use the -Force parameter.
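The following is an added example, not code from the original article, that ties the two previous sections together: it classifies the names returned by Get-ADUser -Properties * using the upper-case/lower-case rule given under "Active Directory Attributes", reads the two base properties propertyCount and propertyNames, and contrasts an empty extended property with an empty attribute. It assumes the ActiveDirectory module (RSAT) in a domain-joined session; 'jsmith' is a placeholder sAMAccountName, and employeeType is assumed to be an attribute with no value on that account.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module in a domain-joined session; 'jsmith' is a placeholder account and
# employeeType is assumed to be empty on it.
Import-Module ActiveDirectory

function Get-ADPropertyClassification {
    param(
        [Parameter(Mandatory)]
        [string]$Identity
    )

    # -Properties * returns every default and extended property (present even
    # when empty) plus every AD attribute that actually has a value.
    $user = Get-ADUser -Identity $Identity -Properties *

    $classified = foreach ($name in $user.propertyNames) {
        # Rule from the article: an upper-case initial marks a default or
        # extended property; a lower-case initial is the LDAPDisplayName of
        # an Active Directory attribute.
        $kind = if ([char]::IsUpper($name[0])) { 'Default/Extended' } else { 'AD attribute' }
        [pscustomobject]@{
            Property = $name
            Kind     = $kind
            HasValue = ($null -ne $user.$name)
        }
    }

    # The base properties describe the collection but are not counted in it.
    [pscustomobject]@{
        Identity      = $Identity
        PropertyCount = $user.propertyCount
        NameCount     = $user.propertyNames.Count   # same number as PropertyCount
        Classified    = $classified
    }
}

$report = Get-ADPropertyClassification -Identity 'jsmith'
'{0}: {1} properties retrieved' -f $report.Identity, $report.PropertyCount
$report.Classified | Sort-Object Kind, Property | Format-Table -AutoSize

# Extended property vs. attribute when the object has no value: Department
# (extended) is still listed, blank; employeeType (attribute) is left out of
# propertyNames altogether.
$u = Get-ADUser -Identity 'jsmith' -Properties Department, employeeType
'Department in propertyNames  : {0}' -f ($u.propertyNames -contains 'Department')
'employeeType in propertyNames: {0}' -f ($u.propertyNames -contains 'employeeType')

# Get-Member hides the base properties unless -Force is used.
$u | Get-Member -Force -Name propertyCount, propertyNames
```

Because propertyNames lists only what was actually retrieved, comparing its contents across several accounts is a quick way to see which optional attributes are populated in a given directory before building a report or a detection query on them.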


Get-ADUser

The default properties retrieved by the Get-ADUser cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property           Syntax        R/RW  lDAPDisplayName
DistinguishedName  String (DN)   R     distinguishedName
Enabled            Boolean       RW    userAccountControl (bit mask Not 2)
GivenName          String        RW    givenName
Name               String        R     cn (Relative Distinguished Name)
ObjectClass        String        R     objectClass, most specific value
ObjectGUID         Guid          R     objectGUID converted to string
SamAccountName     String        RW    sAMAccountName
SID                Sid           R     objectSID converted to string
Surname            String        RW    sn
UserPrincipalName  String        RW    userPrincipalName

The default and extended properties retrieved by the Get-ADUser cmdlet are documented in the following Wiki article:
Active Directory: Get-ADUser Default and Extended Properties


Get-ADComputer

The default properties retrieved by the Get-ADComputer cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property           Syntax        R/RW  lDAPDisplayName
DistinguishedName  String (DN)   R     distinguishedName
DNSHostName        String        RW    dNSHostName
Enabled            Boolean       RW    userAccountControl (bit mask Not 2)
Name               String        R     cn (Relative Distinguished Name)
ObjectClass        String        R     objectClass, most specific value
ObjectGUID         Guid          R     objectGUID converted to string
SamAccountName     String        RW    sAMAccountName
SID                Sid           R     objectSID converted to string
UserPrincipalName  String        RW    userPrincipalName

The default and extended properties retrieved by the Get-ADComputer cmdlet are documented in the following Wiki article:
Active Directory: Get-ADComputer Default and Extended Properties


Get-ADGroup

The default properties retrieved by the Get-ADGroup cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property           Syntax        R/RW  lDAPDisplayName
DistinguishedName  String (DN)   R     distinguishedName
GroupCategory      String        RW    groupType (bit mask 2147483648)
GroupScope         String        RW    groupType (bit mask 1, 2, 4, or 8)
Name               String        R     cn (Relative Distinguished Name)
ObjectClass        String        R     objectClass, most specific value
ObjectGUID         Guid          R     objectGUID converted to string
SamAccountName     String        RW    sAMAccountName
SID                Sid           R     objectSID converted to string

The default and extended properties retrieved by the Get-ADGroup cmdlet are documented in the following Wiki article:
Active Directory: Get-ADGroup Default and Extended Properties


Get-ADObject

The default properties retrieved by the Get-ADObject cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property           Syntax        R/RW  lDAPDisplayName
DistinguishedName  String (DN)   R     distinguishedName
Name               String        R     name (Relative Distinguished Name)
ObjectClass        String        R     objectClass, most specific value
ObjectGUID         Guid          R     objectGUID converted to string

The default and extended properties retrieved by the Get-ADObject cmdlet are documented in the following Wiki article:
Active Directory: Get-ADObject Default and Extended Properties


Get-ADOrganizationalUnit

The default properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property                  Syntax        R/RW  lDAPDisplayName
City                      String        RW    l
Country                   String        RW    c (2 character abbreviation)
DistinguishedName         String (DN)   R     distinguishedName
LinkedGroupPolicyObjects  ADCollection  R     gPLink
ManagedBy                 String (DN)   RW    managedBy
Name                      String        R     ou (Relative Distinguished Name)
ObjectClass               String        R     objectClass, most specific value
ObjectGUID                Guid          R     objectGUID converted to string
PostalCode                String        RW    postalCode
State                     String        RW    st
StreetAddress             String        RW    streetAddress

The default and extended properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented in the following Wiki article:
Active Directory: Get-ADOrganizationalUnit Default and Extended Properties


Get-ADGroupMember

The default properties retrieved by the Get-ADGroupMember cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property           Syntax        R/RW  lDAPDisplayName
DistinguishedName  String (DN)   R     distinguishedName
Name               String        R     cn (Relative Distinguished Name)
ObjectClass        String        R     objectClass, most specific value
ObjectGUID         Guid          R     objectGUID converted to string
SamAccountName     String        RW    sAMAccountName
SID                Sid           R     objectSID converted to string

The Get-ADGroupMember cmdlet does not expose any extended properties, and does not support the -Properties parameter.
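Because Get-ADGroupMember returns only the default set above and has no -Properties parameter, the usual way to see extended properties of members is to hand each member to the cmdlet for its own object class. The function below is an added example, not code from the original article; it assumes the ActiveDirectory module in a domain-joined session, and uses the built-in group 'Domain Admins' as a representative group to review.

```powershell
# Added example (not from the original article). Assumes the ActiveDirectory
# module in a domain-joined session; 'Domain Admins' is a representative group.
Import-Module ActiveDirectory

function Get-GroupMemberReport {
    param(
        [Parameter(Mandatory)]
        [string]$GroupName,
        [switch]$Recursive
    )

    # Members come back with only DistinguishedName, Name, ObjectClass,
    # ObjectGUID, SamAccountName and SID (see the table above).
    $members = Get-ADGroupMember -Identity $GroupName -Recursive:$Recursive

    foreach ($m in $members) {
        switch ($m.ObjectClass) {
            'user' {
                # LastLogonDate and PasswordLastSet are extended properties
                # of Get-ADUser, so they must be requested explicitly.
                $o = Get-ADUser -Identity $m.DistinguishedName -Properties LastLogonDate, PasswordLastSet
            }
            'computer' {
                $o = Get-ADComputer -Identity $m.DistinguishedName -Properties LastLogonDate, PasswordLastSet
            }
            default {
                # Nested groups (returned only without -Recursive) and any
                # other class: Get-ADObject accepts any AD attribute name.
                $o = Get-ADObject -Identity $m.DistinguishedName -Properties whenChanged
            }
        }

        [pscustomobject]@{
            Group           = $GroupName
            SamAccountName  = $m.SamAccountName
            ObjectClass     = $m.ObjectClass
            Enabled         = $o.Enabled          # $null for groups, which have no Enabled
            LastLogonDate   = $o.LastLogonDate
            PasswordLastSet = $o.PasswordLastSet
            WhenChanged     = $o.whenChanged
        }
    }
}

Get-GroupMemberReport -GroupName 'Domain Admins' -Recursive |
    Sort-Object ObjectClass, SamAccountName |
    Format-Table -AutoSize
```

Reviewing a privileged group this way (disabled accounts still holding membership, members that have not logged on for a long time, stale password dates) is a routine access-review check that the default member list alone cannot answer.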


Get-ADForest

The default properties retrieved by the Get-ADForest cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.

Property               Syntax        R/RW  lDAPDisplayName
ApplicationPartitions  ADCollection  R     DN's of Application NC's
CrossForestReferences  ADCollection  R     DN's of crossRef objects
DomainNamingMaster     String        R     fSMORoleOwner of crossRefContainer object
Domains                ADCollection  R     DNS names of domains
ForestMode             String        RW    msDS-Behavior-Version of crossRefContainer object
GlobalCatalogs         ADCollection  R     DNS names of GC's
Name                   String        R     DNS name of forest
PartitionsContainer    String (DN)   R     DN of crossRefContainer object
RootDomain             String        R     DNS name of root domain
SchemaMaster           String        R     fSMORoleOwner of Schema Container
Sites                  ADCollection  R     Names of sites in cn=Sites container
SPNSuffixes            ADCollection  RW    msDS-SPNSuffixes
UPNSuffixes            ADCollection  RW    msDS-UPNSuffixes

The Get-ADForest cmdlet does not expose any extended properties, and does not support the -Properties parameter.


Get-ADDomain

The default properties retrieved by the Get-ADDomain cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.

Property                            Syntax        R/RW  lDAPDisplayName
AllowedDNSSuffixes                  ADCollection  RW    msDS-AllowedDNSSuffixes
ChildDomains                        ADCollection  R     dnsRoot of crossRef objects where trustParent is DN of domain
ComputersContainer                  String (DN)   R     DN of Computers container
DeletedObjectsContainer             String (DN)   R     DN of Deleted Objects container
DistinguishedName                   String (DN)   R     distinguishedName
DNSRoot                             String        R     dnsRoot
DomainControllersContainer          String (DN)   R     DN of Domain Controllers OU
DomainMode                          String        RW    msDS-Behavior-Version of domain NC root object
DomainSID                           Sid           R     objectSID converted to string
ForeignSecurityPrincipalsContainer  String (DN)   R     DN of ForeignSecurityPrincipals container
Forest                              String        R     DNS name of forest
InfrastructureMaster                String        R     fSMORoleOwner of Infrastructure container
LastLogonReplicationInterval        Int64         RW    msDS-LogonTimeSyncInterval
LinkedGroupPolicyObjects            ADCollection  R     gPLink
LostAndFoundContainer               String (DN)   R     DN of LostAndFound container
ManagedBy                           String (DN)   RW    managedBy
Name                                String        R     dc (Relative Distinguished Name)
NetBIOSName                         String        R     nETBIOSName of crossRef object
ObjectClass                         String        R     objectClass, most specific value
ObjectGUID                          Guid          R     objectGUID converted to string
ParentDomain                        String        R     dnsRoot of crossRef object where nCName is trustParent of domain crossRef
PDCEmulator                         String        R     fSMORoleOwner of Domain object
QuotasContainer                     String (DN)   R     DN of NTDS Quotas container
ReadOnlyReplicaDirectoryServers     ADCollection  R
ReplicaDirectoryServers             ADCollection  R
RIDMaster                           String        R     fSMORoleOwner of rIDManager class object
SubordinateReferences               ADCollection  R     subRefs
SystemsContainer                    String (DN)   R     DN of Systems container
UsersContainer                      String (DN)   R     DN of Users container

The Get-ADDomain cmdlet does not expose any extended properties, and does not support the -Properties parameter.


Get-ADDomainController

The default properties retrieved by the Get-ADDomainController cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.

Property                    Syntax        R/RW  lDAPDisplayName
ComputerObjectDN            String (DN)   R     distinguishedName
DefaultPartition            String (DN)   R     DN of default partition
Domain                      String        R     DNS name of domain
Enabled                     Boolean       R     userAccountControl (bit mask Not 2)
Forest                      String        R     DNS name of forest
HostName                    String        R     dNSHostName
InvocationId                Guid          R     invocationID of cn=NTDS Settings object
IPv4Address                 Ip            R/RW
IPv6Address                 Ip            R/RW
IsGlobalCatalog             Boolean       R     options (bit mask 1) of nTDSDSA object
IsReadOnly                  Boolean       R     objectCategory of nTDSDSA object
LdapPort                    Int32         R
Name                        String        R     cn (Relative Distinguished Name)
NTDSSettingsObjectDN        String (DN)   R     DN of NTDS Settings container
OperatingSystem             String        R     operatingSystem
OperatingSystemHotfix       String        R     operatingSystemHotFix
OperatingSystemServicePack  String        R     operatingSystemServicePack
OperatingSystemVersion      String        R     operatingSystemVersion
OperationMasterRoles        ADCollection  R     FSMO roles
Partitions                  ADCollection  R     DN's of partitions in Partitions container
ServerObjectDN              String (DN)   R     DN of object in Servers container
ServerObjectGuid            Guid          R     objectGUID of object in Servers container
Site                        String        R/RW  Site container where server object resides
SslPort                     Int32         R

The Get-ADDomainController cmdlet does not expose any extended properties, and does not support the -Properties parameter. Also, there is no Set-ADDomainController cmdlet.


Search-ADAccount

The default properties retrieved by the Search-ADAccount cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.

Property               Syntax        R/RW  lDAPDisplayName
AccountExpirationDate  DateTime      RW    accountExpires, converted to local time
DistinguishedName      String (DN)   R     distinguishedName
Enabled                Boolean       RW    userAccountControl (bit mask Not 2)
LastLogonDate          DateTime      R     lastLogonTimeStamp, converted to local time
LockedOut              Boolean       RW    msDS-User-Account-Control-Computed (bit mask 16)
Name                   String        R     cn (Relative Distinguished Name)
ObjectClass            String        R     objectClass, most specific value
ObjectGUID             Guid          R     objectGUID converted to string
PasswordExpired        Boolean       RW    msDS-User-Account-Control-Computed (bit mask 8388608)
PasswordNeverExpires   Boolean       RW    userAccountControl (bit mask 32)
SamAccountName         String        RW    sAMAccountName
SID                    Sid           R     objectSID converted to string
UserPrincipalName      String        RW    userPrincipalName

The Search-ADAccount cmdlet does not expose any extended properties, and does not support the -Properties parameter.


NOTES

  1. The Get-Help cmdlet seems to indicate that the default properties distinguishedName, ObjectCategory, ObjectClass, and SID are read-write. However, the corresponding Active Directory attributes can only be modified by the system, so they are shown as Read-Only in the above tables. The same has been done for the DomainSID property of Get-ADDomain and the Domain and Forest properties of Get-ADDomainController.
  2. The Name property is revealed by the Get-Help cmdlet as Read-Only. This property cannot be modified directly. However, you can rename the object, which will modify the Name property. You can use the Rename-ADObject cmdlet to rename Active Directory objects.
  3. All properties based on the userAccountControl attribute in the tables above refer to a bit mask. The userAccountControl attribute is a 32-bit integer where each bit corresponds to a different setting. To check if a specific bit is set, you "OR" the userAccountControl value with the bit mask. A non-zero result means the bit is set.
  4. The Syntax "ADCollection" in the above tables means the corresponding Active Directory attribute is multi-valued. The Get-AD* cmdlets retrieve these properties as arrays.
  5. Some Active Directory attributes are not replicated to all Domain Controllers. A different value is saved on every Domain Controller. The AD Modules only retrieve these attributes from one Domain Controller. Use the -Server parameter to specify which Domain Controller.
  6. Some Active Directory attributes are operational (also called constructed). That means that the value is not actually saved in Active Directory, but is calculated on request based on other attributes. Most of these attributes, such as canonicalName and primaryGroupToken, can be retrieved by the AD modules. However, an error is raised if you attempt to retrieve the tokenGroups attribute.
  7. If you request the objectSID attribute, which is a byte array in Active Directory, the value is displayed in the familiar friendly format, beginning with the string "S-1-5-21". This is the only known case where the PowerShell AD cmdlets convert the value of an AD attribute (not a default or extended property) for display (implying that code is invoked).
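The bit-mask properties in the tables above (Enabled, PasswordNeverExpires, GroupCategory, GroupScope) and the objectSID conversion from note 7 can all be reproduced from the raw attribute values. The block below is an added example, not code from the original article. It tests a bit with a bitwise AND (-band), where a non-zero result means the bit is set, and it uses constructed sample values so that it runs without a domain; the .NET SecurityIdentifier class does the byte-array-to-string conversion.

```powershell
# Added example (not from the original article). All sample values are
# constructed; nothing here talks to a domain controller.

function Test-Bit {
    param([int64]$Value, [int64]$Mask)
    # Bitwise AND keeps only the bits named by the mask; non-zero means set.
    return (($Value -band $Mask) -ne 0)
}

function ConvertFrom-UserAccountControl {
    param([int64]$UserAccountControl)
    [pscustomobject]@{
        # Enabled is "bit mask Not 2": true when the ACCOUNTDISABLE bit is clear.
        Enabled              = -not (Test-Bit $UserAccountControl 2)
        # DONT_EXPIRE_PASSWORD is bit 32, as in the Search-ADAccount table.
        PasswordNeverExpires = Test-Bit $UserAccountControl 32
    }
}

function ConvertFrom-GroupType {
    param([int64]$GroupType)
    # groupType is stored as a signed 32-bit value, so a security group
    # shows up negative. Sign extension to int64 leaves bit 2147483648 in
    # place, so the same AND test works on it.
    $category = if (Test-Bit $GroupType 2147483648) { 'Security' } else { 'Distribution' }
    $scope = if (Test-Bit $GroupType 2) { 'Global' }
             elseif (Test-Bit $GroupType 4) { 'DomainLocal' }
             elseif (Test-Bit $GroupType 8) { 'Universal' }
             elseif (Test-Bit $GroupType 1) { 'DomainLocal (built-in, system-created)' }
             else { 'Unknown' }
    [pscustomobject]@{ GroupCategory = $category; GroupScope = $scope }
}

function ConvertFrom-ObjectSid {
    param([byte[]]$ObjectSid)
    # Same conversion the cmdlets apply to objectSID: binary SID to string.
    $sid = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList @($ObjectSid, 0)
    return $sid.Value
}

# Constructed userAccountControl values:
#   512            = NORMAL_ACCOUNT
#   512 + 2 + 32   = NORMAL_ACCOUNT + ACCOUNTDISABLE + DONT_EXPIRE_PASSWORD
ConvertFrom-UserAccountControl -UserAccountControl 512
ConvertFrom-UserAccountControl -UserAccountControl (512 + 2 + 32)

# Constructed groupType values: a global security group (negative because
# bit 2147483648 is set) and a universal distribution group.
ConvertFrom-GroupType -GroupType (-2147483646)
ConvertFrom-GroupType -GroupType 8

# Constructed SID round-tripped through its binary form, which is the shape
# the objectSID attribute has in the directory.
$sample = New-Object -TypeName System.Security.Principal.SecurityIdentifier -ArgumentList 'S-1-5-21-1111111111-2222222222-3333333333-1105'
$bytes  = New-Object byte[] $sample.BinaryLength
$sample.GetBinaryForm($bytes, 0)
ConvertFrom-ObjectSid -ObjectSid $bytes
```

Keeping the decoding in small functions like these is useful when the same flags arrive from a source other than the AD module, for example userAccountControl values in exported LDAP data or in event logs, where no Enabled property has been computed for you.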

Comments
  • Richard Mueller edited Revision 46. Comment: Clarify case of attribute names, add note 7 about the objectSID attribute

  • Richard Mueller edited Revision 45. Comment: Minor revisions

  • Richard Mueller edited Revision 43. Comment: Changed formatting of table header rows

  • Richard Mueller edited Revision 39. Comment: Added section on "Base Properties"

  • Richard Mueller edited Revision 38. Comment: Fix some formatting