Most of the Get-AD* cmdlets support the -Properties parameter. If the -Properties parameter is not included, only the default properties are retrieved. With this parameter you can specify default properties, extended properties, or the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. Many, but not all, of these properties and attributes can also be assigned values using the corresponding Set-AD* cmdlet.
For convenience, the Active Directory Get-AD* cmdlets always return a default set of properties. In many cases these correspond to mandatory attributes so they will always have values. These property names do not always match the LDAPDisplayName of the corresponding Active Directory attribute. For example, the SID property is in the default set for Get-ADUser and Get-ADComputer, but there is no such attribute in Active Directory. The SID property will be the value of the objectSID attribute, which is a byte array, converted into the familiar string format.
Many Active Directory Get-AD* cmdlets also support extended properties. These are only retrieved if they are specified in the -Properties parameter of the cmdlet. Many extended properties can also be assigned values using the corresponding Set-AD* cmdlet. Again, the names of these properties may or may not match the LDAPDisplayName of the corresponding Active Directory attribute.
In addition, you can use the -Properties parameter to specify the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. If the attribute value cannot be displayed, such as nTSecurityDescriptor, then the class definition is displayed. If you attempt to retrieve the tokenGroups attribute (a multi-valued operational attribute that is an array of group SID values), an error is raised.
Also, if you request an Active Directory attribute and the object retrieved has no value for that attribute, the attribute will not be included in the results. This differs from the behavior when you request an extended property. In that case, if the object retrieved has no value assigned to the extended property, it will be shown with a blank (missing) value.
If you specify -Properties *, the Get-AD* cmdlets that support this parameter will retrieve all default and extended attributes, whether or not they have values, plus all Active Directory attributes that have values, plus the isDeleted attribute. However, if you specify the isDeleted attribute in the -Properties parameter, this attribute is not included in the results unless it has a value. For this reason (and because the initial letter in the name is displayed in lower case), the author considers isDeleted to not be an extended property.
When you specify -Properties * with any Get-AD* cmdlet, if the initial letter of any property name is upper case, it is either a default or extended property. If the initial letter is lower case, the property corresponds to an Active Directory attribute.
All of the Get-AD* and Search-AD* cmdlets also provide two base properties.
These two base properties are themselves not included in the count or collection of names. Base properties are original properties of the .NET Framework object, as defined for the object class. These two properties are not included when you display the object, but you can always retrieve their values explicitly. The values of these two properties do not need to be the same for all objects retrieved by the cmdlet. As noted above, Active Directory attributes are only retrieved if they have a value assigned to the object in AD. Default and any extended properties requested in the -Properties parameter are always included in the collection. Finally, note that the Get-Member cmdlet does not reveal base properties unless you use the -Force parameter.
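Audit scripts that read security-relevant attributes need to tell "attribute not returned because it has no value" apart from "extended property returned but blank", as described above. The following is an added example, not code from the original article: the function name Get-ADPropertyReport and the sample object with its values are constructed for illustration, and the sample stands in for a Get-ADUser result so the block runs without a domain.

```powershell
# Added example; not part of the original article.
# Reports, for each requested name, how the rules described above apply:
#   upper-case initial -> default or extended property (always returned, may be blank)
#   lower-case initial -> Active Directory attribute (not returned when it has no value)
function Get-ADPropertyReport {
    param(
        [Parameter(Mandatory)] [psobject] $InputObject,
        [Parameter(Mandatory)] [string[]] $Name
    )
    foreach ($n in $Name) {
        # $null when the object carries no property of that name
        $prop = $InputObject.PSObject.Properties[$n]
        [pscustomobject]@{
            Name     = $n
            Kind     = if ([char]::IsUpper($n[0])) { 'DefaultOrExtended' } else { 'Attribute' }
            Returned = $null -ne $prop
            HasValue = ($null -ne $prop) -and ($null -ne $prop.Value) -and ("$($prop.Value)" -ne '')
        }
    }
}

# Constructed sample standing in for the result of:
#   Get-ADUser -Identity <user> -Properties LastLogonDate, adminCount, msDS-AllowedToDelegateTo
# for an account that has never logged on and has no value for either attribute.
$sample = [pscustomobject]@{
    DistinguishedName = 'CN=Test User,OU=Staff,DC=example,DC=com'   # constructed value
    Enabled           = $true
    SamAccountName    = 'tuser'                                     # constructed value
    LastLogonDate     = $null   # extended property: returned, but blank
    # adminCount and msDS-AllowedToDelegateTo are absent: attributes without
    # a value are not included in the results at all.
}

$names = 'SamAccountName', 'LastLogonDate', 'adminCount', 'msDS-AllowedToDelegateTo'
Get-ADPropertyReport -InputObject $sample -Name $names | Format-Table -AutoSize

# Against a live domain (requires the ActiveDirectory module; <user> is a placeholder):
#   $u = Get-ADUser -Identity <user> -Properties LastLogonDate, adminCount, msDS-AllowedToDelegateTo
#   Get-ADPropertyReport -InputObject $u -Name $names
```

For the sample, SamAccountName is reported as returned with a value, LastLogonDate as returned without a value, and the two attributes as not returned.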
The default properties retrieved by the Get-ADUser cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The default and extended properties retrieved by the Get-ADUser cmdlet are documented in the following Wiki article: Active Directory: Get-ADUser Default and Extended Properties
The default properties retrieved by the Get-ADComputer cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The default and extended properties retrieved by the Get-ADComputer cmdlet are documented in the following Wiki article: Active Directory: Get-ADComputer Default and Extended Properties
The default properties retrieved by the Get-ADGroup cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The default and extended properties retrieved by the Get-ADGroup cmdlet are documented in the following Wiki article: Active Directory: Get-ADGroup Default and Extended Properties
The default properties retrieved by the Get-ADObject cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The default and extended properties retrieved by the Get-ADObject cmdlet are documented in the following Wiki article: Active Directory: Get-ADObject Default and Extended Properties
The default properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The default and extended properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented in the following Wiki article: Active Directory: Get-ADOrganizationalUnit Default and Extended Properties
The default properties retrieved by the Get-ADGroupMember cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The Get-ADGroupMember cmdlet does not expose any extended properties, and does not support the -Properties parameter.
The default properties retrieved by the Get-ADForest cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.
The Get-ADForest cmdlet does not expose any extended properties, and does not support the -Properties parameter.
The default properties retrieved by the Get-ADDomain cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.
The Get-ADDomain cmdlet does not expose any extended properties, and does not support the -Properties parameter.
The default properties retrieved by the Get-ADDomainController cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.
The Get-ADDomainController cmdlet does not expose any extended properties, and does not support the -Properties parameter. Also, there is no Set-ADDomainController cmdlet.
The default properties retrieved by the Search-ADAccount cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
The Search-ADAccount cmdlet does not expose any extended properties, and does not support the -Properties parameter.
Richard Mueller edited Revision 46. Comment: Clarify case of attribute names, add note 7 about the objectSID attribute