Question on get-aduser and properties

I am fairly new to PowerShell and have gotten quite a bit of help browsing the Forums and asking questions.

I have been working on getting Properties from get-aduser, and it's baffling to me on the below examples.

To find if a user account is enabled I have used:

get-aduser -identity USERNAME | %{$_.enabled}

This will return True or False

To check if a user account is Locked I found this will return True or False

(get-aduser -identity USERNAME -Properties LockedOut).LockedOut

Why is this?  When I try

get-aduser -identity USERNAME | %{$_.LockedOut}, it returns blank

Subsequently if I try

(get-aduser -identity USERNAME -Properties Enabled).Enabled, it returns blank.

February 8th, 2013 3:00pm

Hi,

Have a look at

Search-ADAccount -AccountExpired

and

Search-ADAccount -AccountDisabled

I've looked at it: (get-aduser -identity USERNAME -Properties Enabled).Enabled works for me. get-aduser -identity USERNAME | %{$_.LockedOut} is blank for me because my account isn't locked ... but get-aduser -identity USERNAME | % {$_.Enabled} returns true.

Have you looked at get-aduser USERNAME | Get-Member ... Is there anything in particular you're trying to achieve or just understanding?

Thanks,

John

February 8th, 2013 4:35pm

Thanks John,

I may not have explained my question right.

I am confused on why I have to use two different methods to pull a property out of get-aduser?  Both the Enabled and LockedOut properties return True or False.

I am quickly finding out there are very many different ways to get something accomplished in Powershell.

Chris

February 8th, 2013 6:55pm

You are right that there is often more than one way to accomplish a task in PowerShell. There is a fundamental difference between the Enabled and LockedOut properties exposed by Get-ADUser. Enabled is a default property, so it is returned whether you ask for it or not. LockedOut, however, is an extended property. It is only retrieved if you request it with the -Properties parameter.

I find that the following always returns either True or False (unlike what you report):

(Get-ADUser -Identity username -Properties Enabled).Enabled

In fact, the following also always returns either True or False, because Enabled is a default property:

(Get-ADUser -Identity username).Enabled

If I request the LockedOut property, then again I always get either True or False:

Get-ADUser -Identity username -Properties LockedOut | % {$_.LockedOut}

I document the default properties exposed by many of the Get-AD* cmdlets here:

http://social.technet.microsoft.com/wiki/contents/articles/12031.active-directory-powershell-ad-module-properties.aspx

I never found documentation on the extended properties, so for Get-ADUser I document them here:

http://social.technet.microsoft.com/wiki/contents/articles/12037.active-directory-get-aduser-default-and-extended-properties.aspx

February 9th, 2013 3:04am

For me, Get-Aduser is returning information for some accounts but not others even though they are actively used accounts.  In the following picture, both accounts are enabled and actively used but only one is showing the Enabled attribute.  It doesn't matter if I explicitly ask for it either (Get-Aduser userid -Properties Enabled).

September 4th, 2015 3:34pm

Ricc, I've never seen a user object with no value for Enabled. Can you report the value of the userAccountControl attribute for such a user? For example:

Get-ADUser -Identity "jsmith" -Properties userAccountControl

Or, you can look at the value reported on the "Attribute Editor" tab of the user properties in ADUC. PowerShell will retrieve the value of userAccountControl in decimal. ADUC shows it in hexadecimal (in Windows Server 2008 and above).
September 4th, 2015 4:16pm

Ricc

The Enabled property exposed by the Get-ADUser cmdlet returns True or False based on the value of the userAccountControl attribute of the user, which is a flag attribute. The value is an integer where each bit represents a different setting, like ADS_UF_PASSWD_NOTREQD, ADS_UF_PASSWD_CANT_CHANGE, or ADS_UF_ACCOUNTDISABLE. The last is used by the Enabled property. The proper way to retrieve the setting is to retrieve the integer value of userAccountControl and binary AND this with a bit mask appropriate for the setting. The bit mask for ADS_UF_ACCOUNTDISABLE is 2. If (userAccountControl -band 2) is non-zero (True), then the account is disabled and Enabled should be False. If (userAccountControl -band 2) is zero (False), then the account is enabled and Enabled will be True.

The system requires that userAccountControl have an integer value. It cannot be missing or null. As such, the binary AND of this value with 2 will always be either True or False. The result cannot be missing or null. That is why I requested the integer value of the userAccountControl attribute for your problem user. I want to make sure you have not found a bug in the Enabled property of Get-ADUser.

Also, are any other properties besides Enabled missing?

September 7th, 2015 1:20pm
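The bit test described in the reply above, worked through as an added PowerShell example that is not from any post in this thread. The function name Get-UacSummary and the sample userAccountControl values are constructed for illustration; the flag constants are the standard ADS_USER_FLAG values (0x2 for ADS_UF_ACCOUNTDISABLE, as the reply states). The $null branch shows why an unreadable userAccountControl leaves Enabled blank rather than True or False.

```powershell
# Added example: derive Enabled from userAccountControl with a binary AND,
# the way Get-ADUser does it internally, and decode a few other flag bits.
# Constant values are the well-known ADS_USER_FLAG values (hex, as ADUC shows them).
$ADS_UF_ACCOUNTDISABLE     = 0x00002   # bit mask 2: set means the account is disabled
$ADS_UF_PASSWD_NOTREQD     = 0x00020   # password not required
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000   # password never expires (added for the audit view)

function Get-UacSummary {
    # Hypothetical helper, not a module cmdlet. Takes the decimal integer that
    # Get-ADUser returns for userAccountControl, or $null if it could not be read.
    param(
        [AllowNull()] [Nullable[int]] $UserAccountControl
    )
    if ($null -eq $UserAccountControl) {
        # No integer means no bit test is possible. Mirror the blank Enabled
        # seen in the thread instead of guessing a boolean; this is the state
        # you get when the reading account lacks read permission on the attribute.
        return [pscustomobject]@{
            Decimal = $null; Hex = $null; Enabled = $null
            PasswordNotRequired = $null; PasswordNeverExpires = $null
        }
    }
    [pscustomobject]@{
        Decimal              = $UserAccountControl                       # what PowerShell shows
        Hex                  = ('0x{0:X}' -f $UserAccountControl)        # what ADUC Attribute Editor shows
        Enabled              = (($UserAccountControl -band $ADS_UF_ACCOUNTDISABLE) -eq 0)
        PasswordNotRequired  = (($UserAccountControl -band $ADS_UF_PASSWD_NOTREQD) -ne 0)
        PasswordNeverExpires = (($UserAccountControl -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0)
    }
}

# Constructed sample values (not from a real directory):
#   512   = 0x200   normal account, enabled
#   514   = 0x202   normal account, disabled (bit 2 set)
#   66048 = 0x10200 normal account, password never expires
#   $null           attribute unreadable, Enabled stays blank
@(512, 514, 66048, $null) | ForEach-Object { Get-UacSummary $_ } | Format-Table -AutoSize

# Against a live domain, feed the attribute the thread already requests:
#   Get-ADUser -Identity "jsmith" -Properties userAccountControl |
#       ForEach-Object { Get-UacSummary $_.userAccountControl }
```

Comparing the Enabled column here with Get-ADUser's own Enabled property for the same user separates a permissions problem (both blank, userAccountControl unreadable) from a genuine cmdlet bug (integer present, property still blank).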

Ricc,

My guess now is that there is a problem with the permissions for the userAccountControl attribute. The account you use lacks permission to read userAccountControl.

In ADUC view the properties of a problem user, select the "Security" tab, then "Advanced" and look at "Effective permissions". Near the bottom you will see read and write "userAccountControl".

Then on the "Security" tab in "Advanced", select a trustee (user or group) and click "Edit". Again, under "Properties" you will find "userAccountControl". I suspect that your domain account cannot read userAccountControl. This would explain why the Enabled PowerShell property is missing.

September 11th, 2015 5:44pm
