I've run into a case where specific properties are not enumerated when using Get-ADUser -Properties *. For example, the following code does not list the msDS-UserPasswordExpiryTimeComputed property even though it exists and I can specify it as a -Properties argument, have it return, and can process its value.
# Does not return msDS-UserPasswordExpiryTimeComputed
Get-ADUser username -Properties *
# This works to get the msDS-UserPasswordExpiryTimeComputed attribute returned
Get-ADUser username -Properties msDS-UserPasswordExpiryTimeComputed
# If I really want all properties and this one
# I have to specify it alongside *
Get-ADUser username -Properties *, msDS-UserPasswordExpiryTimeComputed
This isn't just a case of the property being omitted from the display; I need to explicitly state the msDS-UserPasswordExpiryTimeComputed property or else it simply isn't available on the resulting object.
I already know filtering on Properties * isn't a good idea in most cases, but I'm curious about why all AD DS attributes are not enumerated when this is precisely what I am asking the cmdlet to do.
This question is asking about Get-ADUser, but like most other behaviors with the Get-ADObject cmdlets, I assume this behavior extends to most, if not all, of them.
The following code should return ALL attributes of an AD User (all properties of the ObjectClass=user):
$properties = Get-ADObject -SearchBase (Get-ADRootDSE).SchemanamingContext -Filter {name -eq "User"} -Properties MayContain,SystemMayContain |
Select-Object @{name="Properties";expression={$_.maycontain+$_.systemmaycontain}} |
Select-Object -ExpandProperty Properties
Get-ADUser -Identity username -Properties $properties | fl $properties
Firstly it retrieves and saves all user properties into an array and then secondly the properties array is used with Get-ADUser to retrieve all the properties for a single user (in this example).
After doing some research, there are multiple types of attributes on an ADObject - Default, Extended, and Constructed are some examples of these.
Default properties are returned on all ADObject queries matching a specific type of ADObject (ADUser has its own set of default properties, ADGroup has its own set, etc.)
Extended properties are not returned by default but are implicitly enumerable static attributes on an ADObject.
Constructed attributes are not static properties but are calculated based on the values of other attributes belonging to an ADObject. I could not find any info on this, but I imagine that enumerating all Constructed attributes can be an expensive operation since the values are computed, and as such need to be explicitly requested via the -Properties parameter of the Get-ADObject cmdlets.
This all seems to be related to the systemFlags attribute on an ADObject, which is where the attribute types are set. From my testing, attributes with either the Constructed (4) or Non-Replicated (2) flag need to be explicitly specified to be returned from the RSAT cmdlets.
msDS-UserPasswordExpiryTimeComputed Documentation
List All Constructed Attributes on ADObject using an LDAP Filter
Determining an Attribute Type
SystemFlags Attribute
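An added example, not part of the original answers: it lists the schema attributes carrying the Constructed flag (value 4, as quoted above) with an LDAP bitwise-AND filter, then reports which ones come back for a user only when named explicitly. The account name `username` is the placeholder from the question, and `$report` and its column names are assumptions made for this illustration.

```powershell
Import-Module ActiveDirectory

$identity = 'username'   # placeholder account, as in the question
$schemaNC = (Get-ADRootDSE).schemaNamingContext

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule;
# 4 is the Constructed flag value quoted in the answer above.
$schemaQuery = @{
    SearchBase = $schemaNC
    LDAPFilter = '(&(objectClass=attributeSchema)(systemFlags:1.2.840.113556.1.4.803:=4))'
    Properties = 'lDAPDisplayName'
}
$constructed = Get-ADObject @schemaQuery |
    Select-Object -ExpandProperty lDAPDisplayName |
    Sort-Object

# Property names that -Properties * returns on its own.
$starNames = (Get-ADUser -Identity $identity -Properties *).PropertyNames

# Request each constructed attribute by name. Some cannot be computed for
# every object, so a failure is recorded instead of stopping the loop.
$report = foreach ($attr in $constructed) {
    $row = [ordered]@{
        Attribute      = $attr
        InStar         = $starNames -contains $attr
        ReturnedByName = $false
        Value          = $null
        Error          = $null
    }
    try {
        $u = Get-ADUser -Identity $identity -Properties $attr -ErrorAction Stop
        $row.ReturnedByName = $u.PropertyNames -contains $attr
        $row.Value          = $u.$attr
    } catch {
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}

# Attributes that exist on the user but are missing from -Properties *.
$report | Where-Object { $_.ReturnedByName -and -not $_.InStar } |
    Format-Table Attribute, Value -AutoSize
```

This issues one directory query per constructed attribute, so run it against a single account rather than a bulk search.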