Using PowerShell to Search for Specific Users in Active Directory without Knowing their Exact Information

You’re looking for a user in your Active Directory environment who goes by the nickname of “JW”. You know that’s the user’s initials and you need to find their AD user account.

Typically you’d use the Identity parameter, but that parameter doesn’t allow wildcards:


Verifying that wildcards are not allowed on the Identity parameter of Get-ADUser:


What you’ll need to do is use the Filter parameter instead:


The previous results were close to what you wanted, but not exactly. They included users like “Jo Brown” since his name also matches the search criteria that were provided. This time let’s try a compound filter and specify GivenName values that start with “J” and Surname values that start with “W”:


The previous example is much, much better than filtering with the Where-Object cmdlet, since it follows the best practice of filtering early, also known as filtering left.

This is how NOT to accomplish the task because it is less efficient:


Since I’ve already told you that the previous example is less efficient, I’ll now show you that it’s less efficient:


As you can see in the previous results, the example that used the Filter parameter took about 12 milliseconds to complete and the example that used the Where-Object cmdlet for the filtering took approximately 310 milliseconds to complete. There are a total of 305 Active Directory user accounts in the test environment that these examples were run against. The performance of the Where-Object example would be worse if more Active Directory user accounts existed in the environment.

The examples shown in this blog have been demonstrated on a Windows 8.1 client machine with the RSAT (Remote Server Administration Tools) installed. The client machine is part of a domain and the domain controllers are running Windows Server 2012 R2.
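The compound filter and the timing comparison described above, as an added example (not the original post's code). It assumes the ActiveDirectory module from RSAT on a domain-joined machine; the function name `Find-ADUserByInitials` and the OU in the comment are hypothetical, and the optional `-SearchBase` goes beyond the post by scoping the same search to one OU.

```powershell
#Requires -Modules ActiveDirectory

function Find-ADUserByInitials {
    [CmdletBinding()]
    param(
        # One letter each. Validation keeps quotes and operators out of the
        # filter string that is built from these values below.
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$GivenInitial,
        [Parameter(Mandatory)][ValidatePattern('^[A-Za-z]$')][string]$SurnameInitial,
        # Optional distinguished name of the OU to search under.
        [string]$SearchBase
    )

    $params = @{
        # Evaluated by the domain controller, so only matches are returned.
        Filter = "GivenName -like '$GivenInitial*' -and Surname -like '$SurnameInitial*'"
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADUser @params |
        Select-Object Name, SamAccountName, Enabled, DistinguishedName
}

# Filtering left: the directory does the matching.
$filtered = Measure-Command {
    Find-ADUserByInitials -GivenInitial J -SurnameInitial W
}

# Filtering right: every user object is retrieved, then discarded client-side.
$piped = Measure-Command {
    Get-ADUser -Filter * |
        Where-Object { $_.GivenName -like 'J*' -and $_.Surname -like 'W*' }
}

[pscustomobject]@{
    FilterMs      = [math]::Round($filtered.TotalMilliseconds, 1)
    WhereObjectMs = [math]::Round($piped.TotalMilliseconds, 1)
}

# The matching accounts themselves.
Find-ADUserByInitials -GivenInitial J -SurnameInitial W

# Scoped to one OU (placeholder DN, replace with a real one):
# Find-ADUserByInitials -GivenInitial J -SurnameInitial W -SearchBase 'OU=Example,DC=example,DC=com'
```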


1 Comment

  1. Tim ONeill

    I used your command <> to list all users whose names begin with “svc”, so my command was

    I need to limit the search to only my department’s part of AD. Get-ADUser returns, for the name svc.hvappvol.atc:

    DistinguishedName : CN=svc.hvappvol.atc,OU=Service Accounts,OU=Users,OU=XYZ,OU=3TC,OU=34EC,OU=Installations,DC=abc,DC=def,DC=ghi,DC=com
    Enabled : True
    GivenName : svc.hvappvol.atc
    LastLogonDate : 5/7/2015 7:21:13 AM
    Name : svc.hvappvol.atc
    ObjectClass : user
    ObjectGUID : 37f2cedd-5fec-431f-adff-b2887fd9bd99
    SamAccountName : svc.hvappvol.atc
    SID : S-1-5-21-329068152-448539723-839522115-4242408
    Surname :
    UserPrincipalName :

    I have used the limiters -SearchBase and -SearchRoot but they cause Get-ADUser to return errors.

