Every user, computer, container, or OU in the Active Directory is an object. For each of those there are dedicated cmdlets that we can use to retrieve or update information. But to get deleted objects we will need to use the Get-ADObject cmdlet.
The Get-ADObject cmdlet can retrieve all objects from the Active Directory. With the help of filters, we can select the information we need. The cmdlet also allows us to retrieve all the information from the AD with a single command, making it great to export Active Directory structures.
In this article
In this article, we are going to take a look at how to use the Get-ADObject cmdlet and retrieve deleted objects.
Install Active Directory Module
To be able to use the Get-ADObject cmdlet in PowerShell you will need to have the Active Directory Module installed. By default, it’s installed on the domain controller, but on Windows 10 or 11, you will need to install it.
You can run the following PowerShell command in Windows 10 or 11 to install the module:
Add-WindowsCapability -Online -Name "Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0"
Finding Objects with Get-ADObject in PowerShell
The Get-ADObject cmdlet allows us to find objects in the Active Directory and extract information from them. The true power of this cmdlet is that it comes with different options to find those objects.
We have the following options when it comes to finding objects:
- Identity – Find an object based on its identity. This will return only a single object
- Filter – Retrieve multiple objects based on a query
- LDAPFilter – Use an LDAP query string to filter objects
- SearchBase – Specify the Active Directory path (OU) to search in
- SearchScope – Specify how deep you want to search (baselevel, one level, or complete subtree)
To use the identity you will need to know the object’s GUID or distinguished name. In most cases, you only use the Identity parameter when you pass an object through the pipeline.
Using the Filter
To search and find objects you will commonly use the -Filter parameter. With the filter, we can search for one or more objects in the Active Directory. The filter parameter uses the PowerShell Expression Language to filter the result. This means that we can use the following operators in our queries:
- -le – Less than or equal to
- -ge – Greater than or equal to
- -ne – Not equal to
Let’s take a look at a couple of examples to retrieve objects from the Active Directory using the filter.
We can search all objects based on their name. This can be the exact name, or we can use the -like operator to filter on a part of the name. Note that you can use an * as a wildcard in the like filter:
# Get all objects that have the name Amsterdam:
Get-ADObject -Filter "Name -eq 'Amsterdam'"
# Get all objects where the name starts with LA-:
Get-ADObject -Filter "Name -like 'LA-*'"
A more realistic example for the Get-ADObject cmdlet is to get all objects that are changed after a specific date. For this, we will first need to create a date object, which we then can use to filter the objects:
$ChangeDate = Get-Date("01 may 2023")
Get-ADObject -Filter 'whenChanged -gt $ChangeDate'
You can use the same principle to get all objects that are created after a specific date:
$CreatedDate = Get-Date("01 may 2023")
Get-ADObject -Filter 'whenCreated -gt $CreatedDate'
Filtering on ObjectClass
Each object in the Active Directory has an objectClass. The class determines the type of object. We can use the ObjectClass in our filters when searching for objects with the Get-ADObject cmdlet.
There are a lot of classes in the AD, around 50 in total. I am not going to list them all here, but below you will find the most commonly used classes that we can use:
To view all classes you can use the following command in PowerShell:
Get-ADObject -Filter * | Select-Object objectClass -Unique | Sort-Object objectClass
We can also expand our filter query with multiple expressions. This allows you to further narrow down your filter queries. For example, say we only want to get all computers that were created in the last 30 days:
$CreatedDate = (Get-Date) - (New-TimeSpan -Days 30)
Get-ADObject -Filter 'whenCreated -gt $CreatedDate -and objectCategory -eq "computer"'
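The date and objectClass filters above can be combined into one reusable report. The function below is an added example and is not part of the original article; the function name, its parameters and the 30-day default are my own choices, and the OU path in the usage line is the one used later in this article. It also shows a detail the snippets above hide: whenCreated and whenChanged are not in the default property set of Get-ADObject, so you have to request them with -Properties or the columns come back empty.

```powershell
# Added example (not from the original article): report objects of a given class
# that were created or changed in the last N days. Function name, parameters and
# defaults are assumptions made for this example.
function Get-RecentADObject {
    [CmdletBinding()]
    param(
        # Look back this many days (assumed default: 30)
        [int] $Days = 30,
        # objectClass to report on, e.g. user, computer, group, organizationalUnit
        [string] $ObjectClass = 'computer',
        # Optional OU (distinguishedName) to limit the search to
        [string] $SearchBase
    )

    $since = (Get-Date).AddDays(-$Days)

    # whenCreated and whenChanged are not returned by default, so ask for them.
    # Variables inside the filter string are resolved by the AD module itself.
    $params = @{
        Filter     = '(whenCreated -gt $since -or whenChanged -gt $since) -and objectClass -eq $ObjectClass'
        Properties = 'whenCreated', 'whenChanged', 'objectClass'
    }
    if ($SearchBase) { $params.SearchBase = $SearchBase }

    Get-ADObject @params |
        Select-Object Name, ObjectClass, whenCreated, whenChanged, DistinguishedName |
        Sort-Object whenCreated -Descending
}

# Usage: computers created or modified in the last 7 days in the Amsterdam OU
Get-RecentADObject -Days 7 -ObjectClass computer -SearchBase "OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=NL" |
    Format-Table -AutoSize
```

Run without -SearchBase, the function searches the whole domain; pipe the result to Export-Csv if you want to keep a weekly snapshot of new or changed accounts.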
Get-ADObject SearchBase
The Get-ADObject cmdlet returns all objects (limited to 1000 by default) when using filters. So you probably want to narrow down the search results. To do this we can use the -SearchBase parameter. This allows us to specify the OU (distinguishedName) where we want to search.
To specify the OU where we want to search we need to write the distinguishedName from the bottom up. Thus, the string starts with the OU where you want to search and ends with the domain name.
Take the following Active Directory structure, where the OU tree is Lazyadmin.NL > Sites > Amsterdam > IT, and we want to get all users from the IT OU. Reading the tree from the bottom up gives the parts of the distinguished name: 1: IT, 2: Amsterdam, 3: Sites, 4: Lazyadmin, 5: NL. The SearchBase string, in this case, would be:
"OU=IT,OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=NL"
Thus, to get all objects from the IT department in Amsterdam we can use the following PowerShell command:
Get-ADObject -Filter * -SearchBase "OU=IT,OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=NL" | ft
Using the SearchScope
By default, the -SearchBase parameter will return all objects from the specified OU and nested OUs. This is not always wanted; you might only want to return the results from the specified OU or only one level deep. With the -SearchScope parameter, we can specify how deep we want to search through the Active Directory tree. You can use the following values for the SearchScope:
- Base – Only the object specified in the SearchBase itself
- OneLevel – The direct children of the SearchBase, but not the SearchBase itself or anything deeper
- Subtree – The SearchBase and everything below it (the default)
To get only the objects directly in the Amsterdam OU, without the contents of its nested OUs, we can use the SearchScope value OneLevel. This limits the search to the level directly below the SearchBase (Base would return only the Amsterdam OU object itself):
Get-ADUser -Filter * -SearchBase "OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=NL" -SearchScope OneLevel | ft
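The difference between the three scopes is easiest to see side by side. The helper below is an added example, not code from the original article; the function name is my own, and the OU path is the Amsterdam OU used above. It runs the same filter against the same SearchBase with each scope and shows how many objects come back and the first few names.

```powershell
# Added example (not from the original article): compare what each SearchScope
# value returns for one SearchBase. Function name is an assumption for this example.
function Compare-ADSearchScope {
    [CmdletBinding()]
    param(
        # distinguishedName of the OU to start from
        [Parameter(Mandatory)] [string] $SearchBase
    )

    foreach ($scope in 'Base', 'OneLevel', 'Subtree') {
        # @() keeps .Count meaningful even when zero or one object is returned
        $objects = @(Get-ADObject -Filter * -SearchBase $SearchBase -SearchScope $scope)

        [PSCustomObject]@{
            SearchScope = $scope
            Count       = $objects.Count
            # Base returns only the OU itself; OneLevel its direct children;
            # Subtree the OU plus everything nested under it.
            Sample      = ($objects | Select-Object -First 3 -ExpandProperty Name) -join ', '
        }
    }
}

Compare-ADSearchScope -SearchBase "OU=Amsterdam,OU=Sites,DC=Lazyadmin,DC=NL" | Format-Table -AutoSize
```

With the tree from this article, Base returns one object (the Amsterdam OU), OneLevel returns the objects and OUs directly inside it (such as the IT OU), and Subtree returns those plus everything inside IT.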
Get Deleted Objects
The dedicated cmdlets, like Get-ADUser and Get-ADComputer, can’t retrieve the deleted objects from the Active Directory. To get deleted objects from the AD, we will need to use the Get-ADObject cmdlet with the -IncludeDeletedObjects parameter.
Note: Make sure that you have enabled the Active Directory Recycle Bin. Otherwise, you won’t be able to find deleted objects.
To get all deleted computers we can use the command below. Note that we also need to add the filter isDeleted -eq $true. This way only objects that are deleted are returned. We also filter the objects based on the objectClass:
Get-ADObject -Filter 'objectClass -eq "computer" -and isDeleted -eq $True' -IncludeDeletedObjects | ft
Not every deleted object can be restored. The command below returns only the objects that are deleted and can still be restored. It also filters out the Deleted Objects container from the result:
Get-ADObject -Filter 'isDeleted -eq $True -and -not (isRecycled -eq $True) -and name -ne "Deleted Objects"' -IncludeDeletedObjects
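For a regular review of deletions it helps to know when an object was deleted, where it lived and what it was called, rather than just that it exists in the Deleted Objects container. The function below is an added example and not part of the original article; the function name, the parameters and the CSV path are my own assumptions. It builds on the restorable-objects filter above, adds a time window, and exports the result with Export-Csv (mentioned at the end of this article).

```powershell
# Added example (not from the original article): list restorable deleted objects
# from the last N days with their original name and location, optionally to CSV.
# Function name, parameters and the CSV path are assumptions for this example.
function Get-RestorableADObject {
    [CmdletBinding()]
    param(
        # Only deletions from the last N days (assumed default: 30)
        [int] $Days = 30,
        # Optional export path, e.g. C:\Temp\deleted-objects.csv (hypothetical)
        [string] $CsvPath
    )

    $since = (Get-Date).AddDays(-$Days)

    # whenChanged is updated when the object is tombstoned, so it approximates the
    # deletion time. LastKnownParent and msDS-LastKnownRDN record where the object
    # lived and its original name; both are only populated with the Recycle Bin enabled.
    $deleted = Get-ADObject -IncludeDeletedObjects `
        -Filter 'isDeleted -eq $True -and -not (isRecycled -eq $True) -and name -ne "Deleted Objects" -and whenChanged -gt $since' `
        -Properties whenChanged, LastKnownParent, 'msDS-LastKnownRDN', objectClass

    $report = $deleted | Select-Object `
        @{ Name = 'OriginalName'; Expression = { $_.'msDS-LastKnownRDN' } },
        objectClass, whenChanged, LastKnownParent, ObjectGUID |
        Sort-Object whenChanged -Descending

    if ($CsvPath) {
        $report | Export-Csv -Path $CsvPath -NoTypeInformation
    }
    $report
}

# Usage: restorable objects deleted in the last 7 days, plus a per-class summary
$recent = Get-RestorableADObject -Days 7 -CsvPath "C:\Temp\deleted-objects.csv"
$recent | Format-Table -AutoSize
$recent | Group-Object objectClass | Select-Object Name, Count
```

The ObjectGUID column is kept on purpose: it is the identity you need if you decide to restore one of the listed objects later, and it stays stable where the name and parent do not.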
The Get-ADObject cmdlet allows you to retrieve all objects from the AD with a single cmdlet. Using the different filters allows you to retrieve only the information that you really need. You can export the results from the cmdlet easily with the Export-CSV cmdlet.
If you have any questions, just drop a comment below.