Active Directory: PowerShell AD Module Properties
Each of the PowerShell Active Directory module cmdlets, like Get-ADUser and Get-ADComputer, displays a default set of properties for all objects retrieved. You can specify other properties with the -Properties parameter, but the default set will always be included. There is another set of extended properties that can be specified. In addition, any Active Directory attribute appropriate to the class of objects can be included by specifying the LDAPDisplayName of the attribute in the -Properties parameter.
Both the default and extended properties are really methods. They return values based on the actual Active Directory attributes of the objects, converted in many cases for display. This article defines the different types of properties and documents the default properties for many of the cmdlets that come with the Active Directory module in PowerShell Version 2.0. This article does not document the Active Directory attributes that apply to each class of object.
Properties Parameter
Most of the Get-AD* cmdlets support the -Properties parameter. If the -Properties parameter is not included, only the default properties are retrieved. With this parameter you can specify default properties, extended properties, or the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. Many, but not all, of these properties and attributes can also be assigned values using the corresponding Set-AD* cmdlet.
Default Properties
For convenience, the Active Directory Get-AD* cmdlets always return a default set of properties. In many cases these correspond to mandatory attributes so they will always have values. These property names do not always match the LDAPDisplayName of the corresponding Active Directory attribute. For example, the SID property is in the default set for Get-ADUser and Get-ADComputer, but there is no such attribute in Active Directory. The SID property will be the value of the objectSID attribute, which is a byte array, converted into the familiar string format.
Extended Properties
Many Active Directory Get-AD* cmdlets also support extended properties. These are only retrieved if they are specified in the -Properties parameter of the cmdlet. Many extended properties can also be assigned values using the corresponding Set-AD* cmdlet. Again, the names of these properties may or may not match the LDAPDisplayName of the corresponding Active Directory attribute.
Active Directory Attributes
In addition, you can use the -Properties parameter to specify the LDAPDisplayName of any Active Directory attribute appropriate for the class of object. If the attribute value cannot be displayed, such as nTSecurityDescriptor, then the class definition is displayed. If you attempt to retrieve the tokenGroups attribute (a multi-valued operational attribute that is an array of group SID values) an error is raised. Also, if you request an Active Directory attribute, and the object retrieved has no value for that attribute, then the attribute will not be included in the results. This differs from the behavior when you request an extended property. In that case, if the object retrieved has no value assigned to the extended property, it will be shown with a blank (missing) value.
If you specify -Properties *, the Get-AD* cmdlets that support this parameter will retrieve all default and extended properties, whether or not they have values, plus all Active Directory attributes that have values, plus the isDeleted attribute. However, if you specify the isDeleted attribute in the -Properties parameter, this attribute is not included in the results unless it has a value. For this reason (and because the initial letter in the name is displayed in lower case), the author considers isDeleted to not be an extended property.
If you use a Get-AD* cmdlet with -Properties *, and retrieve more than one object, only the attributes for which the first object in the results has a value will be included. For example, if the first object retrieved has no value for the pager attribute, then none of the objects will include this attribute, even if a later object has a value for it.
When you specify -Properties * with any Get-AD* cmdlet, if the initial letter of any property name is upper case, it is either a default or extended property. If the initial letter is lower case, the property corresponds to an Active Directory attribute.
Base Properties
All of the Get-AD* and Search-AD* cmdlets also provide two base properties.
Property | Syntax | Description |
propertyCount | 32-bit integer | The number of properties retrieved for the object |
propertyNames | collection | The names of the properties retrieved for the object |
These two base properties are themselves not included in the count or collection of names. Base properties are original properties of the .NET Framework object, as defined for the object class. These two properties are not included when you display the object, but you can always retrieve their values explicitly.
The values of these two properties do not need to be the same for all objects retrieved by the cmdlet. As noted above, Active Directory attributes are only retrieved if they have a value assigned to the object in AD. Default and any extended properties requested in the -Properties parameter are always included in the collection. Finally, note that the Get-Member cmdlet does not reveal base properties unless you use the -Force parameter.
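The two behaviors described above (an attribute with no value is silently absent from the result, and the base property propertyNames lists only what was actually returned) are easy to miss in a script. The following is an added example, not code from the original article or from the Active Directory module: a helper that requests a fixed list of attributes and reports each one as present or not set, so a missing value shows up as an explicit finding rather than a blank. The attribute names are ordinary LDAPDisplayNames, the account name "jdoe" is a placeholder, and the sample object at the end is a constructed stand-in for an ADUser so the helper can be run without a domain.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module only
# for the live query; the helper itself works on any object exposing a PropertyNames member.

# Attributes to request explicitly. Requesting named attributes rather than -Properties *
# keeps the query cheap and avoids the "first object decides the columns" behavior.
$requested = @('mail', 'pager', 'lastLogonTimestamp', 'msDS-User-Account-Control-Computed')

function Get-RequestedAttributeReport {
    param(
        [Parameter(Mandatory)] $Object,                 # an ADEntity, or any object with PropertyNames
        [Parameter(Mandatory)] [string[]] $Attribute    # LDAPDisplayNames that were requested
    )
    # The base property PropertyNames holds only the properties actually returned, so an
    # attribute the object has no value for is simply absent from it.
    $present = @($Object.PropertyNames)
    foreach ($name in $Attribute) {
        $hasValue = $present -contains $name
        [pscustomobject]@{
            Object    = $Object.Name
            Attribute = $name
            HasValue  = $hasValue
            Value     = if ($hasValue) { $Object.$name } else { $null }
        }
    }
}

# Live use (requires domain connectivity; 'jdoe' is a placeholder account):
#   $user = Get-ADUser -Identity 'jdoe' -Properties $requested
#   Get-RequestedAttributeReport -Object $user -Attribute $requested
#
# When several objects are retrieved, name the columns in Select-Object so that every
# object gets a 'pager' column even if the first object returned has no value for it:
#   Get-ADUser -Filter * -Properties pager | Select-Object Name, SamAccountName, pager

# Offline demonstration with a constructed stand-in for an ADUser object. The attributes
# that have no value are missing from PropertyNames, exactly as the cmdlet would return them.
$sample = [pscustomobject]@{
    Name          = 'Sample User'
    mail          = 'sample.user@example.com'
    PropertyNames = @('DistinguishedName', 'Name', 'ObjectClass', 'ObjectGUID',
                      'SamAccountName', 'SID', 'UserPrincipalName', 'mail')
}
Get-RequestedAttributeReport -Object $sample -Attribute $requested | Format-Table -AutoSize
```

The report lists mail as present and the other three as HasValue False, which is the distinction the cmdlet output itself does not make.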
Get-ADUser
The default properties retrieved by the Get-ADUser cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
Enabled | Boolean | RW | userAccountControl (bit mask Not 2) |
GivenName | String | RW | givenName |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
SamAccountName | String | RW | sAMAccountName |
SID | Sid | R | objectSID converted to string |
Surname | String | RW | sn |
UserPrincipalName | String | RW | userPrincipalName |
The default and extended properties retrieved by the Get-ADUser cmdlet are documented in the following Wiki article:
Active Directory: Get-ADUser Default and Extended Properties
Get-ADComputer
The default properties retrieved by the Get-ADComputer cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
DNSHostName | String | RW | dNSHostName |
Enabled | Boolean | RW | userAccountControl (bit mask Not 2) |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
SamAccountName | String | RW | sAMAccountName |
SID | Sid | R | objectSID converted to string |
UserPrincipalName | String | RW | userPrincipalName |
The default and extended properties retrieved by the Get-ADComputer cmdlet are documented in the following Wiki article:
Active Directory: Get-ADComputer Default and Extended Properties
Get-ADGroup
The default properties retrieved by the Get-ADGroup cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
GroupCategory | String | RW | groupType (bit mask 2147483648) |
GroupScope | String | RW | groupType (bit mask 1, 2, 4, or 8) |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
SamAccountName | String | RW | sAMAccountName |
SID | Sid | R | objectSID converted to string |
The default and extended properties retrieved by the Get-ADGroup cmdlet are documented in the following Wiki article:
Active Directory: Get-ADGroup Default and Extended Properties
Get-ADObject
The default properties retrieved by the Get-ADObject cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
Name | String | R | name (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
The default and extended properties retrieved by the Get-ADObject cmdlet are documented in the following Wiki article:
Active Directory: Get-ADObject Default and Extended Properties
Get-ADOrganizationalUnit
The default properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
City | String | RW | l |
Country | String | RW | c (2 character abbreviation) |
DistinguishedName | String (DN) | R | distinguishedName |
LinkedGroupPolicyObjects | ADCollection | R | gPLink |
ManagedBy | String (DN) | RW | managedBy |
Name | String | R | ou (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
PostalCode | String | RW | postalCode |
State | String | RW | st |
StreetAddress | String | RW | streetAddress |
The default and extended properties retrieved by the Get-ADOrganizationalUnit cmdlet are documented in the following Wiki article:
Active Directory: Get-ADOrganizationalUnit Default and Extended Properties
Get-ADGroupMember
The default properties retrieved by the Get-ADGroupMember cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
SamAccountName | String | RW | sAMAccountName |
SID | Sid | R | objectSID converted to string |
The Get-ADGroupMember cmdlet does not expose any extended properties, and does not support the -Properties parameter.
Get-ADPrincipalGroupMembership
The default properties retrieved by the Get-ADPrincipalGroupMembership cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
GroupCategory | String | RW | groupType (bit mask 2147483648) |
GroupScope | String | RW | groupType (bit mask 1, 2, 4, or 8) |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID, converted to string |
SamAccountName | String | RW | sAMAccountName |
SID | Sid | R | objectSID converted to string |
The Get-ADPrincipalGroupMembership cmdlet does not expose any extended properties, and does not support the -Properties parameter.
Get-ADForest
The default properties retrieved by the Get-ADForest cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.
Property | Syntax | R/RW | lDAPDisplayName |
ApplicationPartitions | ADCollection | R | DNs of application NCs |
CrossForestReferences | ADCollection | R | DNs of crossRef objects |
DomainNamingMaster | String | R | fSMORoleOwner of crossRefContainer object |
Domains | ADCollection | R | DNS names of domains |
ForestMode | String | RW | msDS-Behavior-Version of crossRefContainer object |
GlobalCatalogs | ADCollection | R | DNS names of GCs |
Name | String | R | DNS name of forest |
PartitionsContainer | String (DN) | R | DN of crossRefContainer object |
RootDomain | String | R | DNS name of root domain |
SchemaMaster | String | R | fSMORoleOwner of Schema Container |
Sites | ADCollection | R | Names of sites in cn=Sites container |
SPNSuffixes | ADCollection | RW | msDS-SPNSuffixes |
UPNSuffixes | ADCollection | RW | msDS-UPNSuffixes |
The Get-ADForest cmdlet does not expose any extended properties, and does not support the -Properties parameter.
Get-ADDomain
The default properties retrieved by the Get-ADDomain cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.
Property | Syntax | R/RW | lDAPDisplayName |
AllowedDNSSuffixes | ADCollection | RW | msDS-AllowedDNSSuffixes |
ChildDomains | ADCollection | R | dnsRoot of crossRef objects where trustParent is DN of domain |
ComputersContainer | String (DN) | R | DN of Computers container |
DeletedObjectsContainer | String (DN) | R | DN of Deleted Objects container |
DistinguishedName | String (DN) | R | distinguishedName |
DNSRoot | String | R | dnsRoot |
DomainControllersContainer | String (DN) | R | DN of Domain Controllers OU |
DomainMode | String | RW | msDS-Behavior-Version of domain NC root object |
DomainSID | Sid | R | objectSID converted to string |
ForeignSecurityPrincipalsContainer | String (DN) | R | DN of ForeignSecurityPrincipals container |
Forest | String | R | DNS name of forest |
InfrastructureMaster | String | R | fSMORoleOwner of Infrastructure container |
LastLogonReplicationInterval | Int64 | RW | msDS-LogonTimeSyncInterval |
LinkedGroupPolicyObjects | ADCollection | R | gPLink |
LostAndFoundContainer | String (DN) | R | DN of LostAndFound container |
ManagedBy | String (DN) | RW | managedBy |
Name | String | R | dc (Relative Distinguished Name) |
NetBIOSName | String | R | nETBIOSName of crossRef object |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
ParentDomain | String | R | dnsRoot of crossRef object where nCName is trustParent of domain crossRef |
PDCEmulator | String | R | fSMORoleOwner of Domain object |
QuotasContainer | String (DN) | R | DN of NTDS Quotas container |
ReadOnlyReplicaDirectoryServers | ADCollection | R | |
ReplicaDirectoryServers | ADCollection | R | |
RIDMaster | String | R | fSMORoleOwner of rIDManager class object |
SubordinateReferences | ADCollection | R | subRefs |
SystemsContainer | String (DN) | R | DN of Systems container |
UsersContainer | String (DN) | R | DN of Users container |
The Get-ADDomain cmdlet does not expose any extended properties, and does not support the -Properties parameter.
Get-ADDomainController
The default properties retrieved by the Get-ADDomainController cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on, or how it is determined.
Property | Syntax | R/RW | lDAPDisplayName |
ComputerObjectDN | String (DN) | R | distinguishedName |
DefaultPartition | String (DN) | R | DN of default partition |
Domain | String | R | DNS name of domain |
Enabled | Boolean | R | userAccountControl (bit mask Not 2) |
Forest | String | R | DNS name of forest |
HostName | String | R | dNSHostName |
InvocationId | Guid | R | invocationID of cn=NTDS Settings object |
IPv4Address | Ip | R/RW | |
IPv6Address | Ip | R/RW | |
IsGlobalCatalog | Boolean | R | options (bit mask 1) of nTDSDSA object |
IsReadOnly | Boolean | R | objectCategory of nTDSDSA object |
LdapPort | Int32 | R | |
Name | String | R | cn (Relative Distinguished Name) |
NTDSSettingsObjectDN | String (DN) | R | DN of NTDS Settings container |
OperatingSystem | String | R | operatingSystem |
OperatingSystemHotfix | String | R | operatingSystemHotFix |
OperatingSystemServicePack | String | R | operatingSystemServicePack |
OperatingSystemVersion | String | R | operatingSystemVersion |
OperationMasterRoles | ADCollection | R | FSMO roles |
Partitions | ADCollection | R | DNs of partitions in Partitions container |
ServerObjectDN | String (DN) | R | DN of object in Servers container |
ServerObjectGuid | Guid | R | objectGUID of object in Servers container |
Site | String | R/RW | Site container where server object resides |
SslPort | Int32 | R | |
The Get-ADDomainController cmdlet does not expose any extended properties, and does not support the -Properties parameter. Also, there is no Set-ADDomainController cmdlet.
Get-ADRootDSE
The default properties retrieved by the Get-ADRootDSE cmdlet are documented below. They are all attributes of the RootDSE object (Root Directory Service Entry). The RootDSE object is required of all LDAP-compliant directories and exposes properties characteristic of the directory. The column labeled "R/RW" documents whether the attribute is Read-Only (R) or Read-Write (RW). Two attributes are RW, but there is no Set-ADRootDSE cmdlet. The last column describes the attribute of the RootDSE object.
Attribute | Syntax | R/RW | Description |
configurationNamingContext | String (DN) | R | DN of Configuration Container |
currentTime | DateTime | R | Current Time on DC in UTC |
defaultNamingContext | String (DN) | R | DN of Domain of DC |
dnsHostName | String | R | DNS Address of DC |
domainControllerFunctionality | Integer | R | DC Functional Level |
domainFunctionality | Integer | R | Domain Functional Level |
dsServiceName | String (DN) | R | DN of NTDS Settings Object of DC |
forestFunctionality | Integer | R | Forest Functional Level |
highestCommittedUSN | Int64 | R | Highest USN on DC |
isGlobalCatalogReady | Boolean | RW | If GC Fully Operational |
isSynchronized | Boolean | RW | If DC Fully Synchronized |
ldapServiceName | String | R | SPN for LDAP Server |
namingContexts | ADCollection | R | DNs of all Naming Contexts |
rootDomainNamingContext | String (DN) | R | DN of Root Domain in Forest |
schemaNamingContext | String (DN) | R | DN of Schema Container |
serverName | String (DN) | R | DN of DC |
subschemaSubentry | String (DN) | R | DN of subSchema Object |
supportedCapabilities | ADCollection | R | Capabilities Supported by DC |
supportedControl | ADCollection | R | OIDs for Extension Controls |
supportedLDAPPolicies | ADCollection | R | Names of Supported Policies |
supportedLDAPVersion | Int32 | R | LDAP Versions Supported by DC |
supportedSASLMechanisms | ADCollection | R | Mechanisms Supported for SASL |
The Get-ADRootDSE cmdlet supports the -Properties parameter, but there is only one extended property. This is the supportedExtension attribute, a multi-valued (ADCollection) read-only attribute. The values are OIDs for supported extensions.
Search-ADAccount
The default properties retrieved by the Search-ADAccount cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on.
Property | Syntax | R/RW | lDAPDisplayName |
AccountExpirationDate | DateTime | RW | accountExpires, converted to local time |
DistinguishedName | String (DN) | R | distinguishedName |
Enabled | Boolean | RW | userAccountControl (bit mask Not 2) |
LastLogonDate | DateTime | R | lastLogonTimeStamp, converted to local time |
LockedOut | Boolean | RW | msDS-User-Account-Control-Computed (bit mask 16) |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID converted to string |
PasswordExpired | Boolean | RW | msDS-User-Account-Control-Computed (bit mask 8388608) (see Note 8) |
PasswordNeverExpires | Boolean | RW | userAccountControl (bit mask 32) |
SamAccountName | String | RW | sAMAccountName |
SID | Sid | R | objectSID converted to string |
UserPrincipalName | String | RW | userPrincipalName |
The Search-ADAccount cmdlet does not expose any extended properties, and does not support the -Properties parameter.
Get-ADOptionalFeature
The default properties retrieved by the Get-ADOptionalFeature cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on. The attributes are those of the Optional Feature objects, for example "cn=Recycle Bin Feature". These are objects of class msDS-OptionalFeature located in the container "cn=Optional Features,cn=Directory Service,cn=Windows NT,cn=Services,cn=Configuration,dc=mydomain,dc=com", where the domain is mydomain.com.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
EnabledScopes | ADCollection | R | DNs of Partitions |
FeatureGUID | GUID | R | msDS-OptionalFeatureGUID |
FeatureScope | ADCollection | R | msDS-OptionalFeatureFlags (bit masks 1, 2, and 8) |
IsDisableable | Boolean | R | msDS-OptionalFeatureFlags (bit mask 4) |
Name | String | R | name |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | GUID | R | objectGUID converted to string |
RequiredDomainMode | Integer | R | msDS-RequiredDomainBehaviorVersion |
RequiredForestMode | Integer | R | msDS-RequiredForestBehaviorVersion |
The default and extended properties retrieved by the Get-ADOptionalFeature cmdlet are documented in the following Wiki article:
Active Directory: Get-ADOptionalFeature Default and Extended Properties
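The Get-ADRootDSE and Get-ADOptionalFeature tables above together answer a common recovery-readiness question: is an optional feature such as the Recycle Bin enabled, and does the forest meet the functional level it requires? The following is an added example, not code from the original article or from the Active Directory module. It assumes that the live RequiredForestMode value casts to its integer functional level (the cmdlet returns an ADForestMode enumeration value) and that forestFunctionality from the RootDSE is the matching integer; the feature object at the end is a constructed stand-in so the check runs without a domain.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# only for the live queries shown in comments.

function Test-OptionalFeatureState {
    param(
        [Parameter(Mandatory)] $Feature,                   # output of Get-ADOptionalFeature, or a stand-in
        [Parameter(Mandatory)] [int] $ForestFunctionality  # forestFunctionality from Get-ADRootDSE
    )
    # EnabledScopes is an ADCollection (multi-valued attribute returned as an array).
    # An empty collection means the feature is not enabled anywhere.
    $scopes = @($Feature.EnabledScopes)
    # RequiredForestMode is an enumeration in live output; casting gives the numeric level
    # that the RootDSE reports in forestFunctionality (assumption stated in the lead-in).
    $required = [int]$Feature.RequiredForestMode
    [pscustomobject]@{
        Feature            = $Feature.Name
        Enabled            = ($scopes.Count -gt 0)
        EnabledScopes      = ($scopes -join '; ')
        RequiredForestMode = $required
        ForestMeetsLevel   = ($ForestFunctionality -ge $required)
    }
}

# Live use:
#   $rootDse = Get-ADRootDSE
#   $feature = Get-ADOptionalFeature -Filter { Name -eq 'Recycle Bin Feature' }
#   $state   = Test-OptionalFeatureState -Feature $feature -ForestFunctionality ([int]$rootDse.forestFunctionality)
#   if (-not $state.Enabled) { Write-Warning "Recycle Bin is not enabled; deleted objects cannot be fully restored." }

# Offline demonstration with a constructed stand-in for the feature object
$sampleFeature = [pscustomobject]@{
    Name               = 'Recycle Bin Feature'
    EnabledScopes      = @()          # constructed: not enabled anywhere
    RequiredForestMode = 4            # constructed: the numeric level the live enumeration casts to
}
Test-OptionalFeatureState -Feature $sampleFeature -ForestFunctionality 7 | Format-List
```

In the sample run Enabled is False while ForestMeetsLevel is True, which is the case where the feature could be turned on but has not been.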
Get-ADDefaultDomainPasswordPolicy
The default properties retrieved by the Get-ADDefaultDomainPasswordPolicy cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute that the property is based on. The attributes are those of a domain object, with class domainDNS.
Property | Syntax | R/RW | lDAPDisplayName |
ComplexityEnabled | Boolean | RW | pwdProperties (bit mask 1) |
DistinguishedName | String (DN) | R | distinguishedName |
LockoutDuration | TimeSpan | RW | lockoutDuration |
LockoutObservationWindow | TimeSpan | RW | lockoutObservationWindow |
LockoutThreshold | Integer | RW | lockoutThreshold |
MaxPasswordAge | TimeSpan | RW | maxPwdAge |
MinPasswordAge | TimeSpan | RW | minPwdAge |
MinPasswordLength | Integer | RW | minPwdLength |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID, converted to string |
PasswordHistoryCount | Integer | RW | pwdHistoryLength |
ReversibleEncryptionEnabled | Boolean | RW | pwdProperties (bit mask 16) |
The Get-ADDefaultDomainPasswordPolicy cmdlet does not expose any extended properties, and does not support the -Properties parameter.
The help for the Set-ADDefaultDomainPasswordPolicy cmdlet has incorrect or misleading information about the following parameters: ComplexityEnabled, LockoutDuration, LockoutObservationWindow, LockoutThreshold, MinPasswordLength, PasswordHistoryCount, and ReversibleEncryptionEnabled. The information in the table above is correct. In some cases the help states that the parameter assigns a value to a property with an lDAPDisplayName that begins with "msDS-". No attributes of domain objects have any such names. In other cases the help states that the parameter assigns a value to a property of a password policy, most likely referring to attributes of a Password Settings Object (PSO). The help is probably referring to similar parameters of the Set-ADFineGrainedPasswordPolicy cmdlet. The Set-ADDefaultDomainPasswordPolicy cmdlet only assigns values to attributes of domain objects, corresponding to the default domain password policy.
Get-ADFineGrainedPasswordPolicy
The default properties retrieved by the Get-ADFineGrainedPasswordPolicy cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute of the Fine-Grained Password Policy object that the property is based on. These are objects of class msDS-PasswordSettings located in the container "cn=Password Settings Container,cn=System,dc=mydomain,dc=com", where the domain is mydomain.com.
Property | Syntax | R/RW | lDAPDisplayName |
AppliesTo | ADCollection | RW | msDS-PSOAppliesTo |
ComplexityEnabled | Boolean | RW | msDS-PasswordComplexityEnabled |
DistinguishedName | String (DN) | R | distinguishedName |
LockoutDuration | TimeSpan | RW | msDS-LockoutDuration |
LockoutObservationWindow | TimeSpan | RW | msDS-LockoutObservationWindow |
LockoutThreshold | Integer | RW | msDS-LockoutThreshold |
MaxPasswordAge | TimeSpan | RW | msDS-MaximumPasswordAge |
MinPasswordAge | TimeSpan | RW | msDS-MinimumPasswordAge |
MinPasswordLength | Integer | RW | msDS-MinimumPasswordLength |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID, converted to string |
PasswordHistoryCount | Integer | RW | msDS-PasswordHistoryLength |
Precedence | Integer | RW | msDS-PasswordSettingsPrecedence |
ReversibleEncryptionEnabled | Boolean | RW | msDS-PasswordReversibleEncryptionEnabled |
The default and extended properties retrieved by the Get-ADFineGrainedPasswordPolicy cmdlet are documented in the following Wiki article:
Active Directory: Get-ADFineGrainedPasswordPolicy Default and Extended Properties
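Because Get-ADDefaultDomainPasswordPolicy and Get-ADFineGrainedPasswordPolicy expose the same property names for the settings that matter (compare the two tables above), one check can audit both the default domain policy and every PSO. The following is an added example, not code from the original article or from the Active Directory module. The baseline values are assumptions chosen for illustration, not a standard the article cites; the policy object at the end is a constructed stand-in so the check runs without a domain.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# only for the live queries shown in comments.

# Assumed baseline (illustrative values, not from the article)
$Baseline = @{
    MinPasswordLength           = 14
    PasswordHistoryCount        = 24
    LockoutThreshold            = 10     # 0 means account lockout is disabled
    MaxPasswordAgeDays          = 365
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}

function Test-PasswordPolicyBaseline {
    param([Parameter(Mandatory, ValueFromPipeline)] $Policy)
    process {
        # The default domain policy has no Name property (see its table); fall back to the DN.
        $label = if ($Policy.PSObject.Properties['Name']) { $Policy.Name } else { $Policy.DistinguishedName }

        # MaxPasswordAge is a TimeSpan. Treat zero or a negative sentinel as "never expires".
        $maxAge = [TimeSpan]$Policy.MaxPasswordAge
        $maxAgeDays = if ($maxAge -le [TimeSpan]::Zero) { [double]::PositiveInfinity } else { $maxAge.TotalDays }

        $checks = @(
            @{ Setting = 'MinPasswordLength';           Actual = $Policy.MinPasswordLength;           Pass = ($Policy.MinPasswordLength -ge $Baseline.MinPasswordLength) }
            @{ Setting = 'PasswordHistoryCount';        Actual = $Policy.PasswordHistoryCount;        Pass = ($Policy.PasswordHistoryCount -ge $Baseline.PasswordHistoryCount) }
            @{ Setting = 'LockoutThreshold';            Actual = $Policy.LockoutThreshold;            Pass = ($Policy.LockoutThreshold -gt 0 -and $Policy.LockoutThreshold -le $Baseline.LockoutThreshold) }
            @{ Setting = 'MaxPasswordAgeDays';          Actual = $maxAgeDays;                         Pass = ($maxAgeDays -le $Baseline.MaxPasswordAgeDays) }
            @{ Setting = 'ComplexityEnabled';           Actual = $Policy.ComplexityEnabled;           Pass = ([bool]$Policy.ComplexityEnabled -eq $Baseline.ComplexityEnabled) }
            @{ Setting = 'ReversibleEncryptionEnabled'; Actual = $Policy.ReversibleEncryptionEnabled; Pass = ([bool]$Policy.ReversibleEncryptionEnabled -eq $Baseline.ReversibleEncryptionEnabled) }
        )
        foreach ($c in $checks) {
            [pscustomobject]@{ Policy = $label; Setting = $c.Setting; Actual = $c.Actual; Pass = $c.Pass }
        }
    }
}

# Live use (default domain policy plus every PSO):
#   Get-ADDefaultDomainPasswordPolicy | Test-PasswordPolicyBaseline | Where-Object { -not $_.Pass }
#   Get-ADFineGrainedPasswordPolicy -Filter * | Test-PasswordPolicyBaseline | Where-Object { -not $_.Pass }

# Offline demonstration with a constructed stand-in for a default domain policy object
$samplePolicy = [pscustomobject]@{
    DistinguishedName           = 'DC=example,DC=com'
    MinPasswordLength           = 7
    PasswordHistoryCount        = 24
    LockoutThreshold            = 0
    MaxPasswordAge              = [TimeSpan]::FromDays(42)
    ComplexityEnabled           = $true
    ReversibleEncryptionEnabled = $false
}
$samplePolicy | Test-PasswordPolicyBaseline | Format-Table -AutoSize
```

With the constructed policy the MinPasswordLength and LockoutThreshold rows fail and the other four pass; LockoutThreshold of 0 fails because it means lockout is off, not because it is "below" the baseline.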
Get-ADServiceAccount
The default properties retrieved by the Get-ADServiceAccount cmdlet are documented below. The column labeled "R/RW" documents whether the property is Read-Only (R) or Read-Write (RW). The last column documents the Active Directory attribute of the Service Account object that the property is based on. These are objects of class msDS-ManagedServiceAccount located in the container "cn=Managed Service Accounts,dc=mydomain,dc=com", where the domain is mydomain.com.
Property | Syntax | R/RW | lDAPDisplayName |
DistinguishedName | String (DN) | R | distinguishedName |
Enabled | Boolean | RW | userAccountControl (bit mask Not 2) |
HostComputers | ADCollection | RW | msDS-HostServiceAccountBL |
Name | String | R | cn (Relative Distinguished Name) |
ObjectClass | String | R | objectClass, most specific value |
ObjectGUID | Guid | R | objectGUID, converted to string |
SamAccountName | String | RW | sAMAccountName |
SID | String | R | objectSID converted to string |
UserPrincipalName | String | RW | userPrincipalName |
The default and extended properties retrieved by the Get-ADServiceAccount cmdlet are documented in the following Wiki article:
Active Directory: Get-ADServiceAccount Default and Extended Properties
Notes
- The Get-Help cmdlet seems to indicate that the default properties distinguishedName, ObjectCategory, ObjectClass, and SID are read-write. However, the corresponding Active Directory attributes can only be modified by the system, so they are shown as Read-Only in the above tables. The same has been done for the DomainSID property of Get-ADDomain and the Domain and Forest properties of Get-ADDomainController.
- The Name property is revealed by the Get-Help cmdlet as Read-Only. This property cannot be modified directly. However, you can rename the object, which will modify the Name property. You can use the Rename-ADObject cmdlet to rename Active Directory objects.
- All properties based on the userAccountControl attribute in the tables above refer to a bit mask. The userAccountControl attribute is a 32-bit integer where each bit corresponds to a different setting. To check if a specific bit is set, you bitwise "AND" the userAccountControl value with the bit mask (the -band operator in PowerShell). A non-zero result means the bit is set.
- The Syntax "ADCollection" in the above tables means the corresponding Active Directory attribute is multi-valued. The Get-AD* cmdlets retrieve these properties as arrays.
- Some Active Directory attributes are not replicated to all Domain Controllers. A different value is saved on every Domain Controller. The AD module only retrieves these attributes from one Domain Controller. Use the -Server parameter to specify which Domain Controller.
- Some Active Directory attributes are operational (also called constructed). That means that the value is not actually saved in Active Directory, but is calculated on request based on other attributes. Most of these attributes, such as canonicalName and primaryGroupToken, can be retrieved by the AD modules. However, an error is raised if you attempt to retrieve the tokenGroups attribute.
- If you request the objectSID attribute, which is a byte array in Active Directory, the value is displayed in the familiar friendly format, beginning with the string "S-1-5-21". This is the only known case where the PowerShell AD cmdlets convert the value of an AD attribute (not a default or extended property) for display (implying that code is invoked).
- The Search-ADAccount cmdlet exposes the PasswordExpired property. This property can be retrieved, but you cannot filter on this property. Also, this cmdlet supports a -PasswordExpired parameter to retrieve accounts where the password is expired. However, the parameter does not work. In both cases, this is probably because the msDS-User-Account-Control-Computed attribute is operational.
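The bit-mask note and the Search-ADAccount note above combine naturally: the flags that Search-ADAccount cannot filter on, such as PasswordExpired, can be derived by retrieving userAccountControl and msDS-User-Account-Control-Computed with Get-ADUser -Properties and testing the bits with -band. The following is an added example, not code from the original article or from the Active Directory module. The flag values are the documented UF_* constants for the two attributes; the account names in the sample objects are constructed so the decoding can be run without a domain.

```powershell
# Added example (not from the original article). Requires the ActiveDirectory module
# only for the live query shown in comments.

# Bits of the stored userAccountControl attribute (documented UF_* constants)
$UacFlags = [ordered]@{
    ACCOUNTDISABLE     = 0x0002    # 2: the tables above express Enabled as "Not 2"
    PASSWD_NOTREQD     = 0x0020    # 32: a blank password is permitted
    NORMAL_ACCOUNT     = 0x0200    # 512
    DONT_EXPIRE_PASSWD = 0x10000   # 65536: the flag behind "password never expires"
}
# Bits of the operational msDS-User-Account-Control-Computed attribute (computed on request)
$ComputedFlags = [ordered]@{
    LOCKOUT          = 0x10        # 16
    PASSWORD_EXPIRED = 0x800000    # 8388608
}

function ConvertFrom-FlagBits {
    param([Parameter(Mandatory)] [int64] $Value, [Parameter(Mandatory)] $FlagTable)
    # -band isolates one bit; a non-zero result means that bit is set.
    foreach ($entry in $FlagTable.GetEnumerator()) {
        if (($Value -band $entry.Value) -ne 0) { $entry.Key }
    }
}

function Get-AccountFlagReport {
    param([Parameter(Mandatory, ValueFromPipeline)] $Account)
    process {
        # Both attributes must have been requested explicitly; a missing attribute reads as 0 here.
        $uac      = [int64]$Account.userAccountControl
        $computed = [int64]$Account.'msDS-User-Account-Control-Computed'
        [pscustomobject]@{
            SamAccountName  = $Account.SamAccountName
            Enabled         = (($uac -band $UacFlags.ACCOUNTDISABLE) -eq 0)
            PasswordExpired = (($computed -band $ComputedFlags.PASSWORD_EXPIRED) -ne 0)
            LockedOut       = (($computed -band $ComputedFlags.LOCKOUT) -ne 0)
            UacFlags        = ((ConvertFrom-FlagBits -Value $uac -FlagTable $UacFlags) -join ',')
        }
    }
}

# Live use: request both attributes by LDAPDisplayName, then filter client-side on the
# derived PasswordExpired value, which Search-ADAccount cannot filter on.
#   Get-ADUser -Filter 'Enabled -eq $true' -Properties userAccountControl, 'msDS-User-Account-Control-Computed' |
#       Get-AccountFlagReport | Where-Object { $_.PasswordExpired }

# Offline demonstration with constructed sample accounts
$samples = @(
    [pscustomobject]@{ SamAccountName = 'svc-sample';  userAccountControl = 0x10200; 'msDS-User-Account-Control-Computed' = 0 }
    [pscustomobject]@{ SamAccountName = 'user-sample'; userAccountControl = 0x0200;  'msDS-User-Account-Control-Computed' = 0x800010 }
    [pscustomobject]@{ SamAccountName = 'old-sample';  userAccountControl = 0x0202;  'msDS-User-Account-Control-Computed' = 0 }
)
$samples | Get-AccountFlagReport | Format-Table -AutoSize
```

In the sample run svc-sample is enabled with NORMAL_ACCOUNT and DONT_EXPIRE_PASSWD set, user-sample is enabled but both locked out and password-expired, and old-sample is disabled (bit 2 set).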
See Also
- Active Directory: Get-ADUser Default and Extended Properties
- Active Directory: Get-ADComputer Default and Extended Properties
- Active Directory: Get-ADGroup Default and Extended Properties
- Active Directory: Get-ADObject Default and Extended Properties
- Active Directory: Get-ADOrganizationalUnit Default and Extended Properties
- Active Directory: Get-ADServiceAccount Default and Extended Properties
- Active Directory: Get-ADOptionalFeature Default and Extended Properties
- Active Directory: Get-ADFineGrainedPasswordPolicy Default and Extended Properties
- Active Directory PowerShell Cmdlet Properties
- PowerShell Portal
- Wiki: Active Directory Domain Services (AD DS) Portal
- Wiki: Portal of TechNet Wiki Portals
- Active Directory: Glossary
Other Resources
- Active Directory Administration with Windows PowerShell
- Active Directory Cmdlets in Windows PowerShell
- What's New in AD DS: Active Directory Module for Windows PowerShell