Thursday, October 10, 2013

Get-ADUser and get their properties like all domain admins

In an effort to get a list of all domain administrator accounts, I did some digging into the Active Directory PowerShell module and found some very interesting applications. For instance, the following line returns all members of the Domain Admins AD group. Without -Recursive, members of nested groups are not expanded.

$alldomainadmins=Get-ADGroupMember -Identity "Domain Admins"

When you have a variable holding all the Domain Admins member objects, you can do some interesting filtering. For instance, you can get all domain admins whose distinguished name contains a certain string:

$alldomainadmins | Where-Object { $_.distinguishedName -like "*internal*" }

Another interesting application is searching for disabled accounts and reporting their logon count, like this:

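# Get-ADGroupMember also returns groups and computers; Get-ADUser accepts only users
foreach ($member in ($alldomainadmins | Where-Object { $_.objectClass -eq 'user' })) {
    # One lookup per member; logonCount and whenCreated are not returned by default
    $testuser = Get-ADUser -Identity $member -Properties logonCount, whenCreated
    # logonCount is not replicated, so it reflects only the domain controller queried
    if (-not $testuser.Enabled) {
        $testuser.Name + " = disabled and has logged on " + $testuser.logonCount + " times"
    }
}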
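
The disabled-account check above can be widened into a small review of privileged accounts. The following is an added example, not code from the original post; the function name Get-PrivilegedAccountFinding, the 90-day threshold and the sample accounts are assumptions made up for illustration.

```powershell
# Added example: flag privileged accounts that deserve a review.
function Get-PrivilegedAccountFinding {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [psobject]$User,
        [int]$StaleDays = 90,            # assumed review threshold
        [datetime]$Now = (Get-Date)
    )
    process {
        $findings = @()
        if (-not $User.Enabled) { $findings += 'disabled but still a group member' }
        if ($null -eq $User.LastLogonDate) {
            $findings += 'no recorded logon'
        }
        elseif (($Now - $User.LastLogonDate).TotalDays -gt $StaleDays) {
            # LastLogonDate comes from lastLogonTimestamp: replicated, but it can lag by about two weeks
            $findings += "no logon for more than $StaleDays days"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{
                Name        = $User.Name
                Enabled     = $User.Enabled
                LogonCount  = $User.logonCount
                WhenCreated = $User.whenCreated
                Findings    = $findings -join '; '
            }
        }
    }
}

# Constructed sample objects using the property names Get-ADUser returns
$sample = @(
    [pscustomobject]@{ Name = 'adm-alice'; Enabled = $true;  logonCount = 412; whenCreated = [datetime]'2010-03-01'; LastLogonDate = [datetime]'2013-10-08' }
    [pscustomobject]@{ Name = 'adm-bob';   Enabled = $false; logonCount = 37;  whenCreated = [datetime]'2009-06-15'; LastLogonDate = [datetime]'2012-01-20' }
    [pscustomobject]@{ Name = 'svc-old';   Enabled = $true;  logonCount = 0;   whenCreated = [datetime]'2008-11-02'; LastLogonDate = $null }
)
$sample | Get-PrivilegedAccountFinding -Now ([datetime]'2013-10-10') | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module); -Recursive expands nested groups:
# Get-ADGroupMember -Identity "Domain Admins" -Recursive |
#     Where-Object { $_.objectClass -eq 'user' } |
#     Get-ADUser -Properties logonCount, whenCreated, LastLogonDate |
#     Get-PrivilegedAccountFinding
```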
 
You should have a go and play around with the Get-AD* cmdlets; they are very powerful!

Have fun, till next time





