Get-ADUser -Identity doesn't support UPN or forest functionality?

Question

Get-ADUser -Identity doesn't support UPN or forest functionality?

Greg Corey 21

I was very surprised to discover that the -Identity switch for "Get-ADUser" doesn't support UPN. It already supports GUID and SID in addition to DistinguishedName and sAMAccountName. Is there a plan to add support for UPN?

Also, is there really no way to do a forest search with Get-ADUser? Couldn't you add a -Forest flag or detect the correct domain in the forest based on the "DC=" elements of DN or the user SID sans RID (or the search base if specified)?

Something like this works -- but seems crazy. Am I missing something?
get-adforest | select -ExpandProperty Domains | % { Try { get-aduser -server $_ -identity "someuser" } catch {} }

Accepted answer

1 additional answer

Your answer

Answer 1

Rich Matheisen 47,901

You can use a Global Catalog server to search the entire forest. Use the -Server parameter and add ":3268" (the GC port number) at the end of the server name.

For example:

Get-ADUser -Identity "someuser" -Server GCServerName:3268

To use the UPN instead of using the -Identity parameter and being restricted to using a DN, GUID, SID, or sAMAccountName, use -Filter instead. The drawback to using -Filter is that if it fails to find a match it won't throw an exception so you have to check to see if there was anything returned instead of relying on "-ErrorAction Stop" and Try/Catch.

Evgenij Smirnov 541 Reputation points

2020-11-26T20:22:24.763+00:00

I would not necessarily see not throwing an exception as a drawback, though. Catching an exception is usually a relatively pricey operation, resources-wise.
Rich Matheisen 47,901 Reputation points

2020-11-26T20:43:22.39+00:00

I mentioned that because his code sample was using Try/Catch. :-)
Greg Corey 21 Reputation points

2020-11-30T21:02:02.6+00:00
Rich, that's a great workaround, thank you. It doesn't work to find sAMAccountName results outside of the domain (using "-Identity"), but it does work with a DN.

I'll post enhancement requests on UserVoice as Ian suggested as I feel UPN should be a supported -Identity value and forest queries shouldn't require you to specify a server or the GC port.

This isn't user friendly:

Get-ADDomainController -Discover -Service "GlobalCatalog" | % { $myGC = "$_"; $myGC += ':3268'; get-aduser -filter "name -eq 'administrator'" -server "$myGC" }

And this doesn't get the "administrator" account outside of the current domain:

Get-ADDomainController -Discover -Service "GlobalCatalog" | % { $myGC = "$_"; $myGC += ':3268'; get-aduser -Identity 'administrator' -server "$myGC" }

Answer 2

Anonymous

Hi @Greg Corey ,

You can submit your feedback over here
https://windowsserver.uservoice.com/forums/301869-powershell

Best Regards，
Ian

============================================

If the Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.

Share via

Get-ADUser -Identity doesn't support UPN or forest functionality?

1 additional answer

Your answer