In this article, you will learn how to search Active Directory to find AD objects such as users, computers, OUs, and groups. There are several options for searching AD: you can use the built-in Active Directory Users and Computers console (ADUC), PowerShell, or third-party tools. In this guide, I’ll show you examples of all three.
Search Active Directory using ADUC Console
1. Click the find icon
Using Active Directory Users and Computers, click the Find icon.
2. Select the object type
In the Find drop-down, select the object type you want to search for. In this example, I’m going to search for specific user accounts and select from the entire directory. If you want to search in a specific container or OU, click the Browse button.
3. Enter keywords to search
In the fields provided (depending on what object you selected) enter the keywords you want to search and click the Find Now button. In my example, I’m looking for all the users that have Smith in their name. I entered smith in the Name: field and clicked the Find Now button.
Example 2: Search Active Directory for OUs
In this second example, I’m searching for all Organizational Units that start with the letters “mar”. I select Organizational Units in the Find Box, enter “mar” in the Name: field and click Find Now. My search returned three OUs that contain the words mar.
Example 3: Custom Active Directory Search
The custom search allows you to search within an object for very specific details, such as City, State, Zip, address, and basically any field that exists in an object. Common queries are a quick and easy way to find disabled accounts, non-expiring passwords, and accounts that have not been logged into for a certain amount of time.
In this example, I’m going to search for users
With the find object window open, select custom search -> Field -> “User” and then “City”.
You can see from the above screenshot all the different fields from the User object that you can select and use in your search.
In the conditions field select “starts with” and in the value field enter “spr”.
This will show all the users whose City field starts with “spr”. You could also set the condition to “Is (exactly)” and enter the complete city name in the value field.
You can verify the results by opening one of the search results and then clicking the Address tab.
Example 4: Find All Disabled Accounts using Common Queries
In this example, I’ll show you how to find disabled users in AD using the built-in common queries.
Select “common queries” from the find drop-down menu. Then click the box for disabled accounts and click the “find now” button.
My search found 15 accounts that are disabled.
Example 5: Search Active Directory for non-expiring passwords using Common Queries
In this example, I’ll show you how to find user accounts that have non-expiring passwords. This can be a major security risk, and it is important to find and review them.
Click the box that says “Non expiring passwords” and click the “find now” button.
My search returned 8 accounts where the password was set to not expire. I would recommend running this search in your AD environment and identifying any accounts that are set to not expire. Your users should not be set up with non-expiring passwords; these are typically only used for service accounts.
Example 6: Find Accounts that have not logged in for 30 days
Select “30 days” from the days since last logon drop-down and click “Find Now”.
You can see from the drop-down that you can select 30, 60, 90, 120 or 180. I would recommend searching for accounts that have not logged in for 90 days or more and verifying the accounts are still valid. You may be surprised as to how many accounts are in your domain that have never logged on.
My search returned two accounts that have not been logged into for 30 days.
Search Active Directory Using PowerShell
PowerShell is a great option to search AD to find users, computers, groups and other objects. Below are the commands and links to the various PowerShell cmdlets for searching AD.
- Get-ADUser – This command is used to search for AD user accounts. In this article, I provide ten different examples of how to search AD for user accounts.
- Get-ADComputer – This command is used to search Active Directory for computer accounts.
- Get-ADGroup – Search for single or multiple AD groups. I provide several examples in this article, including how to run a wildcard search.
- Get-ADGroupMember – Gets members of an Active Directory group. I break down the steps to search for a group and display the group members. I also show you how to export the results to a CSV file.
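The three common queries shown in the ADUC section (disabled accounts, non-expiring passwords, days since last logon) can be combined into one review report with Get-ADUser, so that an account that is enabled, stale and set to never expire stands out in a single row. This is an added example, not code from the original article; the function name `Get-AccountReviewFlag`, the output file name and the sample accounts are assumptions made for illustration.

```powershell
# Added example: one row per account that matches any of the ADUC common queries.
# Get-AccountReviewFlag and the sample accounts below are hypothetical names.
function Get-AccountReviewFlag {
    param(
        [Parameter(Mandatory, ValueFromPipeline)] $User,
        [int] $InactiveDays = 90
    )
    begin { $cutoff = (Get-Date).AddDays(-$InactiveDays) }
    process {
        $flags = @()
        if (-not $User.Enabled)         { $flags += 'Disabled' }
        if ($User.PasswordNeverExpires) { $flags += 'PasswordNeverExpires' }
        if ($null -eq $User.LastLogonDate) {
            $flags += 'NeverLoggedOn'
        } elseif ($User.LastLogonDate -lt $cutoff) {
            $flags += "Inactive${InactiveDays}d"
        }
        if ($flags.Count -gt 0) {
            [pscustomobject]@{
                SamAccountName = $User.SamAccountName
                Enabled        = $User.Enabled
                LastLogonDate  = $User.LastLogonDate
                Flags          = $flags -join ';'
            }
        }
    }
}

if (Get-Module -ListAvailable -Name ActiveDirectory) {
    # Live query. LastLogonDate is derived from lastLogonTimestamp, which
    # replicates lazily, so treat it as accurate to within about two weeks.
    $users = Get-ADUser -Filter * -Properties Enabled, PasswordNeverExpires, LastLogonDate
} else {
    # Constructed sample objects so the logic can be tried without a domain.
    $users = @(
        [pscustomobject]@{ SamAccountName='jsmith';   Enabled=$true;  PasswordNeverExpires=$false; LastLogonDate=(Get-Date).AddDays(-3) }
        [pscustomobject]@{ SamAccountName='svc-scan'; Enabled=$true;  PasswordNeverExpires=$true;  LastLogonDate=(Get-Date).AddDays(-200) }
        [pscustomobject]@{ SamAccountName='old-temp'; Enabled=$false; PasswordNeverExpires=$false; LastLogonDate=$null }
        [pscustomobject]@{ SamAccountName='mmarsh';   Enabled=$true;  PasswordNeverExpires=$false; LastLogonDate=(Get-Date).AddDays(-120) }
    )
}
$users | Get-AccountReviewFlag -InactiveDays 90 |
    Sort-Object Flags, SamAccountName |
    Export-Csv -Path .\account-review.csv -NoTypeInformation
```

With the constructed sample, `jsmith` is omitted and the other three accounts are written to the CSV with their flags.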
As you can see, searching Active Directory is pretty easy using the Active Directory Users and Computers console, but it does have its limitations. For more advanced searches and to quickly export AD objects, I recommend looking at the PowerShell cmdlets I listed.
I hope you enjoyed this article. If you have questions or comments, please leave a comment.