Public/Get-UserADDetails.ps1
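function Get-UserADDetails {
    <#
    .SYNOPSIS
        Retrieves comprehensive Active Directory details for a user.
    .DESCRIPTION
        Queries Active Directory for a single user and returns account properties
        including status, password info, group memberships, direct reports, and
        organizational data. Manager, group and direct-report DNs are resolved to
        friendly names; when a DN cannot be resolved (stale link, cross-domain
        object, insufficient rights) the CN component of the DN is used instead,
        or the raw DN if no CN can be extracted.
    .PARAMETER Identity
        User identifier: SAMAccountName, UPN, email address, or display name.
        Resolved via Resolve-UserIdentity before the AD lookup.
    .OUTPUTS
        PSCustomObject with full AD account details. MemberOf and DirectReports
        are always arrays (possibly empty), sorted by name.
    .EXAMPLE
        Get-UserADDetails -Identity "jsmith"
    .EXAMPLE
        Get-UserADDetails -Identity "john.smith@contoso.com"
    .NOTES
        Requires the ActiveDirectory module (Get-ADUser, Get-ADGroup).
        The output carries account-status and password metadata plus the
        free-text Description attribute; handle it as sensitive data.
        Throws when the user cannot be read from AD.
    #>
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, Position = 0, ValueFromPipeline, ValueFromPipelineByPropertyName)]
        [ValidateNotNullOrEmpty()]
        [string]$Identity
    )

    begin {
        # Properties beyond the Get-ADUser defaults. Hoisted into begin so
        # pipeline input does not rebuild the list for every object.
        $adProps = @(
            'SamAccountName', 'UserPrincipalName', 'DisplayName', 'Mail', 'Title',
            'Department', 'Manager', 'physicalDeliveryOfficeName', 'DistinguishedName',
            'Enabled', 'LockedOut', 'PasswordLastSet', 'PasswordExpired',
            'PasswordNeverExpires', 'LastLogonDate', 'WhenCreated', 'MemberOf',
            'DirectReports', 'AccountExpirationDate', 'Description'
        )

        # Extract the CN value from a distinguished name. Backslash-escaped
        # characters (e.g. "CN=Smith\, John,OU=...") are kept as part of the CN
        # instead of truncating at the escaped comma; the escape sequences are
        # returned verbatim. Returns the raw DN when no CN prefix is present.
        function Get-CNFromDN {
            param([string]$DN)
            if ($DN -match '^CN=((?:\\.|[^,\\])+)') {
                return $Matches[1]
            }
            return $DN
        }

        # Resolve a list of DNs to friendly names using the supplied lookup
        # scriptblock (takes one DN, returns one name, must throw on failure).
        # Unresolvable DNs fall back to their CN. Always returns a sorted array,
        # even for zero or one entries.
        function Resolve-DNList {
            param(
                [string[]]$DNs,
                [scriptblock]$Lookup
            )
            $names = @(
                foreach ($dn in $DNs) {
                    # Guard against empty entries (e.g. a null collection cast to string[]).
                    if ([string]::IsNullOrEmpty($dn)) { continue }
                    try {
                        & $Lookup $dn
                    }
                    catch {
                        Write-Verbose "Could not resolve DN, using CN instead: $dn"
                        Get-CNFromDN -DN $dn
                    }
                }
            )
            # Wrap in @(): "$x | Sort-Object" alone collapses a single item to a scalar.
            return @($names | Sort-Object)
        }
    }

    process {
        # Resolve identity to a consistent user object (throws if not found).
        $resolved = Resolve-UserIdentity -Identity $Identity
        Write-Verbose "Resolved user: $($resolved.SAMAccountName) ($($resolved.DisplayName))"

        # Fetch the full set of AD properties in one query.
        try {
            $adUser = Get-ADUser -Identity $resolved.SAMAccountName -Properties $adProps -ErrorAction Stop
        }
        catch {
            throw "Failed to retrieve AD details for $($resolved.SAMAccountName): $($_.Exception.Message)"
        }

        # Manager: DN -> display name; fall back to the CN (or raw DN) on failure.
        $managerName = $null
        if ($adUser.Manager) {
            try {
                $mgr = Get-ADUser -Identity $adUser.Manager -Properties DisplayName -ErrorAction Stop
                $managerName = $mgr.DisplayName
            }
            catch {
                Write-Warning "Could not resolve manager DN: $($adUser.Manager)"
                $managerName = Get-CNFromDN -DN $adUser.Manager
            }
        }

        # Group memberships and direct reports: resolved per DN, CN fallback,
        # always returned as sorted arrays.
        $groupNames = Resolve-DNList -DNs $adUser.MemberOf -Lookup {
            param($dn)
            (Get-ADGroup -Identity $dn -ErrorAction Stop).Name
        }
        $directReportNames = Resolve-DNList -DNs $adUser.DirectReports -Lookup {
            param($dn)
            (Get-ADUser -Identity $dn -Properties DisplayName -ErrorAction Stop).DisplayName
        }

        [PSCustomObject]@{
            SAMAccountName        = $adUser.SamAccountName
            UPN                   = $adUser.UserPrincipalName
            DisplayName           = $adUser.DisplayName
            Email                 = $adUser.Mail
            Title                 = $adUser.Title
            Department            = $adUser.Department
            Manager               = $managerName
            Office                = $adUser.physicalDeliveryOfficeName
            DistinguishedName     = $adUser.DistinguishedName
            Enabled               = $adUser.Enabled
            LockedOut             = $adUser.LockedOut
            PasswordLastSet       = $adUser.PasswordLastSet
            PasswordExpired       = $adUser.PasswordExpired
            PasswordNeverExpires  = $adUser.PasswordNeverExpires
            LastLogonDate         = $adUser.LastLogonDate
            Created               = $adUser.WhenCreated
            MemberOf              = $groupNames
            DirectReports         = $directReportNames
            AccountExpirationDate = $adUser.AccountExpirationDate
            Description           = $adUser.Description
        }
    }
}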