Get-ADServiceAccount

Get one or more Active Directory service accounts.

Syntax
      Get-ADServiceAccount [-Identity] ADServiceAccount
         [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
            [-Partition string] [-Properties string[]]
               [-Server string] [CommonParameters]

      Get-ADServiceAccount -Filter string [-ResultPageSize int]
         [-ResultSetSize Int32] [-SearchBase string]
            [-SearchScope {Base | OneLevel | Subtree}]
               [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                  [-Partition string] [-Properties string[]]
                     [-Server string] [CommonParameters]

      Get-ADServiceAccount -LDAPFilter string [-ResultPageSize int]
         [-ResultSetSize Int32] [-SearchBase string]
            [-SearchScope {Base | OneLevel | Subtree}]
               [-AuthType {Negotiate | Basic}] [-Credential PSCredential]
                  [-Partition string] [-Properties string[]]
                     [-Server string] [CommonParameters]

Key
   -AuthType {Negotiate | Basic}
       The authentication method to use: Negotiate (or 0), Basic (or 1)
       A Secure Sockets Layer (SSL) connection is required for Basic authentication.

   -Credential PSCredential
       A user account that has permission to perform this action.
       The default is the current user unless the cmdlet is run from an AD PowerShell provider drive
       in which case the account associated with the drive is the default.

       Specify a user name such as "MSAccount64" or "Domain01\MSAccount64", or a PSCredential object.

   -Filter string
       A query string that retrieves Active Directory objects.
       This string uses the PowerShell Expression Language syntax:

       filter ::= "{" FilterComponentList"}"
       FilterComponentList ::= FilterComponent | FilterComponent JoinOperator FilterComponent | NotOperator FilterComponent
       FilterComponent ::= attr FilterOperator value | "(" FilterComponent")"
       FilterOperator ::= "-eq" | "-le" | "-ge" | "-ne" | "-lt" | "-gt"| "-approx" | "-bor" | "-band" | "-recursivematch" | "-like" | "-notlike"
       JoinOperator ::= "-and" | "-or"
       NotOperator ::= "-not"
       attr ::= PropertyName | LDAP_Name_of_the_attribute
       value::= <compare this value with an attr by using the specified FilterOperator>

   -Identity ADServiceAccount
       An AD service account object, specified with one of the following values.
       (The identifier in parentheses is the LDAP provider name for the attribute.)

          Distinguished Name 
            Example: CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=SS64,DC=com
          GUID (objectGUID) 
            Example: 599c3d2e-f72d-4d20-8a88-030d99495f20
          Security Identifier (objectSid) 
            Example: S-1-5-21-3165297888-301567370-576410423-1103
          Security Accounts Manager (SAM) Account Name (sAMAccountName)
            Example: WebAccount$

       The cmdlet searches the default naming context or partition to find the object.
       If two or more objects are found, the cmdlet returns a non-terminating error.

       This parameter can also get this object through the pipeline or you can set this
       parameter to an object instance.

       This example shows how to set the parameter to a distinguished name.
          -Identity  "CN=WebAccount,CN=ManagedServiceAccounts,DC=corp,DC=SS64,DC=com"

       This example shows how to set this parameter to a service account object instance named "accountInstance".
          -Identity $accountInstance

   -LDAPFilter string
       An LDAP query string that is used to filter AD objects.
       Use this parameter to run existing LDAP queries. 
       See also Help about_ActiveDirectory_Filter.

       For example, to search an OU for names beginning with "sara":
       -LDAPFilter "(name=sara*)" -SearchScope Subtree -SearchBase "DC=demo,DC=SS64,DC=com"

   -Partition string
       The distinguished name of an AD partition.
       string must be one of the naming contexts on the current directory server.
       The cmdlet searches this partition to find the object defined by the -Identity parameter. 
       Examples:
         -Partition "CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
         -Partition "CN=Schema,CN=Configuration,DC=Europe,DC=Test,DC=SS64,DC=com"
          
       In many cases, a default value will be used for -Partition if no value is specified.

   -Properties string[]
       The properties of the output object to retrieve from the server (comma-separated list).
       Use this parameter to retrieve properties that are not included in the default set.

       To discover the properties available, use Get-Member.
       To display all of the attributes that are set on the object, specify * (asterisk).

       Specify the property name or, for non-default/extended properties, the LDAP provider name of the attribute.

   -ResultPageSize int
       The number of objects to include in each page for an AD Domain Services query.
       default = 256

   -ResultSetSize Int32
       The maximum number of objects to return for an AD Domain Services query.
       To receive all objects, set this to $null. Ctrl+C stops the query and the return of objects.
       default = $null.

   -SearchBase string
       An Active Directory path to search under.
       e.g.
       -SearchBase "ou=training,dc=demo,dc=ss64,dc=com"

   -SearchScope
       The scope of an AD search.
       Possible values for this parameter are:
       Base or 0        Search only the current path or object.
       OneLevel or 1    Search the immediate children
       Subtree or 2     Search the current path/object and all children

   -Server string
       The AD Domain Services instance to connect to. This may be a fully qualified domain name,
       NetBIOS name, or fully qualified directory server name (with or without port number).

       Examples: demo.SS64.com  demo  demoDC02.demo.ss64.com  demoDC02.demo.ss64.com:3268

Get-ADServiceAccount gets a service account or performs a search to retrieve multiple service accounts.

The -Identity parameter specifies the AD service account to get. Identify a service account by its distinguished name (DN), GUID, security identifier (SID), or Security Accounts Manager (SAM) account name. Alternatively, set the parameter to a service account object variable, or pass a service account object through the pipeline.

To search for and retrieve more than one service account, use the -Filter or -LDAPFilter parameters.

Examples

Retrieve the service account with the samAccountName 'SS64':

PS C:\> Get-ADServiceAccount -Identity SS64

Retrieve the Service account with a given SID:

PS C:\> Get-ADServiceAccount -Identity S-1-5-21-169507390-2970359163-3438059097-29772

Find the service accounts installed on the computer "CN=Server64,DC=SS64,DC=com":

PS C:\> Get-ADServiceAccount -Filter {HostComputers -eq "CN=Server64,DC=SS64,DC=com"}
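Inventory the managed service accounts in a domain for a security review, combining -Filter, -Properties, -SearchBase and -Server. This is an added example, not part of the original page. The function name Get-ServiceAccountInventory is hypothetical, the PrincipalsAllowedToRetrieveManagedPassword and PasswordLastSet properties are not listed on this page, and the "Unassigned" flag is an illustrative heuristic:

```powershell
# Added example: list every managed service account with the details a
# reviewer needs (where it is hosted, who can read its password, its SPNs).
# Requires the ActiveDirectory module; the function name is hypothetical.
function Get-ServiceAccountInventory {
    [CmdletBinding()]
    param(
        [string]$SearchBase,   # optional container/OU DN to search under
        [string]$Server        # optional domain or domain controller to query
    )

    Import-Module ActiveDirectory -ErrorAction Stop

    # Properties outside the default set must be requested with -Properties.
    $query = @{
        Filter     = '*'
        Properties = 'HostComputers', 'ServicePrincipalNames', 'PasswordLastSet',
                     'PrincipalsAllowedToRetrieveManagedPassword'
    }
    if ($SearchBase) { $query.SearchBase = $SearchBase; $query.SearchScope = 'Subtree' }
    if ($Server)     { $query.Server = $Server }

    Get-ADServiceAccount @query | ForEach-Object {
        # Drop $null so an unset property counts as zero entries, not one.
        $hosts   = @($_.HostComputers | Where-Object { $_ })
        $readers = @($_.PrincipalsAllowedToRetrieveManagedPassword | Where-Object { $_ })
        $spns    = @($_.ServicePrincipalNames | Where-Object { $_ })

        [pscustomobject]@{
            SamAccountName  = $_.SamAccountName
            ObjectClass     = $_.ObjectClass
            Enabled         = $_.Enabled
            PasswordLastSet = $_.PasswordLastSet
            SPNCount        = $spns.Count
            HostComputers   = $hosts -join '; '
            PasswordReaders = $readers -join '; '
            # Heuristic: no host computer and no principal allowed to retrieve
            # the password suggests the account is unused and can be reviewed.
            Unassigned      = ($hosts.Count -eq 0 -and $readers.Count -eq 0)
        }
    }
}

# Show accounts that nothing appears to use, then the full inventory.
$inventory = Get-ServiceAccountInventory
$inventory | Where-Object Unassigned | Format-Table SamAccountName, ObjectClass, Enabled
$inventory | Sort-Object ObjectClass, SamAccountName | Format-Table -AutoSize
```

Pass -SearchBase with a container DN, or -Server with a domain controller name, to scope the inventory in the same way as the parameters described above.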

“Then I came up with this crazy idea just to walk out on the stage with no band at all and just start singing whatever came to mind. I actually fought the idea for a while because it seemed almost too radical, but it became obvious what I was supposed to be doing” ~ Bobby McFerrin

Related PowerShell Cmdlets

Set-adServiceAccount - Modify an AD service account.
Get-adComputerServiceAccount - Get the service accounts that are hosted by an AD computer.
Active Directory Management Gateway Service - Required to manage AD Domain Services with PowerShell.
docs.microsoft.com - Configure Standalone and Group Managed Service Accounts.


 
Copyright © 1999-2024 SS64.com
Some rights reserved