powershell ad export

At some point in every Windows admin’s career, you’ll be asked one of the following:

  • “Can you give me a list of all users in AD?”
  • “Which accounts are disabled?”
  • “Who has passwords that never expire?”
  • “Can we get this in Excel… by today?”

Manually clicking through Active Directory Users and Computers works for maybe ten users. After that, it becomes slow, inconsistent, and prone to mistakes. This is where PowerShell becomes non-negotiable.

Exporting Active Directory users to CSV using PowerShell isn’t just faster—it’s repeatable, auditable, and scalable. Once you’ve built a few solid scripts, you’ll never go back to manual exports again.

This guide walks through practical, production-tested PowerShell techniques for exporting AD users to CSV—based on how this task is actually done in real enterprise environments.


Prerequisites: What You Need Before You Start

Before running any of the commands below, ensure the following:

  • You are running PowerShell as Administrator
  • The Active Directory module is installed
    • Installed by default on domain controllers
    • Available via RSAT on workstations and servers
  • Your account has read permissions in Active Directory

You can verify the AD module is available with:

Get-Module -ListAvailable ActiveDirectory

If that returns nothing, RSAT isn’t installed—and none of the commands below will work.


The Foundation: Understanding Get-ADUser Exports

The core command you’ll use for almost every AD export is:

Get-ADUser

By default, this cmdlet:

  • Returns only a small subset of attributes
  • Does not include many fields admins expect (Department, Manager, etc.)

This is a common stumbling point. If an attribute isn’t explicitly requested, it won’t appear in your CSV—even if it exists in AD.


Basic Export: All AD Users to CSV

Here’s a clean, practical starting point that works in most environments:

Get-ADUser -Filter * -Properties DisplayName, SamAccountName, UserPrincipalName, Enabled, Department, Title |
Select-Object DisplayName, SamAccountName, UserPrincipalName, Enabled, Department, Title |
Export-Csv "C:\Exports\All_AD_Users.csv" -NoTypeInformation -Encoding UTF8

Why This Works Well

  • Avoids loading unnecessary attributes
  • Produces a clean CSV that opens correctly in Excel
  • Exports only fields admins actually care about

Real-World Tip

Avoid using -Properties * unless you genuinely need every attribute. In large domains, it significantly slows performance.


Exporting Users from a Specific OU

In real environments, you’re often asked for department-specific exports, not the entire domain.

Get-ADUser -Filter * `
  -SearchBase "OU=Sales,OU=Users,DC=domain,DC=local" `
  -Properties DisplayName, Mail, Department |
Select DisplayName, Mail, Department |
Export-Csv "C:\Exports\Sales_Users.csv" -NoTypeInformation

When This Is Used

  • Department audits
  • Access reviews
  • HR-driven reporting

Common Mistake

If your CSV comes out empty, double-check the OU distinguished name. One missing OU level breaks the query.


Exporting Disabled User Accounts (Security Gold)

Disabled accounts are one of the most overlooked security risks in Active Directory.

Get-ADUser -Filter 'Enabled -eq $False' `
  -Properties DisplayName, SamAccountName |
Select DisplayName, SamAccountName |
Export-Csv "C:\Exports\Disabled_Users.csv" -NoTypeInformation

Why This Matters

  • Disabled accounts often linger for years
  • They’re frequently re-enabled without proper review
  • Auditors love asking for this list

In mature environments, this export is often scheduled weekly.
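
A weekly export becomes a detection control once consecutive runs are compared. The following added example (not part of the original article) diffs two exports and flags accounts that dropped off the disabled list; the sample rows are constructed and the function name Compare-DisabledExport is hypothetical.

```powershell
# Constructed sample data standing in for two weekly Disabled_Users exports.
# In practice, load the real files with Import-Csv instead.
$lastWeek = @'
"DisplayName","SamAccountName"
"Alice Example","aexample"
"Bob Sample","bsample"
"Carol Test","ctest"
'@ | ConvertFrom-Csv

$thisWeek = @'
"DisplayName","SamAccountName"
"Alice Example","AEXAMPLE"
"Dave Demo","ddemo"
'@ | ConvertFrom-Csv

function Compare-DisabledExport {
    param(
        [AllowEmptyCollection()] [object[]] $Previous = @(),
        [AllowEmptyCollection()] [object[]] $Current  = @()
    )
    # PowerShell hashtables compare keys case-insensitively, like sAMAccountName.
    $prev = @{}; foreach ($u in $Previous) { $prev[$u.SamAccountName] = $u }
    $curr = @{}; foreach ($u in $Current)  { $curr[$u.SamAccountName] = $u }

    foreach ($name in $prev.Keys) {
        if (-not $curr.ContainsKey($name)) {
            # Gone from the disabled list: re-enabled or deleted. Needs review.
            [PSCustomObject]@{
                SamAccountName = $name
                DisplayName    = $prev[$name].DisplayName
                Change         = 'No longer disabled'
            }
        }
    }
    foreach ($name in $curr.Keys) {
        if (-not $prev.ContainsKey($name)) {
            [PSCustomObject]@{
                SamAccountName = $name
                DisplayName    = $curr[$name].DisplayName
                Change         = 'Newly disabled'
            }
        }
    }
}

Compare-DisabledExport -Previous $lastWeek -Current $thisWeek |
    Sort-Object Change, SamAccountName |
    Format-Table -AutoSize
```

Each "No longer disabled" row should map to an approved change; an account with no matching request is the one to investigate first.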


Exporting Users with Passwords That Never Expire

From a security perspective, this is one of the highest-risk configurations you’ll find.

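# DisplayName is not returned by default, so request it alongside PasswordNeverExpires
Get-ADUser -Filter * -Properties DisplayName, PasswordNeverExpires |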
Where-Object { $_.PasswordNeverExpires -eq $true } |
Select DisplayName, SamAccountName |
Export-Csv "C:\Exports\Password_Never_Expires.csv" -NoTypeInformation

Real-World Insight

In nearly every environment I’ve audited:

  • Service accounts are mixed with user accounts
  • Some accounts are set this way “temporarily” and forgotten

This export often leads directly to policy clean-ups.


Exporting Recently Created Users (Onboarding Audits)

Useful for HR reconciliation and access validation:

$DaysBack = (Get-Date).AddDays(-30)

# DisplayName is not returned by default, so request it alongside WhenCreated
Get-ADUser -Filter * -Properties DisplayName, WhenCreated |
Where-Object { $_.WhenCreated -gt $DaysBack } |
Select DisplayName, SamAccountName, WhenCreated |
Export-Csv "C:\Exports\New_Users_Last_30_Days.csv" -NoTypeInformation

Practical Uses

  • Verifying onboarding processes
  • Checking account provisioning accuracy
  • Spotting unexpected account creation

Exporting Users with Group Memberships (Advanced Reporting)

This is where things get more complex—and more useful.

Get-ADUser -Filter * -Properties MemberOf |
ForEach-Object {
    [PSCustomObject]@{
        Name           = $_.Name
        SamAccountName = $_.SamAccountName
        Groups         = ($_.MemberOf | ForEach-Object {
            ($_ -split ',')[0] -replace '^CN='
        }) -join '; '
    }
} |
Export-Csv "C:\Exports\User_Group_Memberships.csv" -NoTypeInformation

Why This Is Powerful

  • Produces one row per user
  • Human-readable group names
  • Ideal for access reviews and compliance checks

Performance Note

In large domains, this script can take time. Test it during off-peak hours.
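
The split-on-comma step above truncates group names that contain an escaped comma, which can misrepresent a group in an access review. This added example (not part of the original article) shows an escape-aware alternative beside it; Get-CnFromDn is a hypothetical helper and the MemberOf values are constructed.

```powershell
function Get-CnFromDn {
    param([Parameter(Mandatory)] [string] $DistinguishedName)
    # First RDN value: escaped pairs (\x) or any character other than , and \
    $m = [regex]::Match($DistinguishedName, '^CN=((?:\\.|[^,\\])+)')
    if (-not $m.Success) { return $null }
    # Undo DN escaping in one pass: \2C-style hex pairs, or one escaped character.
    # Assumption: hex pairs encode single-byte characters.
    [regex]::Replace($m.Groups[1].Value, '\\([0-9A-Fa-f]{2}|.)', {
        param($e)
        $v = $e.Groups[1].Value
        if ($v.Length -eq 2) { [string][char][Convert]::ToInt32($v, 16) } else { $v }
    })
}

# Constructed MemberOf values, two of them with escaped characters in the CN
$memberOf = @(
    'CN=Domain Admins,CN=Users,DC=domain,DC=local'
    'CN=Admins\, Tier 0,OU=Groups,DC=domain,DC=local'
    'CN=R\+D Staff,OU=Groups,DC=domain,DC=local'
)

# Compare the article's split-on-comma expression with the escape-aware helper
$memberOf | ForEach-Object {
    [PSCustomObject]@{
        SplitOnComma = ($_ -split ',')[0] -replace '^CN='
        EscapeAware  = Get-CnFromDn $_
    }
}
```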


Best Practices for AD User CSV Exports

Based on years of doing this in production:

1. Never Export Sensitive Attributes Unnecessarily

Avoid:

  • Password hashes
  • Security identifiers unless required
  • Logon tokens

2. Use Meaningful File Names

Include:

  • Date
  • Scope (OU, filter)
  • Purpose

Example:

AD_Users_Sales_OU_2026-01-04.csv

3. Secure the Output Files

CSV files are data leaks waiting to happen if mishandled.

  • Store them securely
  • Delete when no longer needed
  • Never email them unencrypted
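
One way to apply the naming and storage advice together, as an added example that is not from the original article: the hypothetical function Export-RestrictedCsv builds the dated file name and restricts the file's ACL to the current user and BUILTIN\Administrators (well-known SID S-1-5-32-544) before any rows are written. The sample rows and the target directory under $env:TEMP are constructed for the demo.

```powershell
function Export-RestrictedCsv {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)] [object] $InputObject,
        [Parameter(Mandatory)] [string] $Purpose,   # e.g. AD_Users
        [Parameter(Mandatory)] [string] $Scope,     # e.g. Sales_OU
        [string] $Directory = 'C:\Exports'
    )
    begin   { $rows = [System.Collections.Generic.List[object]]::new() }
    process { $rows.Add($InputObject) }
    end {
        if (-not (Test-Path -LiteralPath $Directory)) {
            New-Item -ItemType Directory -Path $Directory | Out-Null
        }
        # Purpose, scope and date in the name; replace characters unsafe in file names.
        $stem = ('{0}_{1}' -f $Purpose, $Scope) -replace '[^\w\-]', '_'
        $path = Join-Path $Directory ('{0}_{1:yyyy-MM-dd}.csv' -f $stem, (Get-Date))

        # Create the file empty and restrict its ACL before any data is written.
        New-Item -ItemType File -Path $path -Force | Out-Null
        $acl = Get-Acl -LiteralPath $path
        $acl.SetAccessRuleProtection($true, $false)  # no inheritance, drop inherited ACEs
        $me     = [System.Security.Principal.WindowsIdentity]::GetCurrent().User
        $admins = [System.Security.Principal.SecurityIdentifier]::new('S-1-5-32-544')
        foreach ($sid in $me, $admins) {
            $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
                $sid,
                [System.Security.AccessControl.FileSystemRights]::FullControl,
                [System.Security.AccessControl.AccessControlType]::Allow)
            $acl.AddAccessRule($rule)
        }
        Set-Acl -LiteralPath $path -AclObject $acl

        $rows | Export-Csv -LiteralPath $path -NoTypeInformation -Encoding UTF8
        Get-Item -LiteralPath $path
    }
}

# Constructed sample rows; in practice pipe Get-ADUser | Select-Object output in.
$sample = @(
    [PSCustomObject]@{ DisplayName = 'Alice Example'; Mail = 'alice@domain.local'; Department = 'Sales' }
    [PSCustomObject]@{ DisplayName = 'Bob Sample';    Mail = 'bob@domain.local';   Department = 'Sales' }
)
$file = $sample | Export-RestrictedCsv -Purpose 'AD_Users' -Scope 'Sales_OU' -Directory (Join-Path $env:TEMP 'Exports')

# Show who can read the export: only the two explicit entries should remain.
(Get-Acl -LiteralPath $file.FullName).Access | Select-Object IdentityReference, FileSystemRights
```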

Troubleshooting Common Issues

Issue                Likely Cause           Fix
CSV is empty         Wrong OU path          Validate SearchBase
Missing attributes   Not loaded             Add to -Properties
Cmdlet not found     RSAT missing           Install AD module
Access denied        Insufficient rights    Use appropriate account

Final Thoughts: PowerShell Is the Only Scalable Way to Audit AD

If you manage Active Directory at any meaningful scale, exporting users via PowerShell isn’t optional—it’s essential.

Once you build a small library of export scripts, you can:

  • Respond to audit requests in minutes
  • Maintain consistent reporting
  • Spot security issues early
  • Eliminate manual errors entirely

And perhaps most importantly—you stop being the admin who says “Give me a bit of time” and become the one who delivers answers immediately.
