Get-ADUser WhenChanged and WhenCreated are empty for some users

Question

I've built a PowerShell 5.1 script to export all the users in the DB and save all the data in to a CSV file. The script allows you to set a date back in time so you can decide since when you'd like your users to be exported.

After some testing a realized that not all the users are exported, and upon further investigation I realized that the property WhenChanged and WhenCreated are not present for each user. Despite the AD UI showing the property with the right data, as seen in the screenshot bellow.

When I run the following command:

Get-ADUser -filter * -Properties LastLogonDate, userPrincipalName, initials, WhenCreated, whenChanged | Select-Object userPrincipalName, initials, whenCreated, whenChanged

I get the following result:

 userPrincipalName  initials whenCreated            whenChanged          
-----------------  -------- -----------            -----------          
                            11/9/2017 2:06:29 PM   1/24/2018 4:26:48 PM 


                            11/9/2017 2:07:47 PM   11/22/2017 4:12:52 PM
mp@mycompany.local MP       11/14/2017 3:14:45 PM  2/14/2018 4:02:51 AM 
dg@mycompany.local DG       11/15/2017 12:51:25 PM 2/21/2018 2:12:52 PM 
ae@mycompany.local AE                                                   
mm@mycompany.local MM                                                   
rw@mycompany.local RW                                                   
kk@mycompany.local KK                                                   
ap@mycompany.local AP                                                   
js@mycompany.local JS                                                   
cb@mycompany.local CB       11/17/2017 12:21:32 PM 11/22/2017 4:41:35 PM


aw@mycompany.local                                                      
tt@mycompany.local TT

As you can see the user with the initials TT has no value despite the screenshot showing that it has them. Despite me creating this user today, and changing few values the same day.

Questions

What am I missing?
Is it a problem with AD itself or just the command?

score 2 · Accepted Answer · answered Feb 23 '18 at 13:47

The solution to the problem is to right click on the PowerShell shortcut and select Run as Administrator. You have to do this even if you are an Administrator already. If you do that and run the command again all your data will be there.

userPrincipalName  initials whenCreated            whenChanged
-----------------  -------- -----------            -----------
                            11/9/2017 2:06:29 PM   1/24/2018 4:26:48 PM
                            11/9/2017 2:06:29 PM   11/9/2017 2:06:29 PM
                            11/9/2017 2:06:29 PM   11/9/2017 2:06:29 PM
                            11/9/2017 2:07:47 PM   11/22/2017 4:12:52 PM
mp@mycompany.local MP       11/14/2017 3:14:45 PM  2/14/2018 4:02:51 AM
dg@mycompany.local DG       11/15/2017 12:51:25 PM 2/21/2018 2:12:52 PM
ae@mycompany.local AE       11/16/2017 1:11:30 PM  11/22/2017 4:11:37 PM
mm@mycompany.local MM       11/16/2017 1:12:02 PM  11/22/2017 4:11:37 PM
rw@mycompany.local RW       11/16/2017 1:12:40 PM  11/22/2017 4:11:37 PM
kk@mycompany.local KK       11/16/2017 1:13:13 PM  11/22/2017 4:11:37 PM
ap@mycompany.local AP       11/16/2017 1:14:15 PM  11/22/2017 4:11:37 PM
js@mycompany.local JS       11/16/2017 1:14:50 PM  11/22/2017 4:11:37 PM
cb@mycompany.local CB       11/17/2017 12:21:32 PM 11/22/2017 4:41:35 PM
                            11/22/2017 3:37:49 PM  2/16/2018 2:50:25 PM
                            11/22/2017 3:38:43 PM  2/17/2018 3:58:24 PM
aw@mycompany.local          11/22/2017 4:02:18 PM  11/22/2017 4:41:36 PM
tt@mycompany.local TT       2/21/2018 1:21:13 PM   2/21/2018 1:59:17 PM

score 0 · Answer 2 · answered Jul 22 '22 at 21:11

Like you, when I ran this command:

Get-ADObject -filter 'sAMAccountName -eq "xxxxxx"' | select whenchanged

the date was always empty. I found this article: https://www.itprotoday.com/powershell/view-all-properties-ad-objects-powershell that showed me how to list all properties on an object:

Get-ADObject -filter 'sAMAccountName -eq "xxxxxx"'  -properties *

Which lead me to this variation of my query to appropriately show the whenChanged (or any other property for that matter):

Get-ADObject -filter 'sAMAccountName -eq "xxxxxx"'  -properties *| select whenchanged

Note that you can replace the "*" with a comma delimited list of properties you care about - this likely has performance implications if you have large datasets or limited ram.

Hope this helps others.

score 0 · Answer 3 · answered Aug 29 '24 at 19:35

While the accepted answer works, it's not always feasible to run as administrator. For example, you run a scheduled task with a service account (which is not a Domain Admin). Standard practice is to delegate control of the attribute you want. However, this attribute isn't listed for User objects.

For this, you must use the ADSI MMC snap-in. Connect to the default naming context, and find your OU. Right-click properties, and go to the "Advanced" section of the security tab. Add a new permission, select your user, "Applies to" should be "Descendant User Objects", click "Clear All" (as this is the only attribute we wish to grant access to), and navigate to the bottom to find "Read whenCreated".

After waiting a minute, you shouldn't need to log out or relaunch any processes.

Get-ADUser WhenChanged and WhenCreated are empty for some users

Questions

3 Answers3