Active Directory

How to Get All Users and Their Managers in Active Directory

Efficient user management in Active Directory begins with understanding reporting relationships, especially knowing who reports to whom. Knowing each user’s manager helps admins delegate permissions appropriately and quickly detect anomalies such as incorrect reporting structures. In this guide, we’ll show you how to get a list of users and their managers from Active Directory, so you can streamline identity management with confidence.

Find Users and Their Managers in Active Directory Using ADUC

Active Directory Permission Required

Domain User Least Privilege

Administrators Most Privilege

Open Active Directory Users and Computers (ADUC), right-click Saved Queries, and select New»Query.
Enter a Name, add an optional description, and ensure Include subcontainers is checked. Then, click Define Query.
From the Find drop down, select Custom Search. Then switch to the Advanced tab and enter the below LDAP query to get all users with manager attribute.
```
(&(objectCategory=person)(objectClass=user)(manager=*))
```
Click OK in both the dialog boxes, and the right pane will display the usernames of all users who have a manager assigned.
After retrieving all users with managers, right-click the desired user and select Properties.
Under the Organization tab, you can view the Manager assigned to that user.

Find Users and Their Managers in Active Directory Using ADUC

Generate a Report of AD Users and Their Managers Using PowerShell

Active Directory Permission Required

Domain User Least Privilege

Administrators Most Privilege

While ADUC helps you view user–manager relationships interactively, it doesn’t support viewing multiple users’ managers at once or exporting detailed reports.
To simplify reporting and retrieve all Active Directory users along with their assigned managers into a CSV file, use the below PowerShell script.
Before running it, replace <FilePath> with your desired file path where you want to save the output.

Windows PowerShell

 $users = Get-ADUser -LDAPFilter "(manager=*)" -Properties SAMAccountName, Enabled, Manager 
$managerCache = @{} 
$report = foreach ($user in $users) {           
            $mgrDN = $user.Manager 
            if (-not $managerCache.ContainsKey($mgrDN)) { 
          $managerCache[$mgrDN] = Get-ADUser $mgrDN -Properties Name, SAMAccountName, Mail, TelephoneNumber 
} 
       $mgr = $managerCache[$mgrDN] 
       [PSCustomObject]@{ 
       UserName              = $user.Name 
       UserSAMAccountName    = $user.SAMAccountName 
       UserAccountStatus         = if ($user.Enabled) {'Enabled'} else {'Disabled'} 
       ManagerName           = $mgr.Name 
       ManagerSAMAccountName = $mgr.SAMAccountName 
       ManagerEmail          = $mgr.mail 
       ManagerPhone          = $mgr.telephoneNumber 
      } 
} 
$report | Export-Csv "<FilePath>" -NoTypeInformation

This script retrieves users with managers with details such as user's name, SAM account name, account status, and manager’s name, login name, email, phone number, in a formatted table for easy review.

Generate a Report of AD Users and Their Managers Using PowerShell

Simple & Quick
Export Active Directory Users with Manager Report Using AdminDroid

AdminDroid Permission Required Delegated

Any user who has been delegated access to view reports by the Super Admin.

Log in to the AdminDroid Active Directory Companion.
Navigate to the Users with Manager report under AD Reports»Users»Managers.
This report displays all users with their managers, along with essential details like display name, SAM account name, account status, department, and more.
You can export the report in CSV, PDF, XLS, HTML, or other available formats for seamless reporting, easy sharing, or internal documentation.

Export Active Directory Users with Manager Report Using AdminDroid

AdminDroid Active Directory Reporter

Discover the Reporting Hierarchy of Active Directory Users with Manager Details

With AdminDroid’s Active Directory reporting capabilities, you can instantly retrieve all users along with their assigned managers, ensuring clean identity hierarchy. Below are some of the key capabilities that help you analyse accurate reporting chains across Active Directory to improve governance and strengthen overall directory security.

Get Real-Time Alerts Upon Active Directory User’s Manager Changes

Utilize the 'New Change' setting in the AdminDroid alert policy to get notified whenever a user’s manager is updated in Active Directory, ensuring the managerial permissions remain accurate.

Review AD Managers Report to Gain Insights About Direct Reports

Analyse the list of all managers in Active Directory to map each manager to their direct reports, evaluate workload distribution, and identify imbalances.

Monitor Active Directory Group Managers to Strengthen Access Governance

Track all group managers in Active Directory to prevent excessive delegation, reduce security exposure, and safeguard sensitive resources managed by security groups.

Track Contacts as Managers in AD to Maintain Accurate Communication Flows

Regularly review external partner contact objects assigned as managers in AD and update outdated entries when a project ends to maintain accurate reporting chains or organizational chart data.

Find Computer Manager Assignments in AD to Clarify Device Ownership

Check the managers assigned for AD computer objects to maintain accurate asset ownership and ensure every device has a responsible point of contact throughout its lifecycle.

Update Active Directory Direct Reports for Effective Manager Delegation

Assign direct reports in Active Directory to establish accurate reporting relationships, enabling proper delegation of authority while maintaining clear oversight.

Overall, AdminDroid’s Active Directory management tool helps validate reporting hierarchies and ensure ownership accountability for every object. With AdminDroid’s actionable insights, you can simplify managing user-manager relationships easily, and make your Active Directory stays organized.

Explore a full range of reporting options

Download Live Demo

Important tips

When employees change roles or departments, update their manager attribute in Active Directory to ensure proper accountability and prevent organizational hierarchy gaps.

Implement granular delegation using delegation wizard in AD, allowing managers to perform tasks like password resets without granting full administrative rights.

Limit the number of direct reports of a manager to provide adequate supervision, maintain effective communication, and avoid bottlenecks in decision‑making.

Common Errors and Resolution Steps

The following are the possible errors and troubleshooting tips when finding all users and their managers from Active Directory.

Error Set-ADUser : Cannot find an object with identity: '<ProvidedIdentity>' under: '<DomainDistinguishedName>'.

This error appears when PowerShell cannot locate the specified user account in Active Directory. It often happens if the -Identity (e.g., $TargetUser) is a display name or UPN instead of unique identifier such as SAM account name.

Fix Verify the exact user identity before running ‘Set-ADUser’. You can confirm the correct SAM account name using the following cmdlet:

Get-ADUser -Filter {Name -like "*<DisplayName>*"} | Select-Object Name, SAMAccountName

Error An object (User) with the following name cannot be found: "<UserName>".

This error occurs when you try to change a manager in ADUC using a name that doesn’t match the account’s exact identifier, or when the object has been deleted.

Fix Double-check that the user exists and that the name is spelled exactly as in Active Directory. To confirm the exact identifier, replace <Name> with the user’s name and run the cmdlet below.

Get-ADUser -Filter {Name -like "*<Name>*"} | Select-Object Name, SamAccountName, UserPrincipalName, DistinguishedName

Error The term 'Get-ADUser' is not recognized as the name of a cmdlet, function, script file, or operable program.

This error occurs when PowerShell cannot access the Active Directory module, either because the module is not loaded on a domain controller, or because the command is being run on a workstation that does not have RSAT installed.

Fix If you're running the cmdlet on a workstation, first install RSAT and then import the Active Directory module using the cmdlets below. On a domain controller, you only need to import the Active Directory module since it’s installed by default.

#To install the Active Directory module - Windows Server  
Install-WindowsFeature -Name RSAT-AD-PowerShell -IncludeAllSubFeature  

#To install the Active Directory module - Windows 10/11 Workstations 
Add-WindowsCapability -Online -Name Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0 

#To import Active Directory module 
Import-Module ActiveDirectory

Error The script failed due to call depth overflow.

This error occurs when the script that recursively traces a user’s manager chain finds a circular manager relationship (A → B → C → A). It can also happen if hierarchy is very long, causing PowerShell to reach its recursion limit.

Fix Check for and remove any circular manager references in Active Directory by verifying each user’s “Manager” attribute. Also, verify that no user is assigned as their own manager.

Active Directory

Frequently Asked Questions

Streamline the Management of User–Manager Assignments in Active Directory

How to update a user’s manager in Active Directory?

How to find a manager’s direct reports attribute in Active Directory?

How to get a user's management chain recursively in Active Directory?

What are the impacts of missing a manager attribute in Active Directory?

1. How to update a user’s manager in Active Directory?

Changing user’s manager in Active Directory is a common administrative task that helps maintain accurate reporting structures and access management. Keeping this attribute up to date is crucial, especially during role changes, promotions, or department transfers. Whether you want to update the manager for a single user or multiple users, the following approaches will help.

Change user’s manager using Active Directory Users and Computers

In the ADUC console, navigate to the OU or the saved query where the users whose manager you want to change is located.
Select the desired user(s), right-click, and choose Properties. Go to the Organization tab and click Change in the Manager field.
In the dialog box, enter the new manager’s name and click Check Names to verify it.
Click OK to confirm, then hit Apply and OK to save the manager update.

Assign Active Directory user’s manager using PowerShell

Run the following cmdlet by replacing <UserSAMAccountName> and <ManagerSAMAccountName> to update a user’s manager in Active Directory.

Set-ADUser -Identity "<UserSAMAccountName>" -Manager (Get-ADUser -Identity "<ManagerSAMAccountName>").DistinguishedName

If you want to bulk update manager attribute, create an input CSV file containing the users’ DisplayName and SAMAccountName as shown here.
Run the PowerShell script below, replacing <ManagerSAM> with the new manager’s SAM account name and <FileLocation> with the path to your CSV file.

Import-Csv -Path “<FileLocation>” | ForEach-Object { Set-ADUser -Identity $_.SamAccountName -Manager (Get-ADUser -Identity “<ManagerSAM>”).DistinguishedName }

Handle large-scale manager updates in one go with AdminDroid’s Active Directory management actions!

Navigate to ‘Add Manager’ management action in the AdminDroid Active Directory Companion and click ‘Want to process bulk users with filters?’ to update the manager for multiple users.
Apply a filter to quickly narrow down the required users and bulk select all the user accounts you want to update.
Perform the management action by selecting the new manager for users and complete all the update in just a few clicks.

2. How to find a manager’s direct reports attribute in Active Directory?

If a manager’s account is disabled or deleted, identifying their direct reports ensures none of those users are left with outdated manager attribute. This identification helps to prevent breaking of organizational chart lookups or disrupts in business processes. Thus, tracking direct reports in Active Directory helps to maintain an accurate organizational structure, keep reporting chains intact, and quickly update affected accounts.

List all users under a specific manager using ADUC

Open Active Directory Users and Computers (ADUC).
Navigate to the user account of the manager, right-click and select Properties.
Switch to the Organization tab, and in the Direct Reports section, you can view all users who report to this manager.

Get all users under a manager in Active Directory Using PowerShell

Run the following cmdlet to get all direct reports of a manager in Active Directory using PowerShell. Make sure to replace <ManagerSAMAccountName> with the manager’s SAM account name before proceeding.

$ManagerDN = (Get-ADUser –Identity “<ManagerSAMAccountName>”).DistinguishedName 
Get-ADUser -Filter "Manager -eq '$ManagerDN'" -Properties Name, SAMAccountName, Department | 
         Select-Object Name, SAMAccountName, Department | 
         Sort-Object Name | Format-Table -AutoSize

3. How to get a user's management chain recursively in Active Directory?

In large organizations, understanding a user’s complete management chain is crucial for maintaining clear reporting structures and accountability. While identifying a user’s direct manager is simple, tracing the hierarchy from the employee all the way to the top-level executive can be tedious and prone to errors when done manually.

However, you can use PowerShell to retrieve all employees who directly or indirectly report to a manager. This method recursively retrieves the management chain, streamlines the process, and provides accurate data for full hierarchical visibility.

Run the following script by replacing <UserSAMAccountName> with the target user’s SAM account name to retrieve their full management hierarchy in Active Directory.

function Get-ManagementChainOptimized {
  param (
    [Parameter(Mandatory=$true)]
    [string]$UserName
  )
  $CurrentID=$UserName
  $Chain=@()
  $Level=0
  Write-Host "Retrieving management chain for user: $UserName" -ForegroundColor Yellow
  do {
    $Level++
    $User=Get-ADUser -Identity $CurrentID -Properties Name,SAMAccountName,Manager,Title,DistinguishedName
    $ManagerDN=$User.Manager
    if ([string]::IsNullOrEmpty($ManagerDN)) {
      Write-Host "Chain ended: $($User.Name) has no manager assigned." -ForegroundColor Cyan
      break
    }
    $Manager=Get-ADUser -Identity $ManagerDN -Properties Name,SAMAccountName,Title,DistinguishedName
    $OU=($Manager.DistinguishedName -split ',',2)[1]
    $Chain+=[PSCustomObject]@{
      Level=$Level
      Name=$Manager.Name
      SAMAccountName=$Manager.SAMAccountName
      DistinguishedName=$Manager.DistinguishedName
      OU=$OU 
      JobTitle=$Manager.Title
    }
    $CurrentID=$Manager.SAMAccountName
  } while ($true)
  Write-Host "`n--- Management Chain Result ---`n"
  return $Chain | Format-Table -AutoSize
}
Get-ManagementChainOptimized -UserName "<UserSAMAccountName>"

4. What are the impacts of missing a manager attribute in Active Directory?

Assigning a manager in Active Directory is more than just an organizational detail, it plays a key role in reporting and access governance. While a missing manager attribute doesn’t immediately break core AD functions, but it severely affects dependent services that rely on accurate managerial details.

Limitations of accounts without a manager in Active Directory

Broken organizational hierarchy The attribute is essential for applications to map reporting lines. Without it, features like the classic Exchange Address Book or any internal HR portal that read AD for organization charts will fail to display the user's reporting structure correctly.
Delays in group access management In many organizations, group membership management are tied to the manager attribute. If “Manager can update membership list” setting is disabled, managers may not be recognized as responsible for their group memberships, forcing admins to manually handle updates. This increases administrative overhead and can lead to delays or errors in access management.
Ineffective account lifecycle management Many automated offboarding or de-provisioning processes rely on the manager attribute to route approvals and transfer responsibilities, such file ownership. If this attribute is missing, approval workflows can stall, and critical cleanup tasks may be delayed or disrupted.
Issues with file system permissions In environments using Dynamic Access Control (DAC), user attributes like the manager field play a key role in determining who can access confidential files or folders. When these attributes are missing or incorrect, the policy logic breaks, making it impossible for DAC to reliably enforce who should or shouldn’t have access.

Even though the manager attribute may seem like an informational attribute, it is a critical security and administrative pointer in some cases. Since the manager field is key for delegation, account lifecycle control, etc., assigning it to every user is essential to keep your directory structural and prevent operational failures.