3

I work in the IT support department of a branch of a huge company.

I have to take care of a database with all the users, computers, etc. I'm trying to find a way to automatically update the database as much as possible, but the IT infrastructure guys doesn't give me enough privileges to use Active Directory in order to dump the users, nor they have the time to give me the information that I need.

Some days ago I found Active Directory explorer from Sysinternals that allows me to browse through Active Directory, and I found all the information that I need there (username, real name, date when it was created, privileges, company, etc.). Unfortunately I'm unable to export the data to a human readable format. I'm just able to take a snapshot of the whole database in a machine-readable format. Doing the snapshot takes hours and I'm afraid that the infrastructure guys won't like me doing entire snapshots on a regular basis.

Do you know of any tool (command-line is preferable) that would allow me to retrieve the values of the keys or export it to XML, CSV, etc?

John Gardeniers
  • 27,262
  • 12
  • 53
  • 108
Kovags
  • 133
  • 1
  • 5

3 Answers3

3

Use the older command line tools for Active Directory to dump to CSV: http://support.microsoft.com/kb/298882

Or use the newer PowerShell suite to export into CSV, Excel, etc. If you aren't up on your Powershell syntax the PowerGUI tool is outstanding. http://www.powergui.org

Or use the not-too-old but not-too-new VBScript methods. Here is a sample VBScript that exports all properties from all users to Excel: http://gallery.technet.microsoft.com/scriptcenter/4d192f4d-2830-4a3e-9352-64a7e696a36e

Microsoft has tons of PowerShell and VBScript examples here: http://gallery.technet.microsoft.com/ScriptCenter/

MDaubs
  • 196
  • 3
  • +1 for powershell. Poster works in IT support, he better learns powershell anyway ;) – TomTom Mar 08 '11 at 06:23
  • I've been using powershell a little lately, but I can't find the ActiveDirectory module for Windows XP. The VBS script worked the way I wanted, tho :) – Kovags Mar 10 '11 at 14:10
3

I'm re-interpreting your question as:

How do I export data out of AD in a format easy to process, either as a complete dump or object by object?

You need to go and become familiar with Powershell and the ActiveDirectory module. You can do things like this:

Import-Module ActiveDirectory
$me = Get-ADUser myUsername -Properties givenName,sn
Write-Output "My name is $($me.givenName) $($me.sn)."

or this:

Import-Module ActiveDirectory
$subsetUsers = Get-ADUser -Filter * -SearchBase "ou=someou,dc=mydomain,dc=com"

or this:

Import-Module ActiveDirectory
$allUsers = Get-ADUser -Filter *
Write-Output "I've found $($allUsers.Count) users in this domain - writing to CSV."
$allUsers | Export-CSV "myOutputFile.csv"

Powershell is your best friend ever.

Neobyte
  • 3,177
  • 25
  • 29
  • +1. Good esxample. Also, powershell geets used for more and more things. Anyone in IT support better becomes good at that like yesterday ;) – TomTom Mar 08 '11 at 06:24
  • Unfortunately I can't install the ActiveDirectory module in my Windows XP box :( – Kovags Mar 10 '11 at 14:20
  • Correct, you will need to use an operating system that isn't 10 years old. :P Windows 7 and 2008 R2 should both have the module available. – Neobyte Mar 11 '11 at 02:56
  • I wish that was an option :p – Kovags Mar 11 '11 at 10:59
2

First off, try and work with the infrastructure team, if you can explain to them exactly what data you need they may be able to set something up for you automatically.

There are 2 things I will recommend here:

CSVDE/LDIFDE. These are command line utilities that can export any information you want. If you want something to process use csvde, if you want full backups or ability to change select attributes consider ldifde.

http://technet.microsoft.com/en-us/library/cc787549%28WS.10%29.aspx

http://msdn.microsoft.com/en-us/library/ms870068%28v=exchg.65%29.aspx

Softerra LDAP broswer is a great GUI tool you can use to browse "raw" AD.

http://ldapbrowser.com/

Look for the free version called ldap browser, not ldap administrator. From here you can right click any object and ldifde export.

pablo
  • 3,020
  • 1
  • 18
  • 23
  • Don't fight the law. It helps if you explain how you're trying to make their lives easier. – gWaldo Mar 05 '11 at 15:43
  • It's not the law, there are actually no guidelines telling what us in IT can do or not. All that I could find was some outdated policies written in 2004, but they're for the other users. I'm not doing anything wrong and if they question me about anything, I can easily explain my reasons and the benefits that it's going to bring to the company. – Kovags Mar 05 '11 at 17:52
  • Thanks. I'll check it next wednesday and choose the most correct answer. – Kovags Mar 05 '11 at 17:54