Active Directory export tool

I need to export an Organizational Unit which has multiple other OUs, distribution groups, contacts, computers and other data.

Default 'Export List' only exports top-level data, which is not very useful if there are hundreds of other sub-levels.

I basically need to sift through an OU and move / remove anything that is no longer required

edit - I have LDAP Admin 2014 but to be honest have no idea how to use it (so haven't, as it looks like it could do some damage)
 
Why don't you use PowerShell, or even csvde? Pretty sure you can export the entire contents of AD if you want, or limit it to certain sub-trees. With PowerShell it would be something like:

Code:
Get-ADUser -Filter * -Properties * | Select-Object -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled,Organization | Sort-Object -Property Name | ConvertTo-CSV

The LastLogonDate field will presumably show you user accounts which are no longer required, say they haven't logged on for 6 months. Then you could do something similar with Groups and Computers.
 
Export to do what with it?

Get the data into an easier format such as an Excel sheet. Then I would need to go through and contact owners to see if things can be moved/removed and, as El Pew stated, have things like a last-modified column so I could easily see if an object has not been updated in, say, 3 years, contact the owner, and then have a resolution column.

So basically pull it all out into a much easier readable format so thousands of objects can hopefully be moved to the correct locations or removed completely
 
PowerShell sounds like the best tool for the job. You can tell it to use only certain OUs with the -SearchBase switch.
 
So basically pull it all out into a much easier readable format so thousands of objects can hopefully be moved to the correct locations or removed completely

If it's going to be this many objects then you might want to look at something like Forefront Identity Manager (soon to be renamed Microsoft Identity Manager), which you can use to automate the creation, modification and deletion of AD accounts. You can set it up so that accounts are automatically placed in the correct OU based on, say, department or location, then set them to be auto-disabled after x years of inactivity (with a notification email going out to the user and/or their manager if required). It can also auto-manage group management based on certain criteria.

It's a lot of work to set it up but it's very useful once it's up and running. Certainly less effort than manually going through the output of a PowerShell script and fixing the accounts individually.
 
If you want an idiot-proof tool, try bulkdADUsers but, as the name suggests, it's only good for user accounts.

Otherwise PowerShell is worth learning, or you can find hundreds of scripts out there that people have shared. Get-ADGroup, Get-ADUser and Get-ADObject are the cmdlets I use the most with AD.

PS: I find it reassuring to run these reporting tools with a non-privileged account, just in case you're worried about doing any damage.
 
Thanks, I might look into the suggested tools.

I have been using Hyena and Hyena's built-in Export tool. It took a couple of hours to learn but I could then easily use the built-in queries to dump out info to Excel such as disabled accounts, last login etc. I still don't know a great deal about it but have at least exported info to Excel that I can go on.
 
edit - I am trying to get a custom LDAP query working that filters all users who have not set their password for a year

The field is pwdLastSet. I have tried the following but this does not do anything:

(&(objectClass=person)(objectClass=User)(pwdLastSet<=20130901000000Z))
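Added example (not code from the thread): pwdLastSet is stored in AD as a Windows FILETIME (a large integer counting 100-nanosecond intervals since 1601-01-01 UTC), so an LDAP filter has to compare it against that integer rather than a generalized-time string like 20130901000000Z. The script below computes the cut-off, runs the filter against one OU and writes the result to CSV; the search base OU and output file name are assumptions.

```powershell
# Reporting only: reads user objects, changes nothing. Run it with a
# non-privileged account as suggested earlier in the thread.
Import-Module ActiveDirectory

# Assumed search base; replace with the OU being cleaned up.
$searchBase = 'OU=Staff,DC=example,DC=com'

# Cut-off: passwords last set more than a year before today, converted to
# the FILETIME integer that pwdLastSet actually holds.
$cutoffDate     = (Get-Date).AddYears(-1)
$cutoffFileTime = $cutoffDate.ToFileTimeUtc()

# objectCategory=person together with objectClass=user returns user accounts
# only: computer accounts also carry objectClass=user, and contacts are
# person but not user. pwdLastSet=0 means "must change password at next
# logon", which is not a stale password, so it is excluded explicitly.
$ldapFilter = "(&(objectCategory=person)(objectClass=user)" +
              "(pwdLastSet<=$cutoffFileTime)(!(pwdLastSet=0)))"

Get-ADUser -LDAPFilter $ldapFilter -SearchBase $searchBase -SearchScope Subtree `
    -Properties PasswordLastSet, LastLogonDate, Manager, Description, whenChanged |
    Select-Object Name, SamAccountName, Enabled, PasswordLastSet, LastLogonDate,
        Manager, Description, whenChanged, DistinguishedName |
    Sort-Object PasswordLastSet |
    Export-Csv -Path 'stale-passwords.csv' -NoTypeInformation

# Equivalent using the AD module's own filter syntax, which converts the
# DateTime to FILETIME for you:
# Get-ADUser -Filter 'PasswordLastSet -lt $cutoffDate' -SearchBase $searchBase `
#     -Properties PasswordLastSet
```

PasswordLastSet in the output is the same attribute converted back to a readable date, which is what you want in the Excel sheet next to a last-modified (whenChanged) column.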
 