Today we will be discussing how to export users from Active Directory. I will be using the ldifde command to perform this operation.
LDIFDE is a command line utility that is used to import or export information from Active Directory.
Warning: Before attempting this please make sure you have a valid backup.
When exporting users from Active Directory it helps to decide ahead of time which attributes are needed. Having this information in advance ensures the export contains only the data you actually need.
When you are exporting users there are certain attributes that should be omitted if the ldif file will be used as an import file into another Active Directory environment. Those attributes are as follows: badPasswordTime, badPwdCount, lastLogoff, lastLogon, logonCount, memberOf, objectGUID, objectSid, primaryGroupID, pwdLastSet, and sAMAccountType.
The following switches will be used to perform the export: -f, -s, -d, -p, -r, and -o
The switches are explained below.
-f - The file that you are exporting to.
-s - The server you want to run the command against. This switch is not required, since ldifde can pick a DC at random, but it is recommended that you use it.
-d - The root DN of the search. Defaults to the default naming context.
-p - The search scope that ldifde will use (base, onelevel or subtree).
-r - The LDAP filter that will be used. In our command we are filtering on the user class.
-o - The attributes that ldifde should omit from the export.
The following command will export the user accounts and all attributes that have a value with the exception of the attributes mentioned above.
ldifde -f Exportuser.ldf -s <Domain Controller Name Here> -d "dc=YourDomain,dc=Com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
In the next example I will show you how to export only a few of the available attributes. Here the -l switch lists the attributes to include, instead of -o listing the ones to omit.
ldifde -f Exportuser.ldf -s <Domain Controller Name Here> -d "dc=YourDomain,dc=Com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,userPrincipalName,objectclass,samAccountName"
Once you have determined what you need exported and executed your command, your output should look similar to the following (depending on what you are exporting). The following shows the output for one user only.
dn: CN=John Doe,CN=Users,DC=YourDomain,DC=Com
cn: John Doe
distinguishedName: CN=John Doe,CN=Users,DC=YourDomain,DC=Com
displayName: John Doe
name: Your Name
mail: John Doe@YourDomain.com
Note: If you plan to import your users into Active Directory you are required to have the following attributes: objectclass and samAccountName.
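As an added example (not code from the original post), here is a small Python post-processor for an ldifde export: it parses the LDIF, drops the attributes listed above that should not travel into another environment, and refuses any record that lacks objectclass or samAccountName. The sample LDIF inside it is constructed, not real ldifde output, and attribute names are compared case-insensitively as Active Directory does.

```python
# Added example: sanitise an ldifde export for import into another forest by
# dropping the non-portable attributes and checking the two required ones.
# SAMPLE_LDIF is constructed for illustration, not real ldifde output.
OMIT_ON_IMPORT = {"badpasswordtime", "badpwdcount", "lastlogoff", "lastlogon",
                  "logoncount", "memberof", "objectguid", "objectsid",
                  "primarygroupid", "pwdlastset", "samaccounttype"}
REQUIRED_FOR_IMPORT = {"objectclass", "samaccountname"}

SAMPLE_LDIF = """\
dn: CN=John Doe,CN=Users,DC=YourDomain,DC=Com
objectClass: user
cn: John Doe
sAMAccountName: jdoe
objectSid:: AQUAAAAAAAUVAAAA
pwdLastSet: 133000000000000000
memberOf: CN=Domain Admins,CN=Users,DC=YourDomain,DC=Com
description: folded by ldifde
  across two lines
"""

def parse_ldif(text):
    """Records as lists of [attr, raw_value]; folded lines (leading space)
    are rejoined and base64 values ('::') are kept verbatim."""
    records, current = [], []
    for raw in text.splitlines():
        if raw.startswith(" ") and current:       # LDIF continuation line
            current[-1][1] += raw[1:]
        elif raw.strip() == "":                   # blank line ends a record
            if current:
                records.append(current)
                current = []
        elif not raw.startswith("#"):
            attr, _, rest = raw.partition(":")
            current.append([attr.strip(), rest])  # rest keeps ' ' or ': '
    return records + ([current] if current else [])

def sanitize(records):
    """Drop non-portable attributes; refuse records missing a required one."""
    cleaned = []
    for rec in records:
        kept = [[a, v] for a, v in rec if a.lower() not in OMIT_ON_IMPORT]
        missing = REQUIRED_FOR_IMPORT - {a.lower() for a, _ in kept}
        if missing:
            raise ValueError(f"{rec[0][1].strip()}: missing {sorted(missing)}")
        cleaned.append(kept)
    return cleaned

def to_ldif(records):
    """Serialise records back to LDIF text, one blank line between records."""
    return "\n\n".join("\n".join(f"{a}:{v}" for a, v in r) for r in records) + "\n"
```

Run it as `to_ldif(sanitize(parse_ldif(open("Exportuser.ldf").read()))` and write the result to a new file for ldifde -i.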