How to export Exchange-related stuff out of Active Directory


A few days ago, KC forwarded me a question she got off one of the blog posts. How do you export the list of mailbox-enabled users out of Active Directory? There are many ways of doing this, but one of the easier ones (and one whose output can be worked with easily) is to use the built-in CSVDE tool.


 


For groups:


csvde -f c:\dls.txt -r "(&(objectCategory=group)(proxyAddresses=*))"


 


For users:


csvde -f c:\users.txt -r "(&(objectCategory=user)(proxyAddresses=*))"


 


Run those off the DC itself and the export files will be in the root of the C: drive as specified above. Note that this will export ALL mail enabled objects (groups and users) and not just some that are associated with a specific SERVER (which is impossible in case of groups anyway as their membership does not have server boundary).


 


The CSV export file can then be opened in your spreadsheet program and you can get rid of data columns that are not needed for what you are trying to do.


 


To specify which attributes to export (so you do not have to customize the output):


 


-l list - List of attributes (comma separated) to look for in an LDAP search


 


To control the scope of the LDAP search:


 


-p SearchScope - Search Scope (Base/OneLevel/Subtree)


 


Now, you will notice that in the above examples, I have used TWO attributes to get the match that I wanted. You can use the same LDAP syntax anywhere LDAP queries are accepted - in the CSVDE tool, in ESM when working with different filters, in AD Users and Computers, etc. Here is a quick rundown of how LDAP syntax works:


 



  1. =   (EQUAL TO)

 


This is a simple LDAP argument that says a certain attribute must be equal to a certain value in order to be true. For example if we want to find all objects that have the first name of John we would use:


 


(givenName=John)


 


This would return all objects that have the first name of John. Red parentheses are here just to emphasize the beginning and end of the LDAP statement and the color has no bearing on its functionality.


 



  1. &   (logical AND)

 


You would use this when you have more than one condition and you want a series of them to ALL be true.  For example, if you had a situation where you wanted to find all of the people that have the first name of John AND live in Dallas you would use:


 


(&(givenName=John)(l=Dallas))


 


Notice that each argument is in its own set of parentheses.  The entire LDAP statement must be encompassed in a main set of parentheses.  The "&" operator tells us that each argument must be true in order for this filter to apply to the object in question.


 



  1. !   (logical NOT)

 


The next operator can be used to exclude objects that have a certain attribute.  Let’s suppose you need to find all objects except those that have the first name of John.  You would use the following statement:


 


(!givenName=John)


 


This would find all objects that don’t have the first name of John.  Notice that the "!" operator goes directly in front of the argument and inside the argument’s set of parentheses.  Since we only have one argument in this statement, it is simply surrounded with red parentheses for illustration.


 



  1. *  (wildcard)

 


You would use the wildcard operator to represent a value that could be equal to anything.  One such situation might be if you wanted to find all objects that have a value for title.  You would then use:


 


(title=*)


 


This would return all objects that had the title attribute populated with a value.  Another example might be if you knew an object’s first name started with "Jo" then you could use the following to find those:


 


(givenName=Jo*)


 


This would then apply to all objects whose first name starts with "Jo".


 



  1. Advanced example:

 


We are getting 9548 events in the application log and we need to find all of the objects that are causing this.  In this case we need to find all of the disabled users (msExchUserAccountControl=2) that do NOT have a value for msExchMasterAccountSID.  This would be:


 


(&(msExchUserAccountControl=2)(!msExchMasterAccountSID=*))


 


NOTE : The ! operator in conjunction with the wildcard will look for objects where that attribute is NOT set to anything.


 


Here is a table of some more common ones other than what I specified above:


 


LDAP Filter Operator    Description
=                       Equal
~=                      Approximately Equal
<=                      Less than or equal to
>=                      Greater than or equal to
&                       AND
|                       OR
!                       NOT
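To see how the filters above select objects, the following Python example (added here, not part of the original post) parses a filter string and evaluates it against a few constructed directory entries. The names parse, matches and search and the sample entries are assumptions for illustration. It covers =, *, &, | and !, accepts NOT both as written in this post, (!attr=value), and in the fully parenthesised form (!(attr=value)), and does not implement ~=, <=, >= or escaped characters in values.

```python
import re

ENTRIES = [  # constructed sample entries; attribute names lower-cased, values are lists
    {"cn": ["John Smith"], "givenname": ["John"], "l": ["Dallas"], "title": ["Engineer"]},
    {"cn": ["Joan Doe"], "givenname": ["Joan"], "l": ["Austin"], "msexchuseraccountcontrol": ["2"]},
    {"cn": ["Shared Mailbox"], "msexchuseraccountcontrol": ["2"], "msexchmasteraccountsid": ["S-1-5-21-1-2-3-1001"]},
]

def parse(f, i=0):  # parse one parenthesised filter at f[i]; return (node, next index)
    if f[i:i + 1] != "(":
        raise ValueError(f"expected '(' at offset {i}")
    i += 1
    if f[i:i + 1] in ("&", "|"):
        op, kids, i = f[i], [], i + 1
        while f[i:i + 1] == "(":
            kid, i = parse(f, i)
            kids.append(kid)
        node = (op, kids)
    elif f[i:i + 1] == "!":
        if f[i + 1:i + 2] == "(":           # (!(attr=value)), fully parenthesised
            kid, i = parse(f, i + 1)
        else:                                # (!attr=value), the form used in this post
            end = f.index(")", i)
            kid, i = parse("(" + f[i + 1:end] + ")")[0], end
        node = ("!", [kid])
    else:                                    # simple item: attr=value
        end = f.index(")", i)
        attr, _, value = f[i:end].partition("=")
        node, i = ("=", attr.strip().lower(), value), end
    if f[i:i + 1] != ")":
        raise ValueError(f"expected ')' at offset {i}")
    return node, i + 1

def matches(node, entry):
    if node[0] in ("&", "|"):
        combine = all if node[0] == "&" else any
        return combine(matches(k, entry) for k in node[1])
    if node[0] == "!":
        return not matches(node[1][0], entry)
    _, attr, pattern = node
    # Only '*' is special; an absent attribute matches nothing, so NOT makes it true.
    rx = re.compile(".*".join(map(re.escape, pattern.split("*"))), re.I)
    return any(rx.fullmatch(v) for v in entry.get(attr, []))

def search(filter_text, entries=ENTRIES):
    node, end = parse(filter_text)
    if end != len(filter_text):
        raise ValueError("trailing text after filter")
    return [e["cn"][0] for e in entries if matches(node, e)]
```

Calling search("(&(msExchUserAccountControl=2)(!msExchMasterAccountSID=*))") on the sample entries returns only the entry that has no msExchMasterAccountSID value.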


 


For more info on LDAP - check this:


 


Understanding LDAP whitepaper:


http://www.microsoft.com/windows2000/techinfo/howitworks/activedirectory/ldap.asp


 


Understanding LDAP TechNet briefing:


http://www.microsoft.com/technet/community/events/network/tnq40004.mspx


 


- Nino Bilic

Comments (4)
  1. Sodaboy says:

    Ldifde has helped me out quite a bit. I wanted to mention the saved queries with the 2003 dsa also is a great way to filter what you want out of AD. Users on specific mail stores, addresses, groups… pretty much whatever you want. And you can export them easily out of the mmc.

  2. Karan says:

    Great article Nino… Thanks!

  3. Rick says:

    It would be great to be able to modify the exported file and then import it back to Exchange. Kinda like back in the old 5.5 days. That would be really nice.

    I’ve been looking for a replacement tool for some time but have not found any luck. I would appreciate any suggestions.

  4. Nino Bilic says:

    It all depends what you want to do :)

    There is a quick and painless way to export/import AD objects or modify them in bulk, and it is called the ADModify tool. You can get it here:

    ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/

    ADModify is a GUI wrapper around LDIFDE. LDIFDE is the tool that can be used to export/import pretty much any AD object (some attributes can not be modified by it though, but some you can not modify even in ADSIEdit), and it allows modifications. That is as opposed to CSVDE which does not allow modifications to existing objects.

    So – ADModify might be a very easy answer here, depending on what is being exported. If more attributes are needed, then LDIFDE is the tool of choice. Run LDIFDE /? on the Command Line to see the options… it is not very pretty, and will take some trial and error, but it should work.
