Few days ago, KC forwarded me a question she got off one of blog posts. How do you export the list of mailbox-enabled users out of Active Directory? There are many ways of doing this, but one of easier (and the output can be worked with easily) is to use the built-in CSVDE tool to accomplish that.
csvde -f c:\dls.txt -r "(&(objectCategory=group)(proxyAddresses=*))"
csvde -f c:\users.txt -r "(&(objectCategory=user)(proxyAddresses=*))"
Run those off the DC itself and the export files will be in the root of the C: drive as specified above. Note that this will export ALL mail enabled objects (groups and users) and not just some that are associated with a specific SERVER (which is impossible in case of groups anyway as their membership does not have server boundary).
The CSV export file can then be opened in your spreadsheet program and you can get rid of data columns that are not needed for what you are trying to do.
To specify which attributes to export (so you can not have to customize the output):
-l list - List of attributes (comma separated) to look for in an LDAP search
To control the scope of the LDAP search:
-p SearchScope - Search Scope (Base/OneLevel/Subtree)
Now, you will notice that in above examples, I have used TWO attributes to get the match that I wanted. You can use the same LDAP syntax anywhere where LDAP queries are accepted - in CSVDE tool, in ESM when working with different filters, in AD Users and Computers, etc… Here is a quick rundown of how LDAP syntax works:
- = (EQUAL TO)
This is a simple LDAP argument that says a certain attribute must be equal to a certain value in order to be true. For example if we want to find all objects that have the first name of John we would use:
This would return all objects that have the first name of John. Red parentheses are here just to emphasize the beginning and end of the LDAP statement and the color has no bearing on it’s functionality.
- & (logical AND)
You would use this when you have more than one condition and you want a series of them to ALL be true. For example, if you had a situation where you wanted to find all of the people that have the first name of John AND live in Dallas you would use:
Notice that each argument is in its own set of parentheses. The entire LDAP statement must be encompassed in a main set of parentheses. The "&" operator tells us that each argument in must be true in order for this filter to apply to your object in question.
- ! (logical NOT)
The next operator can be used to exclude objects that have a certain attribute. Let’s suppose you need to find all objects except those that have the first name of John. You would use the following statement:
This would find all objects that don’t have the first name of John. Notice that the "!" operator goes directly in front of the argument and inside the argument’s set of parentheses. Since we only have one argument in this statement it is simply surrounded it with red parentheses for illustration.
- * (wildcard)
You would use the wildcard operator to represent a value that could be equal to anything. One such situation might be if you wanted to find all objects that have a value for title. You would then use:
This would return all objects that had the title attribute populated with a value. Another example might be if you knew an object’s first name started with "Jo" then you could use the following to find those:
This would then apply to all objects whose first name starts with "Jo".
- Advanced example:
We are getting 9548 events in the application log and we need to find all of the objects that are causing this. In this we case we need to find all of the disabled users (msExchUserAccountControl=2) that do NOT have a value for msExchMasterAccountSID. This would be:
NOTE : The ! operator in conjunction with the wildcard will look for objects where that attribute is NOT set to anything.
Here is a table of some more common ones other what I specified above:
LDAP Filter Operator
Less than or equal to
Greater than or equal to
For more info on LDAP - check this:
Understanding LDAP whitepaper:
Understanding LDAP TechNet briefing: