Using LDIFDE to export users from Active Directory
Today we will be discussing how to export users from Active Directory. I will be using the ldifde command to perform this operation.
LDIFDE is a command line utility that is used to import or export information from Active Directory.
Warning: Before attempting this, please make sure you have a valid backup.
When exporting users from Active Directory, decide in advance which attributes you need. Knowing this ahead of time ensures the export contains only the data that is actually required.
Non-importable Attributes
When you are exporting users, certain attributes should be omitted if the LDIF file will be used as an import file into another Active Directory environment. Those attributes are: badPasswordTime, badPwdCount, lastLogoff, lastLogon, logonCount, memberOf, objectGUID, objectSid, primaryGroupID, pwdLastSet, and sAMAccountType.
Switches
The following switches will be used to perform the export: -f, -s, -d, -p, -r, and -o (the second example also uses -l).
The switches are explained below.
-f - the file that you are exporting to.
-s - the server (domain controller) to run the command against. This switch is not required, since ldifde can select a DC at random, but it is recommended that you use it.
-d - the root DN of the search; defaults to the naming context.
-p - the search scope that ldifde will use (options are base, one level, and subtree).
-r - the LDAP filter that will be used. In our command we are filtering on the user class.
-o - the attributes to omit from the export.
-l - the attributes to include in the export (used in Example 2).
Commands
The following command exports the user accounts and every attribute that has a value, except the attributes listed above.
Example:
ldifde -f Exportuser.ldf -s <Domain Controller Name Here> -d "dc=YourDomain,dc=Com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
In the next example I will show you how to export only a few of the available attributes.
Example 2:
ldifde -f Exportuser.ldf -s <Domain Controller Name Here> -d "dc=YourDomain,dc=Com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,userPrincipalName,objectclass,samAccountName"
Once you have determined what you need exported and executed your command, your output should look similar to the following (depending on what you are exporting). The following shows the output for one user only.
Output:
dn: CN=John Doe,CN=Users,DC=YourDomain,DC=Com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: John Doe
sn: Doe
givenName: John
distinguishedName: CN=John Doe,CN=Users,DC=YourDomain,DC=Com
instanceType: 4
whenCreated: 20090122031550.0Z
whenChanged: 20090122031551.0Z
displayName: John Doe
uSNCreated: 73758
uSNChanged: 73763
name: Your Name
userAccountControl: 512
codePage: 0
countryCode: 0
accountExpires: 9223372036854775807
sAMAccountName: jdoe
userPrincipalName: jdoe@YourDomain.com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=YourDomain,DC=Com
mail: John Doe@YourDomain.com
Note: If you plan to import your users into Active Directory, you are required to have the following attributes: objectclass and samAccountName.
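As an added example (not from the original post, and not part of ldifde), the following Python script checks an export file before it is imported elsewhere: it drops the non-importable attributes listed earlier and verifies that every entry still carries the objectclass and samAccountName attributes the note above requires. The LDIF sample inside it is constructed for the example.

```python
import re  # added example, not from the post or from ldifde

# Attributes the post says to omit on re-import; compared case-insensitively.
NON_IMPORTABLE = {a.lower() for a in (
    "badPasswordTime", "badPwdCount", "lastLogoff", "lastLogon", "logonCount",
    "memberOf", "objectGUID", "objectSid", "primaryGroupID", "pwdLastSet",
    "sAMAccountType")}
REQUIRED = {"objectclass", "samaccountname"}   # needed for import, per the post

# Constructed sample: a user with a wrapped DN and base64 GUID, and one entry lacking sAMAccountName.
SAMPLE = """dn: CN=John Doe,CN=Users,DC=YourDomain,DC=Com
objectClass: user
distinguishedName: CN=John Doe,CN=Users,
 DC=YourDomain,DC=Com
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
memberOf: CN=Helpdesk,CN=Users,DC=YourDomain,DC=Com
sAMAccountName: jdoe

dn: CN=Svc Broken,CN=Users,DC=YourDomain,DC=Com
objectClass: user
"""

def parse_ldif(text):
    """Return entries as lists of (attribute, separator, value). '::' marks a
    base64 value, kept verbatim; wrapped lines (leading space) are refolded."""
    entries = []
    for block in re.split(r"\n\s*\n", text.replace("\r\n", "\n").strip()):
        entry = []
        for line in block.replace("\n ", "").splitlines():  # unfold wrapped lines
            attr, _, rest = line.partition(":")
            sep = "::" if rest.startswith(":") else ":"
            entry.append((attr.strip(), sep, rest.lstrip(":").strip()))
        if entry:
            entries.append(entry)
    return entries

def sanitize(entries):
    """Drop non-importable attributes; raise if a required attribute is missing."""
    cleaned = []
    for entry in entries:
        kept = [t for t in entry if t[0].lower() not in NON_IMPORTABLE]
        missing = REQUIRED - {t[0].lower() for t in kept}
        if missing:  # entry[0] is the dn line, which starts every LDIF entry
            raise ValueError(f"{entry[0][2]}: missing {sorted(missing)}")
        cleaned.append(kept)
    return cleaned

def to_ldif(entries):
    return "\n".join("\n".join(f"{a}{s} {v}" for a, s, v in e) + "\n" for e in entries)
```

Run it against the real Exportuser.ldf by reading the file into parse_ldif and writing to_ldif(sanitize(...)) back out; the ValueError names the first entry that would fail the import requirement.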
References:
https://support.microsoft.com/kb/555636