Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 5049
  • Last Modified:

active directory, export import users and passwords

Whats the easiest way to export list of usernames and passwords in AD to a file so I can import them on a new server..

Does anyone have a script to achieve?
0
blahblah777
Asked:
blahblah777
  • 2
1 Solution
 
Joseph DalyCommented:
You can export the usernames but I do not believe that AD allows you to export the passwords. As far as I know once the password is entered there is no way of retrieving it in plain text.
0
 
Joseph DalyCommented:
If you are doing a migration why wouldnt you just do DCPROMO on the new server to make it a domain controller. This will get all the information for all the users, once this is done and you have transferred the roles then you can DCPROMO the old server to remove it as a domain controller.
0
 
KCTSCommented:
Both the above are true!
passwords are not stored only the hash - so  they cannot be exported - the best option would be to add the new sever to the domain and then remove the old server (or you can leave the old one as well) here is the procedure

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the R2 version and the existing set-up is not then you need to run Adprep  from CD2 of the R2 disks on the existing Domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2
you need to run

adprep /forestprep
and
adprep /domainprep

From the command line promote the new machine to a domain controller with the DCPROMO command from the command line Select Additional Domain Controller in an existing Domain

Once Active Directory is installed then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS.  If you are using Active Directory Integrated DNS then DNS will br replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existiing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server dont forget to set the default gateway (router) and DNS Servers. Talking of which all the clients (and the domain controllers themselves) need to have their Preferred DNS server set the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See http://www.petri.co.il/transferring_fsmo_roles.htm

Check that you have:-
Made the other DC a global catalog:
Installed DHCP on the new DC, set up the scope and authorise it. (If using DHCP)
Make sure that all clients use the new DC as their Preferred DNS server (either by static or DHCP options)

Power down to old DC and make sure that all is well, once satisfied power on the old DC again, then run DCPROMO for remove it's domain controller status. This is essential to avoid replication errors

If you want to remove the machine from the domain then you can do so one it's DC role has been removed
0
 
GastrigCommented:
Or, if you are doing a duplication (or migration that is not "in place"), consider a migration tool.

ADMT, Active Directory Migration Tool, will do what you are wanting, and it is free:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ae279d01-7dca-413c-a9d2-b42dfb746059&displaylang=en

Additionally you could look at "cost" solutions for migrations, such as Quest Migration Manager for AD and Exchange:
http://www.quest.com/migration-manager-for-active-directory/

QMM has a "sync" capability that would keep the two accounts "in sync", including passwords, over time.

So is this a one-time thing?  If so, is it for a small number of users?

0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now