Solved

active directory, export import users and passwords

Posted on 2008-10-28
Last Modified: 2013-12-19
What's the easiest way to export a list of usernames and passwords in AD to a file so I can import them on a new server?

Does anyone have a script to achieve this?
Question by:blahblah777

Expert Comment

by:Joseph Daly
You can export the usernames but I do not believe that AD allows you to export the passwords. As far as I know once the password is entered there is no way of retrieving it in plain text.

Expert Comment

by:Joseph Daly
If you are doing a migration, why wouldn't you just do DCPROMO on the new server to make it a domain controller? This will get all the information for all the users. Once this is done and you have transferred the roles, you can DCPROMO the old server to remove it as a domain controller.

Expert Comment

by:KCTS
Both the above are true!
Passwords are not stored, only the hash, so they cannot be exported. The best option would be to add the new server to the domain and then remove the old server (or you can leave the old one as well). Here is the procedure:

Install Windows 2003 on the new machine
Assign the new computer an IP address and subnet mask on the existing network

Make sure that the preferred DNS server on new machine points to the existing DNS Server on the Domain (normally the existing domain controller)

Join the new machine to the existing domain as a member server

If the new Windows 2003 server is the R2 version and the existing set-up is not, then you need to run Adprep from CD2 of the R2 disks on the existing domain controller. Adprep is in the \CMPNENTS\R2\ folder on CD2.
You need to run

adprep /forestprep
and
adprep /domainprep

From the command line, promote the new machine to a domain controller with the DCPROMO command. Select Additional Domain Controller in an existing Domain.

Once Active Directory is installed, then install DNS. You can do this through Add/Remove Programs->Windows Components->Networking Services->DNS. If you are using Active Directory Integrated DNS then DNS will be replicated from the other DC/DNS.

Next make the new machine a global catalog server, go to Administrative Tools, Active Directory Sites and Services, Expand, Sites, Default first site and Servers. Right click on the new server and select properties and tick the Global Catalog checkbox. (Global catalog is essential for logon as it needs to be queried to establish Universal Group Membership)

If necessary install DHCP on the new DC. You can do this through Add/Remove Programs->Windows Components->Networking Services->DHCP.

You will then need to remove any existing DHCP prior to authorising the new DHCP Server. When setting up the new DHCP server don't forget to set the default gateway (router) and DNS Servers. Talking of which, all the clients (and the domain controllers themselves) need to have their Preferred DNS server set to the new domain controller.

Both Domain Controllers by this point will have Active Directory, Global Catalog, DNS and the domain could function for a while at least should any one of them fail.

If you really want rid of the old DC then:-

Transfer all the FSMO roles to the new DC: See http://www.petri.co.il/transferring_fsmo_roles.htm

Check that you have:-
Made the other DC a global catalog:
Installed DHCP on the new DC, set up the scope and authorise it. (If using DHCP)
Make sure that all clients use the new DC as their Preferred DNS server (either by static or DHCP options)

Power down the old DC and make sure that all is well. Once satisfied, power on the old DC again, then run DCPROMO to remove its domain controller status. This is essential to avoid replication errors.

If you want to remove the machine from the domain then you can do so once its DC role has been removed.
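
The "Check that you have" list above can be verified from the directory itself before the old DC is demoted. The following script is an added example, not part of the thread: it reads the FSMO role holders and global catalog status through the .NET System.DirectoryServices.ActiveDirectory classes and changes nothing. It assumes Windows PowerShell on a domain-joined machine and that both host names are passed as FQDNs; the example names in the comments are constructed. DHCP and client DNS settings are not covered by it.

```powershell
# Added example: read-only readiness check before demoting the old DC.
# Both host names are placeholders supplied by the caller (FQDNs as stored in AD).
param(
    [Parameter(Mandatory = $true)][string]$OldDC,   # e.g. olddc.example.local (constructed)
    [Parameter(Mandatory = $true)][string]$NewDC    # e.g. newdc.example.local (constructed)
)

$domain = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain()
$forest = $domain.Forest

# The five FSMO roles and the DC that currently holds each one.
$roles = @{
    SchemaMaster         = $forest.SchemaRoleOwner.Name
    DomainNamingMaster   = $forest.NamingRoleOwner.Name
    PDCEmulator          = $domain.PdcRoleOwner.Name
    RIDMaster            = $domain.RidRoleOwner.Name
    InfrastructureMaster = $domain.InfrastructureRoleOwner.Name
}

$problems = @()
foreach ($role in $roles.GetEnumerator()) {
    if ($role.Value -ieq $OldDC) {
        $problems += "FSMO role $($role.Key) is still held by $OldDC"
    }
}

# The new machine must be a DC and a global catalog before the old one goes.
$new = $domain.DomainControllers | Where-Object { $_.Name -ieq $NewDC }
if (-not $new) {
    $problems += "$NewDC is not listed as a domain controller"
} elseif (-not $new.IsGlobalCatalog()) {
    $problems += "$NewDC is not a global catalog"
}

# At least one global catalog must remain once the old DC is removed.
$otherGCs = @($forest.GlobalCatalogs | Where-Object { $_.Name -ine $OldDC })
if ($otherGCs.Count -eq 0) {
    $problems += "No global catalog would remain after removing $OldDC"
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output "FSMO roles and global catalog are off $OldDC; DCPROMO demotion can proceed."
```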

Accepted Solution

by:
Gastrig earned 250 total points
Or, if you are doing a duplication (or migration that is not "in place"), consider a migration tool.

ADMT, Active Directory Migration Tool, will do what you are wanting, and it is free:
http://www.microsoft.com/downloads/details.aspx?FamilyID=ae279d01-7dca-413c-a9d2-b42dfb746059&displaylang=en

Additionally you could look at "cost" solutions for migrations, such as Quest Migration Manager for AD and Exchange:
http://www.quest.com/migration-manager-for-active-directory/

QMM has a "sync" capability that would keep the two accounts "in sync", including passwords, over time.

So is this a one-time thing?  If so, is it for a small number of users?
