Export Users and Groups from AD

Posted on 2011-04-18
Medium Priority
Last Modified: 2013-11-05
What command should I use in order to export from Active Directory the following information?

all the groups and the users that belong to every group
all the users with the following attributes: username, full name, description, password expires option, password required, account disabled, account locked, last login
Question by:darkbluegr

Expert Comment

by:Tony Massa
ID: 35419155

There are a few issues here:
Last Login (lastLogon) isn't stored on one DC...however, you could use the lastLogonTimeStamp option (assuming you're on 2003 Native Mode).  This value is replicated by default every 2 weeks, so it's not very accurate for normal users.  It's used as a way to find stale accounts.

The userAccountControl uses a bitmask operator to determine quite a few things related to the user account status: (account disabled and pwd required, included)

The utilities above will export everything you specify in the filter and attributes.

Expert Comment

by:Adam Brown
ID: 35420486
If you download (and can install) the Quest Active Roles PowerShell Cmdlets (available here: http://www.quest.com/powershell/activeroles-server.aspx), the attached scripts should pull the group information you want. I'll add another one in a second.
# For each group: write a separator, the group name, then its members (name and type)
get-qadgroup | %{$group = $_.name
"_________" >> c:\groupstuff.csv
"$group" >> c:\groupstuff.csv
"_________" >> c:\groupstuff.csv
get-qadgroupmember $_.name | select name,type >> c:\groupstuff.csv}



Accepted Solution

Adam Brown earned 2000 total points
ID: 35420555
Here's the user information you want. The password not required flag is kinda tricky because it is basically a numerical value in the UserAccountControl property...Best way I can think of doing that is with a separate script. It's the second script. First will export everything else.

get-qaduser | select displayname,samaccountname,description,passwordstatus,accountisdisabled,accountislockedout,lastlogon,lastlogontimestamp | export-csv c:\userdata.csv


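# PASSWD_NOTREQD is bit 32 (0x20) of userAccountControl; test that bit with -band,
# since -eq 32 only matches accounts that have no other flag set
get-qaduser -properties useraccountcontrol| %{$status,$name = $_.useraccountcontrol,$_.samaccountname
if ($status -band 32)
{$name >> C:\nopasswordrequired.txt}}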
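
Added example, not part of the original answers: how the userAccountControl bitmask and lastLogonTimestamp discussed in this thread decode into the columns the question asks for. It assumes PowerShell 3.0 or later; the function names, account names and sample values are constructed for illustration, and it reads no directory.

```powershell
# userAccountControl bits (documented flag values)
$UacFlags = [ordered]@{
    AccountDisabled      = 0x0002    # ACCOUNTDISABLE
    PasswordNotRequired  = 0x0020    # PASSWD_NOTREQD
    PasswordNeverExpires = 0x10000   # DONT_EXPIRE_PASSWORD
}
# Lockout state is not decoded here: AD does not maintain the LOCKOUT bit
# in userAccountControl for domain accounts.

function ConvertFrom-UserAccountControl {   # hypothetical helper name
    param([int]$Value)
    # Test each bit with -band. A whole-value comparison misses accounts that
    # carry other flags, e.g. 544 = 512 (normal account) + 32.
    $result = [ordered]@{}
    foreach ($name in $UacFlags.Keys) {
        $result[$name] = [bool]($Value -band $UacFlags[$name])
    }
    [pscustomobject]$result
}

function ConvertFrom-LastLogonTimestamp {   # hypothetical helper name
    param([long]$FileTime)
    # lastLogonTimestamp is a FILETIME; 0 or absent means no recorded logon
    if ($FileTime -le 0) { return $null }
    [DateTime]::FromFileTimeUtc($FileTime)
}

# Constructed sample records standing in for exported attribute values
$sample = @(
    [pscustomobject]@{ sAMAccountName = 'alice'; userAccountControl = 512
                       lastLogonTimestamp = (Get-Date '2011-04-10').ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'svc-backup'; userAccountControl = 66080
                       lastLogonTimestamp = (Get-Date '2010-09-01').ToFileTimeUtc() }
    [pscustomobject]@{ sAMAccountName = 'bob'; userAccountControl = 514
                       lastLogonTimestamp = 0 }
)

# The value replicates roughly every two weeks, so keep the stale threshold
# well above that (90 days before a fixed, constructed report date).
$staleBefore = (Get-Date '2011-04-18').ToUniversalTime().AddDays(-90)

$report = foreach ($u in $sample) {
    $flags = ConvertFrom-UserAccountControl -Value $u.userAccountControl
    $last  = ConvertFrom-LastLogonTimestamp -FileTime $u.lastLogonTimestamp
    $flags | Select-Object @{n='User'; e={ $u.sAMAccountName }}, *,
        @{n='LastLogonUtc'; e={ $last }},
        @{n='Stale'; e={ ($null -eq $last) -or ($last -lt $staleBefore) }}
}
$report | Format-Table -AutoSize
```

With the sample data, svc-backup (66080 = 512 + 32 + 65536) is reported as both password-not-required and password-never-expires, which an equality test against 32 would not catch.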



Author Closing Comment

ID: 35710781
thanks so much!
