Export Users and Groups from AD

Posted on 2011-04-18
Last Modified: 2013-11-05
What command should I use in order to export from Active Directory the following information?

- all the groups and the users that belong to every group
- all the users with the following attributes: username, full name, description, password expires option, password required, account disabled, account locked, last login
Question by:darkbluegr
    LVL 17

    Expert Comment

    by:Tony Massa

    There are a few issues here:
    Last Login (lastLogon) isn't stored on one DC...however, you could use the lastLogonTimeStamp option (assuming you're on 2003 Native Mode).  This value is replicated by default every 2 weeks, so it's not very accurate for normal users.  It's used as a way to find stale accounts.

    The userAccountControl uses a bitmask operator to determine quite a few things related to the user account status: (account disabled and pwd required, included)

    The utilities above will export everything you specify in the filter and attributes.
    LVL 37

    Expert Comment

    by:Adam Brown
    If you download (and can install) the Quest Active Roles Powershell Cmdlets (available here: )

    The attached scripts should pull the group information you want. I'll add another one in a second.
    # For each group: write its name between separator lines, then list its members
    get-qadgroup | %{$group = $_.name
    "_________" >> c:\groupstuff.csv
    "$group" >> c:\groupstuff.csv
    "_________" >> c:\groupstuff.csv
    get-qadgroupmember $_ | select name,type >> c:\groupstuff.csv}

    LVL 37

    Accepted Solution

    Here's the user information you want. The password not required flag is kinda tricky because it is basically a numerical value in the UserAccountControl property...Best way I can think of doing that is with a separate script. It's the second script. First will export everything else.

    get-qaduser | select displayname,samaccountname,description,passwordstatus,accountisdisabled,accountislockedout,lastlogon,lastlogontimestamp | export-csv c:\userdata.csv

    # userAccountControl is a bit field: test the "password not required" bit (32) with -band
    get-qaduser -properties useraccountcontrol | %{$status,$name = $_.useraccountcontrol,$_.samaccountname
    if ($status -band 32)
    {$name >> C:\nopasswordrequired.txt}}
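
The userAccountControl bit tests and the lastLogonTimestamp conversion discussed in the answers above, as an added example that is not part of any poster's reply. The function name `Convert-AdUserRecord`, the sample accounts, the reference date and the 90-day stale threshold are assumptions made for illustration; it needs PowerShell 3.0 or later and runs without a domain.

```powershell
# Added example: function name, sample data and thresholds are hypothetical.
# userAccountControl bit values (Microsoft-documented flags)
$UacFlags = [ordered]@{
    AccountDisabled      = 0x2      # ACCOUNTDISABLE
    PasswordNotRequired  = 0x20     # PASSWD_NOTREQD (decimal 32)
    PasswordNeverExpires = 0x10000  # DONT_EXPIRE_PASSWORD
}

function Convert-AdUserRecord {
    param(
        [string]$SamAccountName,
        [int]$UserAccountControl,
        [long]$LastLogonTimestamp,  # FILETIME: 100 ns ticks since 1601-01-01 UTC
        [datetime]$AsOf,            # reference date for the stale check
        [int]$StaleDays = 90        # assumed threshold
    )
    $row = [ordered]@{ SamAccountName = $SamAccountName }
    foreach ($flag in $UacFlags.GetEnumerator()) {
        # -band isolates a single bit; comparing the whole value with -eq
        # fails because other bits (e.g. 512, normal account) are set too.
        $row[$flag.Key] = [bool]($UserAccountControl -band $flag.Value)
    }
    if ($LastLogonTimestamp -gt 0) {
        $last = [datetime]::FromFileTimeUtc($LastLogonTimestamp)
        $row['LastLogonUtc'] = $last
        $row['Stale'] = ($AsOf - $last).TotalDays -gt $StaleDays
    } else {
        $row['LastLogonUtc'] = $null   # attribute unset: no logon recorded
        $row['Stale'] = $true
    }
    [pscustomobject]$row
}

# Constructed sample records (not real accounts)
$asOf = [datetime]'2011-04-18'
$sample = @(
    @{ Sam = 'alice';   Uac = 512;   Last = ([datetime]'2011-04-10').ToFileTimeUtc() }
    @{ Sam = 'bob';     Uac = 514;   Last = ([datetime]'2010-06-01').ToFileTimeUtc() }
    @{ Sam = 'svc-app'; Uac = 66080; Last = 0 }   # 512 + 32 + 65536
)
$sample | ForEach-Object {
    Convert-AdUserRecord -SamAccountName $_.Sam -UserAccountControl $_.Uac -LastLogonTimestamp $_.Last -AsOf $asOf
} | Format-Table -AutoSize
```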


    Author Closing Comment

    thanks so much!
