Import & Export AD user information

  • Question

  • Hi

    We are looking for a better option to bulk export and import AD users using commands other than LDIFDE / CSVDE; we have to modify some properties, say Description, and then import to AD. Also, we plan to export all user properties once a month for audit purposes.

    Thanks in advance


    LMS

    Wednesday, November 9, 2016 5:51 AM

All replies

  • Wednesday, November 9, 2016 6:30 AM
  • To export all of your users:

    get-aduser -filter * | export-csv c:\FileName.csv

    I'm not sure what you are changing in the description field. If it is different for each user, you are going to need to work out the logic for that. If the description is going to be the same for all users, then:

    import-csv c:\FileName.csv | new-aduser -Description "This is a description of the user"
    You might also want to add -path if you want them to go into a certain OU or CN.


    Thanks, Tim.


    • Edited by Tim Haintz Wednesday, November 9, 2016 11:28 AM
    Wednesday, November 9, 2016 11:25 AM
  • Is LDIFDE still valid with Windows 2012 R2 Domain Controllers for exporting and importing? The following is the KB article: https://support.microsoft.com/en-us/kb/555636

    I remember we used "e5. Exporting User Account attributes except attributes those can’t be imported: (Using –o switch)" with Windows 2003 DCs for exporting and importing after making changes.


    LMS

    Wednesday, November 9, 2016 11:41 AM
  • I thought your original question said that you don't want to use LDIFDE? Looking at the KB you sent, it only applies to 2003 servers and older.

    Thanks, Tim.

    Wednesday, November 9, 2016 11:50 AM
  • Actually, I'm looking for an alternative solution to export all user properties, modify some settings, and import them back. I even tried LDIFDE as follows:

    ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount, memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"

    Then edited the file, but failed to import with error :

    Add error on entry starting on line 1: Unwilling To Perform
    The server side error is: 0x209a Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).
    The extended server error is:
    0000209A: SvcErr: DSID-031A1081, problem 5003 (WILL_NOT_PERFORM), data 0

    Any Idea??


    LMS

    Wednesday, November 9, 2016 12:13 PM
  • You cannot import the lastlogon, lastlogoff, badpwdcount, objectGUID, objectSID.  Only the system can set these properties.

    The great majority of user attributes cannot be imported depending on the subsystems installed (Exchange).


    \_(ツ)_/

    Wednesday, November 9, 2016 12:19 PM
  • Have you tried the PowerShell scripts I posted above?

    get-aduser -filter * -properties *

    Should give you everything you are asking for.


    Thanks, Tim. Please remember to mark the replies as answers if they help.

    Wednesday, November 9, 2016 12:27 PM
  • Have you tried the PowerShell scripts I posted above?

    get-aduser -filter * -properties *

    Should give you everything you are asking for.


    Thanks, Tim. Please remember to mark the replies as answers if they help.

    You cannot export everything as you will get mostly junk.  Complex objects and arrays cannot be sensibly exported without conversion.

    There are third party tools and scripts in the gallery that can do a sensible export with some exceptions.

    Complete backup and restore of user accounts can only be done via an authoritative backup of the complete AD instance:

    https://msdn.microsoft.com/en-us/library/bb727048.aspx


    \_(ツ)_/


    • Edited by jrv Wednesday, November 9, 2016 12:36 PM
    Wednesday, November 9, 2016 12:34 PM
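
The export, edit and re-import cycle discussed in this thread, as an added PowerShell example (not code posted by anyone in the thread): it exports a named set of properties with the multi-valued one flattened, then writes back only the Description column to existing accounts. It assumes the RSAT ActiveDirectory module; the C:\Audit path and the chosen property list are assumptions.

```powershell
# Added example, not code from the thread.
# Assumes the RSAT ActiveDirectory module; the path below is hypothetical.
Import-Module ActiveDirectory

$csv = 'C:\Audit\ad-users.csv'

# 1. Export: name the properties you need and flatten multi-valued ones.
#    Without the calculated MemberOf column, Export-Csv writes the collection's
#    type name instead of the group DNs.
$props = 'Description', 'Enabled', 'MemberOf', 'whenCreated', 'LastLogonDate', 'PasswordLastSet'

Get-ADUser -Filter * -Properties $props |
    Select-Object SamAccountName, ObjectGUID, DistinguishedName, Enabled, Description,
        whenCreated, LastLogonDate, PasswordLastSet,
        @{ Name = 'MemberOf'; Expression = { ($_.MemberOf | Sort-Object) -join ';' } } |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# 2. After editing the Description column in the CSV, re-apply only that column.
#    Existing accounts are updated with Set-ADUser and matched on ObjectGUID,
#    which does not change when an account is renamed or moved.
#    System-owned values (lastLogon, badPwdCount, objectSid, ...) are exported
#    for the audit but never written back.
foreach ($row in Import-Csv -Path $csv) {
    $user = Get-ADUser -Identity $row.ObjectGUID -Properties Description

    # [string] turns a missing Description ($null) into '' so it compares
    # cleanly with the empty CSV cell.
    if ([string]$user.Description -ne $row.Description) {
        if ([string]::IsNullOrEmpty($row.Description)) {
            Set-ADUser -Identity $user -Clear Description -WhatIf
        }
        else {
            Set-ADUser -Identity $user -Description $row.Description -WhatIf
        }
    }
}
```

With `-WhatIf` in place the loop only reports the changes it would make; remove it once the reported changes match the edits made to the CSV. The monthly audit file lists every account and its group memberships, so store it where only the audit staff can read it.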