For audit purposes I needed to list all active directory users and prove that ex-employees were either deleted of disabled. There are a couple of techniques to produce the required output. I think the easiest was to make use of the csvde.exe.
Arguements for csvde.exe
CSV Directory Exchange
General Parameters
==================
-i Turn on Import Mode (The default is Export)
-f filename Input or Output filename
-s servername The server to bind to (Default to DC of computer's domain)
-v Turn on Verbose Mode
-c FromDN ToDN Replace occurences of FromDN to ToDN
-j path Log File Location
-t port Port Number (default = 389)
-u Use Unicode format
-? Help
Export Specific
===============
-d RootDN The root of the LDAP search (Default to Naming Context)
-r Filter LDAP search filter (Default to "(objectClass=*)")
-p SearchScope Search Scope (Base/OneLevel/Subtree)
-l list List of attributes (comma separated) to look for in an
LDAP search
-o list List of attributes (comma separated) to omit from input.
-g Disable Paged Search.
-m Enable the SAM logic on export.
-n Do not export binary values
Import
======
-k The import will go on ignoring 'Constraint Violation' and
'Object Already Exists' errors
Credentials Establishment
=========================
Note that if no credentials is specified, CSVDE will bind as the currently
logged on user, using SSPI.
-a UserDN [Password | *] Simple authentication
-b UserName Domain [Password | *] SSPI bind method
Example: Simple import of current domain
csvde -i -f INPUT.CSV
Example: Simple export of current domain
csvde -f OUTPUT.CSV
Example: Export of specific domain with credentials
csvde -m -f OUTPUT.CSV
-b USERNAME DOMAINNAME *
-s SERVERNAME
-d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
-r "(objectClass=user)"
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.So to display whether a user is disabled or not we need to extract the “userAccountControl” property.
(more…)
