If you’ve been following my last few articles you know that the beauty of PowerShell lies in its scalability. For the sake of my demonstration I’m going to assume I’ve been asked to export members of the Engineering department using the Microsoft Active Directory module. I’ll break things down into discrete steps but you could easily combine them into a single pipelined expression.
Get the users
Getting the users is pretty simple.
PS C:\> $users = get-aduser -filter "department -eq 'Engineering'"
As you can see in the figure I have 52 user accounts. Or rather I have the stub of a user account. The Microsoft cmdlets will only give you what you ask for so you have to decide what information you need to export. If you want to get all properties, use a wildcard.
PS C:\> $users = get-aduser -filter "department -eq 'Engineering'" -Properties *
Or you can be more selective:
PS C:\> $select = get-aduser -filter "department -eq 'Engineering'" -Properties City,Title,Department,GivenName,Surname
Export to CSV
Now, you might think you’re almost done.
PS C:\> $users | export-csv S:\engineering.csv
While the command will complete, if you look at the results in Notepad or Microsoft Excel, you’ll see that some properties, like MemberOf, don’t export. The CSV format only works well when you select flat properties. Above, I defined a second variable with the properties I wanted, so let me export that along with other standard properties like Enabled and DistinguishedName.
PS C:\> $select | export-csv s:\select-engineering.csv
Depending on your version of PowerShell, you might need to exclude the stream properties, or be very specific about what you want to export.
PS C:\> $select | Select DistinguishedName,Name,Givenname,Surname,Title,Department, City,samAccountname,UserPrincipalName,SID | Export-CSV S:\select-engineering.csv
If you need to use the CSV file outside of PowerShell you might need to include the -NoTypeInformation parameter. Otherwise, you can always re-import them into PowerShell, even on a totally different computer, and work with the objects.
PS C:\> import-csv .\select-engineering.csv | out-gridview -Title "Engineering"
Export to XML
In PowerShell, the best way to export a complete, rich object is with XML. If you are planning on later re-importing the account information into PowerShell, use Export-CliXML.
PS C:\> $users | export-clixml s:\engineering.xml
This will capture everything, including nested properties like MemberOf.
PS C:\> import-clixml S:\engineering.xml | select -first 1 name,memberof
Name          MemberOf
----          --------
Devon Robello {CN=Chicago Engineering,OU=Groups,OU=Employees...
You can certainly export a subset of selected properties as well. Again, you have to consider why you are exporting and what you intend to do with the data. An advantage of the XML format is that the property types are maintained so WhenCreated is stored as a DateTime whereas in the CSV everything is a string.
The other XML option is to create a file that is more of a standard XML. First, convert the user accounts to an XML document.
PS C:\> [xml]$doc = $users | convertto-xml
Then you can save the file to disk.
PS C:\> $doc.Save("c:\work\AllEngineering.xml")
Now you have an XML file that can be used anywhere.
Summary
When exporting user accounts from Active Directory I can’t stress enough that you plan ahead and consider what you intend to do with the information, as well as what information you really need to export. It may seem simple to grab everything but that will take time and generate some large file sizes, especially when using XML. Of course none of this will get the user’s password. Even so, depending on your Active Directory and what you export there might be sensitive information so be sure to secure your exports.
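The flat-property limit of CSV and the advice to secure exports, shown together in an added example (not the author's code). The sample objects are constructed stand-ins for Get-ADUser output, and the output path under $env:TEMP is an assumption.

```powershell
# Constructed sample objects standing in for Get-ADUser output (not real accounts).
# On a real domain: $users = Get-ADUser -Filter "department -eq 'Engineering'" -Properties MemberOf,WhenCreated,Department
$users = @(
    [pscustomobject]@{
        Name = 'Sample User A'; SamAccountName = 'sampleA'; Department = 'Engineering'
        WhenCreated = [datetime]'2014-01-15'
        MemberOf = @('CN=Group One,OU=Groups,DC=example,DC=test',
                     'CN=Group Two,OU=Groups,DC=example,DC=test')
    },
    [pscustomobject]@{
        Name = 'Sample User B'; SamAccountName = 'sampleB'; Department = 'Engineering'
        WhenCreated = [datetime]'2014-02-20'; MemberOf = @()
    }
)
$csv = Join-Path $env:TEMP 'engineering-flat.csv'   # assumed output path

# Flatten the multi-valued MemberOf into one string. DNs contain commas,
# so join on ';' rather than ','. Write the date in sortable ISO form so it
# parses back regardless of the importing machine's culture.
$users |
    Select-Object Name, SamAccountName, Department,
        @{ Name = 'WhenCreated'; Expression = { $_.WhenCreated.ToString('s') } },
        @{ Name = 'MemberOf';    Expression = { $_.MemberOf -join ';' } } |
    Export-Csv -Path $csv -NoTypeInformation -Encoding UTF8

# Restrict the export to the account that created it: stop inheriting
# permissions from the parent folder and keep a single explicit ACE.
$me   = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
$acl  = Get-Acl -Path $csv
$acl.SetAccessRuleProtection($true, $false)   # protect ACL, discard inherited ACEs
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($me, 'FullControl', 'Allow')
$acl.SetAccessRule($rule)
Set-Acl -Path $csv -AclObject $acl

# Re-import: every CSV value is a string, so rebuild the types you need.
$restored = Import-Csv -Path $csv | ForEach-Object {
    $_.WhenCreated = [datetime]$_.WhenCreated
    $_.MemberOf    = @($_.MemberOf -split ';' | Where-Object { $_ })
    $_
}
$restored | Select-Object Name, WhenCreated, @{ n = 'Groups'; e = { $_.MemberOf.Count } }
(Get-Acl -Path $csv).Access | Select-Object IdentityReference, FileSystemRights
```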
In the next post you will learn how to import users to Active Directory from a CSV file with PowerShell.
Hi All
I used CSVDE command to pull all users AD groups but in between I am getting the groups in the format of ASCII. How to have all the groups details in readable format.
I think you are missing the point of the article. You should move on from using CSVDE and begin using PowerShell. I really don’t know what you mean by a “readable” format.
After reading this post I am starting to wonder if I should bother with exporting/importing capability for Users and OUs. In my situation, the only reason I considered exporting was if I had to rebuild the DC01 from scratch, and DC02 did not have the latest users because it too was down due to RAID failure. I guess, in my ignorance, it seemed simple enough to export/import the data since setting up the DC was pretty straight forward. Should I just not bother with exporting/importing and just rely on System State backups?
In your example, a System State restore would be much better. Exporting and importing will create the user account, but the SID will be different, as would things like the original creation date if that is important to you. There are situations for both Export/Import and backups. You have to decide what makes sense for your problem.
Thanks for that Article! It would have saved me a lot of time, if just I had googled a bit better. I just recently had to build a Lab DC which looks as much as Prod as possible. Of course it had a different Domain Name and some protected properties needed to be omitted. Foolishly I used LDIF for that task. I had a good time reformatting the .LDF files…
Thanks,
This is a lot better than downloading a Powershell module from TechNet and then still wonder why it didn’t work. I just needed a list of accounts enabled on the DC. I was able to do that with 3 or 4 simple lines.
Thanks for the article, this has helped a ton. Is there a way to export this information and have the “Distinguished Name” broken out into separate columns? So the breakdown of OUs they are in.
Help Please! I am using the following script to pull all the information/properties for an AD:
$users = get-aduser -filter "department -eq 'Engineering'" -Properties *
I am trying to add the users that I get from running the command above, on to another AD on another domain. I am using the following command to do the adduser:
Import-Csv .\Desktop\import1.csv | New-ADUser -Enabled $true -AccountPassword (ConvertTo-SecureString test1234! -AsPlainText -Force) -Path "OU=nogales,DC=sbinet,DC=local" -PassThru
For some reason unknown, I am getting the following error:
New-ADUser : Pipeline input cannot be processed because the default value of
parameter ‘KerberosEncryptionType’ cannot be retrieved. Exception getting
“KerberosEncryptionType”: “Object reference not set to an instance of an
object.”
At line:1 char:36
+ Import-Csv .\Desktop\import3.csv | New-ADUser -Enabled $true
-AccountPassword (C …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~
+ CategoryInfo : ReadError: (@{AccountExpira…mePage=bah.com}:
Object) [New-ADUser], ParameterBindingParameterDefaultValueException
+ FullyQualifiedErrorId : GetDefaultValueFailed,Microsoft.ActiveDirector
Management.Commands.NewADUser
Any ideas?? I appreciate any help you guys can provide!!