WinDeveloper O365 Mailer FREE for 1 Year

WinDeveloper IMF Tune
WinDeveloper IMF Tune
  • Home
  • General
  • Extracting Information from Active Directory (Part 1)

Extracting Information from Active Directory (Part 1)

Alexander Zammit

Alexander Zammit Photo

Software Development Consultant. Involved in the development of various Enterprise software solutions. Today focused on Blockchain and DLT technologies.

  • Published: Feb 13, 2007
  • Category: General
  • Votes: 4.6 out of 5 - 5 Votes
Cast your Vote
Poor Excellent

Active Directory stores various Exchange configuration settings. If we need a list of email addresses, domain controllers, or legacy DNs for ExMerge, the Active Directory export tools will do the job.

Active Directory hosts objects that together define the core elements of a Windows network. Computer and User objects are two examples of the many object types residing here.

Exchange was one of the first to embrace the extensibility opportunities AD provided. From Exchange 2000, AD absorbed the Exchange configuration objects and user mailbox information. The directory brought together the information for Windows users and Exchange mailboxes. Since then, AD continued to play this important role in all subsequent releases including the latest Exchange 2007.

Today we look at some tools allowing us to extract information from Active Directory. Microsoft provides a good number of these. The ones we will discuss, LDIFde.exe and CSVde.exe, are installed with Windows 200x Server.

Our discussion will mainly focus on the export of user objects. However the same could be applied to any other AD object.

What is a User?

In Active Directory terminology a user is an object of class "user". To an Exchange administrator this definition may need to be broadened to include all objects that are listed at the address book. However to begin with let's have a look at how a user looks like when exported using the LDIFde.exe command:
ldifde -f c:\temp\user1.txt -d cn=user1,cn=users,dc=vertical,dc=local -v

In this case I am extracting a user named "user1" and saving it to an external file. Looking at the exported data we see how a user object, like any other AD object, boils down to a bunch of properties. Here is how the exported data looks like:

LDIFde User1 Export

The following are some user object properties of interest to Exchange administrators.

dn: CN=user1,CN=Users,DC=vertical,DC=local
The Distinguished Name DN identifies exactly where the object is located within the directory. This is similar to a reversed directory path. The path starts from the object name, and traverses the directory upwards to the root.

cn: user1
The Common Name CN is the object name, the first part in the object DN.

proxyAddresses: SMTP:user1@vertical.local
proxyAddresses: X400:c=US;a= ;p=First Organizati;o=Exchange;s=user1;
proxyAddresses are the set of user addresses. These are generated and maintained by the Exchange Recipient Update Service RUS. Typically here we find SMTP and X400 addresses. However other address types may also be present, such as those used in FAX server gateways.

mailNickname: user1
The mailNickname is the SMTP email alias. In Exchange this is often used to identify objects that are to appear in an Address book.

legacyExchangeDN:
/o=First Organization/ou=First Administrative Group/cn=Recipients/cn=user1
The legacyExchangeDN is another type of distinguished name. This used to be the DN format in Exchange 5.5 and earlier versions. Today we still encounter these especially when dealing with MAPI applications such as ExMerge.

Using LDIFde.exe and CSVde.exe

LDIFde and CSVde are two very similar command-line applications. Both allow us to import and export information to/from Active Directory. Furthermore the two applications support almost the same set of input parameters. As an example here is how to export a user with each of these tools:
ldifde -f c:\temp\user1.txt -d cn=user1,cn=users,dc=vertical,dc=local -v
csvde -f c:\temp\user1.txt -d cn=user1,cn=users,dc=vertical,dc=local -v

Don't waste too much energy looking for differences. It's the same set of parameters. This is great since learning how to use one application takes us a long way in using the other.

The main difference between the two is the file format used for importing/exporting data. LDIFde.exe uses the Lightweight Data Interchange Format. CSVde.exe uses the more familiar Comma Separated Value format.

When it comes to advanced directory operations, LDIFde.exe is the most appropriate. However here we won't really need this extra power. On the other hand CSVde.exe gives us a file format that can be easily opened in MS Excel or MS Access. This is very handy when going through a large number of objects.

Command Line Parameters

To get to the application help screen run the command without any parameters. Here is how the CSVde.exe help looks like (the one for LDIFde.exe is very similar).

CSVde Help

Going through all the parameters is beyond the scope. Instead we will discuss the most important ones. Both applications run in export mode by default. As a minimum we typically need to add the -f and -d parameters. -f identifies the file where the exported data is to be saved. -d identifies the DN of the directory location from where the export is to start. This can be the DN of a specific object as we did in case of user1 above, or it could be the DN for a container holding other objects and containers.

Getting used to constructing DNs is our first step. Unfortunately the seemingly cryptic format tends to discourage some. However, when dealing with user objects this is quite easy. Just open the AD Users and Computers MMC console from which we can deduce the DN for any container/object:

Active Directory Users and Computers

In general we need to remember that when converting the domain FQDN (vertical.local) to an AD DN we need to use the 'DC=' (DC=vertical,DC=local). When dealing with organizational units we use 'OU=' and when dealing with other containers and objects we use 'CN='. Building the final DN starts from the container/object of interest and moves upwards towards the root. So the DN for the user Alex under the Malta organizational unit is just a matter of bringing together all the parts:
CN=alex,OU=Malta,DC=vertical,DC=local

Alternatively we could use another tool from Microsoft, ADSIEdit. Get the Windows 200x Server CD and install the support tools. Next browse to the 'Support Tools' directory under Program Files and run ADSIEdit.msc. See how the ADSIEdit tree view shows the exact name composing the DN.

ADSI Edit

We already learned enough to start exporting AD objects. Just remember to enclose any DNs containing whitespace in double quotes. The following shows how we can export all three users under the Malta OU:
ldifde -f c:\temp\Malta.txt -d ou=malta,dc=vertical,dc=local -v
csvde -f c:\temp\Malta.txt -d ou=malta,dc=vertical,dc=local -v

This will export all domain controller objects:
ldifde -f c:\temp\DCs.txt -d "ou=domain controllers,dc=vertical,dc=local" -v
csvde -f c:\temp\DCs.txt -d "ou=domain controllers,dc=vertical,dc=local" -v

Final Tips

Today we saw how AD objects look like. The ability to construct DNs gave us the key to perform our first directory exports. However using these basic export commands can return an overwhelming number of objects. In the second part of this article, we will perform more selective exports with the help of filters. Finally MS Excel and MS Access will help us review the exported results.

References

LDAP Query Basics

Copyright © 2005 - 2024 All rights reserved. ExchangeInbox.com is not affiliated with Microsoft Corporation