Eldingo said:
Hello All:
Can someone please help me export all the AD user information,
including the security settings, like exact object location within the
directory? Thanks for your help!
Ciao

There are several command-line utilities that can be used to export
attribute values for all users. For example, dsquery and dsget can be used,
or Joe Richards' free adfind utility. See this link:
http://www.joeware.net/freetools/tools/adfind/index.htm
A VBScript program can be used to document users. I have an example linked
here that exports the values of some attributes for all users to a
comma-delimited file:
http://www.rlmueller.net/DocumentUsers.htm
This is just an example, but can be modified to document any attributes you
like. I also have an example VBScript program that documents all of the
attributes of any specified object in AD (such as a specified user) linked
here:
http://www.rlmueller.net/Document Attributes.htm
The distinguishedName attribute specifies where in the hierarchy of AD the
object resides. All of my examples document the value of that attribute. I'm
not sure what you mean by security settings, but the userAccountControl
attribute is a flag attribute that indicates such settings as whether or not
a password is required, or if the account is disabled. Permissions should be
assigned by making the user a member of groups, so you might want to
document group membership. An example of a VBScript program that documents
user group memberships is linked here:
http://www.rlmueller.net/List User Groups.htm
Finally, if you want to document the permissions assigned directly to the
user object, you must document the ACEs (Access Control Entries) within the
DACL (Discretionary Access Control List) of the user's security descriptor.
I have an example VBScript program for that linked here:
http://www.rlmueller.net/DACL.htm
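
As an added illustration (not part of the original reply or the linked scripts), this Python sketch post-processes a comma-delimited user export: it decodes the userAccountControl flag bits and derives each user's container from distinguishedName. The column names, the choice of flags to review, and the sample rows are assumptions constructed for the example.

```python
import csv
import io

# Subset of userAccountControl bit values as documented by Microsoft.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
# Flags to surface in a security review (this selection is an assumption).
REVIEW = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD",
          "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH"}

def decode_uac(value):
    """Return the names of all known flags set in a userAccountControl value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]

def parent_container(dn):
    """Strip the first RDN from a DN, honouring backslash-escaped commas."""
    i = 0
    while i < len(dn):
        if dn[i] == "\\":
            i += 1              # skip the escaped character that follows
        elif dn[i] == ",":
            return dn[i + 1:]
        i += 1
    return ""                   # a single-RDN DN has no parent

def audit(csv_text):
    """Return one dict per user: name, container, decoded flags, flags to review."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        flags = decode_uac(int(row["userAccountControl"]))
        out.append({"user": row["sAMAccountName"], "flags": flags,
                    "container": parent_container(row["distinguishedName"]),
                    "review": [f for f in flags if f in REVIEW]})
    return out

# Constructed sample export (not real accounts); header names are assumed.
SAMPLE = '''distinguishedName,sAMAccountName,userAccountControl
"CN=Smith\\, Jane,OU=Sales,DC=example,DC=com",jsmith,512
"CN=svc-backup,OU=Service Accounts,DC=example,DC=com",svc-backup,66048
"CN=Old Temp,OU=Disabled,DC=example,DC=com",otemp,546
'''

if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

Bits not listed in `UAC_FLAGS` are ignored, so extend the table before relying on the output for a full review.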