July 13, 2020 at 8:21 pm
I have very limited knowledge of server management. I need to extract AD users and groups. Specifically, all AD users and groups.
Questions I have:
What privileges do I need to run the script? How will the script be scheduled/executed? Do I need to create a service account/managed account to run the script?
Note: all servers are on-premise, no cloud/azure solutions. All run Windows Server of some 2008+ version
What I've done: I had a good look at this example, but it seems more advanced than it needs to be.
July 13, 2020 at 8:24 pm
Please note that this is a SQL Server forum. If your question relates to SQL Server, please make the connection clear and we will try to help.
The absence of evidence is not evidence of absence
- Martin Rees
The absence of consumable DDL, sample data and desired results is, however, evidence of the absence of my response
- Phil Parkin
July 13, 2020 at 8:26 pm
Sorry Phil for the lack of connection. I am creating a table in SQL Server that needs to have AD users and their groups. The job is supposed to be run by an SSIS package. The expected frequency is once a day for the update. I am not sure if PowerShell is the best option, but the example I included (from this forum) used .NET.
I also explored an SP that does the same thing, but honestly there were a lot of concerns over it (because MS has deprecated its support and I am not sure what privileges are needed to run it).
July 13, 2020 at 8:38 pm
Do you happen to know if I need to be an admin to run this? And also, do I need to be an admin on the AD? Does it need to run on a DC?
Thank you
July 13, 2020 at 8:54 pm
I have found the Scripting Guy helpful over the years. Check out some of the links on the third paragraph on this page:
July 14, 2020 at 8:06 am
You don't need to be an admin to get AD information out of it, although your AD admins may have locked it down so normal users are unable to "read" AD. If that is the case they can just as easily give the user your SQL Agent runs under (hopefully an MSA/gMSA by now) the required privileges to read AD.
You do not need to run it on AD, but you need to install the Active Directory cmdlets on the server where you execute the extract - see https://4sysops.com/wiki/how-to-install-the-powershell-active-directory-module/
Having this executed by an SSIS package is a waste of time - all the work can easily be done in a single PowerShell script.
July 20, 2020 at 11:52 am
The .NET DirectorySearcher and PoSh are the way to go. The AD cmdlets and the QAD cmdlets (Quest AD - or OneIdentity now, as mentioned in one of the links) are simple to use and nice for a small number of items; when you get into the > 500 groups, not so much.
I found the best way for me was to search the groups, break out the members, write that to a .txt, then do a bulk import from a job on SQL Server (I have multiple SQL Servers importing the file). It is possible to write the results directly from PoSh using a Bulk Import as well.
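The approach described in the last two replies (DirectorySearcher from PowerShell, groups broken out into a text file, then a SQL Server bulk import), written out as an added example; this is not code from the thread or from any poster. It runs as the calling account, which only needs ordinary read access to the domain, so it needs neither admin rights nor a domain controller. It also handles the two scaling problems the AD cmdlets hide: server-side paging (AD stops at 1000 objects without it) and ranged retrieval of the `member` attribute (AD returns at most 1500 values per query). The output path, the table name and the column layout are assumptions.

```powershell
# Added example: enumerate every AD group and its direct members with
# System.DirectoryServices.DirectorySearcher and write a tab-delimited file
# that a SQL Agent job can BULK INSERT. Assumed: output path, table layout.
param(
    [string]$OutFile = "C:\ADExtract\ad_group_members.txt"   # assumed; must be readable by SQL Server
)

Add-Type -AssemblyName System.DirectoryServices

# Binds to the default naming context of the domain this machine is joined to.
function New-Searcher {
    param([string]$Filter, [string[]]$Props)
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter   = $Filter
    $s.PageSize = 1000      # paged results; without this AD silently truncates at 1000 objects
    foreach ($p in $Props) { [void]$s.PropertiesToLoad.Add($p) }
    return $s
}

# Ranged retrieval: read "member;range=N-M" in chunks of 1500 until the server answers
# with "member;range=N-*", which marks the final chunk. Works for groups of any size.
function Get-GroupMemberDns {
    param([string]$GroupDn)
    $members = New-Object System.Collections.Generic.List[string]
    $start = 0; $step = 1500
    while ($true) {
        # '/' is a separator in an ADsPath, so it must be escaped inside the DN
        $s = New-Object System.DirectoryServices.DirectorySearcher([ADSI]("LDAP://" + ($GroupDn -replace '/', '\/')))
        $s.SearchScope = 'Base'
        $s.Filter      = '(objectClass=*)'
        [void]$s.PropertiesToLoad.Add("member;range=$start-$($start + $step - 1)")
        $r = $s.FindOne()
        $key = $r.Properties.PropertyNames | Where-Object { $_ -like 'member;range=*' } | Select-Object -First 1
        if (-not $key) { break }                                  # empty group
        foreach ($dn in $r.Properties[$key]) { $members.Add([string]$dn) }
        if ($key.EndsWith('*')) { break }                         # last chunk
        $start += $step
    }
    return $members
}

# One query for all user objects builds a DN -> sAMAccountName map, so resolving
# members costs no per-member LDAP round trips. Member DNs absent from the map are
# nested groups, computers or contacts and are flagged rather than dropped.
$users = @{}
$us = New-Searcher '(&(objectCategory=person)(objectClass=user))' @('distinguishedName','sAMAccountName')
foreach ($u in $us.FindAll()) {
    $users[[string]$u.Properties['distinguishedname'][0]] = [string]$u.Properties['samaccountname'][0]
}

$rows = New-Object System.Collections.Generic.List[string]
$gs = New-Searcher '(objectCategory=group)' @('distinguishedName','sAMAccountName')
foreach ($g in $gs.FindAll()) {
    $gDn  = [string]$g.Properties['distinguishedname'][0]
    $gSam = [string]$g.Properties['samaccountname'][0]
    foreach ($mDn in (Get-GroupMemberDns -GroupDn $gDn)) {
        if ($users.ContainsKey($mDn)) { $type = 'user';  $mSam = $users[$mDn] }
        else                          { $type = 'other'; $mSam = '' }
        $rows.Add(($gSam, $gDn, $mSam, $mDn, $type) -join "`t")
    }
}

New-Item -ItemType Directory -Path (Split-Path $OutFile) -Force | Out-Null
$rows | Out-File -FilePath $OutFile -Encoding Unicode   # widechar keeps non-ASCII names intact
Write-Host "Wrote $($rows.Count) group-membership rows to $OutFile"

<# Load side, run from a SQL Agent job step (assumed table name and layout):
CREATE TABLE dbo.AdGroupMember (GroupSam nvarchar(256), GroupDn nvarchar(1024),
    MemberSam nvarchar(256), MemberDn nvarchar(1024), MemberType nvarchar(16));
TRUNCATE TABLE dbo.AdGroupMember;
BULK INSERT dbo.AdGroupMember FROM 'C:\ADExtract\ad_group_members.txt'
    WITH (DATAFILETYPE = 'widechar', FIELDTERMINATOR = '\t');
#>
```

The file only records direct membership; rows typed `other` are the nested groups whose members would need a second pass (or a recursive CTE over the loaded table) if the SQL table is meant to show effective membership. Because the script needs nothing beyond domain read access, the least-privilege way to schedule it is the SQL Agent's own gMSA with no extra rights, as the earlier reply suggests.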