Help needed in getting all AD users and groups

  • I have very limited knowledge with server management. I need to extract AD users and groups. Specifically, all AD users and groups.

    Questions I have:

    1. If this is going to be done through PowerShell, does the script need to run on the DC server?

      What privileges do I need to run the script? How will the script be scheduled/executed? Do I need to create a service account/managed account to run the script?

    2. What is the best way to do this; best means the most efficient, and also easiest to maintain/create. I need to get a daily list.

    Note: all servers are on-premise, no cloud/Azure solutions. All run Windows Server of some 2008+ version.

    What I've done: I had a good look at this example, but it seems more advanced than it needs to be.


  • Please note that this is a SQL Server forum. If your question relates to SQL Server, please make the connection clear and we will try to help.

    The absence of evidence is not evidence of absence.
    Martin Rees

    You can lead a horse to water, but a pencil must be lead.
    Stan Laurel

  • Sorry, Phil, for the lack of connection. I am creating a table in SQL Server that needs to have AD users and their groups. The job is supposed to be run by an SSIS package. The expected frequency is once a day for the update. I am not sure if PowerShell is the best option, but the example I included (from this forum) used .NET.


    I also explored an SP that does the same thing, but honestly there were a lot of concerns over it (because MS has deprecated its support and I am not sure what privileges are needed to run it).
  • Does this help?

    PoSh is a good option, IMO.

  • Do you happen to know if I need to be an admin to run this? And also, do I need to be an admin on the AD? Does it need to run on DC?

    Thank you

  • I have found the Scripting Guy helpful over the years. Check out some of the links in the third paragraph on this page:

    https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-search-active-directory-and-produce-a-report/

  • You don't need to be an admin to get AD information out of it. Although your AD admins may have locked it down so normal users are unable to "read" AD; if that is the case, they can just as easily give the user you have your SQL Agent running under (hopefully an MSA/gMSA by now) the required privileges to read AD.


    You do not need to run it on AD, but you need to install the Active Directory cmdlets on the server where you execute the extract - see https://4sysops.com/wiki/how-to-install-the-powershell-active-directory-module/

    Having this executed by an SSIS package is a waste of time - all the work can easily be done in a single PowerShell script.

  • The .NET directory searcher and PoSh is the way to go. The AD cmdlets and the QAD cmdlets (Quest AD, or One Identity now, as mentioned in one of the links) are simple to use and nice for a small number of items; when you get into the > 500 groups, not so much.

    I found the best way for me was to search the groups, break out the members, write that to a .txt, then do a bulk import from a job on SQL Server (I have multiple SQL Servers importing the file). It is possible to write the results directly from PoSh using a Bulk Import as well.

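The approach the last two posts describe (a read-only .NET DirectorySearcher query from PowerShell, pushed into SQL Server with a bulk load instead of a file and an SSIS package), as an added example that is not code from the thread or from any of the posters. Assumptions: a staging table dbo.AdUserGroup(UserName, GroupName) already exists, the server and database names are placeholders, and the account running the script (e.g. the SQL Agent service account or a gMSA) only needs read access to AD plus INSERT on that table; nothing in AD is modified.

```powershell
# Added example: one row per (user, group) pair, read from AD with a paged
# DirectorySearcher and loaded with SqlBulkCopy. Runs on any domain-joined
# host; no domain admin rights and no DC involvement are required.
param(
    [string]$SqlServer = 'SQL01',      # assumed server name (placeholder)
    [string]$Database  = 'Security'    # assumed database name (placeholder)
)
Add-Type -AssemblyName System.DirectoryServices

function Get-AdUserGroupRows {
    # Builds a DataTable of UserName/GroupName from each user's memberOf.
    $table = New-Object System.Data.DataTable
    [void]$table.Columns.Add('UserName',  [string])
    [void]$table.Columns.Add('GroupName', [string])

    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]'')
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000   # paged search; without it the DC caps the result at 1000
    [void]$searcher.PropertiesToLoad.AddRange(@('sAMAccountName', 'memberOf'))

    foreach ($result in $searcher.FindAll()) {
        $user = [string]$result.Properties['samaccountname'][0]
        # memberOf holds group DNs; the first RDN (CN=...) is the group name.
        # Caveat: the primary group (usually Domain Users) is not in memberOf.
        foreach ($dn in $result.Properties['memberof']) {
            if ($dn -match '^CN=((?:\\.|[^,])+),') {
                $group = $Matches[1] -replace '\\(.)', '$1'   # unescape \, \= etc.
                [void]$table.Rows.Add($user, $group)
            }
        }
    }
    return ,$table
}

function Write-RowsToSql {
    param([System.Data.DataTable]$Rows)
    $connStr = "Server=$SqlServer;Database=$Database;Integrated Security=True"
    $bulk = New-Object System.Data.SqlClient.SqlBulkCopy($connStr)
    $bulk.DestinationTableName = 'dbo.AdUserGroup'
    $bulk.BulkCopyTimeout = 300
    [void]$bulk.ColumnMappings.Add('UserName',  'UserName')
    [void]$bulk.ColumnMappings.Add('GroupName', 'GroupName')
    $bulk.WriteToServer($Rows)   # one bulk load instead of row-by-row inserts
    $bulk.Close()
    return $Rows.Rows.Count
}

$rows  = Get-AdUserGroupRows
$count = Write-RowsToSql -Rows $rows
Write-Host "Loaded $count user/group rows into dbo.AdUserGroup"
```

For a daily refresh, schedule this as a SQL Agent PowerShell job step and truncate or swap the staging table before the load.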
