Help needed in getting all AD users and groups

  • Mysterio

    SSC Enthusiast

    Points: 197

    I have very limited knowledge with server management. I need to extract AD users and groups. Specifically, all AD users and groups.

    Questions I have:

    1. If this is going to be done through PowerShell, does the script need to run on the DC server?

      What privileges do I need to run the script? How will the script be scheduled/executed? Do I need to create a service account/managed account to run the script?

    2. What is the best way to do this; best means the most efficient, and also easiest to maintain/create. I need to get a daily list.

    Note: all servers are on-premise, no cloud/azure solutions. All run Windows Server of some 2008+ version

    What I've done: I had a good look at this example, but it seems more advanced than it needs to be.

     

  • Phil Parkin

    SSC Guru

    Points: 244662

    Please note that this is a SQL Server forum. If your question relates to SQL Server, please make the connection clear and we will try to help.

    If the answer to your question can be found with a brief Google search, please perform the search yourself, rather than expecting one of the SSC members to do it for you.
    See https://www.sqlservercentral.com/articles/forum-etiquette-how-to-post-datacode-on-a-forum-to-get-the-best-help/ for details of how to post T-SQL code-related questions.

  • Mysterio

    SSC Enthusiast

    Points: 197

    Sorry Phil for the lack of connection. I am creating a table in SQL Server that needs to have AD users and their groups. The job is supposed to be run by an SSIS package. The expected frequency is once a day for the update. I am not sure if PowerShell is the best option, but the example I included (from this forum) used .NET.

     

    I also explored an SP that does the same thing, but honestly there were a lot of concerns over it (because MS has deprecated its support and I am not sure what privileges are needed to run it).

  • Phil Parkin

    SSC Guru

    Points: 244662

    Does this help?

    PoSh is a good option, IMO.


  • Mysterio

    SSC Enthusiast

    Points: 197

    Do you happen to know if I need to be an admin to run this? And also, do I need to be an admin on the AD? Does it need to run on DC?

    Thank you

  • palandri

    Old Hand

    Points: 319

    I have found the Scripting Guy helpful over the years.  Check out some of the links on the third paragraph on this page:

    https://devblogs.microsoft.com/scripting/hey-scripting-guy-how-can-i-search-active-directory-and-produce-a-report/

  • frederico_fonseca

    SSChampion

    Points: 14708

    You don't need to be an admin to get AD information out, although your AD admins may have locked it down so normal users are unable to "read" AD. If that is the case, they can as easily give the user you have your SQL Agent running under (hopefully an MSA/GMSA by now) the required privileges to read AD.

    You do not need to run it on AD, but you need to install the Active Directory cmdlets on the server where you execute the extract - see https://4sysops.com/wiki/how-to-install-the-powershell-active-directory-module/

    Having this executed by an SSIS package is a waste of time - all work can easily be done in a single PowerShell script.

  • schleep

    SSChampion

    Points: 12551

    The .Net directory searcher and PoSh is the way to go. The AD cmdlets and the QAD cmdlets (Quest AD - or OneIdentity now, as mentioned in one of the links) are simple to use and nice for a small number of items; when you get into the > 500 groups, not so much.

    I found the best way for me was to search the groups, break out the members, writing that to a .txt, then do a bulk import from a job on SQL Server (I have multiple SQL Servers importing the file). It is possible to write the results directly from PoSh using a Bulk Import as well.
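
One way to implement the approach described in the last two posts, as an added example that is not code from any poster in this thread: a .NET DirectorySearcher script that writes one group/member row per line to a text file for a later bulk import. It assumes a domain-joined host and an account with ordinary read access to AD; the output path, function names and column layout are hypothetical.

```powershell
# Added example: direct group membership -> tab-delimited file for a bulk import.
# Assumes a domain-joined host and an account with ordinary read access to AD.
param([string]$OutFile = "$env:TEMP\ad_group_members.txt")  # hypothetical path

Add-Type -AssemblyName System.DirectoryServices

function ConvertTo-LdapFilterValue([string]$Value) {
    # Escape LDAP filter metacharacters (RFC 4515); backslash must be handled first.
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function New-PagedSearcher([string]$Filter, [string[]]$Properties) {
    # With no explicit search root, the searcher binds to the current user's domain.
    $s = New-Object System.DirectoryServices.DirectorySearcher
    $s.Filter   = $Filter
    $s.PageSize = 1000   # paged search, so results are not cut off at the server limit
    $s.PropertiesToLoad.AddRange($Properties)
    $s
}

$groups = New-PagedSearcher '(objectCategory=group)' @('sAMAccountName', 'distinguishedName')
# UTF-16 output so non-ASCII account names survive the import.
$writer = New-Object System.IO.StreamWriter($OutFile, $false, [System.Text.Encoding]::Unicode)
try {
    $groupResults = $groups.FindAll()
    foreach ($g in $groupResults) {
        $groupName = [string]$g.Properties['samaccountname'][0]
        $groupDn   = [string]$g.Properties['distinguishedname'][0]

        # Query users by memberOf instead of reading the group's 'member' attribute,
        # which the server returns in ranges for large groups.
        $filter  = '(&(objectCategory=person)(objectClass=user)(memberOf={0}))' -f (ConvertTo-LdapFilterValue $groupDn)
        $members = New-PagedSearcher $filter @('sAMAccountName')
        $memberResults = $members.FindAll()
        foreach ($m in $memberResults) {
            $line = "{0}`t{1}" -f $groupName, [string]$m.Properties['samaccountname'][0]
            $writer.WriteLine($line)
        }
        $memberResults.Dispose()
        $members.Dispose()
    }
    $groupResults.Dispose()
}
finally {
    $writer.Dispose()
    $groups.Dispose()
}
```

The file lists direct members only: nested groups are not expanded, and a user's primary group (typically Domain Users) does not appear because it is not stored in memberOf.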

     
