for Windows 2003 Domain Controllers

This batch file exports organizational units, user accounts, computer accounts, security groups, group membership, etc. to text files, so that they can be used to recreate the same configuration on another domain controller in a different domain. This can be used in a migration or disaster recovery scenario. Refer to system administration scripts for background.

The commands used in this script are available from Windows 2003 Server onward. On Windows 2000 domain controllers, you will have to resort to ADSI scripts to do the same.

		REM Koen Noens
		REM june 2003
		REM script to enumerate an active directory on Windows 2003

		@echo OFF

		REM Create directory for output (skipped if it already exists)
		IF NOT EXIST adconf MD adconf

		REM dsquery returns at most 100 objects by default; -limit 0 removes that cap

		REM list Organizational Units by distinguished name
		dsquery ou -limit 0 > .\adconf\ou.txt

		REM list Computer accounts
		dsquery computer -limit 0 | dsget computer -dn -SAMid -desc > .\adconf\computers.txt

		REM list Groups (the dsquery object type is "group", not "groups")
		dsquery group -limit 0 | dsget group -dn -SAMid -scope > .\adconf\groups.txt

		REM list Users
		dsquery user -limit 0 | dsget user -dn -SAMid > .\adconf\users.txt

		REM enumerate users and their group membership (WARNING : see comments)
		dsquery user -limit 0 | dsget user -dn -memberof > .\adconf\users_groups.txt


Users and Group membership

Enumerating users and their group membership may be more complicated than shown here. The statement used here works fine to create an input file if a user is a member of one and only one group. This is something we tried to achieve in the Active Directory Design, but if the business logic requires that we make users members of more than one group, we may have to approach this differently (see getGroupMembership).
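
One way to handle users with several group memberships, as an added example that is not part of the original script and is not the getGroupMembership script referred to above: query each user separately and write one user/group pair per line, so that every membership stays attached to its user. The output file name `users_groups_pairs.txt` and the `;` separator are assumptions.

```batch
@echo off
REM Added example: write one "userDN";"groupDN" line per group membership.
setlocal

if not exist adconf md adconf

REM Assumed output file name, placed next to the other export files
set "OUT=.\adconf\users_groups_pairs.txt"
if exist "%OUT%" del "%OUT%"

REM Outer loop: every user DN in the domain (-limit 0 lifts the default cap of 100).
REM dsquery prints each DN in double quotes; %%~U strips them so they can be re-added safely.
for /f "delims=" %%U in ('dsquery user -limit 0') do (

    REM Inner loop: the groups this one user is a direct member of.
    REM findstr keeps only lines that look like a DN and drops any status text.
    for /f "delims=" %%G in ('dsget user "%%~U" -memberof ^| findstr /i "DC="') do (
        >>"%OUT%" echo "%%~U";"%%~G"
    )
)

endlocal
```

Both DNs are written in quotes because a distinguished name can itself contain commas and other separator characters. The resulting file lists domain accounts and their group memberships, so store it with the same access restrictions as the other export files.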

Koen Noens
june 7, 2005