All attributes for a given user can be given by querying the user for the attribute allowedAttributes. If you want to know what attributes you can manipulate you can query for allowedAttributesEffective. There are also some ADSI functions around that too to get the generic attribute set but note that it will not reflect the attributes on a specific user due to dynamic auxiliary classes that may be attached to the individual user object. For instance, say I have an app called joeware-something and I have a dynamic aux class called joewareSomethingClass1 with attributes joewareSomethingAtt1 and joewareSomethingAtt2 and I dynamically attach that aux class to user bob but not user steve. Getting the generic list of attributes will not show those additional attribs but querying the user bob for the attribute allowedAttributes will show them.

The difficult part about what you are asking for in terms of the info for the members is that groups store DNs only. So you will query for a group and return members and you will get DNs. You then have to go look up those DNs and get the additional attributes. The problem with CSVDE and LDIFDE is that you can't really do that directly, you could do it through a script that gets the results of the query for the DNs and then goes back and calls out an additional time for each member to get the additional attributes. This will work, it will be slow depending on how many members there are though with a lot of overhead spinning up the apps for every query. You could do this using dsquery and dsget piping as well as mentioned by Phil, again, lots of overhead for app instantiation. Consider if you have 100 members, that will be 1 query to get the group and the members, then another 100 queries to get the info for each member. This gets even more involved if you have group nesting or you want to get primary group membership as well.

Quite honestly, you can use just a raw LDAP app to easily get this kind of info, you need an app that is dedicated to getting this info OR a script with intelligence.

With K3 MSFT helped *a little* with something called attribute scoped queries. This will allow you to specify a group and tell the DC to get the additional info for the members. The issue here though is that it only works for members who have presence in the current "scope". It won't chase DNs to other DCs to get info on them so if you just do that without validating the return set you could be missing info. Good try but generally, it is too dangerous for many people to use unless they are really up on what can happen. I haven't seen many people using this and those that I have, a good percentage of them are not aware of the implications.

See the following example, three queries, one normal LDAP ASQ query that misses the Child1 group, one GC query that hits the group, and one phantom root query that hits the group. If I had been querying a DC that wasn't a GC, the last two would have failed as well.

    [Sun 01/14/2007 22:06:29.53]
    F:\Dev\CPP\AdMod>adfind -e -default -f name=administrators member

    AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

    Using server: 2k3dc02.joe.com:389
    Directory: Windows Server 2003
    Base DN: DC=joe,DC=com

    dn:CN=Administrators,CN=Builtin,DC=joe,DC=com
    >member: CN=newadmin,CN=Users,DC=joe,DC=com
    >member: CN=fastmofo,CN=Computers,DC=joe,DC=com
    >member: CN=Domain Admins,CN=Users,DC=child1,DC=joe,DC=com
    >member: CN=Domain Admins,CN=Users,DC=joe,DC=com
    >member: CN=Enterprise Admins,CN=Users,DC=joe,DC=com
    >member: CN=administrator,CN=Users,DC=joe,DC=com

    1 Objects returned

    [Mon 01/15/2007 1:08:56.90]
    F:\Dev\CPP\AdMod>adfind -e -b CN=Administrators,CN=Builtin,DC=joe,DC=com -f * -asq member name

    AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

    Using server: 2k3dc02.joe.com:389
    Directory: Windows Server 2003

    dn:CN=administrator,CN=Users,DC=joe,DC=com
    >name: administrator

    dn:CN=Enterprise Admins,CN=Users,DC=joe,DC=com
    >name: Enterprise Admins

    dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
    >name: Domain Admins

    dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
    >name: fastmofo

    dn:CN=newadmin,CN=Users,DC=joe,DC=com
    >name: newadmin

    5 Objects returned

    [Mon 01/15/2007 1:09:38.57]
    F:\Dev\CPP\AdMod>adfind -e -gc -b CN=Administrators,CN=Builtin,DC=joe,DC=com -f * -asq member name

    AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

    Using server: 2k3dc02.joe.com:3268
    Directory: Windows Server 2003

    dn:CN=administrator,CN=Users,DC=joe,DC=com
    >name: administrator

    dn:CN=Enterprise Admins,CN=Users,DC=joe,DC=com
    >name: Enterprise Admins

    dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
    >name: Domain Admins

    dn:CN=Domain Admins,CN=Users,DC=child1,DC=joe,DC=com
    >name: Domain Admins

    dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
    >name: fastmofo

    dn:CN=newadmin,CN=Users,DC=joe,DC=com
    >name: newadmin

    6 Objects returned

    [Mon 01/15/2007 1:09:48.78]
    F:\Dev\CPP\AdMod>adfind -e -pr -b CN=Administrators,CN=Builtin,DC=joe,DC=com -f * -asq member name

    AdFind V01.34.00cpp Joe Richards ([EMAIL PROTECTED]) November 2006

    Using server: 2k3dc02.joe.com:389
    Directory: Windows Server 2003

    dn:CN=administrator,CN=Users,DC=joe,DC=com
    >name: administrator

    dn:CN=Enterprise Admins,CN=Users,DC=joe,DC=com
    >name: Enterprise Admins

    dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
    >name: Domain Admins

    dn:CN=Domain Admins,CN=Users,DC=child1,DC=joe,DC=com
    >name: Domain Admins

    dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
    >name: fastmofo

    dn:CN=newadmin,CN=Users,DC=joe,DC=com
    >name: newadmin

    6 Objects returned

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

_____

From: [EMAIL PROTECTED] On Behalf Of Haritwal, Dhiraj
Sent: Wednesday, January 10, 2007 4:33 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Export Group's Members details

Hi,

How can I export the details of the members of a group like their firstname, lastname, display name, smtp address etc... I had tried with both csvde & ldifde but not able to get all the information.

Also is there any list which can show all the attributes of a user.

Dhiraj Haritwal
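
Added example (not part of the original thread, and not joeware code): one way to validate an ASQ return set as the reply advises, by parsing the two AdFind outputs shown in it and listing the members the ASQ query did not return, grouped by the domain that holds them. The function names are hypothetical, and the sample input is the post's own output with the banner lines trimmed.

```python
import re

# Sample input: AdFind output taken from the post (banner lines trimmed).
GROUP_OUT = """\
Using server: 2k3dc02.joe.com:389
dn:CN=Administrators,CN=Builtin,DC=joe,DC=com
>member: CN=newadmin,CN=Users,DC=joe,DC=com
>member: CN=fastmofo,CN=Computers,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=child1,DC=joe,DC=com
>member: CN=Domain Admins,CN=Users,DC=joe,DC=com
>member: CN=Enterprise Admins,CN=Users,DC=joe,DC=com
>member: CN=administrator,CN=Users,DC=joe,DC=com
"""
ASQ_OUT = """\
Using server: 2k3dc02.joe.com:389
dn:CN=administrator,CN=Users,DC=joe,DC=com
dn:CN=Enterprise Admins,CN=Users,DC=joe,DC=com
dn:CN=Domain Admins,CN=Users,DC=joe,DC=com
dn:CN=fastmofo,CN=Computers,DC=joe,DC=com
dn:CN=newadmin,CN=Users,DC=joe,DC=com
"""

def parse_adfind(text):
    """Parse 'dn:' / '>attr: value' lines into {dn: {attr: [values]}}."""
    objects, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("dn:"):
            current = objects.setdefault(line[3:].strip(), {})
        elif line.startswith(">") and current is not None:
            attr, _, value = line[1:].partition(":")
            current.setdefault(attr.strip(), []).append(value.strip())
    return objects

def norm(dn):
    # DNs compare case-insensitively; also ignore spacing around commas.
    return re.sub(r"\s*,\s*", ",", dn.strip()).lower()

def asq_missing(group_output, asq_output):
    """Member DNs listed on the group that the ASQ query did not return."""
    members = [m for o in parse_adfind(group_output).values() for m in o.get("member", [])]
    returned = {norm(dn) for dn in parse_adfind(asq_output)}
    return [m for m in members if norm(m) not in returned]

def missing_by_domain(group_output, asq_output):
    """Group the missing DNs by their DC= suffix, i.e. the domain to query next."""
    out = {}
    for dn in asq_missing(group_output, asq_output):
        domain = ",".join(p for p in norm(dn).split(",") if p.startswith("dc="))
        out.setdefault(domain, []).append(dn)
    return out
```

An empty result from `asq_missing` means every DN in `member` came back; anything else names the objects that still need a lookup against a GC or a DC of the listed domain.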