Stupid AD tricks
One classic problem I’ve seen with using AD as a generic account repository is that you can run up against the LDAP page size limit pretty quickly if you need to do any kind of data extraction or reporting. I have one directory instance that contains a number of user accounts including email addresses. Many of the accounts share email addresses, and we needed a method to quickly extract all of the unique email addresses from the directory.
The usual approach is to use PowerShell with the DirectoryServices objects or WMI, but right away I started hitting the default 1000-entry limit when issuing requests for (mail=*). To make things worse, that part of the directory is a flat structure, so I can’t even split the query across subordinate OUs. I could of course write a loop that requests user accounts by letter prefix, but that seemed like overkill, and it still wouldn’t protect me from the day that a single letter prefix goes over 1000 accounts.
But Active Directory comes with some very useful interrogation tools in the form of ldifde.exe and csvde.exe. Even better, PowerShell plays nicely with properly formatted CSV files, making it easy to extract a specific column.
So instead of a 30-line script with various loops and objects, I can accomplish the task with the following three lines:
# Export the DN and mail attribute of every object with a mail value under the given base DN
csvde -f mails.txt -d "OU=Users,OU=MyApp,OU=Applications,DC=mycompany,DC=net" -r "(mail=*)" -l mail
# Read the CSV back and keep only the distinct values of the mail column
$list = Import-Csv mails.txt
$list | ForEach-Object { $_.mail } | Select-Object -Unique
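One caveat with the pipeline above: Select-Object -Unique compares strings case-sensitively, so "Bob@mycompany.net" and "bob@mycompany.net" both survive it, and any blank mail values come through as empty rows. The following is an added example, not from the original post; the function name Get-UniqueMail and the sample CSV (constructed to match the DN-plus-attribute shape csvde writes) are mine.

```powershell
# Added example: case-insensitive de-duplication of the mail column of a csvde export.
# Sort-Object -Unique compares case-insensitively, unlike Select-Object -Unique.
function Get-UniqueMail {
    param([Parameter(Mandatory)][string]$Path)   # path to the file written by csvde -f
    Import-Csv -Path $Path |
        ForEach-Object { $_.mail } |
        Where-Object { -not [string]::IsNullOrWhiteSpace($_) } |   # drop empty cells
        ForEach-Object { $_.Trim().ToLowerInvariant() } |           # normalise case/space
        Sort-Object -Unique
}

# Constructed sample (hypothetical accounts) in the layout csvde produces:
# a DN column followed by one column per attribute requested with -l.
$sample = @'
DN,mail
"CN=alice,OU=Users,OU=MyApp,OU=Applications,DC=mycompany,DC=net",alice@mycompany.net
"CN=bob,OU=Users,OU=MyApp,OU=Applications,DC=mycompany,DC=net",Bob@mycompany.net
"CN=bob2,OU=Users,OU=MyApp,OU=Applications,DC=mycompany,DC=net",bob@mycompany.net
"CN=svc,OU=Users,OU=MyApp,OU=Applications,DC=mycompany,DC=net",
'@
$tmp = Join-Path $env:TEMP 'mails-sample.txt'
Set-Content -Path $tmp -Value $sample -Encoding UTF8
Get-UniqueMail -Path $tmp
Remove-Item $tmp
```

Point -Path at the real mails.txt from the csvde command instead of the constructed sample to run it against the directory export; the export file itself holds every address in scope, so treat it like any other extract of personal data.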
It’s also worth noting that csvde and ldifde play nicely with AD LDS, the stripped-down LDAP server at the core of Active Directory, without bogging you down with all of the constraints and overhead associated with managing a network of Windows computers.