我试图让所有的用户记录及其关联组的转储用户ID重新验证工作。我的保安人员希望它以CSV格式。

I'm trying to get a dump of all user records and their associated groups for a user ID revalidation effort. My security officer wants it in CSV format.

这个伟大的工程：

Get-ADUser -Filter * -Properties * | Select-Object -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled,Organization | Sort-Object -Property Name | ConvertTo-CSV

然而，这不包括用户是其成员的组

However, that does not include the groups the user is a member of.

在这样的尝试都失败了：

Attempts at something like this have failed:

Get-ADUser -Filter * -Properties * | Select-Object -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled,Organization, @{$_.MemberOf |Get-Group|ForEach-Object {$_.Name}} | Sort-Object -Property Name | ConvertTo-CSV

这也失败了：

Get-ADUser -Filter * -Properties * | Sort-Object -Property Name | ForEach-Object {
    $_ | Format-List -Property Name,SamAccountName,Description,EmailAddress,LastLogonDate,Manager,Title,Department,whenCreated,Enabled
    $_.MemberOf | Get-ADGroup | ForEach-Object {$_.Name} | Sort-Object
}  | ConvertTo-CSV

我可能失去了一些东西简单。 任何帮助将大大AP preciated。 谢谢！

I'm probably missing something simple. Any help would be greatly appreciated. Thanks!

推荐答案

从Windows Server操作系统执行下面的命令对整个活动主任的转储：

From a Windows Server OS execute the following command for a dump of the entire Active Director:

csvde -f test.csv

这个命令非常广泛，会给你超过必要的信息。要限制记录仅用户记录，你会反而想：

This command is very broad and will give you more than necessary information. To constrain the records to only user records, you would instead want:

csvde -f test.csv -r objectClass=user 

您可以进一步限制命令给你，你需要相关的搜索请求的唯一领域，如：

You can further restrict the command to give you only the fields you need relevant to the search requested such as:

csvde -f test.csv -r objectClass=user -l DN, sAMAccountName, department, memberOf

如果您有一个Exchange服务器和一个活生生的人相关联的每个用户都有一个邮箱（而不是一般的占亭/实验室工作站）可以代替sAMAccountName赋中使用的mailNickname。

If you have an Exchange server and each user associated with a live person has a mailbox (as opposed to generic accounts for kiosk / lab workstations) you can use mailNickname in place of sAMAccountName.