My initial thoughts on this are this:
1) you could do that with a script pretty easily, but that
method would be terribly inefficient and cause a lot of traffic (if I understand
what you want to do correctly.)
2) a db would be a better suited tool for this task.
Something like access or SQL would be able to find dups based on whatever field
you choose. You would just need to populate the db appropriately.
Access even has the query built in. The advantage here is that you iterate all
objects in the forest only once, vs. finding the objects one at a time. In
your pseudo, you have it as "output all samaccountname, sn, and givenname(s) to
a file. Iterate through the file searching on each one for all occurrences
and return those to a file". With that, you'd have a LOT of little files
all over the place. With a DB, you could have the data local and hack and
splice until you find the dups pretty easily.
I think changing to csvde vs. ldifde would be easier to
import into a db. It is for me.
My $0.02 (USD) anyway.
Al
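The approach suggested in the message above (export every object once with csvde, load the rows into a database, query for duplicates by field), sketched as an added example that is not part of any message in this thread. The sample rows are constructed, the csvde command in the comment is an assumed export that reuses the switches from the ldifde example quoted below, and the table and function names are hypothetical.

```python
import csv
import io
import sqlite3

# Constructed sample in the layout csvde writes: header row, DN first.
# Assumed export command (same switches as the ldifde example in the thread):
#   csvde -f users.csv -t 3268 -d "dc=forest,dc=corp"
#         -r "(objectCategory=person)" -l "sAMAccountName,sn,givenName"
SAMPLE_CSV = '''DN,sAMAccountName,sn,givenName
"CN=Foo Bar,OU=Staff,DC=emea,DC=forest,DC=corp",fbar,Bar,Foo
"CN=Bar\\, Foo,OU=Users,DC=apac,DC=forest,DC=corp",FBar,Bar,Foo
"CN=Ann Lee,OU=Staff,DC=emea,DC=forest,DC=corp",alee,Lee,Ann
"CN=Foo Bar (contact),OU=Ext,DC=emea,DC=forest,DC=corp",,bar,foo
'''

COLUMNS = {"sAMAccountName": "sam", "sn": "sn", "givenName": "given"}


def load_export(csv_text):
    """Load a csvde-style export into an in-memory SQLite table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (dn TEXT, sam TEXT, sn TEXT, given TEXT)")
    rows = csv.DictReader(io.StringIO(csv_text))
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?, ?)",
        ((r["DN"], r["sAMAccountName"], r["sn"], r["givenName"]) for r in rows),
    )
    return db


def duplicates(db, *attributes):
    """Map each value shared by 2+ objects to the sorted DNs that hold it."""
    cols = [COLUMNS[a] for a in attributes]  # allowlist: KeyError on anything else
    # lower() because the directory matches these attributes case-insensitively
    # (SQLite folds ASCII only); empty values, e.g. contacts, never count.
    key = ", ".join(f"lower({c})" for c in cols)
    present = " AND ".join(f"{c} <> ''" for c in cols)
    sql = (f"SELECT {key}, group_concat(dn, char(10)) FROM users "
           f"WHERE {present} GROUP BY {key} HAVING count(*) > 1")
    return {tuple(k): sorted(dns.split("\n")) for *k, dns in db.execute(sql)}


if __name__ == "__main__":
    db = load_export(SAMPLE_CSV)
    for attrs in (("sAMAccountName",), ("sn", "givenName")):
        for value, dns in duplicates(db, *attrs).items():
            print(attrs, value, dns)
```

The forest is read once by the export; every later duplicate check, on whatever attribute combination, runs against the local table.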
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of "Sanz de León, Juan Carlos"
Sent: Thursday, June 03, 2004 3:22 PM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] In search for duplicate accounts
Wow!!
Thanks very much for your help Brent. After your response, some comments
that come to mind... maybe you or other LDIFDE experts out there could give me
some experiences..
How could I have LDIFDE OUTPUT the (for example,
sAMAccountName,givenName) and then use it as INPUT into the search you
commented below in another LDIFDE command. In the form of a LOOP.
such that the process would be as follows:
a) Output the sAMAccountName, Surname, givenName to console
or text file.. -->
b) and next have LDIFDE input that information and search
the GC(3268) for a duplicate in a loop until all users in the forest have been
processed.
This would run in a "for loop" until all users in the forest have been completed....(
the results would then go to a text file).
I know how to export attribute information from Active Directory using LDIFDE (part
a)... what I don't know is how to make it read it in a LOOP until EOF and have
it as INPUT into another LDIFDE search.
Or something like that...
Any ideas from anyone out there would be greatly appreciated.
Juan Carlos
-----Original Message-----
From: Brent Westmoreland [mailto:[EMAIL PROTECTED]
Sent: Thursday, June 03, 2004 17:31
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] In search for duplicate accounts
You will need to know what values you are trying to find. For example, people with duplicate surnames and givenNames or duplicate sAMAccountNames in a forest can be determined by using ldifde. The syntax can be a little tricky to the uninitiated but it is similar to ldapsearch in the unix world. For example, if you know the name of the user Foo Bar with givenName Foo and surname Bar and you wanted to search the forest for all users with that surname and givenName combination and have the output directed to your console window, then you would issue the command:
Ldifde -f con -r "(&(objectCategory=person)(surname=Bar)(givenName=Foo))" -t 3268 -d "dc=forest,dc=corp" -l "surname, givenName"
Let's step through the syntax
Ldifde = c:\windows\system32\ldifde.exe if this executable isn't on your workstation, you should be able to get it off of your win2k DC.
-f con = the -f switch specifies the output file of the command and con is console. So in essence you will be issuing the ldifde command and directing the output back to your cmd window. You could also specify a filename if you wanted to dump it into a text file.
-r = The -r switch indicates the search filter, here you specify the key=value pairs to search for in the directory. You can & the values; meaning that you can search for (key=value) and (differentkey=differentvalue). You can | the values meaning you can search for (key=value) or (differentkey=differentValue). You can also ! the values meaning that you search for (key=value) but not (differentKey=differentValue). Search filtering is an art as much as a science and several on this list can provide a great deal of input on using efficient filters if you are looking to retrieve specific entries.
-t = 3268 specifies the port number to contact, because you want to specify all users in the forest it is best to contact your global catalog.
-d = The searchbase, again if you want to search for all users in the forest you will need to specify the root DC entry of the forest.
-l = the -l switch limits the output returned, without limiting the output of each entry you might return a lot of information that would be useless. For example if you are looking for duplicate surname and givenName combinations, then you probably wouldn't want to return the exchangeMTA.
You can get more help by typing ldifde /?
I use it quite often to track down duplicates with great success... Hope it works for you.
Brent
From: "Sanz de León, Juan Carlos" <[EMAIL PROTECTED]>
Reply-To: <[EMAIL PROTECTED]>
Date: Thu, 3 Jun 2004 16:50:17 +0200
To: "'[EMAIL PROTECTED]'" <[EMAIL PROTECTED]>
Subject: [ActiveDir] In search for duplicate accounts
Greetings gurus,
Does anyone know of a tool or script that will search the FOREST for duplicate W2k ACCOUNTS ? We have a forest with about 45 W2K domains... And duplicates are becoming a problem.
Has anyone ever tried to search for duplicates at the forest Level rather than domain level?
Any tricks to what I want to accomplish?
Thanks in advance,
JCS
