In the past couple of months I’ve been working a lot with Active Directory and its RFC2307 schema extension. For testing purposes I had to back up and restore my user and computer objects a lot. So after building a PowerShell script to fill the RFC2307 attributes I decided to build a second script that would allow me to quickly back up, remove and restore user and computer objects in a single organizational unit (OU).

The script is fairly simple and it’ll save you a lot of typing. In essence it allows you to quickly back up your user and computer objects with the ldifde command. The exported user and computer objects are stripped of all non-essential attributes, and the password is not exported either. When running this script, use an account with the appropriate rights.

Once you have a backup you can easily restore it. All users will lose their password and the accounts will, by default, be disabled. Before restoring the backup you’ll have the option to delete the existing users in the selected OU.

Before the script works you’ll need to configure four settings; you can find them by opening the file in your favorite text editor.

The first setting is the $dcHostname variable. This needs to be set to the FQDN of the Domain Controller on which you want the script to execute.

The second setting is the $ouDistinguishedName variable. This setting needs to contain the DN of the organizational unit in which you want to backup and restore your users and computers.

The third and fourth variables contain the filenames that will be used for backing up and restoring your users.

Example:

# Configure these variables, this is mandatory!
$dcHostname = "dc-01.contoso.com"
$ouDistinguishedName = "ou=Test OU,dc=contoso,dc=com"
$exportFile = "usersFile.ldf"
$importFile = "usersFile.ldf"

Before using this script, make sure you understand the following:

- This will work only after you’ve configured the variables
- This will work only when you’re running it with the appropriate rights
- This script will only back up, remove and restore users in a specific OU
- The backup will not contain the users’ password or non-essential attributes
- After restoring you’ll need to re-enable all user and computer objects
- Please, for the love of everything holy, don’t use it in your production environment

Using the script is very simple:

.\refresh_users.ps1 -mode export | remove | import

The mode parameter accepts export, remove or import. The different modes do what you would expect: export exports all of the users in the configured OU, remove removes all of the users in the configured OU and import restores all of the users in the configured OU. There are two versions of the script: refresh_users.ps1 and refresh_computers.ps1.
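Because remove deletes every user under the OU, it is worth checking first that the LDIF export actually contains the objects you are about to delete, that all of them sit under the configured OU, and that nothing live in the OU was skipped by the export filter (users without a givenName, for instance). The following pre-flight check is an added example, not part of the original script; it assumes the same $dcHostname, $ouDistinguishedName and $exportFile variables and an export produced by the ldifde command used by refresh_users.ps1.

```powershell
# Pre-flight check before ".\refresh_users.ps1 -mode remove" (added example,
# not part of the original script). Assumes the script's configuration variables.
Import-Module ActiveDirectory
$dcHostname = "dc-01.contoso.com"
$ouDistinguishedName = "ou=Test Users,dc=contoso,dc=com"
$exportFile = "usersFile.ldf"

function Get-LdifDistinguishedNames {
    param([string]$Path)
    # Unfold LDIF continuation lines (a leading space continues the previous line),
    # then collect "dn:" values; "dn::" marks a base64-encoded (non-ASCII) DN.
    $unfolded = @()
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^ ' -and $unfolded.Count -gt 0) {
            $unfolded[-1] += $line.Substring(1)
        } else {
            $unfolded += $line
        }
    }
    $dns = @()
    foreach ($line in $unfolded) {
        if ($line -match '^dn::\s*(.+)$') {
            $dns += [Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($Matches[1]))
        } elseif ($line -match '^dn:\s*(.+)$') {
            $dns += $Matches[1]
        }
    }
    return $dns
}

if (-not (Test-Path $exportFile)) { throw "No export at $exportFile; run -mode export first." }

$exported = @(Get-LdifDistinguishedNames -Path $exportFile)
# Every exported DN must end with the configured OU, otherwise the wrong file is in use.
$outside = $exported | Where-Object { $_ -notlike "*,$ouDistinguishedName" }
if ($outside) { throw "Export contains objects outside the configured OU: $($outside -join '; ')" }

# Users present in the OU but absent from the export would be lost by "-mode remove".
$live = @(Get-ADUser -Server $dcHostname -SearchBase $ouDistinguishedName -Filter * |
          Select-Object -ExpandProperty DistinguishedName)
$missing = $live | Where-Object { $exported -notcontains $_ }
if ($missing) { Write-Warning "Live users NOT in the export: $($missing -join '; ')" }
Write-Host ("Export: {0} object(s), live in OU: {1}" -f $exported.Count, $live.Count)

# Dry run: show exactly what "-mode remove" would delete, without deleting anything.
Get-ADUser -Server $dcHostname -SearchBase $ouDistinguishedName -Filter * | Remove-ADUser -WhatIf
```

Only proceed with the real remove once the dry run lists the objects you expect and no warning about missing users was printed.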

refresh_users.ps1

param(
    [string]$mode = "default"
)

# Clear screen and load Active Directory module
Clear-Host
Import-Module ActiveDirectory

# Configure these variables first, it won't work without them!
$dcHostname = "dc-01.contoso.com"
$ouDistinguishedName = "ou=Test Users,dc=contoso,dc=com"
$exportFile = "usersFile.ldf"
$importFile = "usersFile.ldf"

# What to do when the script parameter is "script.ps1 -mode export"
if ($mode -eq "export") {
    Write-Host " "
    Write-Host "Exporting users to" $exportFile "..."
    # -s targets the configured DC, -d/-p scope the search to the OU subtree,
    # -r selects user objects, -l limits the export to the essential attributes
    ldifde -f $exportFile -s $dcHostname -d $ouDistinguishedName -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
    Write-Host " "
}
# What to do when the script parameter is "script.ps1 -mode remove"
elseif ($mode -eq "remove") {
    Write-Host " "
    Write-Host "Removing users..."
    # Query and delete against the configured DC so every mode talks to the same server
    Get-ADUser -Server $dcHostname -SearchBase $ouDistinguishedName -Filter * | Remove-ADUser -Server $dcHostname
    Write-Host " "
}
# What to do when the script parameter is "script.ps1 -mode import"
elseif ($mode -eq "import") {
    Write-Host " "
    Write-Host "Importing users from" $importFile "..."
    ldifde -i -f $importFile -s $dcHostname
    Write-Host " "
}
else {
    Write-Host "Usage: .\refresh_users.ps1 -mode export | remove | import"
}

refresh_computers.ps1

param(
    [string]$mode = "default"
)

# Clear screen and load Active Directory module
Clear-Host
Import-Module ActiveDirectory

# Configure these variables, this is mandatory!
$dcHostname = "dc-01.contoso.com"
$ouDistinguishedName = "ou=Test Computers,dc=contoso,dc=com"
$exportFile = "computersFile.ldf"
$importFile = "computersFile.ldf"

# What to do when the script parameter is "script.ps1 -mode export"
if ($mode -eq "export") {
    Write-Host " "
    Write-Host "Exporting computers to" $exportFile "..."
    # -s targets the configured DC, -d/-p scope the search to the OU subtree,
    # -r selects computer objects, -l limits the export to the essential attributes
    ldifde -f $exportFile -s $dcHostname -d $ouDistinguishedName -p subtree -r "(&(objectCategory=computer)(objectClass=Computer))" -l "cn,objectclass,samAccountName"
    Write-Host " "
}
# What to do when the script parameter is "script.ps1 -mode remove"
elseif ($mode -eq "remove") {
    Write-Host " "
    Write-Host "Removing computers..."
    # Query and delete against the configured DC so every mode talks to the same server
    Get-ADComputer -Server $dcHostname -SearchBase $ouDistinguishedName -Filter * | Remove-ADComputer -Server $dcHostname
    Write-Host " "
}
# What to do when the script parameter is "script.ps1 -mode import"
elseif ($mode -eq "import") {
    Write-Host " "
    Write-Host "Importing computers from" $importFile "..."
    ldifde -i -f $importFile -s $dcHostname
    Write-Host " "
}
else {
    Write-Host "Usage: .\refresh_computers.ps1 -mode export | remove | import"
}