To use this procedure, you'll need access to the Directory Service command line tools (these come installed automatically with Windows Server 2003) and Microsoft Log Parser. With these two tools in hand, let's proceed.
First, we'll need to obtain a list of all the CNs in Active Directory for every user and/or every contact, regardless of their container. It may be possible to do this with Log Parser (using the ADS input format), but I couldn't figure out how. Instead, I turned to the Directory Service command line tool dsquery. Here's the command to use:
dsquery * "dc=example,dc=com" -scope subtree -filter "(|(objectCategory=user)(objectCategory=contact))" -attr cn -limit 0 > output-file.txt
This creates a file ("output-file.txt") with a list of the CNs for every user object and contact in your Active Directory domain (obviously, you'll need to substitute the correct values in the query statement above, unless your domain is called example.com).
We then use Log Parser to list only those CNs that occur more than once in this file. This will identify those objects that have the same name in the domain:
logparser -i:TEXTLINE -stats:off -o:NAT -rtp:-1 "SELECT Text AS objName, COUNT(*) FROM output-file.txt GROUP BY Text HAVING COUNT(*) > 1" > duplicates.txt
This produces a text file that lists each CN which is found more than once in the input file, along with a count of how many times it was found. Use this file to go to Active Directory Users and Computers, find the duplicate objects, and rename them as needed. You can then repeat the process until you don't find any more duplicate names.
While this may seem like overkill for smaller Active Directory installations, this is certainly very applicable in larger organizations, particularly those with decentralized IT operations. Think about it: would you want to manually search through 15,000 objects to find the duplicates?
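The same duplicate check as an added Python example (not code from the original post): it reads a file of quoted distinguished names, one per line, as dsquery prints when distinguishedName is the output attribute, groups them by CN, and keeps each match's parent container so the objects are easy to locate. The sample lines, the function names and the case-insensitive comparison are assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample of exported distinguished names (not real directory data).
SAMPLE = r'''
"CN=John Smith,OU=Sales,DC=example,DC=com"
"CN=john smith,OU=Contacts,DC=example,DC=com"
"CN=Smith\, Jane,OU=Sales,DC=example,DC=com"
"CN=Smith\, Jane,OU=Marketing,DC=example,DC=com"
"CN=Smith,OU=IT,DC=example,DC=com"
"CN=Mary Jones,CN=Users,DC=example,DC=com"
'''

def split_first_rdn(dn):
    """Split a DN at its first unescaped comma: (first RDN, parent DN)."""
    i = 0
    while i < len(dn):
        if dn[i] == '\\':
            i += 2          # skip the backslash and the character it escapes
            continue
        if dn[i] == ',':
            return dn[:i], dn[i + 1:]
        i += 1
    return dn, ''

def find_duplicates(lines):
    """Map each CN seen more than once (case-folded) to its parent containers."""
    groups = defaultdict(list)
    for line in lines:
        dn = line.strip().strip('"')
        rdn, parent = split_first_rdn(dn)
        attr, _, value = rdn.partition('=')
        if attr.strip().upper() != 'CN':
            continue        # blank lines, headers, objects not named by CN
        # Drop single-character escapes such as "\," (hex escapes are left as-is).
        name = re.sub(r'\\(.)', r'\1', value).strip()
        groups[name.casefold()].append(parent)
    return {cn: parents for cn, parents in groups.items() if len(parents) > 1}

if __name__ == '__main__':
    for cn, parents in find_duplicates(SAMPLE.splitlines()).items():
        print(f'{cn}: {len(parents)} objects')
        for parent in parents:
            print(f'    {parent}')
```

To run it against a real export, pass the lines of the export file to find_duplicates() in place of SAMPLE.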


2 comments
Friday, August 25, 2006 at 10:48 am
Jerome Gicquel
Thanks for this article!
Thanks to you, I discovered the wonderful tool that is LogParser.
Now playing a bit around with those tools, you can get even more interesting information than what is just written here.
For example this is what I did:
1. Use CSVDE, instead of dsquery, to select and export more than one field from the AD
csvde -d "DC=example,DC=com" -r "(|(objectCategory=user)(objectCategory=contact))" -l cn,sn,givenName,showInAddressBook,proxyAddresses -f exp_example1.txt
=> In that example I only took the objects of type user and contact, plus I filter the attributes to be exported.
2. Use LogParser to give you "The combination surname + name which are at least doubled in your AD", i.e. the users/contacts which have the same name.
LogParser -i:CSV -o:CSV "SELECT sn, givenName, COUNT(*) INTO duplicate_cn.txt FROM exp_example1.txt WHERE showInAddressBook is not null AND distinguishedName NOT LIKE '%OU=Marketing,DC=example,DC=com' GROUP BY sn,givenName HAVING COUNT(*) > 1"
=> Here I am filtering out the objects which have the option "Hide from Exchange Address list", as well as those which are contained in the OU "Marketing".
=> The result goes into the file "duplicate_cn.txt" with the number of occurrences. Please pay attention that this is not necessarily wrong to have some, as you may have in a big organisation people with exactly the same name.
Cheers,
Jerome
Friday, August 25, 2006 at 9:35 pm
slowe
Jerome,
Log Parser is a wonderful tool. Every time I use it, I find new ways to use it. Enjoy!