2

I have a really simple question. What is better to use: the AD Module (i.e. Get-ADComputer) or the DirectoryServices .NET class when trying to connect to AD and pull all computers, users, and groups from a domain? Or does it not matter at all?

The key factors I judge on for which method to use are:

  1. Which method's scripts will run faster?
  2. Which puts less load on the network / AD?
  3. What limitations may each method have?

I know that the AD Module is only installed by default on Win Server 2008 R2 and later, so that is obviously a downside, given that on an older server the module isn't installed by default. But in today's world that really shouldn't be much of a problem given there aren't a lot of environments with all servers older than 2008 R2.

All I am trying to do is extract to a .csv all User objects (and some important fields/attributes), all Computer objects, and all Group objects. So basically "searching" the AD objects and looping through each result row and then saving to a table to export to .csv.

JPBlanc
Murf
  • I am not sure if this is too broad or not. If nothing else it could really depend on what you are doing and the data you are trying to return. Simple queries would be more terse and readable with the activedirectory module. IIRC the .net ones will almost always be faster but I have nothing to back that up. – Matt Nov 23 '15 at 02:04
  • All I am trying to do is extract to a .csv all User objects (and some important fields/attributes), all Computer objects, and all Group objects. So basically "searching" the AD objects and looping through each result row and then saving to a table to export to .csv. – Murf Nov 23 '15 at 02:36
  • 1
    You can write sample code for both of them and measure their execution time with `Measure-Object`? – sodawillow Nov 23 '15 at 07:24

2 Answers

3

The ActiveDirectory cmdlets are far, far more intuitive than using System.DirectoryServices, however you may lose some of the control that System.DirectoryServices offers. For most cases, especially for people new to PowerShell, I would recommend using the ActiveDirectory cmdlets.

As far as speed, like @sodawillow suggested, you can measure the execution time of each and then use the fastest. I could give you anecdotes, but they would not be representative of everyone's experiences.

Benjamin Hubbard
  • Thanks, this is a great answer. Could you please provide your insights/thoughts/opinion though? You said "I could give you anecdotes...". I would be very interested in your experience regardless of whether it can be generally agreed to or accepted. – Murf Dec 02 '15 at 18:09
  • @TrackABill.com - I ran some simple tests retrieving all user objects on a domain using both methods. Tens of thousands of objects. Ran the tests ten times each, and using DirectoryServices was about 3 times faster every time. Don't take that as proof. That's just how it was for me in this case. Recommend running your own tests if speed is a big deal for you. For me, unless speed is crucial, I would still stick with the AD cmdlets for ease of use and readability. – Benjamin Hubbard Dec 04 '15 at 19:05
  • Thanks! This helps a lot. Really appreciate it. One last question... I ran my script against a domain with 50k computer objects, 30k groups, and 120k users. Is it normal that it would take about an hour to run? Thanks! – Murf Dec 06 '15 at 20:22
  • It really depends on the script. I would recommend opening a new question for that. – Benjamin Hubbard Dec 07 '15 at 14:22
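
The timing comparison suggested in this answer can be set up as follows. This is an added example, not code from the thread: it exports the same user attributes through the ActiveDirectory module and through `System.DirectoryServices.DirectorySearcher`, timing each with `Measure-Command`. The attribute list, function names and output paths are assumptions chosen for illustration.

```powershell
# Added example. Assumes a domain-joined Windows host, the RSAT ActiveDirectory
# module, and an account with ordinary read access. Output paths are placeholders.
[string[]]$attrs = 'sAMAccountName', 'displayName', 'mail', 'whenCreated'

function Export-UsersWithModule {
    param([Parameter(Mandatory)][string]$Path)
    Import-Module ActiveDirectory
    # Request only the attributes that will be exported.
    Get-ADUser -Filter * -Properties $attrs |
        Select-Object -Property $attrs |
        Export-Csv -Path $Path -NoTypeInformation
}

function Export-UsersWithSearcher {
    param([Parameter(Mandatory)][string]$Path)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter   = '(&(objectCategory=person)(objectClass=user))'
    $searcher.PageSize = 1000   # enable paging so the search is not cut off at the server's result limit
    $searcher.PropertiesToLoad.AddRange($attrs)
    $results = $searcher.FindAll()
    try {
        $results | ForEach-Object {
            $row = [ordered]@{}
            foreach ($a in $attrs) {
                # Look up with the lower-cased name; take the first value of the attribute.
                $row[$a] = $_.Properties[$a.ToLower()] | Select-Object -First 1
            }
            [pscustomobject]$row
        } | Export-Csv -Path $Path -NoTypeInformation
    }
    finally {
        $results.Dispose()      # SearchResultCollection holds unmanaged resources
        $searcher.Dispose()
    }
}

# Time both exports.
$runs = [ordered]@{
    'AD module'         = { Export-UsersWithModule   -Path "$env:TEMP\users-module.csv" }
    'DirectoryServices' = { Export-UsersWithSearcher -Path "$env:TEMP\users-searcher.csv" }
}
foreach ($name in $runs.Keys) {
    $elapsed = Measure-Command -Expression $runs[$name]
    '{0,-18} {1,8:N1} s' -f $name, $elapsed.TotalSeconds
}
```

Run each function several times before comparing, since the first call also pays for module loading and connection setup. The resulting CSV files contain directory data, so write them to a location with restricted access.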
0

I added your last comment to the question, because it just describes a small tool which has been present on Windows Servers for a long time.

Csvde.exe uses a syntax very close to Ldifde.exe, and it allows you to extract Active Directory objects using the LDAP query syntax. As far as I understand, these tools are powered by ADSI.

You can have a look at this answer.

Community
JPBlanc