Essential Tools to Manage Active Directory
CSVDE
The Comma-Separated Values Data Exchange tool, known as CSVDE, allows you to import new objects into Active Directory using a CSV source file; it also provides you with the ability to export existing objects to a CSV file. CSVDE can’t be used to modify existing objects; when you are using this tool in import mode you can only create brand-new objects.
Exporting a list of existing objects with CSVDE is fairly simple. Here’s how you’d export your Active Directory objects to a file called ad.csv:
csvde -f ad.csv
The –f switch indicates that the name of the output file follows. But you must be aware of the fact that, depending on your environment, this basic syntax could result in a huge and unwieldy output file. To restrict the tool to export objects only within a particular organizational unit (OU), you could modify the statement as follows:
csvde -f UsersOU.csv -d ou=Users,dc=contoso,dc=com
Let’s further say that you’re only interested in exporting user objects into your CSV file. In that case, you can add the –r switch, which allows you to specify a Lightweight Directory Access Protocol (LDAP) filter for the search, and the –l switch, which restricts the number of attributes that are exported (note that the following is all on one line):
csvde -f UsersOnly.csv -d ou=Users,dc=contoso,dc=com -r "(&(objectcategory=person)(objectclass=user))" -l DN,objectClass,description
The –i switch allows you to import objects into Active Directory from a source CSV file. However, creating user objects with CSVDE has one critical limitation: you can’t set user passwords with it. Because of this, I’d avoid using CSVDE to create user objects.
LDIFDE
Active Directory provides a second built-in tool for bulk user operations, called LDIFDE, and it is more powerful and flexible than CSVDE. In addition to creating new objects, LDIFDE can also modify and delete existing objects and even extend the Active Directory schema. The trade-off for LDIFDE’s flexibility is that the necessary input file, which is referred to as an LDIF file with the extension .ldf, uses a more complex format than the simple CSV file. (With a little work you can also configure user passwords, but I’ll get to that in a moment.)
Let’s start with a simple example, exporting users in an OU to an LDF file (note that the following is all on one line):
ldifde -f users.ldf -s DC1.contoso.com -d "ou=UsersOU,dc=contoso,dc=com" -r "(&(objectcategory=person)(objectclass=user))"
As with most command-line tools, you can find a full explanation of the LDIFDE switches by running the LDIFDE /? command. (Note that the switches are actually the same for both the CSVDE and LDIFDE commands.)
The real power of LDIFDE is in creating and manipulating objects. Before doing this, however, you first need to create an input file. The following creates two new user accounts called afuller and rking; to create the input file, enter the text in Notepad (or your favorite plain-text editor) and save it as NewUsers.ldf:
dn: CN=afuller,OU=UsersOU,DC=contoso,DC=com
changetype: add
cn: afuller
objectClass: user
samAccountName: afuller

dn: CN=rking,OU=UsersOU,DC=contoso,DC=com
changetype: add
cn: rking
objectClass: user
samAccountName: rking
Once you’ve finished creating the file, run the following command:
ldifde -i -f NewUsers.ldf -s DC1.contoso.com
The only new switch here is -i, which, you can probably guess for yourself, denotes that this is an import operation instead of an export.
When modifying or deleting existing objects, the syntax for the LDIFDE command doesn’t change; instead, you modify the contents of the LDF file. To change the description field of the user accounts, create a text file called ModifyUsers.ldf, such as the one shown in Figure 2.
Figure 2 The ModifyUsers LDF file
You import the changes by running the same LDIFDE command syntax as before, specifying the new LDF file name after the -f switch. The LDF format for deleting objects is even simpler; to delete the users you’ve been working with, create a file called DeleteUsers.ldf and enter the following:
dn: CN=afuller,OU=UsersOU,DC=contoso,DC=com
changetype: delete

dn: CN=rking,OU=UsersOU,DC=contoso,DC=com
changetype: delete
Note that unlike CSVDE, LDIFDE is capable of configuring user passwords. Before you can set the unicodePwd attribute for a user account, however, you must configure secure sockets layer/transport layer security (SSL/TLS) encryption on your domain controllers, because the directory rejects writes to unicodePwd that arrive over an unencrypted LDAP connection.
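The ModifyUsers.ldf file from Figure 2 and the password change just described can both be produced by a small generator. The following Python script is an added example, not part of the original article: it writes an LDIF change record that replaces the description attribute, and a second one that sets unicodePwd, which Active Directory accepts only as the password wrapped in double quotes, encoded as UTF-16LE and written base64-encoded (the double-colon `::` form) in the LDIF file. The DNs are the article's contoso.com examples; the description text and the password are constructed sample values.

```python
"""Generate LDIFDE change records: a description change and a unicodePwd set.

Added example; the DNs follow the article's contoso.com layout, the
description text and password below are constructed sample values.
"""
import base64
from pathlib import Path


def ldif_modify_description(dn: str, description: str) -> str:
    """Return an LDIF 'modify' record that replaces the description attribute.

    The trailing '-' line closes the modification block; LDIFDE requires it.
    """
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: description\n"
        f"description: {description}\n"
        "-\n"
    )


def unicode_pwd_value(password: str) -> str:
    """Encode a password the way Active Directory expects for unicodePwd.

    The directory wants the password enclosed in double quotes, as UTF-16LE.
    Because that is binary data, LDIF carries it base64-encoded after '::'.
    """
    raw = f'"{password}"'.encode("utf-16-le")
    return base64.b64encode(raw).decode("ascii")


def decode_unicode_pwd(value: str) -> str:
    """Reverse unicode_pwd_value (useful for checking a generated record)."""
    return base64.b64decode(value).decode("utf-16-le")


def ldif_set_password(dn: str, password: str) -> str:
    """Return an LDIF 'modify' record that sets unicodePwd.

    This record only imports when LDIFDE talks to the DC over SSL/TLS
    (ldifde -t 636), as the article notes; over plain LDAP the DC refuses it.
    """
    return (
        f"dn: {dn}\n"
        "changetype: modify\n"
        "replace: unicodePwd\n"
        f"unicodePwd:: {unicode_pwd_value(password)}\n"
        "-\n"
    )


def build_ldif(records: list[str]) -> str:
    """Join change records into one file; LDIF separates records with a blank line."""
    return "\n".join(records)


if __name__ == "__main__":
    users = {
        "CN=afuller,OU=UsersOU,DC=contoso,DC=com": "Sales Manager",   # constructed
        "CN=rking,OU=UsersOU,DC=contoso,DC=com": "Account Executive",  # constructed
    }
    records = [ldif_modify_description(dn, desc) for dn, desc in users.items()]
    Path("ModifyUsers.ldf").write_text(build_ldif(records), encoding="ascii")

    # Separate file for the password change, since it needs the LDAPS import.
    pw_record = ldif_set_password(
        "CN=afuller,OU=UsersOU,DC=contoso,DC=com", "Sample-Initial-Pw1"  # constructed
    )
    Path("SetPassword.ldf").write_text(pw_record, encoding="ascii")
```

Run the script to produce ModifyUsers.ldf, then import it with `ldifde -i -f ModifyUsers.ldf -s DC1.contoso.com`, exactly as for NewUsers.ldf. For SetPassword.ldf add `-t 636` so that LDIFDE connects to the domain controller over LDAPS; that is the SSL/TLS requirement described above.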
Moreover, LDIFDE can create and modify any type of Active Directory object, not just user accounts. The following LDF file, for example, will create a custom schema extension called EmployeeID-example in the schema of the contoso.com forest:
dn: cn=EmployeeID-example,cn=Schema,cn=Configuration,dc=contoso,dc=com
changetype: add
# attributeSchema is the object class for a new attribute definition
objectClass: attributeSchema
adminDisplayName: EmployeeID-Example
# attributeID must be an OID from your organization's own arc; this is a placeholder
attributeID: 1.2.3.4.5.6.6.6.7
# 2.5.5.6 with oMSyntax 18 is the Numeric String syntax
attributeSyntax: 2.5.5.6
oMSyntax: 18
# cn must match the RDN in the dn line above
cn: EmployeeID-example
instanceType: 4
isSingleValued: True
lDAPDisplayName: employeeID-example
Because LDIFDE files use the industry-standard LDAP file format, third-party applications that need to modify the Active Directory schema will often supply LDF files you can use to examine and approve the changes before applying them to your production environment.
In addition to tools for bulk import and export operations, Windows Server 2003 also includes a built-in toolset that lets you create, delete, and modify various Active Directory objects as well as perform queries for objects that meet certain criteria. (Note that these tools, dsadd, dsrm, dsget, and dsquery, are not supported under Windows 2000 Active Directory.)