Active Directory and Account Manipulation Tools
Management of large numbers of user accounts has always been a challenging task for Windows NT administrators. Using the GUI for this purpose is not only error prone but also quickly turns you into another victim of Carpal Tunnel syndrome. What's the alternative? Fortunately, Windows 2000 offers several non-GUI tools that can be used for querying, creating and modifying multiple accounts.
Two of these tools are provided as part of the operating system. The first one, CSVDE.exe, allows you to export Active Directory information into a comma-separated value file. It also allows you to import information from a file in the same format into the directory, which effectively creates new accounts.
For example, you can use the following command to export all objects with cn=users,DC=swynk,DC=com as part of their distinguished name (including both users and groups) into the userlist.csv file:
csvde.exe -f userlist.csv -d "cn=users,DC=swynk,DC=com"
The following will export all objects of the user object class (user and computer accounts, but not groups):
csvde.exe -f userlist.csv -r "(objectClass=user)"
The import is less straightforward. Some of the attributes are owned by the system, so running the import with a file in the same format as the export produces errors. Running the export with the -m switch excludes them (using so-called SAM logic). Once the list of attributes is known, it can be populated with data for new user accounts.
For example, the following creates the Marcin Policht account in the swynk.com domain:
csvde.exe -i -f indata.csv
where indata.csv contains the following header line and record:
DN,cn,displayName,distinguishedName,objectCategory,objectClass,name,sAMAccountName,givenName,sn,userPrincipalName
"CN=Marcin Policht,CN=Users,DC=swynk,DC=com",Marcin Policht,Marcin Policht,"CN=Marcin Policht,CN=Users,DC=swynk,DC=com","CN=Person,CN=Schema,CN=Configuration,DC=swynk,DC=com",user,Marcin Policht,MarcinPolicht,Marcin,Policht,MarcinPolicht@swynk.com
Unfortunately, you cannot use CSVDE for modifying or deleting existing accounts. If that is needed, you can resort to LDIFDE.exe (LDAP Data Interchange Format Directory Synchronization Tool).
You can also use LDIFDE to query Active Directory content.
The following sends the group membership of Marcin Policht in the swynk.com domain to the console:
ldifde.exe -d "cn=Marcin Policht,cn=users,dc=swynk,dc=com" -l memberOf -f con
and this will display all computers in the San Francisco organizational unit of the swynk.com domain:
ldifde.exe -d "ou=san francisco,dc=swynk,dc=com" -r "(objectclass=Computer)" -f con
If you are more interested in users, you can type the following (this also scans all subcontainers):
ldifde -s dc01.swynk.com -d "ou=san francisco,dc=swynk,dc=com" -p subtree -r "(objectClass=person)" -f con
In order to perform modifications to existing accounts, first export them to a file, listing the attributes you want to modify with the -l switch. I decided to change the area code of the phone number.
ldifde -s dc01.swynk.com -d "ou=san francisco,dc=swynk,dc=com" -p subtree -r "(objectClass=person)" -f sfusers.ldf -l "l,telephoneNumber"
This creates the following sfusers.ldf file:
dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (888) 111 2222
Edit that file and apply the modification by running:
ldifde -i -f sfusers.ldf -s dc01.swynk.com
where the edited sfusers.ldf now contains the following:
dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: modify
replace: telephoneNumber
telephoneNumber: (666) 111 2222
-
Do not forget the hyphen in the last line.
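As an added example (not from the original article and not part of the ldifde tool), the following Python script reads an LDIFDE export like the sfusers.ldf shown above and writes the "changetype: modify" entries, including the terminating hyphen, needed to change the area code. The export text is constructed sample data, and the parser assumes plain single-line attribute values (no "::" base64 values and no line folding).

```python
# Added example: turn an LDIFDE export (changetype: add) into the
# "changetype: modify" file that ldifde -i expects for an area-code change.
# The export below is constructed sample data, not a real directory dump.
EXPORTED_LDF = """dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (888) 111 2222

dn: CN=Jane Doe,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (888) 555 0100

dn: CN=Sam Roe,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (415) 555 0199
"""


def parse_ldif(text):
    """Split LDIF text into (dn, {attribute: value}) records.
    Assumes plain single-line values: no '::' base64 and no line folding."""
    records = []
    for block in text.strip().split("\n\n"):
        dn, attrs = None, {}
        for line in block.splitlines():
            if not line.strip() or line.startswith("#"):
                continue  # skip blank lines and LDIF comments
            key, _, value = line.partition(":")
            if key == "dn":
                dn = value.strip()
            else:
                attrs[key] = value.strip()
        if dn:
            records.append((dn, attrs))
    return records


def build_modify_ldif(text, old_area, new_area):
    """Emit one 'changetype: modify' entry per record whose telephoneNumber
    starts with (old_area); each entry ends with the mandatory '-' line."""
    entries = []
    for dn, attrs in parse_ldif(text):
        number = attrs.get("telephoneNumber", "")
        if not number.startswith(f"({old_area})"):
            continue  # leave entries with other area codes untouched
        new_number = f"({new_area})" + number[len(old_area) + 2:]
        entries.append(
            f"dn: {dn}\nchangetype: modify\nreplace: telephoneNumber\n"
            f"telephoneNumber: {new_number}\n-\n"
        )
    return "\n".join(entries)
```

Writing the result of build_modify_ldif(EXPORTED_LDF, "888", "666") to sfusers.ldf gives a file in the form shown above, ready for ldifde -i -f sfusers.ldf -s dc01.swynk.com.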
To delete this account, use the same command line, but change the content of the file so it looks like the following:
dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: delete