Active Directory Account Management

Tuesday Nov 21st 2000 by ServerWatch Staff


Active Directory and Account Manipulation Tools

Management of large numbers of user accounts has always been a challenging task for Windows NT administrators. Using a GUI for this purpose is not only error prone but also quickly turns you into another victim of carpal tunnel syndrome. What's the alternative? Fortunately, Windows 2000 offers several non-GUI tools which can be used for querying, creating and modifying multiple accounts.

Two of these tools are provided as part of the operating system. The first one, CSVDE.exe, allows you to export Active Directory information into a comma-separated value (CSV) file. It also allows you to import information from a file in the same format into the directory, which effectively creates new objects such as user accounts.

For example, you can use the following command to export all objects below the Users container (that is, with cn=users,DC=swynk,DC=com as part of their distinguished name), including both users and groups, into the userlist.csv file:
csvde.exe -f userlist.csv -d "cn=users,DC=swynk,DC=com"

The following will export all objects of the user object class from the whole domain (user and computer accounts, because the computer class is derived from user, but not groups):
csvde.exe -f userlist.csv -r "(objectClass=user)"

The import is less straightforward. Some attributes are owned by the system (objectGUID, objectSid, pwdLastSet and the like), so an import that reuses the full export format will fail with errors. Running the export with the -m switch excludes them (by applying so-called SAM logic) and leaves you with only the importable attributes. Once that list is known, it can be populated with data for new user accounts. Note that CSVDE cannot set passwords, so accounts created this way are disabled until a password is assigned and the account is enabled.

For example, the following creates a user account for Marcin Policht in the domain:
csvde.exe -i -f indata.csv
where indata.csv starts with a header line naming the attributes (in the same order as the -m export; the header is not reproduced here) followed by the following data row:
"CN=Marcin Policht,CN=Users,DC=swynk,DC=com",Marcin Policht,Marcin Policht,"CN=Marcin Policht,CN=Users,DC=swynk,DC=com","CN=Person,CN=Schema,CN=Configuration,DC=swynk,DC=com",user,Marcin Policht,MarcinPolicht,Marcin,Policht,
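Producing the import file by hand is where the errors creep in, so here is an added Python example (not from the original article) that generates a csvde import file for a batch of users in the article's swynk.com domain. It writes the header line that csvde needs, escapes the characters RFC 4514 reserves inside an RDN (a comma in a surname would otherwise split the DN), derives a sAMAccountName the way the article does (given name plus surname) while enforcing Active Directory's 20-character limit and forbidden characters, and refuses duplicate logon names within the batch. The attribute set in HEADER is a minimal working one chosen for this example, not the page's -m export list, and the sample batch is constructed; as noted above, csvde cannot set passwords, so the resulting accounts are disabled until one is assigned.

```python
import csv
import io

# Container from the article's example domain; change to suit.
CONTAINER = "CN=Users,DC=swynk,DC=com"
# Minimal attribute set for a csvde import (assumption for this example;
# cn, name and distinguishedName are derived from the DN by the server).
HEADER = ["DN", "objectClass", "sAMAccountName", "givenName", "sn", "displayName"]
# Characters Active Directory does not allow in sAMAccountName.
SAM_FORBIDDEN = set('"/\\[]:;|=,+*?<>')
SAM_MAX_LEN = 20  # limit for user accounts


def escape_rdn_value(value: str) -> str:
    """Escape an RDN attribute value per RFC 4514 so it is safe inside a DN."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def make_sam_account_name(given: str, sn: str) -> str:
    """Given name + surname, as in the article, minus spaces and forbidden characters."""
    raw = given + sn
    sam = "".join(ch for ch in raw if ch not in SAM_FORBIDDEN and not ch.isspace())
    if not sam:
        raise ValueError(f"no usable characters for logon name: {raw!r}")
    if len(sam) > SAM_MAX_LEN:
        raise ValueError(f"sAMAccountName {sam!r} exceeds {SAM_MAX_LEN} characters")
    return sam


def build_import_rows(people, container=CONTAINER):
    """Turn (givenName, sn) pairs into csvde rows; rejects duplicate logon names."""
    rows, seen = [], set()
    for given, sn in people:
        cn = f"{given} {sn}"
        sam = make_sam_account_name(given, sn)
        if sam.lower() in seen:  # sAMAccountName is case-insensitive and must be unique
            raise ValueError(f"duplicate sAMAccountName {sam!r}")
        seen.add(sam.lower())
        dn = f"CN={escape_rdn_value(cn)},{container}"
        rows.append([dn, "user", sam, given, sn, cn])
    return rows


def write_csvde_file(people, container=CONTAINER) -> str:
    """Return the complete file contents: header line followed by one row per user."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\r\n")  # DNs contain commas and get quoted
    writer.writerow(HEADER)
    writer.writerows(build_import_rows(people, container))
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample batch; the second surname exercises the DN escaping.
    batch = [("Marcin", "Policht"), ("Ann", "O'Hara, Jr")]
    print(write_csvde_file(batch), end="")
```

Write the output to indata.csv and run csvde.exe -i -f indata.csv as above; the csv module quotes the DN column because it contains commas, which is exactly the form csvde expects.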

Unfortunately, you cannot use CSVDE to modify or delete existing accounts. If that's needed, you can resort to LDIFDE.exe, which reads and writes LDAP Data Interchange Format (LDIF) files. You can also use LDIFDE to query the Active Directory content.

The following sends the group membership of Marcin Policht to the console (-f con writes the output to the console instead of a file):
ldifde.exe -d "cn=Marcin Policht,cn=users,dc=swynk,dc=com" -l memberOf -f con

and this will display all computers in the San Francisco organizational unit of the domain:
ldifde.exe -d "ou=san francisco,dc=swynk,dc=com" -r "(objectclass=Computer)" -f con

If you are more interested in users, you can type the following (-p subtree, which is the default scope, also scans all subcontainers; add -s servername if you want to target a specific domain controller):
ldifde -d "ou=san francisco,dc=swynk,dc=com" -p subtree -r "(objectClass=person)" -f con

In order to modify existing accounts, first export them to a file, listing the attributes you want to modify with the -l switch. In this example we change the area code of the phone number.

ldifde -d "ou=san francisco,dc=swynk,dc=com" -p subtree -r "(objectClass=person)" -f sfusers.ldf -l "l,telephoneNumber"
This creates the following sfusers.ldf file (the l attribute, the locality, is not set on this account, so only telephoneNumber appears; note that ldifde writes every exported record with changetype: add):
dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (888) 111 2222

Edit the file so that it contains a modify record, then apply it by running:
ldifde -i -f sfusers.ldf
where sfusers.ldf now contains the following:
dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: modify
replace: telephoneNumber
telephoneNumber: (666) 111 2222
-
Do not forget the hyphen in the last line; it terminates the modify block, and ldifde rejects the record without it.

To delete this account, use the same command line, but change the content of the file so it looks like the following:
dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: delete
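The export, edit and import cycle above, together with the delete records, lends itself to scripting. The following is an added Python example, not code from the original article, that parses a ldifde export such as sfusers.ldf (handling LDIF's folded continuation lines and the base64 "::" values ldifde emits for non-ASCII or leading-space data), generates a modify record for every account whose number starts with the old area code, ending each with the terminating hyphen discussed above, and builds delete records for a list of DNs. The sample export is constructed for this example; the first modify record it produces is exactly the one shown above.

```python
import base64

# Constructed sample of a ldifde -l telephoneNumber export: a plain value,
# a base64 (::) value, a folded value and an entry with no phone number at all.
_B64_PHONE = base64.b64encode(b"(888) 333 4444").decode("ascii")
SAMPLE_EXPORT = f"""dn: CN=Marcin Policht,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (888) 111 2222

dn: CN=Jane Doe,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber:: {_B64_PHONE}

dn: CN=Long Fold,OU=san francisco,DC=swynk,DC=com
changetype: add
telephoneNumber: (888) 555
  6666

dn: CN=No Phone,OU=san francisco,DC=swynk,DC=com
changetype: add
"""


def parse_ldif(text: str):
    """Parse LDIF records into dicts of the form {'dn': str, attr: [values]}."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:      # folded line: continues the previous one
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], None
    for line in lines:
        if not line.strip():                   # blank line ends a record
            if current:
                entries.append(current)
            current = None
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        if value.startswith(":"):              # "attr:: base64"
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        elif value.startswith(" "):            # "attr: value" (one optional space)
            value = value[1:]
        if name == "dn":
            current = {"dn": value}
        elif current is None:
            raise ValueError(f"attribute before dn: {line!r}")
        else:
            current.setdefault(name, []).append(value)
    if current:
        entries.append(current)
    return entries


def ldif_line(attr: str, value: str) -> str:
    """Emit attr: value, switching to attr:: base64 when LDIF's safe-string rules require it."""
    unsafe = (not value.isascii() or value.startswith((" ", ":", "<"))
              or value.endswith(" ") or "\n" in value or "\r" in value)
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def change_area_code(entries, old="(888)", new="(666)") -> str:
    """Build modify records for every entry with a number in the old area code."""
    records = []
    for entry in entries:
        phones = entry.get("telephoneNumber", [])
        if not any(p.startswith(old) for p in phones):
            continue                           # nothing to change: emit no record at all
        updated = [p.replace(old, new, 1) if p.startswith(old) else p for p in phones]
        rec = [ldif_line("dn", entry["dn"]), "changetype: modify", "replace: telephoneNumber"]
        rec += [ldif_line("telephoneNumber", p) for p in updated]
        rec.append("-")                        # the hyphen that terminates a modify block
        records.append("\n".join(rec))
    return "\n\n".join(records) + "\n"


def delete_records(dns) -> str:
    """Build delete records for the given DNs."""
    return "\n\n".join(f"{ldif_line('dn', dn)}\nchangetype: delete" for dn in dns) + "\n"


if __name__ == "__main__":
    exported = parse_ldif(SAMPLE_EXPORT)
    print(change_area_code(exported), end="")
    print(delete_records([exported[-1]["dn"]]), end="")
```

Feed the real export through parse_ldif instead of SAMPLE_EXPORT, save the output as sfusers.ldf and import it with ldifde -i -f sfusers.ldf; entries whose number is not in the old area code produce no record, so nothing is touched that the filter did not match.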
