
Active Directory tools ease import/export of data

Expert Gary Olsen explains how to use LDIFDE import and CSVDE export features to better manage your Active Directory architecture.

In a previous article on LDIFDE, Extracting AD info quickly and easily with LDIFDE, I explored using the LDIFDE.exe tool to export data. I covered an introduction to the tool itself, basic syntax as well as the fundamentals of using the LDAP search filter to narrow down the output.

In this article, I will discuss two additional features in this area: importing data and the use of CSVDE.exe, an additional utility with syntax similar to that of LDIFDE, allowing you to output data to or input data from a comma-separated file.

First, let's examine importing using LDIFDE. This can be done in the form of modifying already exported objects or by creating new ones. Objects can also be imported into other LDAP directory services, and objects that were exported from other services can be imported to AD with LDIFDE import. To import, you must use the -i option with the ldifde command, along with at least an input file name and the DC it is to connect to.

The following command imports the objects specified in the input file newusers.ldf on the server ATL-DC1:

 ldifde -i -f newusers.ldf -s ATL-DC1

Modifying user attributes
Suppose the company had moved the engineering department to a new building on the other side of town, giving those users a new street address and postal code. We can script the change with LDIFDE by starting with a dump of the Engineering OU.

 C:\>ldifde -f Address.ldf -s ATL-DC1 -d "ou=engineering,dc=company,dc=com" -p onelevel -r "(objectClass=user)" -l "cn,streetAddress,l,city,st,postalCode"

The Address.ldf output file (partial list):

 dn: CN=Caroline Carter,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Caroline Carter

 dn: CN=Tyler Olsen,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Tyler Olsen
 l: Alpharetta
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

 dn: CN=Abigail witbeck,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: kydon witbeck
 l: Dunwoody
 st: GA
 postalCode: 31212
 streetAddress: 2109 Karel Court

 dn: CN=Carter Urbanawiz,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Matt Urbanawiz
 l: Roswell
 st: GA
 postalCode: 30067
 streetAddress: 345 Azalea Drive

 dn: CN=Lisa Lichfield,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Lisa Lichfield

Now we can modify the exported Address.ldf file with the needed corrections and import it back into the Engineering OU. Using the exported Address.ldf, you can see that some users didn't have any address attributes and some had their home address listed. By simply editing that .ldf file and inserting the attributes for city, state, street address and postal code, we can quickly import them into the Active Directory. The address.ldf file is modified to change the address to 123 Sycamore Court, Roswell, GA 30706 as follows:

 dn: CN=Caroline Carter,OU=Engineering,DC=Company,DC=com
 changetype: modify
 replace: l
 l: Roswell
 -
 replace: st
 st: GA
 -
 replace: postalCode
 postalCode: 30706
 -
 replace: streetaddress
 streetaddress: 123 Sycamore Court
 -

 dn: CN=Tyler Olsen,OU=Engineering,DC=Company,DC=com
 changetype: modify
 replace: l
 l: Roswell
 -
 replace: st
 st: GA
 -
 replace: postalCode
 postalCode: 30706
 -
 replace: streetaddress
 streetaddress: 123 Sycamore Court
 -

This import file has some interesting caveats that will drive you crazy until you figure them out. To save you some time, here they are:

  • If you are making changes to an existing object, use the Modify changetype. Note that Caroline Carter didn't have any address attributes -- but we used modify rather than add.
  • The syntax to replace an attribute is:
      replace: <attribute>
      <attribute>: <new value>
    • You can specify multiple attribute changes, but each one must be separated with a line containing only a hyphen (-).
    • The first attribute replaced is not separated from the changetype line with a hyphen (-).
  • Before starting a new Object, separate previous commands with a line containing only a hyphen and a blank line.

The LDIFDE command to import these changes to the AD is:

 ldifde -i -f Address.ldf -s ATL-DC1

The results can be viewed in the Users and Computers snap-in as shown in Figure 1.

Figure 1. User Properties of user Caroline Carter show modified values for address fields.

Adding new users
You can add users by creating a text file in the following format. Note that the ObjectClass must be specified and there is a blank line delimiter between the object specifications (and just when you thought you had that stuff with the hyphens figured out):

 dn: CN=Spencer Johnson,OU=Engineering,DC=company,DC=com
 changetype: add
 cn: Spencer Johnson
 objectClass: user
 l: Roswell
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

 dn: CN=Carter Urbanawiz,OU=Engineering,DC=company,DC=com
 changetype: add
 cn: Carter Urbanawiz
 objectClass: user
 l: Roswell
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

 dn: CN=Lisa Lichfield,OU=Engineering,DC=company,DC=com
 changetype: add
 cn: Lisa Lichfield
 objectClass: user
 l: Roswell
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

This file can be used to import the objects to the AD with this command:

 ldifde -i -f addusers.ldf -s atl-dc1

Note: Users imported with LDIFDE in this manner will be automatically disabled in Active Directory. Users can also be deleted by importing an ldf file and specifying the DN of the user and a changetype of delete:

 dn: CN=Carter Urbanawiz,OU=Engineering,DC=company,DC=com
 changetype: delete

 dn: CN=Abigail Witbeck,OU=Engineering,DC=company,DC=com
 changetype: delete
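A pre-import check for the modify and delete files described above, added here as an example and not taken from the article or from Microsoft's tools: it lists each record's DN and changetype, flags deletes and DNs outside the intended OU, and catches a missing hyphen line between operations. The names `audit_ldf` and `bad_op` and the sample records are constructed for illustration, and it assumes plain LDIF without folded lines or base64 values.

```python
import re
from itertools import groupby

# Constructed sample (not from the article): good modify, missing "-", stray delete.
SAMPLE_LDF = """\
dn: CN=Caroline Carter,OU=Engineering,DC=company,DC=com
changetype: modify
replace: l
l: Roswell
-

dn: CN=Tyler Olsen,OU=Engineering,DC=company,DC=com
changetype: modify
replace: l
l: Roswell
replace: st
st: GA
-

dn: CN=Lisa Lichfield,OU=Sales,DC=company,DC=com
changetype: delete
"""

def bad_op(chunk):
    """True unless chunk is '<op>: attr' followed only by 'attr: value' lines."""
    m = re.match(r"(add|replace|delete):\s*(\S+)$", chunk[0], re.I)
    return not m or any(not v.lower().startswith(m.group(2).lower() + ":") for v in chunk[1:])

def audit_ldf(text, allowed_base):
    """Yield (dn, changetype, problems) for each record of an LDIF import file."""
    for block in filter(None, re.split(r"\n\s*\n", text.strip())):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        problems = []
        dn = lines[0][3:].strip() if lines[0].lower().startswith("dn:") else ""
        if not ("," + dn).lower().endswith("," + allowed_base.lower()):
            problems.append("DN missing or outside " + allowed_base)
        m = re.match(r"changetype:\s*(\w+)$", lines[1], re.I) if len(lines) > 1 else None
        ctype = m.group(1).lower() if m else None
        if ctype is None:
            problems.append("second line is not a changetype")
        elif ctype == "delete":
            problems.append("deletes the object: confirm before import")
        ops = lines[2:] if ctype == "modify" else []
        if ops and ops[-1] != "-":
            problems.append("last operation is not closed by a '-' line")
        chunks = [list(g) for k, g in groupby(ops, lambda ln: ln == "-") if not k]
        problems += ["missing '-' or malformed operation near: " + c[0] for c in chunks if bad_op(c)]
        yield dn, ctype, problems
```

Run it over the edited .ldf before `ldifde -i` and import only when every record comes back with an empty problem list or with deletes you have confirmed.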

There is a companion utility, CSVDE, that uses mostly the same commands as LDIFDE, but the input and output is in a comma-separated file. Figure 2 shows the results of taking the comma-separated output of the following command and importing it into an Excel spreadsheet:

 csvde -f exportusers.ldf -s atl-dc1 -d "ou=engineering,dc=company,dc=com" -p onelevel -r "(objectClass=user)"

Note: Import operations with CSVDE are "add" only, and CSVDE does not offer the ability to modify or delete objects.

Figure 2. Output of CSVDE command imported into Excel Spreadsheet.

Obviously there are more powerful scripting tools for bulk import and export of Active Directory objects, such as VBScript and ADSI and other tools in the Windows .NET Framework. The nice thing about LDIFDE and CSVDE is they are simple enough for the average non-programmer to use, and if you don't have the time or expertise to develop a complex script, these tools will probably do the job. There isn't a lot of help from Microsoft on this but I searched Google and found several sites offering e-books (online books) for a small fee. The most impressive one was Jumbo Scripts by Guy Thomas. It covers LDIFDE, CSVDE and Logon scripts. That site has a plethora of free "How To" pages as well as books containing samples of using LDIFDE, CSVDE and WSH for exporting and importing objects into Active Directory.

Gary Olsen is a systems software engineer for Hewlett-Packard in Global Solutions Engineering. He authored Windows 2000: Active Directory Design and Deployment and co-authored Windows Server 2003 on HP ProLiant Servers.
