CSVDE Imports user accounts into Active Directory
CSVDE is the type of program that you learn for a specific task and then forget about. Therefore, what you need are a few tried and tested examples to get started. The classic job for CSVDE is to import user accounts into a Windows domain. We often use CSVDE to create users on a test network, our main use for CSVDE is to research LDAP names. What we do is a quick export of Active Directory into a .csv file. Then open that .csv export file with Excel and study the LDAP fields in the first row of the spreadsheet.
Comma – Delimit data with a comma, not tab.
Separated – Split a string of data.
Value -Values, rather than properties.
Data – Deal with data, and don’t worry about the objects.
Exchange – Move data from the spreadsheet into Active Directory (or vica versa).
Think of CSVDE as the engine that drives data into or out of Active Directory. This CSVDE engine has two directions, export and import. The data consists of Active Directory accounts in CSV format. Excel, or a similar spreadsheet, is marvelous at dropping the comma-separated data into columns.
To actually export from Active Directory, all you need is CSVDE -f filename.csv. As export is the default mode, there is no -e switch, so just issue CSVDE, the -f switch and a suitable name.
Whenever you transfer data in the other direction, from the file into Active Directory, you must actively switch CSVDE into import mode. This is why you need the extra the -i parameter.
For example CSVDE -i -f filename.csv.
LDIFDE
So you want to use LDIFDE to import users into Active Directory, I suggest that you start with LDIFDE export. My reasoning is this, LDIFDE is a difficult command to master, however, the export switch is far easier to learn than the import. In addition there is less scope for damaging Active Directory when you are exporting.
The key switch is (-i) without this tiny -i switch (Lower case I), LDIFDE will just export information or raise an error message. To master importing user accounts, you must understand the LDAP attributes. Also you need ‘Active Directory Users and Computer’ available for inspecting the users’ properties. Once you have written all the data in your ” .ldf” file then just import the data with a command like this:
ldifde -i -f accounts.ldf -s MyServer
In this example, you use LDIFDE to add a new user named Bill Gates to the Developers organizational unit.
- Start Notepad, and create a new file called Newuser.ldf. (Save the file as with an .ldf extension.)
(Note you will need to substitute the information for your domain!) - Edit the LDIF file Newuser.ldf, and add the following text :
dn: CN=BillGates, OU=Developers, DC=squidworks, DC=net
changetype: add
cn: Bill Gates
objectClass: user
samAccountName: Bill
givenName: Bill
sn: Gates - Save the LDIF file.
- Run LDIFDE to import the new user into Active Directory. Open a ‘dos box’, start run, CMD, then type the following command, and then press Enter.
ldifde –i -f newuser.ldf -s MyServer - To confirm that the new user has been created, check your Active Directory users and computers snap-in.
When you need to delete objects, firsly you need their dn: attributes. Secondly, on the next line, write a statement for changetype: delete.
Example: If you saved these entries into a file called leavers.ldf
dn: CN=BillGates,CN=Users,DC=cp
changetype: delete
You may needed to add a null value when you have to clear the login script field and have it controlled by a GPO. The following worked for us.
dn: CN=Example User,OU=Example OU,DC=example,DC=network,DC=com
changetype: modify delete: scriptPath-The absence of scriptpath: on the subsequent line after replace: causes an empty/null field to be inserted.
Okay, can you please provide a “crystal clear” LDIFDE example of how to import, as well as file format; i.e., one record per line, ending with “-” on the last line, followed by a blank line – and also be sure and include with more than one record; BUT, especially, please include a ‘working example’ that contains one or more “null/blank” fields – because that is the “real world.” i.e., I may have department: (null or no value)
replace: extensionAttribute1 (null or no value)
And, in fact, I have both! I have contractors/consultants who do NOT have ‘dept #’ and we utilize extentionAttribute1, but in many cases it is null. I have tried EVERY MS Example and others, which say to use a
“colon” after the attribute; i.e. “department:” – but none of it works!
Please provide any assistance, if possible. Thanks.
here’s my “privacy-modified” example, fyi.
I get the infamous “Failed on line nn. The last token starts with “-“. Extraneous attribute name in a mod-spec list.
dn: CN=Tim Taylor,OU=Network,OU=MYUsers,DC=forest1,DC=local
changetype: modify
replace: description
description: Senior Consultant
replace: givenName
givenName: Timothy
repalce: sn
sn: Taylro
replace: department
department:
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName:
replace: extensionAttribute1
extensionAttribute1:
–
dn: CN=Charles Schultz,OU=Network,OU=MYUsers,DC=forest1,DC=local
changetype: modify
replace: description
description: Senior Cartoonist
replace: givenName
givenName: Charles
replace: sn
sn: Schultz
replace: department
department: 123
replace: physicalDeliveryOfficeName
physicalDeliveryOfficeName:
replace: extensionAttribute1
extensionAttribute1:
–
I have tried WITH and WITHOUT a space following the nulls – no good; same error! I mean, do I seriously need an ADDITIONAL script, with a ‘delete’ in it? And/or modify the script to delete the data in the field? i.e., if extensionAttriute1 has data in AD, but my HR spredsheet says, “This should be blank/null;” I have yet to see ANY working description of how to make that work – try it yourself, and please let me know – I would be forever grateful.
Again, please use “more than one AD record” (at least 2). Thanks.