Wednesday, February 24, 2010

Manage user accounts with LDIFDE tool

The LDAP Data Interchange Format Directory Exchange utility (LDIFDE.exe) is much more powerful than the addusers utility. It comes bundled in the default installation of Windows 2000 Server, Advanced Server, and Datacenter Server. In this article, I will show you the power of LDIFDE and explain how to use it to add, modify, and remove users in your Active Directory tree.

Modifying Active Directory information
I will now go over the process of creating new users in Active Directory using this utility. I have created an organizational unit named newusers, which I will use for all of the examples.

Example 1—importing new users
In this example, I will import two new users—NewUser and AnotherUser—into Active Directory. To do this, I will create a text file named Import.ldf with the following data:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: add
cn: New User
objectClass: user
samAccountName: NewUser

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: add
cn: Another User
objectClass: user
samAccountName: AnotherUser

This might look a little intimidating, and the format is definitely not as simple as the one used with the addusers utility, so let's take a closer look at what's going on.

A new user is being created in a specific organizational unit (newusers, in this case) and the user’s name fields are being set up.

To import this information, I will use the following command:
ldifde -v -i -s w2ks -f import.ldf

Again, the -v switch indicates that I want verbose output for this command, while the next parameter, -i, indicates import mode. By default, LDIFDE runs in export mode unless this parameter is present. The -s and -f parameters specify the server and the name of the import file, respectively.

The output from this command is shown in Listing D.

When I browse to the newusers organizational unit in the Active Directory Users And Computers GUI tool after this process is finished, I find that there are two new users matching the descriptions above.

Example 2—Modifying information
You can also use LDIFDE to modify the information for a user, if necessary—such as when a user changes offices or gets married. For this example, I will modify the address of the two users I just created. Since they work in the same office and have the same address, this is what will be in the import file I use:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: modify
replace: streetAddress
streetAddress: 1450 Bum Street
-
replace: l
l: Somewheretown
-
replace: st
st: Somestate
-
replace: postalCode
postalCode: 90210
-

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: modify
replace: streetAddress
streetAddress: 1450 Bum Street
-
replace: l
l: Somewheretown
-
replace: st
st: Somestate
-
replace: postalCode
postalCode: 90210
-

This needs a little more explanation. The line beginning with dn identifies which Active Directory object is being worked with. In this case, it is being modified, as indicated by the changetype line. Next, the import file requests a replacement of the object's street address; the new value is given on the following line, followed by a dash, which indicates that this modification record continues. Next, l (locality or city), st (state), and postalCode (postal code) are all replaced in the same way. Note the blank line between the last dash of the first record and the first line of the second record. This is critical: if you don't include it, the modification won't work. To execute these modifications, I issue this command:
ldifde -v -i -s w2ks -f modify.ldf

The output is similar to the previous example. When I look in the GUI utility, I see that the address records for both users were properly modified and match the information I entered into Modify.ldf.

Example 3—Deleting objects from Active Directory
Upper management has finally realized that these two new users weren’t worth the stock options they were given, so they're being let go. To delete two users, you would normally use the GUI, but for demonstration purposes, I am going to show you how to do it with LDIFDE.

First, I need to create a file that will tell LDIFDE what to do. Here is what that command file, named Delete.ldf, will contain:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: delete

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: delete

This is pretty self-explanatory. To execute the commands in this file, I type
ldifde -v -i -s w2ks -f delete.ldf

Once I finish, I can verify that the users are indeed gone from Active Directory by going to the GUI tool once again.
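As an added example that is not part of the original article, the following Python helpers generate the three kinds of LDIFDE change records shown in Examples 1 to 3 (add, modify with replace, delete), with the dash separators and blank record separators the text says are critical. The function names are my own; count_records is there so you can compare a generated file against the number of objects you expect to touch before running ldifde -i against a live domain.

```python
import base64

# Constructed helpers for emitting LDIF change records in the layout
# the article describes. Not part of LDIFDE or the original post.


def _value(attr: str, value: str) -> str:
    """Format one attribute line. Values that LDIF cannot carry literally
    (non-ASCII text, a leading space, colon or '<', or embedded CR/LF/NUL,
    per RFC 2849) are base64-encoded and written with the '::' form."""
    unsafe = (not value.isascii()
              or value[:1] in (" ", ":", "<")
              or any(c in value for c in "\r\n\0"))
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def add_record(dn: str, attrs: dict) -> str:
    """Example 1: a 'changetype: add' record with the given attributes."""
    lines = [f"dn: {dn}", "changetype: add"]
    lines += [_value(attr, value) for attr, value in attrs.items()]
    return "\n".join(lines)


def modify_replace_record(dn: str, changes: dict) -> str:
    """Example 2: one 'changetype: modify' record; every replaced attribute
    is a 'replace:' line, the new value, and a lone '-' terminator."""
    lines = [f"dn: {dn}", "changetype: modify"]
    for attr, value in changes.items():
        lines += [f"replace: {attr}", _value(attr, value), "-"]
    return "\n".join(lines)


def delete_record(dn: str) -> str:
    """Example 3: a 'changetype: delete' record."""
    return f"dn: {dn}\nchangetype: delete"


def join_records(records: list) -> str:
    """Separate records with exactly one blank line; LDIFDE treats the blank
    line as the end of the previous change record."""
    return "\n\n".join(records) + "\n"


def count_records(ldif_text: str) -> int:
    """Number of change records in a file, for checking a generated file
    against the expected number of objects before importing it."""
    blocks = ldif_text.split("\n\n")
    return sum(1 for b in blocks if b.strip().startswith("dn: "))
```

Because ldifde -i applies every record in the file with the privileges of the account running it, checking the record count and spot-reading the generated file is a cheap guard against a script that silently produces too many or too few changes.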

Summary
LDIFDE is a powerful utility that can be useful in adding, deleting, and modifying user accounts in Active Directory. As an example, I am currently working on a set of scripts to create Exchange contacts (as objects) in Active Directory for people who exist in a Microsoft SQL Server database of business contacts, with an automatic update every hour. I am using LDIFDE to do the importing into ADS. Of course, with this power comes some complexity. You will need to practice a little with this utility—preferably on a test network—before trying to make mass changes to your live Active Directory.
