6. Importing Users with LDIFDE
You can also use Ldifde.exe to import or export Active Directory objects, including users. The LDAP Data Interchange Format (LDIF), defined in RFC 2849, is a standard file format for performing batch operations against any directory that conforms to the LDAP standards. LDIF supports both import and export, as well as batch operations that modify or delete existing objects. The LDIFDE command implements these batch operations by using LDIF files.
An LDIF file consists of one or more blocks of lines; each block constitutes a single operation. Each line consists of an attribute name followed by a colon, a space, and the value of the attribute. For example, suppose you wanted to import user objects for two employees named Bonnie Kearney and Bobby Moore. The contents of the LDIF file would look similar to the following example:
dn: CN=Bonnie Kearney,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bonnie Kearney
sn: Kearney
title: Operations
description: Operations (London)
givenName: Bonnie
displayName: Kearney, Bonnie
company: Contoso, Ltd.
sAMAccountName: bonnie.kearney
userPrincipalName: [email protected]
mail: [email protected]

dn: CN=Bobby Moore,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Bobby Moore
sn: Moore
title: Legal
description: Legal (New York)
givenName: Bobby
displayName: Moore, Bobby
company: Contoso, Ltd.
sAMAccountName: bobby.moore
userPrincipalName: [email protected]
mail: [email protected]
Each operation begins with the dn attribute of the object that is the target of the operation. The next line, changetype, specifies the type of operation: add, modify, or delete. Multiple operations in a single file are separated by a blank line. In a modify operation, each attribute change (adding, replacing, or deleting values of one attribute) ends with a line containing only a dash (-); a delete operation needs only the dn and changetype lines.
As you can see, the LDIF file format is not as intuitive or
familiar as the comma-separated text format. However, because the LDIF
format is also a standard, many directory services and databases can
export LDIF files.
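To make that layout concrete, the following is an added example (it is not code from the book) that writes the three kinds of LDIF change record just described and parses them back, so that an import file can be checked before it is handed to ldifde -i. The user records, the container OU and the contoso.com user principal names are constructed sample data. The example also applies the general LDIF rule, which the book mentions only for unicodePwd, that a value that is not a plain ASCII "safe string" (non-ASCII text, or a value that starts with a space, a colon or "<") is written after two colons in Base64:

```python
import base64

BASE = "OU=User Accounts,DC=contoso,DC=com"   # constructed sample container


def needs_base64(value):
    """RFC 2849 SAFE-STRING check: a value that starts with a space, ':' or
    '<', ends with a space, or holds non-ASCII, NUL, CR or LF must be
    written in the 'name:: base64' form."""
    if value == "":
        return False
    if value[0] in " :<" or value[-1] == " ":
        return True
    return any(ord(c) > 127 or c in "\0\r\n" for c in value)


def attr_line(name, value):
    """One 'name: value' line; 'name:: base64' for bytes or unsafe strings."""
    if isinstance(value, bytes):
        return "%s:: %s" % (name, base64.b64encode(value).decode("ascii"))
    if needs_base64(value):
        return "%s:: %s" % (name, base64.b64encode(value.encode("utf-8")).decode("ascii"))
    return "%s: %s" % (name, value)


def add_record(dn, attrs):
    """'add': dn, changetype, then one line per (name, value); a multi-valued
    attribute such as objectClass is listed once per value."""
    lines = [attr_line("dn", dn), "changetype: add"] + [attr_line(n, v) for n, v in attrs]
    return "\n".join(lines) + "\n"


def modify_record(dn, changes):
    """'modify': each (op, name, values) change, op in add/replace/delete,
    is closed by a line holding only a dash."""
    lines = [attr_line("dn", dn), "changetype: modify"]
    for op, name, values in changes:
        lines += ["%s: %s" % (op, name)] + [attr_line(name, v) for v in values] + ["-"]
    return "\n".join(lines) + "\n"


def delete_record(dn):
    """'delete': only the dn and the changetype are needed."""
    return attr_line("dn", dn) + "\nchangetype: delete\n"


def write_ldif(records):
    return "\n".join(records)          # one blank line separates operations


def parse_ldif(text):
    """Read change records back as {'dn', 'changetype', 'attrs'} dicts.
    Handles '::' Base64 values, '#' comments and folded continuation lines
    (a line beginning with one space continues the previous line); 'dn' and
    'changetype' match case-insensitively, as LDIFDE does."""
    records = []
    for block in text.replace("\r\n", "\n").split("\n\n"):
        lines = []
        for raw in block.split("\n"):
            if raw.startswith(" ") and lines:
                lines[-1] += raw[1:]
            elif raw and not raw.startswith("#"):
                lines.append(raw)
        if not lines:
            continue
        rec = {"dn": None, "changetype": None, "attrs": []}
        for line in lines:
            if line == "-":
                rec["attrs"].append(("-", None))
                continue
            name, sep, rest = line.partition(":")
            if not sep:
                raise ValueError("malformed LDIF line: %r" % line)
            if rest.startswith(":"):
                value = base64.b64decode(rest[1:].strip())
                if b"\0" not in value:          # keep binary (e.g. unicodePwd) as bytes
                    try:
                        value = value.decode("utf-8")
                    except UnicodeDecodeError:
                        pass                    # genuinely binary: keep bytes
            else:
                value = rest.strip()
            key = name.lower()
            if key == "dn":
                rec["dn"] = value
            elif key == "changetype":
                rec["changetype"] = value.lower()
            else:
                rec["attrs"].append((name, value))
        records.append(rec)
    return records


def build_sample():
    """Constructed import file: two adds (one with a non-ASCII name), a
    modify whose new value starts with a space, and a delete."""
    users = [  # (cn, givenName, sn, sAMAccountName, description) sample data
        ("Bonnie Kearney", "Bonnie", "Kearney", "bonnie.kearney", "Operations (London)"),
        ("Klaus Müller", "Klaus", "Müller", "klaus.mueller", "Operations (Köln)"),
    ]
    recs = []
    for cn, given, sn, sam, desc in users:
        recs.append(add_record("CN=%s,%s" % (cn, BASE), [
            ("objectClass", "top"), ("objectClass", "person"),
            ("objectClass", "organizationalPerson"), ("objectClass", "user"),
            ("cn", cn), ("sn", sn), ("givenName", given), ("sAMAccountName", sam),
            ("userPrincipalName", sam + "@contoso.com"), ("description", desc)]))
    recs.append(modify_record("CN=Bonnie Kearney," + BASE, [
        ("replace", "title", ["Operations Manager"]),
        ("replace", "description", [" starts with a space"])]))
    recs.append(delete_record("CN=Klaus Müller," + BASE))
    return write_ldif(recs)


if __name__ == "__main__":
    print(build_sample())
```

Running the script prints a file you could save as NewUsers.ldf; the non-ASCII dn and description come out as "dn::" and "description::" lines, which is exactly what LDIFDE itself emits when it exports such values.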
After creating or obtaining an LDIF file, you can perform the operations specified by the file by using the LDIFDE command. From a command prompt, type ldifde /? for usage information. The two most important switches for the LDIFDE command are:
- -i  Turn on Import mode. Without this parameter, LDIFDE exports information.
- -f filename  The file from which to import, or to which to export.
For example, the following command imports objects from the file
named Newusers.ldf:
ldifde -i -f newusers.ldf
The behavior of the command can be adjusted with additional parameters. The most useful parameters are summarized in Table 1.
Table 1. LDIFDE Parameters

| COMMAND | USAGE |
|---|---|
| GENERAL PARAMETERS | |
| -i | Import mode. (The default is Export mode.) |
| -f filename | Import or export file name. |
| -s servername | The domain controller to bind to for the query. |
| -c FromDN ToDN | Convert occurrences of FromDN to ToDN. This is useful when importing objects from another domain, for example. |
| -v | Turn on verbose mode. |
| -j path | Log file location. |
| -h | Enable Simple Authentication and Security Layer (SASL) signing and encryption. Required when an import sets unicodePwd, because Active Directory refuses to set a password over an unprotected connection. |
| -? | Help. |
| EXPORT-SPECIFIC PARAMETERS | |
| -d RootDN | The root of the LDAP search. The default is the root of the domain. |
| -r Filter | LDAP search filter. The default is (objectClass=*), meaning all objects. |
| -p SearchScope | The scope, or depth, of the search: base (only the object named by RootDN), onelevel (only the immediate children of RootDN, not RootDN itself), or subtree (RootDN and every object beneath it). |
| -l list | Comma-separated list of attributes to include in the export for resulting objects. Useful if you want to export a limited number of attributes. |
| -o list | Comma-separated list of attributes to omit from the export for resulting objects. Useful if you want to export all but a few attributes. |
| IMPORT-SPECIFIC PARAMETER | |
| -k | Ignore errors and continue processing if Constraint Violation or Object Already Exists errors appear. |
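The three values of -p SearchScope are easy to confuse, so here is an added example (not code from the book) that applies the base, onelevel and subtree rules to a list of constructed distinguished names under the User Accounts OU used throughout this lesson. The DN splitter honors backslash-escaped commas, which matter in practice because a CN such as "Moore, Bobby" is written as CN=Moore\, Bobby in a DN; the sample DNs and the OU=Sales sub-OU are assumptions for the example only:

```python
def split_dn(dn):
    """Split a DN into its RDNs, keeping backslash-escaped commas
    (e.g. 'CN=Moore\\, Bobby') inside the value they belong to."""
    rdns, cur, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):   # escaped character: copy both
            cur.append(dn[i:i + 2])
            i += 2
            continue
        if dn[i] == ",":
            rdns.append("".join(cur).strip())
            cur = []
        else:
            cur.append(dn[i])
        i += 1
    rdns.append("".join(cur).strip())
    return rdns


def in_scope(dn, root_dn, scope):
    """Would dn be returned by 'ldifde -d root_dn -p scope'?
    base     = root_dn itself only
    onelevel = the immediate children of root_dn (not root_dn itself)
    subtree  = root_dn and everything beneath it"""
    parts = [r.lower() for r in split_dn(dn)]
    root = [r.lower() for r in split_dn(root_dn)]
    if len(parts) < len(root) or parts[len(parts) - len(root):] != root:
        return False                            # not under root at all
    depth = len(parts) - len(root)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "subtree":
        return True
    raise ValueError("scope must be base, onelevel or subtree")


def select(dns, root_dn, scope):
    return [d for d in dns if in_scope(d, root_dn, scope)]


# Constructed sample DNs (not from the book)
ROOT = "OU=User Accounts,DC=contoso,DC=com"
SAMPLE_DNS = [
    ROOT,
    "CN=Bonnie Kearney," + ROOT,
    "CN=Moore\\, Bobby," + ROOT,            # escaped comma inside the CN value
    "CN=Jeff Ford,OU=Sales," + ROOT,        # one level deeper: a sub-OU (assumed)
    "CN=Sales,OU=Groups,DC=contoso,DC=com",  # outside the root entirely
]

if __name__ == "__main__":
    for scope in ("base", "onelevel", "subtree"):
        print(scope, select(SAMPLE_DNS, ROOT, scope))
```

The comparison lowercases each RDN because Active Directory matches DNs case-insensitively; it does not normalize internal whitespace or hex-escaped values, which a full RFC 4514 parser would.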
EXAM TIP
For the 70-640 certification exam, you should understand that both CSVDE and LDIFDE are able to import and export objects by using their respective file formats. Both commands are in the export mode by default and require the -i parameter to specify import mode. Only LDIFDE is capable of modifying existing objects or removing objects. You can specify a user's password with DSAdd, and you can import a user's password with LDIFDE, but not with CSVDE. If you create users within a domain with a policy requiring passwords, the accounts will be disabled until you reset their passwords and enable the accounts.
Note: USER PASSWORDS
You can specify a user's password in an LDIFDE add or modify operation. To do so, you set the unicodePwd attribute. The value is the user's password, surrounded by double quotes, encoded as UTF-16 little-endian (the "Unicode" encoding Windows uses) and then converted to Base64. Because the value is Base64, the attribute name is followed by two colons rather than one. Finally, Active Directory accepts a new password only over a protected connection, so you must perform the operation with SASL signing and encryption enabled by including the -h parameter of the LDIFDE command. Keep in mind that Base64 is an encoding, not encryption: anyone who can read the LDIF file can recover every password in it, so restrict access to the file and delete it as soon as the import has completed.
Practice: Automating the Creation of User Accounts
In this practice, you create several user accounts with automated methods discussed in this lesson. To perform the exercises in this practice, you will need the following objects in the contoso.com domain:
- A first-level OU named User Accounts
- A first-level OU named Groups
- A global security group in the Groups OU named Sales
EXERCISE 1 Create Users with a User Account Template
In this exercise, you create a user account template that is prepopulated with properties for sales representatives. You will then create a user account for a new sales representative by copying the user account template.
- Log on to SERVER01 as Administrator.
- Open the Active Directory Users And Computers snap-in and expand the domain.
- Right-click the User Accounts OU, choose New, and then select User.
- In the First Name box, type _Sales, including the underscore character.
- In the Last Name box, type Template.
- In the User Logon Name box, type _salestemplate, including the underscore character. Click Next.
- Type a complex password in the Password and Confirm Password boxes.
- Select the Account Is Disabled check box. Click Next. Click Finish.
  Notice that the underscore character at the beginning of the account's name ensures that the template appears at the top of the list of users in the User Accounts OU. Notice also that the icon of the user object includes a down arrow, indicating that the account is disabled.
- Double-click the template account to open its Properties dialog box.
- Click the Organization tab.
- In the Department box, type Sales.
- In the Company box, type Contoso, Ltd.
- Click the Member Of tab, and then click Add.
- Type Sales, and then click OK.
- Click the Profile tab.
- In the Profile Path box, type \\server01\profiles\%username% and then click OK.
  You have now created a template account that can be copied to generate new user accounts for sales representatives. Next, you will create an account based on the user account template.
- Right-click _Sales Template and choose Copy.
- In the First Name box, type Jeff.
- In the Last Name box, type Ford.
- In the User Logon Name box, type jeff.ford. Click Next.
- Type a complex password in the Password and Confirm Password boxes.
- Clear the Account Is Disabled check box.
- Click Next, and then click Finish.
- Open the properties of the Jeff Ford account and confirm that the attributes you configured in the template were copied to the new account.
EXERCISE 2 Create a User with the DSAdd Command
In this exercise, you use the DSAdd command to create a user account for Mike Fitzmaurice in the User Accounts OU.
- Open Command Prompt, type the following command on one line, and then press Enter:
  dsadd user "cn=Mike Fitzmaurice,ou=User Accounts,dc=contoso,dc=com" -samid mike.fitz -pwd * -mustchpwd yes -company "Contoso, Ltd." -email [email protected]
- You are prompted to enter a password for the user twice. Type a password that is complex and at least seven characters long, then press Enter. You will not see the characters of the password as you type.
- Switch to Active Directory Users And Computers, refresh the view of the User Accounts OU, and then open the properties of Mike's user account. Confirm that the properties you entered on the command line appear in the account.
EXERCISE 3 Import Users with CSVDE
In the previous two exercises, you created users one at a time. In this exercise, you use a comma-delimited text file to import two users.
- Open Notepad and enter the following three lines:
  DN,objectClass,sn,givenName,sAMAccountName,userPrincipalName
  "CN=David Jones,OU=User Accounts,DC=contoso,DC=com",user,Jones,David,david.jones,[email protected]
  "CN=Lisa Andrews,OU=User Accounts,DC=contoso,DC=com",user,Andrews,Lisa,lisa.andrews,[email protected]
- Save the file to your Documents folder with the name NewUsers.txt, and then close Notepad.
- Switch to Command Prompt.
- Type cd %userprofile%\Documents and press Enter.
- Type csvde -i -f NewUsers.txt -k and press Enter.
  The two users are imported. If you encounter any errors, examine the text file for typographical problems.
- Switch to Active Directory Users And Computers, refresh the view of the User Accounts OU, and then confirm that the users were created successfully.
- Examine the accounts to confirm that first name, last name, user principal name, and pre-Windows 2000 logon name are populated according to the instructions in NewUsers.txt.
EXERCISE 4 Import Users with LDIFDE
Like CSVDE, LDIFDE can be used to import users. The LDIF file format, however, is not a typical delimited text file. In this exercise, you use LDIFDE to import two users.
- Open Notepad and type the following lines. Be sure to include the blank line between the two operations. Also note that there are two colons after unicodePwd.
DN: CN=April Stewart,OU=User Accounts,DC=contoso,DC=com
changeType: add
CN: April Stewart
objectClass: user
sAMAccountName: april.stewart
userPrincipalName: [email protected]
givenName: April
sn: Stewart
displayName: Stewart, April
mail: [email protected]
description: Sales Representative in the USA
title: Sales Representative
department: Sales
company: Contoso, Ltd.
unicodePwd::IgBQAGEAJAAkAHcAMAByAGQAIgA=
userAccountControl:512

DN: CN=Tony Krijnen,OU=User Accounts,DC=contoso,DC=com
changeType: add
CN: Tony Krijnen
objectClass: user
sAMAccountName: tony.krijnen
userPrincipalName: [email protected]
givenName: Tony
sn: Krijnen
displayName: Krijnen, Tony
mail: [email protected]
description: Sales Representative in The Netherlands
title: Sales Representative
department: Sales
company: Contoso, Ltd.
unicodePwd::IgBQAGEAJAAkAHcAMAByAGQAIgA=
userAccountControl:512
  The value of the unicodePwd attribute, IgBQAGEAJAAkAHcAMAByAGQAIgA=, is the Base64 encoding of the password, Pa$$w0rd, surrounded by double quotes and encoded as UTF-16LE. The value of the userAccountControl attribute, 512 (hex 0x200), specifies an enabled, normal user account.
- Save the file to your Documents folder with the name "NewUsers.ldf." Surround the file name with quotes; otherwise, Notepad will add a .txt extension. Then close Notepad.
  Although you can import LDIF files with any extension, it is conventional to use the .ldf extension.
- Switch to Command Prompt.
- Type cd %userprofile%\Documents and press Enter.
- Type ldifde -i -f NewUsers.ldf -k -h and press Enter.
  The two users are imported. If you encounter any errors, examine the text file for typographical problems.
- Switch to Active Directory Users And Computers, refresh the view of the User Accounts OU, and then confirm that the users were created successfully and that the accounts are enabled.
- Examine the accounts to confirm that user properties are populated according to the instructions in NewUsers.ldf.
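The USER PASSWORDS note and Exercise 4 both rely on the unicodePwd encoding, so here is one added example (not code from the book) that covers both: it produces the unicodePwd line for a given password, reverses the encoding to show that the password is recoverable from the file, decodes userAccountControl into its flag names, and audits an import file before it is handed to ldifde -i -h. The sample import file is constructed for the example; its first unicodePwd value is the one the exercise uses for Pa$$w0rd, and the second record is a deliberately weak service account. The SASL-protected connection that -h provides cannot be shown offline, so the example stops at the file:

```python
import base64


def encode_unicode_pwd(password):
    """Value AD expects in unicodePwd: the password in double quotes,
    encoded as UTF-16LE, then Base64 (written after 'unicodePwd::')."""
    return base64.b64encode(('"%s"' % password).encode("utf-16-le")).decode("ascii")


def unicode_pwd_line(password):
    """The LDIF line to put in an add or modify record; note the two colons."""
    return "unicodePwd:: " + encode_unicode_pwd(password)


def decode_unicode_pwd(b64):
    """Reverse the encoding: Base64 is not encryption, so anyone who can read
    the import file can recover the password."""
    raw = base64.b64decode(b64).decode("utf-16-le")
    if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        raise ValueError("unicodePwd value is not a double-quoted password")
    return raw[1:-1]


UAC_FLAGS = {  # userAccountControl bits (subset)
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x100000: "NOT_DELEGATED",
    0x400000: "DONT_REQ_PREAUTH",
    0x1000000: "TRUSTED_TO_AUTH_FOR_DELEGATION",
}
RISKY_UAC = {"PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH",
             "TRUSTED_FOR_DELEGATION", "TRUSTED_TO_AUTH_FOR_DELEGATION"}


def decode_uac(value):
    """Names of the flags set in a userAccountControl value, lowest bit first."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]


def audit_ldif(text):
    """Walk an import file record by record and report, per dn, the password
    that would be set (recovered from unicodePwd) and any userAccountControl
    flags that weaken the account. Run this before ldifde -i, then delete
    the file: every password in it is recoverable."""
    findings, current = [], None
    for line in text.splitlines() + [""]:
        if not line.strip():                       # blank line ends the record
            if current:
                findings.append(current)
            current = None
            continue
        name, _, rest = line.partition(":")
        is_b64 = rest.startswith(":")
        value = (rest[1:] if is_b64 else rest).strip()
        key = name.strip().lower()
        if key == "dn":
            dn = base64.b64decode(value).decode("utf-8") if is_b64 else value
            current = {"dn": dn, "password": None, "flags": [], "risky": []}
        elif current is None:
            continue
        elif key == "unicodepwd":
            current["password"] = decode_unicode_pwd(value)
        elif key == "useraccountcontrol":
            current["flags"] = decode_uac(int(value))
            current["risky"] = sorted(RISKY_UAC & set(current["flags"]))
    return findings


# Constructed sample import file (not from the book). The first unicodePwd
# value is the one the exercise uses for Pa$$w0rd; the second record is a
# deliberately weak service account.
SAMPLE_LDIF = "\n".join([
    "dn: CN=April Stewart,OU=User Accounts,DC=contoso,DC=com",
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: april.stewart",
    "unicodePwd::IgBQAGEAJAAkAHcAMAByAGQAIgA=",
    "userAccountControl: 512",
    "",
    "dn: CN=Svc Batch,OU=User Accounts,DC=contoso,DC=com",
    "changetype: add",
    "objectClass: user",
    "sAMAccountName: svc.batch",
    unicode_pwd_line("Summer2008!"),
    "userAccountControl: 4260352",   # 0x410200: NORMAL_ACCOUNT | DONT_EXPIRE_PASSWORD | DONT_REQ_PREAUTH
    "",
])

if __name__ == "__main__":
    for f in audit_ldif(SAMPLE_LDIF):
        print(f["dn"], "->", f["password"], f["flags"], f["risky"])
```

The audit deliberately prints the recovered passwords: that is the point. If the file is readable to anyone other than the administrator running the import, or if it survives on disk afterwards, the import has leaked every initial password it set.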