Modifying Directory Objects. Export and Import | Windows .NET Server 2003 Domains & Active Directory

There are, in fact, quite a number of tools that allow an administrator to create, delete, and modify one or more Active Directory objects. You should be familiar with all (or at least most) of them to be able to choose the most effective tool for a specific task. Let us list all of the main facilities provided on Windows 2000 and Windows .NET platforms:

Standard snap-ins installed by default (see Chapter 7, "Domain Manipulation Tools") — universal GUI tools that work with one object only, and in Windows 2000, have modest support for group operations.
- The Active Directory Users and Computers snap-in creates users, contacts, groups, computers, printers, shared folders, and OUs.
- The Active Directory Sites and Services snap-in creates sites, subnets, links, and connections.
- The Active Directory Domains and Trusts snap-in creates inter-domain trusts.
Standard Windows .NET command-line utilities that perform specialized operations and can be used for managing Active Directory objects from the command prompt.
- DsAdd.exe (see below) creates specific types of objects.
- DsMod.exe (see Chapter 12, "Manipulating Active Directory Objects") modifies properties of specific object types.
- DsRm.exe removes any objects.
- DsMove.exe moves any objects to another container as well as renames them.
Note
Pay attention to the fact that the DsMod.exe utility can pipe in results from DsQuery.exe, which significantly enhances the utility's flexibility and effectiveness.
Specialized administrative GUI tools (see Chapter 7 and Chapter 12) used for specific operations and for fine-tuning and troubleshooting Active Directory.
- The Active Directory Schema snap-in creates attributes and classes.
- The ADSI Edit snap-in, Ldp.exe and AdsVw.exe create objects of any type (including objects which cannot be created by any other tools), but are primarily useful for editing attributes.
Tools for import/export (see Chapter 12) — command-line utilities that could (and should) serve as powerful tools for administering large-scale Active Directory installation. LDIFDE can also be used for changing the attributes of a number of similar objects. On computers running Windows .NET, utilities from the Ds*.exe "family" might be a better choice in many cases.
- LDIFDE
- CSVDE
Utilities intended for specific tasks (see later in this chapter and the Remote Administration Scripts in the Windows 2000 Server Resource Kit).
- AddUsers.exe, CreateUsers.vbs, and others (e.g., NetDom.exe can be used for creating machine accounts in domains)
ADSI scripts (see Chapter 16, "Active Directory Service Interfaces (ADSI)" and Chapter 17, "Scripting Administrative Tasks") — the most flexible of the options and, in fact, a quite simple way to manipulate Active Directory objects (especially for periodic routine tasks and when a large number of objects are to be processed).

Using the Active Directory Users and Computers Snap-in

The Active Directory Users and Computers snap-in is, maybe, the main tool that an administrator will use daily to manage various domain resources. The procedure of creating and deleting Active Directory objects is basically the same for all types of objects. There are buttons on the Standard toolbar for some of the most used objects:

Create a new user in the current container
Create a new group in the current container
Create a new organizational unit in the current container

You can select one, several, or all created objects and move them into any container or OU in the current domain. As usual in Windows, use the <Shift> or <Ctrl> keys for selecting multiple objects.

The Windows .NET version of the Active Directory Users and Computers snap-in offers some improvements in the user interface: you can use drag-and-drop operations, and modify properties of several objects selected (for more details, see Chapter 7, "Domain Manipulation Tools").

It is possible to choose a user account as a template, and create users with the same properties (group memberships, profile settings, etc.) To start this process, select a "template" user and click Copy on its context menu.

Note

Organizational units can only be created in the OU or domain containers.

Note

If you want to move objects between different domains in the same tree or non-adjacent trees, you need to use the MoveTree utility from the Support Tools (see Chapter 13, "Migration Tools").

Caution

Built-in domain local groups cannot be deleted or moved from the Builtin container.

Adding Users and Groups to Domain

There are a few utilities (besides the batch import tools LDIFDE and CSVDE and custom scripts) that simplify the creation of a number of user accounts in a field or test environments.

Windows .NET Utility — DsAdd

A brand-new Windows .NET utility, DsAdd.exe, can create single computer, contact, group, OU, and user objects in AD-based domains. It uses the LDAP protocol only.

With DsAdd, you can create a local, global, or universal (if it is allowed) group and add specified members to it at the same time (not later!). For example:

    C:\>dsadd group CN=Admins, OU=Staff, DC=net, DC=dom -members      "CN=John, OU=Staff, DC=net, DC=dom" "CN=Tim, OU=Personnel, DC=net, DC=dom"

Here is an example of how to use DsAdd to create a user and add it to the specified groups:

    C:\>dsadd user CN=Alice, OU=Staff, DC=net, DC=dom -memberof      xg312 "CN=Admins, OU=Staff, DC=net, DC=dom"      "CN=Account Operators, CN=Builtin, DC=net, DC=dom"

CreateUsers.vbs Script (RK)

This script can only create users. It operates with both the WinNT and LDAP providers. The created accounts will be enabled. The following attributes are required (the minimal set of attributes):

WinNT — name and password
LDAP — cn, samAccountName, and password

Note

You can specify many other attributes, too; however, not any attribute available for an user object is permitted. Carefully test your command (and the input file, if present). Be sure that all specified attributes are consistent; otherwise, you could easily get an error message similar to:

    Error 0X80072035 occurred in settings properties for user cn=...

This error (8245) means that "The server is unwilling to process the request". One of the possible sources of this error is the incorrect "naming" attributes: cn, name, sn, distinguishedName, etc. Do not forget to enclose any attributes' values containing spaces in double quotes.

Here is the simplest example of how to create a user with CreateUsers.vbs:

    C:\>createusers WinNT://NET name:user01 password:psw1

The script must output the following:

    Working ...    Getting domain WinNT://NET ...    Creating user user01    Succeeded in creating user user01 in NET.

To disable output of informative messages, use the /q parameter.

New users will always be created in the Users container. You could move them to other containers (most probably, organizational units), but a better way would be to use the "LDAP-version" of the CreateUsers.vbs, which "understands" the Active Directory structure:

    C:\>createusers LDAP: //OU=Staff, DC=net, DC=dom cn: "User User01"      samAccountName: user-ldap01 password:psw1

Maybe the most intriguing issue is how to create a number of users at once. It is actually very easy. Create a file with the desired user properties and use the appropriate provider (WinNT or LDAP). For example, the following command will create users specified in a file in the Staff OU:

     createusers LDAP://OU=Staff, DC=net, DC=dom /i:newUsers.txt

The file of descriptions may be similar to the following:

    cn: "User01" samAccountName:user01 password:psw1    cn: "User02" samAccountName:user02 password:psw2    ...

AddUsers.exe (RK)

In comparison to CreateUsers.vbs, AddUsers.exe has a few additional features. Besides adding users and groups to a domain, it allows you to:

Dump account information (users and groups) to a file.
Specify the control account-creation options. By default, a new user must change his or her password at logon.
Delete users or groups. Account names can only be specified in the input file.
Create an input file in a spreadsheet program, such as Microsoft Excel, and save it in comma-delimited format, which the tool can use. A separator character other than a comma can be specified.

One negative aspect of AddUsers.exe is that the tool doesn't "see" the Active Directory structure.

Note

Using AddUsers.exe, you can successfully add users to existing groups, despite the "Group already exists" error message. The groups may be located in any container in Active Directory, not only in the "default" Users container.

A sample dump file produced by AddUsers.exe is placed below (the attributes' names are in bold braces and are not really included in the file). Such a file can easily be imported to a spreadsheet.

     [User]     {samAccountName, name, password, description, homeDrive, homeDirectory, profilePath, scriptPath}     Administrator,,,Built-in account for administering the       computer/domain,,,,     Guest,,,Built-in account for guest access to the computer/domain,,,,     JSmith,John Smith,,A test user,Z:,\\netdcl\UserData\JSmith,       \\netdcl\Profiles\JSmith,Users\Welcome.vbs...     [Global]     {samAccountName, description, member's account names...}     Domain Admins,Designated administrators of the domain,Administrator,     Domain Controllers,All domain controllers in the       domain,NETDC1$,NETDC4$,     Domain Users,All domain users,Administrator,HelpAssistant_67861b,     SUPPORT_388945a0, krbtgt,SUBDOM$,Bob,John,Pam,...     ...     [Local]     {samAccountName, description, member's account names...}     Administrators,Administrators have complete and unrestricted       access to the computer/domain,NET\Administrator,NET\Enterprise       Admins,NET\Domain Admins,     DC1Loca1Group,NET\John,NET\Lee,NET\Jessica,NET\Globa1Gr1,NET\UniGr2,       NET\DC1LocGr1,     ...

Notice in the last line that groups may contain other groups (the group names are shown in bold) including local groups (at the native and Windows .NET (version 2002) functional levels of a domain).

Caution

It is possible that this tool has problems displaying memberships in global and universal (placed in the [Global] section) groups. Test this in your environment before you do any real work!

As you can see, the dump file contains three sections: User, Global, and Local. The same format can be used for creating new users and groups. The irrelevant trailing commas, as well as unused sections, can be omitted in the input file. New groups may either be empty or contain the names of their members.

Modifying Group Membership

The Active Directory Users and Computers snap-in has a feature for "bulk" operations that permits you to add a number of selected users and contacts to a group. Point to an account (or choose a few accounts) and select the Add to a group command from the context or Action menu, or click the Add the selected objects to a group you specify button on the toolbar. Then specify a group in the Select Group window. In Windows .NET, you can also carry out drag-and-drop operations.

If you initially select an OU, the system asks whether you want to add all users and contacts from this container to the specified group. This feature is very helpful for administering OUs (but in Windows .NET, it is lacking).

To populate groups, you can use the LDIFDE and CSVDE tools, as well as the AddUsers.exe utility. LDIFDE is also able to delete members from groups.

On computers running Windows .NET, you can use the standard DsMod.exe utility that performs all modifications of groups. For example, the following command adds two new members to the Schema Admins group:

    C:\>dsmod group "CN=Schema Admins,CN=Users,DC=net,DC=dom" -addmbr      "CN=John Smith,OU=Staff,DC=net,DC=dom"      "CN=Pamela,OU=Staff,DC=net,DC=dom"

The -rmmbr parameter removes the specified members, and the ‘-chmbr parameter replaces all group members.