Bulk Import and Export of AD Objects


Microsoft provided a simple but powerful set of tools in Windows 2000 and Windows Server 2003 to bulk import and export AD objects between domains or OUs within a forest, or between forests. Further, you should be able to copy objects between Windows 2000 or Windows Server 2003 and any LDAP v3-compliant directory service; how well that works depends on how closely each directory service follows the LDAP standard. The tools Microsoft provides, native to Windows 2000 and Windows Server 2003, are LDIFDE.exe and CSVDE.exe.

Microsoft has published two documents on LDIFDE:

  • Step-by-Step Guide to Bulk Import and Export to Active Directory at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/AD/windows2000/howto/bulkstep.asp .

  • Microsoft KB article 237677, "Using LDIFDE to import and export directory objects to Active Directory."

However, both of these have errors, or at least some of the syntax is not clear. In addition, the examples stop at a single user object. Adding more objects requires some unusual separators between the entries. This section provides a very basic guide to using these tools, with examples that work and explanations that make it easy to do the first time.

LDIFDE and CSVDE have pretty much the same options and functionality, except that CSVDE imports or exports objects using a CSV file. You can export users, for example, into a CSV file and then import them into an Excel spreadsheet. CSVDE also cannot be used to delete or modify objects. These are particularly powerful tools, allowing you to dump objects and attributes from the AD to a plain text file, modify them there, and import them back into the domain. They are native to the Windows 2000 and Windows Server 2003 products, but the executable for each can be copied from the %windir%\system32 directory to an XP or Windows 2000 Professional client.

Suppose your company had just moved to a new campus of buildings and the address and ZIP code changed. Rather than editing each user account to reflect those attributes, you could dump the users, address, and ZIP code fields into a text file; use an editor to do a mass change to add the new address to everyone's account; and import them back into the AD. Following are a few examples to help you understand the basics.

note

Windows 2000 includes the WSH, so VBScript scripts can be run from the command line with the Cscript command. These exercises require that you be logged on as an Administrator in order to ensure that you have the privileges to perform export and import operations in the AD.


Export All Objects

To export all objects in the domain (Company.com) using ATL-DC1 as the server, follow these steps:

1. Click Start, point to Programs, point to Accessories, and click Command Prompt (or click Start, click Run, and type CMD in the Run dialog).

2. At the command prompt, type the following (the system responses are noted below the command line):

 C:\>ldifde -f Export.ldf -s ATL-DC1
 Connecting to "ATL-DC1"
 Logging in as current user using SSPI
 Exporting directory to file Export.ldf
 Searching for entries...
 Writing out entries---------------- ---------------------
 115 entries exported

Open the Export.ldf file in a text editor; it will be large (depending on the number of objects in the domain). Note that each of the entries carries a lot of unneeded information relating to the server, such as the FSMO role, "reps from" and "reps to" for replication, and user account information (logon hours, account expiration date, and instanceType). A typical entry for a user in this file looks like this:

 dn: CN=Gary Olsen,CN=Users,DC=Company,DC=com
 changetype: add
 accountExpires: 9223372036854775807
 badPasswordTime: 0
 badPwdCount: 0
 codePage: 0
 cn: Gary Olsen
 countryCode: 0
 displayName: Gary Olsen
 givenName: Gary
 instanceType: 4
 lastLogoff: 0
 lastLogon: 0
 logonCount: 0
 distinguishedName: CN=Gary Olsen,CN=Users,DC=Company,DC=com
 objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Company,DC=com
 objectClass: user
 objectGUID:: 4QiWdzpEYk2UTNL6iz/msA==
 objectSid:: AQUAAAAAAAUVAAAA/j9VVfSHVADdy8sQWwQAAA==
 primaryGroupID: 513
 pwdLastSet: 126270827951240348
 name: Gary Olsen
 sAMAccountName: golsen
 sAMAccountType: 805306368
 sn: Fortenberry
 userAccountControl: 512
 userPrincipalName: golsen@company.com
 uSNChanged: 100977
 uSNCreated: 100972
 whenChanged: 20010219185955.0Z
 whenCreated: 20010219185824.0Z

tip

If running an ldifde command displays the online help instead, you have a syntax problem in the command line. If you get a message such as "0 entries returned", either the syntax is incorrect or the search options are wrong: they are set to search for something that doesn't exist. For instance, if you search for users in a domain where there are no users, 0 entries are returned. Likewise, if you specify a container that doesn't exist (for example, because you mistyped the name), 0 entries are returned.


Export Filters

There are a number of export-specific filters to help refine the exported data. These can be found in the online help and are shown in Table 10.2.

Table 10.2. Ldifde Export Filters

 Command  Argument      Explanation
 -d       RootDN        Root (container) of the LDAP search.
 -r       Filter        LDAP search filter (defaults to "(objectClass=*)").
 -p       Search scope  Base, OneLevel, or Subtree.
 -l       list          List of attributes (comma-separated) to look for in the LDAP search.
 -o       list          List of attributes (comma-separated) to omit from input.
 -m                     Enable the SAM logic on export.
 -n                     Do not export binary values.
 -g                     Disable paged search.


The attribute list can include any attribute you want. For instance, if you have changed the company address, you can export all the affected user objects and their address attributes (street address, city, state, postal code), modify them, and import them back in with the changes. The trick is to find out what the attribute's LDAP name really is. For instance, in the Users and Computers snap-in, the properties of a user show a field for "City". However, the attribute name is really "l", so you would have to use "l" in the attribute list of the ldifde command. An easy way to see attribute names is with the LDP or ADSIEDIT tools. Figure 10.15 shows how to expose the attributes of a user to see what the name is. Note that the word "city" does not appear, but I know that the city for this user is Alpharetta, so the LDP view shows that the attribute is "l".

Figure 10.15. Using the LDP tool to expose attributes that can be used for export or import via ldifde.exe.

The best way to understand how these filters work is by way of example, provided in the following section.

Examples

The export command shown in the preceding section can be further refined by specifying various filters. The -d argument specifies the rootDN where the search starts. To refine the previous export command, you can specify the Users container and use the -n option to leave out binary data, such as certificate data, and get a cleaner output. For example:

 D:\>ldifde -f users.ldf -s ATL-DC1 -n -d "cn=users,dc=company,dc=com"
 Connecting to "ATL-DC1"
 Logging in as current user using SSPI
 Exporting directory to file users.ldf
 Searching for entries...
 Writing out entries........
 23 entries exported

In the next example, we'll filter the search so that we find only the user accounts in the Engineering OU, return only the full name (cn), streetAddress, city (l), state (st), and ZIP code (postalCode), and set the scope to one level. This example uses the -r, -l, and -p filter options:

 C:\>ldifde -f Address.ldf -s ATL-DC1 -d "ou=engineering,dc=company,dc=com" -p onelevel -r "(objectClass=user)" -l "cn,streetAddress,l,city,st,postalCode"
 Connecting to "ATL-DC1"
 Logging in as current user using SSPI
 Exporting directory to file Address.ldf
 Searching for entries...
 Writing out entries.........
 9 entries exported

Notice that the exported data for each user lists only what we asked for. However, we made a mistake: we added "city" to the attribute list. There is no attribute called "city"; the attribute for city is "l". No error was returned, but no value for "city" was returned either. Also note that some user accounts lack some of the values, such as streetAddress. Again, there are no errors, but there are no values either. Here are a few of the exported users:

 dn: CN=Caroline Carter,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Caroline Carter

 dn: CN=Gary Olsen,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Gary Olsen
 l: Alpharetta
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

 dn: CN=kydon witbeck,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: kydon witbeck
 l: Dunwoody
 st: GA
 postalCode: 31212
 streetAddress: 2109 Karel Court

 dn: CN=Matt Urbanawiz,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Matt Urbanawiz
 l: Roswell
 st: GA
 postalCode: 30067
 streetAddress: 345 Azalea Drive

 dn: CN=Mitzi Santoto,OU=Engineering,DC=Company,DC=com
 changetype: add
 cn: Mitzi Santoto

Another trick is using the objectCategory to refine the search. The sample here would be limited to a search of the objectCategory "Person", making it more efficient than the previous examples:

 ldifde -f Engineering.ldf -s ATL-DC1 -d "ou=Engineering,dc=company,dc=com" -p subtree -r "(objectCategory=CN=Person,CN=Schema,CN=Configuration,DC=company,DC=com)"

This creates an LDIF file named Engineering.ldf, by connecting to the server named ATL-DC1 and executing a subtree search of the Engineering OU for all objects of the category Person. Note that objectCategory is an indexed attribute designed to enhance search performance.

Importing Objects into AD

Probably the most powerful feature of LDIFDE is the capability to import objects into the AD, either modified versions of previously exported objects or newly created ones. Objects can also be imported into other LDAP directory services (DS), and objects exported from other services can be imported into AD with an LDIFDE import. To import, you must use the -i option with the ldifde command, along with at least an input file name and the DC to connect to. The following command imports the objects specified in the input file newusers.ldf using the server ATL-DC1:

 ldifde -i -f newusers.ldf -s ATL-DC1

Modifying User Attributes

Following the example of the engineering organization moving to a new office address, we can modify the exported Address.ldf file with the needed corrections and import it back into the Engineering OU. Looking at the output from the previous example, you can see that some users had no address attributes and some had their home address listed. By editing that .ldf file and inserting the attributes for city, state, street address, and postal code, we can quickly import them into the AD. The Address.ldf file is modified to change the address to 123 Sycamore Court, Roswell, GA 30706 as follows:

 dn: CN=Caroline Carter,OU=Engineering,DC=Company,DC=com
 changetype: modify
 replace: l
 l: Roswell
 -
 replace: st
 st: GA
 -
 replace: postalCode
 postalCode: 30706
 -
 replace: streetAddress
 streetAddress: 123 Sycamore Court
 -

 dn: CN=Tyler Olsen,OU=Engineering,DC=Company,DC=com
 changetype: modify
 replace: l
 l: Roswell
 -
 replace: st
 st: GA
 -
 replace: postalCode
 postalCode: 30706
 -
 replace: streetAddress
 streetAddress: 123 Sycamore Court
 -

This import file has some interesting caveats that will drive you crazy until you figure them out. To save you some time, here they are:

  • If you are making changes to an existing object, use the modify changetype. Note that Caroline Carter didn't have any address attributes, but we used modify rather than add.

  • The syntax to replace an attribute is

     replace: <attribute>
     <attribute>: <new value>

  • You can specify multiple attribute changes, but each one must be separated with a line containing only a hyphen (-).

  • The first attribute replaced is not separated from the changetype line with a hyphen (-).

  • Before starting a new object, separate previous commands with a line containing only a hyphen and a blank line.

  • The ldifde command to import these changes to the AD is

     ldifde -i -f Address.ldf -s ATL-DC1
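Once more than a handful of users are involved, hand-editing the export into a modify file is where the hyphen and blank-line mistakes creep in. The following Python example is added here and is not code from the book: it parses an address export of the kind shown earlier (the sample LDIF text is constructed for the example), reports requested attribute names that no entry returned, which is how the "city" slip would have surfaced, and writes the changetype: modify file following the separator rules just listed. The NEW_ADDRESS values and the function names are this example's own.

```python
"""Generate an LDIF 'changetype: modify' file from an ldifde address export.

Added example, not code from the book. SAMPLE_EXPORT is constructed to look
like the output of
  ldifde -f Address.ldf -s ATL-DC1 -d "ou=engineering,dc=company,dc=com"
         -p onelevel -r "(objectClass=user)" -l "cn,streetAddress,l,st,postalCode"
The names parse_ldif, never_seen, build_modify_ldif and NEW_ADDRESS are
this example's own.
"""

# Constructed sample export: one user with no address attributes at all,
# one with an old address that must be replaced.
SAMPLE_EXPORT = """\
dn: CN=Caroline Carter,OU=Engineering,DC=Company,DC=com
changetype: add
cn: Caroline Carter

dn: CN=Gary Olsen,OU=Engineering,DC=Company,DC=com
changetype: add
cn: Gary Olsen
l: Alpharetta
st: GA
postalCode: 30706
streetAddress: 123 Sycamore Court
"""

# The new office address every exported user should receive.
NEW_ADDRESS = {
    "l": "Roswell",
    "st": "GA",
    "postalCode": "30706",
    "streetAddress": "123 Sycamore Court",
}


def parse_ldif(text):
    """Parse LDIF text into a list of entries (attribute -> list of values).

    Entries are separated by blank lines. Continuation lines (leading space)
    are unfolded, comment lines (#) and the lone '-' change separator are
    skipped, and base64 values written with '::' keep a '::' prefix so they
    are never mistaken for plain text.
    """
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]            # unfold a wrapped value
        else:
            lines.append(raw)

    entries, current = [], {}
    for line in lines:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#") or line == "-":
            continue
        name, _, rest = line.partition(":")
        if rest.startswith(":"):            # 'attr:: base64value'
            value = "::" + rest[1:].strip()
        else:
            value = rest.strip()
        current.setdefault(name.strip(), []).append(value)
    if current:
        entries.append(current)
    return entries


def never_seen(entries, requested):
    """Return the requested attribute names that no exported entry carries.

    ldifde returns nothing, and no error, for a name that is not a real
    attribute ("city" instead of "l"), so this is the check to run before
    trusting an export. Names are compared case-insensitively, as LDAP does.
    """
    seen = {name.lower() for entry in entries for name in entry}
    return [name for name in requested if name.lower() not in seen]


def build_modify_ldif(entries, new_values):
    """Write one 'changetype: modify' record per entry, replacing each
    attribute in new_values.

    Separator rules: no '-' between the changetype line and the first
    replace, a lone '-' after every replace, and a blank line before the
    next dn. 'replace' also works for entries that lack the attribute
    (Caroline Carter), which is why modify rather than add is used.
    """
    records = []
    for entry in entries:
        if "dn" not in entry:
            raise ValueError("LDIF entry without a dn line")
        lines = [f"dn: {entry['dn'][0]}", "changetype: modify"]
        for attr, value in new_values.items():
            lines += [f"replace: {attr}", f"{attr}: {value}", "-"]
        records.append("\n".join(lines))
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    exported = parse_ldif(SAMPLE_EXPORT)
    missing = never_seen(exported, ["cn", "streetAddress", "l", "city", "st", "postalCode"])
    if missing:
        print("requested but never returned:", ", ".join(missing))
    print(build_modify_ldif(exported, NEW_ADDRESS), end="")   # redirect to Address.ldf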

The results can be viewed in the Users and Computers snap-in, as shown in Figure 10.16.

Figure 10.16. User properties of user Caroline Carter showing modified values for address fields.


Adding New Users

Users can be added by creating a text file in the following format. Note that the objectClass must be specified and that a blank line separates the object specifications (and just when you thought you had that stuff with the hyphens figured out):

 dn: CN=Spencer Johnson,OU=Engineering,DC=company,DC=com
 changetype: add
 cn: Spencer Johnson
 objectClass: user
 l: Roswell
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

 dn: CN=Carter Urbanawiz,OU=Engineering,DC=company,DC=com
 changetype: add
 cn: Carter Urbanawiz
 objectClass: user
 l: Roswell
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

 dn: CN=Lisa Olsen,OU=Engineering,DC=company,DC=com
 changetype: add
 cn: Lisa Olsen
 objectClass: user
 l: Roswell
 st: GA
 postalCode: 30706
 streetAddress: 123 Sycamore Court

This file can be used to import the objects to the AD with this command:

 ldifde -i -f addusers.ldf -s ATL-DC1

note

Users imported with LDIFDE in this manner will be automatically disabled in AD.


Users can also be deleted by importing an .ldf file that specifies the DN of each user and a changetype of delete:

 dn: CN=Caroline Urbanawiz,OU=Engineering,DC=company,DC=com
 changetype: delete

 dn: CN=Abigail Witbeck,OU=Engineering,DC=company,DC=com
 changetype: delete

CSVDE

There is a companion utility, CSVDE, that uses mostly the same command options as LDIFDE, but its input and output are comma-separated files. Figure 10.17 shows the result of taking the comma-separated output of the following command and importing it into an Excel spreadsheet:

 csvde -f exportusers.ldf -s ATL-DC1 -d "ou=engineering,dc=company,dc=com" -p onelevel -r "(objectClass=user)"

Figure 10.17. Output of CSVDE command imported into Excel Spreadsheet.

note

Import operations with CSVDE are "add" only, and CSVDE does not offer the ability to modify or delete objects.


Obviously there are more powerful scripting tools for bulk import and export of AD objects, such as VBScript, ADSI, and other tools in the Windows .NET Framework. The nice thing about LDIFDE and CSVDE is they are simple enough for the average nonprogrammer to use, and if you don't have the time or expertise to develop a complex script, these tools will probably do the job. There isn't a lot of help from Microsoft on this, but I searched Google and found several sites offering eBooks (online books) for a small fee. The most impressive one was Jumbo Scripts by Guy Thomas at http://www.e-library.net/visit.asp?n=2013, which covers LDIFDE, CSVDE, and logon scripts. That site has a plethora of free "How To" pages as well as books containing samples of using LDIFDE, CSVDE, and WSH for exporting and importing objects into AD.

A Practical Example: Creating OUs and User Accounts from CSVDE Output

HP Services hosted a project recently in which we had to create a replica of an active AD environment for a customer. This included the domain structure, OUs, and user accounts. One way to do this would have been to take a DC from the domain and put it into the test environment. However, due to security concerns, this was not an option.

The second possibility was to take an LDIFDE or CSVDE output of the current AD and re-create the customer's domain/OU. One problem was that the customer attempted to provide CSVDE output using various filters (described earlier in this section), but we never got the data we needed. Therefore, we decided to get a complete dump of the entire AD and then filter what we needed from that.

Another problem we faced was re-creating the user accounts from the customer's AD (we'll call it "MyCompany.com"), because that process takes several steps. This is detailed in Microsoft KB articles 275636, "Creating Exchange Mailbox-Enabled and Mail-Enabled Objects in Active Directory," 327620, "How to use CSVDE to import contacts and user objects into Active Directory," and 276382, "Access to the Attribute is not Permitted Because the Attribute is Owned by the Security Accounts Manager (SAM)." These articles define the required attributes of an account and those that cannot be imported. Because the CSVDE dumps from MyCompany.com contain all possible attributes for each of the objects, it is required that only the necessary attributes be imported into AD. To accomplish this, the CSV files should be imported into an Access database and then queries done to build each user with the required attributes.

Process

The process we used to accomplish the re-creation of the customer's OU structure is as follows:

1. Dump MyCompany.com AD as follows:

 csvde -f ou.csv -r "(objectClass=organizationalUnit)" -v >OU.log
 csvde -f user.csv -r "(objectClass=user)" -v >user.log

The OU.CSV file is required to create the OU structure within AD, because the DN of each user contains the X.500 path of the user object within AD. Without the OU structure in place, the user import will error out. The USER.CSV file contains all attributes within AD for the user objects. However, many of these attributes cannot be imported, specifically the sAMAccountType attribute.

2. Import the CSV files into an Access database. Some of the data fields are longer than 255 characters, so you should import all of the data with the type Memo. Secondly, the CSV file was created with the proper hierarchy; when importing the file, you can add an index to help you better track the objects. Import the user and OU CSV files into separate databases.

3. Create the OU structure. After importing, you can use Access queries to build the CSV files necessary to populate a new AD forest.

The required attributes to create an OU are

  • objectClass: Must be organizationalUnit.

  • dn: The DN of the new and old forests must be the same for this to work. If you are changing domain names, the text must be modified to fit the new naming scheme. This will require some macros within Access to change the name from this:

     OU=Nads,DC=alfmslab,DC=local 

to this:

 OU=Nads,DC=alfmslab,DC=com 

4. Export the contents from the query as a CSV file.

5. Import the contents into AD. (The examples shown previously in this section demonstrate the syntax of this operation).

Repeat the same steps for the user database after the OU structure has been created. When creating the user accounts, you must select several attributes. The basic attributes required to build an account in AD are

  • dn

  • objectClass (must be user)

  • sAMAccountName

The following are optional account attributes to make a mailbox-enabled user:

  • userAccountControl (must be 66048 for an enabled user)

  • mailNickName

  • displayName

  • homeMTA

  • homeMDB

  • msExchHomeServerName

  • proxyAddresses

  • mail

  • textEncodedOrAddress

  • legacyExchangeDn
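The Access-query step above amounts to three transformations: keep only the attributes an import may carry, rewrite each DN for the new domain name, and create the OUs before the users that live in them. The following Python example is added here and is not code from the book or from HP's project; the CSV rows are constructed to resemble csvde output, and the NOT_IMPORTABLE set, the attribute lists and the function names are this example's own. It generalizes the book's single DN rename to every row and sorts the OUs parents-first so the import never hits a missing container.

```python
"""Turn csvde exports into import files for a new forest.

Added example, not code from the book. It does what the book's Access queries
did: keep only importable attributes, rewrite each DN for the new domain
name, and order OUs so parents are created before children. OU_CSV and
USER_CSV are constructed to look like csvde output.
"""
import csv
import io
import re

OLD_SUFFIX = "DC=alfmslab,DC=local"   # naming scheme of the source forest
NEW_SUFFIX = "DC=alfmslab,DC=com"     # naming scheme of the new forest

# Attributes an import cannot set: sAMAccountType is the one the book names;
# the others are system-generated and are refused as well.
NOT_IMPORTABLE = {"sAMAccountType", "objectSid", "objectGUID", "uSNCreated",
                  "uSNChanged", "whenCreated", "whenChanged"}

# Attributes to carry over: the minimum the book lists for each object type.
OU_ATTRS = ["DN", "objectClass"]
USER_ATTRS = ["DN", "objectClass", "sAMAccountName", "userAccountControl", "displayName"]

# Constructed csvde-style exports: a header row of every attribute csvde saw,
# then one row per object with the DN in the first column.
OU_CSV = """\
DN,objectClass,ou,whenCreated
"OU=Eng,OU=Nads,DC=alfmslab,DC=local",organizationalUnit,Eng,20040101000000.0Z
"OU=Nads,DC=alfmslab,DC=local",organizationalUnit,Nads,20040101000000.0Z
"""
USER_CSV = """\
DN,objectClass,sAMAccountName,sAMAccountType,userAccountControl,displayName
"CN=Gary Olsen,OU=Eng,OU=Nads,DC=alfmslab,DC=local",user,golsen,805306368,512,Gary Olsen
"""


def rename_dn(dn, old_suffix, new_suffix):
    """Replace the domain suffix of a DN; the match is case-insensitive as in LDAP."""
    if not dn.lower().endswith(old_suffix.lower()):
        raise ValueError(f"DN is not under {old_suffix}: {dn}")
    return dn[: len(dn) - len(old_suffix)] + new_suffix


def dn_depth(dn):
    """Count the RDNs in a DN (an escaped comma, '\\,', is not a separator).

    A parent OU always has fewer RDNs than its children, so sorting by depth
    guarantees the parent exists before csvde tries to add the child.
    """
    return len(re.split(r"(?<!\\),", dn))


def prepare(csv_text, keep, old_suffix, new_suffix, parents_first=False):
    """Select columns, rewrite DNs and optionally sort parents first.

    Refuses any attribute in NOT_IMPORTABLE so a stray column cannot make
    the whole import fail on the server.
    """
    blocked = sorted(set(keep) & NOT_IMPORTABLE)
    if blocked:
        raise ValueError(f"cannot import system-owned attributes: {blocked}")
    rows = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        new_row = {name: row.get(name, "") for name in keep}
        new_row["DN"] = rename_dn(row["DN"], old_suffix, new_suffix)
        rows.append(new_row)
    if parents_first:
        rows.sort(key=lambda r: dn_depth(r["DN"]))   # stable: siblings keep their order
    return rows


def to_csv(rows, keep):
    """Serialize rows in the header-plus-rows layout that csvde -i reads."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=keep, lineterminator="\n")
    writer.writeheader()
    writer.writerows(rows)
    return buf.getvalue()


if __name__ == "__main__":
    ous = prepare(OU_CSV, OU_ATTRS, OLD_SUFFIX, NEW_SUFFIX, parents_first=True)
    print(to_csv(ous, OU_ATTRS), end="")        # save as newou.csv, import first
    users = prepare(USER_CSV, USER_ATTRS, OLD_SUFFIX, NEW_SUFFIX)
    print(to_csv(users, USER_ATTRS), end="")    # save as newusers.csv, import second
```

Run the OU file through csvde -i before the user file, exactly as the book's steps order them; the depth sort only guarantees ordering within the OU file, not across the two.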

You can see that LDIFDE and CSVDE are powerful tools that allow you to extract, modify, and import data not only within a single AD forest, but also between forests and even between LDAP-compliant DS.

In addition to management tools for AD, HP includes a number of tools with the ProLiant line of servers that allow management and configuration on a hardware and driver level. These tools are detailed in the next section.



Windows Server 2003 on Proliants. Deployment Techniques and Management Tools for System Administrators
ISBN: B004C77T6A
EAN: N/A
Year: 2004
Pages: 214
