
Configure IT Quick: Manage user accounts with the robust LDIFDE tool

Learn how to use the LDIFDE tool to add, modify, and remove users in your Active Directory tree.


Creating multiple users at the same time can be a tedious task for any administrator, but it's especially challenging when you have hundreds or even thousands of new accounts to create—such as during a corporate merger or acquisition or at the beginning of a new semester at a school or a university. Windows offers the Adduser.exe utility to ease some of this burden, but Adduser is somewhat limited in its abilities.

The LDAP Data Interchange Format Directory Exchange utility (LDIFDE.exe), on the other hand, is much more powerful. It comes bundled in the default installation of Windows 2000 Server, Advanced Server, and Datacenter Server. In this article, I will show you the power of LDIFDE and explain how to use it to add, modify, and remove users in your Active Directory tree.

Syntax
To describe the syntax of LDIFDE, I will use some examples and explain what I am doing as I go along. For this article, I am using a newly installed Windows 2000 Server named w2ks, and I'm starting with no extra user accounts—only Administrator and the other default accounts that exist in the Active Directory database.

To see the basic syntax of LDIFDE, simply enter the command ldifde at a Windows command prompt. You should see the output shown in Listing A.

What’s in my directory, anyway?
You can use LDIFDE to export objects out of Active Directory to a text file. I find it easier to work with a new utility when I can see what the format of the data is before I try to import new data. To do that, I am going to export all of the default objects out of my newly created Active Directory database into a text file named Scott.txt with the following command:
ldifde -s w2ks -f scott.txt

The -s parameter is immediately followed by the name of the source server, while -f is followed by the name of the file to write the data to.

On my pristine Windows 2000 Server, a total of 111 objects were exported, for a total of 2,687 lines. Wait a minute—this new system already has 111 objects, and 2,687 lines were written to the export file? Something must be wrong, right? Nope. There are not 111 users in my Active Directory. There are 111 objects, and the LDIFDE utility can work with all aspects of an object, so there is a great deal of information listed for each one. For example, Listing B shows the sample output for the Administrator user object on my system.

As you can see, a huge amount of information is associated with this user. Every attribute in Active Directory is represented here, including group memberships, account description, and number of logins. Obviously, not all of this information is required when creating a new user in Active Directory, which I will show you how to do in a minute.

What is actually a little more useful in our situation is to get an output file that contains only the users and not the rest of Active Directory. To narrow the scope of what LDIFDE looks for, you can use additional parameters when you issue the command to export the ADS database to a text file:
ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=person)" -f usersonly.txt

You'll notice a number of additional parameters here:
  • -v turns on verbose mode so that I could see the results of the command as shown in Listing C.
  • -d specifies the root of the search. While it was not required for this search, I included it to show you the format.
  • -p narrows the search to the subtree in question. The other options for the -p parameter are base and onelevel.
  • -r is used in the example with a parameter of "(objectClass=person)". This parameter specifies the LDAP filter to use for LDIFDE. In my case, I wanted only people, so I chose an objectClass of "person."

The results in the Usersonly.txt file, shown in Listing C, were exactly what I wanted.
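Because LDIFDE folds long attribute values onto continuation lines (a leading space) and writes values it cannot represent literally as base64 (a double colon), a plain line-by-line grep of an export file will miss data. Here is an added example, not from the article, of a small Python reader for an export file that undoes the folding, decodes base64 values, and applies the same (objectClass=person) filter after the fact; the sample export below is constructed, not one of the article's Listings.

```python
import base64

# Constructed sample in the shape of an LDIFDE export (not one of the article's
# Listings); it has a folded line (leading space) and a base64 value (::).
SAMPLE_EXPORT = """\
dn: CN=Administrator,CN=Users,DC=slowe,DC=com
objectClass: person
objectClass: user
description: Built-in account for administering the computer/
 domain
sAMAccountName: Administrator

dn: CN=Domain Computers,CN=Users,DC=slowe,DC=com
objectClass: group
sAMAccountName: Domain Computers

dn: CN=Sample User,OU=newusers,DC=slowe,DC=com
objectClass: person
objectClass: user
l:: WsO8cmljaA==
sAMAccountName: sampleuser
"""

def parse_ldif(text):
    """Return one dict per record (attr -> list of values). A line starting with a
    space continues the previous line; '::' marks a base64-encoded value."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # undo line folding first
        else:
            lines.append(raw)
    records, current = [], {}
    for line in lines + [""]:             # the sentinel flushes the last record
        if line == "":
            if current:
                records.append(current)
            current = {}
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode("utf-8")
        else:
            value = value.strip()
        current.setdefault(attr.lower(), []).append(value)
    return records

def people(text):
    """Apply the article's (objectClass=person) filter to an export after the fact."""
    return [(r["dn"][0], r["samaccountname"][0]) for r in parse_ldif(text)
            if any(v.lower() == "person" for v in r.get("objectclass", []))]
```

Run against a real export, this is a quick way to audit which accounts exist in an OU without a second trip to the server.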

Modifying Active Directory information
I will now go over the process of creating new users in Active Directory using this utility. I have created an organizational unit named newusers, which I will use for all of the examples.

Example 1—importing new users
In this example, I will import two new users—NewUser and AnotherUser—into Active Directory. To do this, I will create a text file named Import.ldf with the following data:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: add
cn: New User
objectClass: user
samAccountName: NewUser

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: add
cn: Another User
objectClass: user
samAccountName: AnotherUser

This might look a little intimidating, and the format is definitely not as simple as the one used with the addusers utility, so let's take a closer look at what's going on.

A new user is being created in a specific organizational unit (newusers, in this case) and the user’s name fields are being set up.

To import this information, I will use the following command:
ldifde -v -i -s w2ks -f import.ldf

Again, the -v indicates that I want verbose output for this command, while the next parameter, -i, indicates import mode. By default, LDIFDE uses export mode unless this parameter is present. The -s and -f parameters specify the server and the name of the import file, respectively.

The output from this command is shown in Listing D.

When I browse to the newusers organizational unit in the Active Directory Users And Computers GUI tool after this process is finished, I find that there are two new users matching the descriptions above.

Example 2—Modifying information
You can also use LDIFDE to modify the information for a user, if necessary—such as when a user changes offices or gets married. For this example, I will modify the address of the two users I just created. Since they work in the same office and have the same address, this is what will be in the import file I use:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: modify
replace: streetAddress
streetAddress: 1450 Bum Street
-
replace: l
l: Somewheretown
-
replace: st
st: Somestate
-
replace: postalCode
postalCode: 90210
-

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: modify
replace: streetAddress
streetAddress: 1450 Bum Street
-
replace: l
l: Somewheretown
-
replace: st
st: Somestate
-
replace: postalCode
postalCode: 90210
-

This needs a little more explanation. The line beginning with dn indicates which Active Directory object is being worked with. In this case, it is being modified, as indicated by the changetype line. Next, the import file requests a replacement of the object's street address; the data for it is given on the next line, followed by a dash, which indicates that this modification record is to continue. Next, l (locality or city), st (state), and postalCode (postal code) are all modified. Note the blank line between the last dash of the first record and the first line of the second record. This is critical. If you don't include it, the modification won't work. To execute these modifications, I issue this command:
ldifde -v -i -s w2ks -f modify.ldf

The output is similar to the previous example. When I look in the GUI utility, I see that the address records for both users were properly modified and match the information I entered into Modify.ldf.
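Writing Import.ldf and Modify.ldf by hand is fine for two users, but for the hundreds mentioned at the start of the article you would generate them. Here is an added example, not from the article, of a Python generator for the add records of Example 1 and the modify records of Example 2; it also handles the two things that silently break a hand-written file: values LDIF cannot carry literally (leading or trailing space, leading ':' or '<', non-ASCII) are base64-encoded with '::', and commas and other reserved characters in a CN are escaped in the DN. The OU and attribute names are the article's; OU_DN and the function names are mine.

```python
import base64

# Assumed layout: the article's newusers OU on the slowe.com domain.
OU_DN = "OU=newusers,DC=slowe,DC=com"

def ldif_value(attr, value):
    """One 'attr: value' line; values LDIF cannot carry literally (leading or
    trailing space, leading ':' or '<', non-ASCII, line breaks) go base64 with '::'."""
    literal_ok = (value.isascii() and value == value.strip()
                  and not value.startswith((":", "<"))
                  and not any(c in value for c in "\r\n"))
    if literal_ok:
        return f"{attr}: {value}"
    return f"{attr}:: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def user_dn(cn):
    """DN for a user in OU_DN, escaping the characters RFC 4514 reserves in an RDN."""
    esc = cn
    for ch in ("\\", ",", "+", '"', "<", ">", ";", "="):
        esc = esc.replace(ch, "\\" + ch)
    if esc[:1] in ("#", " "):
        esc = "\\" + esc
    if esc.endswith(" "):
        esc = esc[:-1] + "\\ "
    return f"CN={esc},{OU_DN}"

def add_record(cn, sam):
    """Example 1: create a user object, as in Import.ldf."""
    return "\n".join(["dn: " + user_dn(cn), "changetype: add", ldif_value("cn", cn),
                      "objectClass: user", ldif_value("sAMAccountName", sam)]) + "\n"

def modify_record(cn, attrs):
    """Example 2: replace attributes, each change closed with '-', as in Modify.ldf."""
    lines = ["dn: " + user_dn(cn), "changetype: modify"]
    for attr, value in attrs.items():
        lines += [f"replace: {attr}", ldif_value(attr, value), "-"]
    return "\n".join(lines) + "\n"

def build_ldif(records):
    """Join records with exactly one blank line between them (the separator the
    article warns must not be missing)."""
    return "\n".join(records)

if __name__ == "__main__":
    office = {"streetAddress": "1450 Bum Street", "l": "Somewheretown",
              "st": "Somestate", "postalCode": "90210"}
    users = [("New User", "NewUser"), ("Another User", "AnotherUser"), ("Doe, Jane", "JDoe")]
    print(build_ldif([add_record(cn, sam) for cn, sam in users]))   # Import.ldf content
    print(build_ldif([modify_record(cn, office) for cn, _ in users]))  # Modify.ldf content
```

Redirect each print to a file and feed it to the same ldifde -i command the article uses; the third user shows why the DN escaping matters.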

Example 3—Deleting objects from Active Directory
Upper management has finally realized that these two new users weren’t worth the stock options they were given, so they're being let go. To delete two users, you would normally use the GUI, but for demonstration purposes, I am going to show you how to do it with LDIFDE.

First, I need to create a file that will tell LDIFDE what to do. Here is what that command file, named Delete.ldf, will contain:
dn: CN=New User,OU=newusers,DC=slowe,DC=com
changetype: delete

dn: CN=Another User,OU=newusers,DC=slowe,DC=com
changetype: delete

This is pretty self-explanatory. To execute the commands in this file, I type
ldifde -v -i -s w2ks -f delete.ldf

Once I finish, I can verify that the users are indeed gone from Active Directory by going to the GUI tool once again.

Summary
LDIFDE is a powerful utility that can be useful in adding, deleting, and modifying user accounts in Active Directory. As an example, I am currently working on a set of scripts to create Exchange contacts (as objects) in Active Directory for people who exist in a Microsoft SQL Server database of business contacts, with an automatic update every hour. I am using LDIFDE to do the importing into ADS. Of course, with this power comes some complexity. You will need to practice a little with this utility—preferably on a test network—before trying to make mass changes to your live Active Directory.
