Active Directory (AD) is a major IT resource for many organizations. It makes sense to manage AD from the command line, especially when there is bulk data or scripting involved. PowerShell is a great tool for managing AD in this way, but what if you don’t, won’t, or can’t use PowerShell?
Two handy command-line utilities that don’t get the fanfare that PowerShell does are called csvde and ldifde. These tools allow you to import, export, or modify AD data from the command line. They ease the burden of migrating data between AD domains or importing data from non-AD LDAP directory services by letting you use standard plain text files (CSV and LDIF) to move AD data. In this article, you will learn the power that each of these tools has!
What are CSVDE and LDIFDE?
Comma Separated Value Directory Exchange (CSVDE) and LDAP Data Interchange Format Data Exchange (LDIFDE) are a pair of tools designed to manage the import and export of Active Directory (AD) data to and from text files. CSVDE imports and exports from Comma Separated Values (CSV) files. Ldifde, on the other hand, imports and exports from LDAP Data Interchange Format (LDIF) files.
Common Parameters
In this article, you’ll learn many different actions you can take with these tools. Each one of these actions will be performed via one or more different parameters. One thing you will immediately notice if you work with both csvde and ldifde is that they have similar parameters. Each tool serves a similar purpose but goes about it in a different way. Below you will find a table that outlines each parameter and its purpose.
Distinguished Name Translation
With ldifde, you have the ability to export data from one domain and import it into another. But what about domain-specific references like an AD object’s distinguished name (DN)? Luckily, these tools provide a way to handle such circumstances through a concept called DN translation. DN translation allows you to “inject” a particular domain DN during import and export operations using the
In the following example, the distinguished name
Macro Expansion
LDIFDE also supports the concept of macro expansion. Macro expansion is the ability to use a shortened name, or macro, to refer to some of the well-known naming contexts in LDAP. Ldifde supports the following macros:
Perhaps you have an employee, Fiona Cortez, that you’d like to export from the corp.local domain and import into the lab.local domain. Fiona’s user object is exported to an LDIF file named fiona.ldf using the following command:
If you open up Fiona’s AD object record in the fiona.ldf file, it would look something like this:
An attempt to import this record into the lab.local domain using
To get Fiona’s user object to import into the lab.local domain, change each occurrence of corp.local to lab.local in every distinguished name in the LDIF file. You could do this manually, but macro expansion can do this for you using the
The default naming context for an AD domain is the domain-component part of an object’s DN. The DN is made up of domain components or DCs (not to be confused with domain controllers). For example, in the distinguished name
The following command imports Fiona’s record successfully. In this case,
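As an added example (not code from the article, and not part of ldifde), the Python script below performs the DN translation just described: it rewrites the domain components of every DN-valued line in an exported LDIF record so that a record exported from corp.local can be imported into lab.local, which is the substitution ldifde makes for you when you pass -c with the source and target DNs. The sample record, the Staff OU and the manager DN are constructed for illustration; only the user’s name comes from the article.

```python
"""Rewrite the domain components of DN-valued lines in an exported LDIF record.

Added illustration of what ldifde's DN translation (-c FromDN ToDN) does when a
record exported from corp.local is imported into lab.local. The LDIF record
below is constructed; only the user's name comes from the article.
"""
import re

# Constructed export of Fiona's user object from corp.local (not real data).
# The manager line is folded across two lines, as LDIF allows.
SAMPLE_LDIF = """\
dn: CN=Fiona Cortez,OU=Staff,DC=corp,DC=local
changetype: add
objectClass: user
cn: Fiona Cortez
sAMAccountName: fcortez
distinguishedName: CN=Fiona Cortez,OU=Staff,DC=corp,DC=local
manager: CN=Sam Manager,OU=Staff,
 DC=corp,DC=local
"""


def domain_to_dcs(domain):
    """'corp.local' -> 'DC=corp,DC=local'."""
    return ",".join(f"DC={label}" for label in domain.split("."))


def unfold(ldif_text):
    """Join LDIF continuation lines (a leading space continues the previous line)."""
    lines = []
    for line in ldif_text.splitlines():
        if line.startswith(" ") and lines:
            lines[-1] += line[1:]
        else:
            lines.append(line)
    return lines


def translate_dns(ldif_text, source_domain, target_domain):
    """Return (translated LDIF text, number of DN values rewritten).

    Only plain 'attr: value' lines whose value ends with the source domain's
    DC components are touched. Base64 ('attr:: value') lines are left alone on
    purpose: attributes such as objectGUID and objectSid are binary, and a
    textual substitution inside them would corrupt the record.
    """
    src = re.escape(domain_to_dcs(source_domain))
    dst = domain_to_dcs(target_domain)
    pattern = re.compile(src + r"\s*$", re.IGNORECASE)  # anchored at the end of the DN
    out, rewritten = [], 0
    for line in unfold(ldif_text):
        attr, sep, value = line.partition(": ")
        if sep and not attr.endswith(":") and pattern.search(value):
            value, n = pattern.subn(dst, value)
            rewritten += n
            line = f"{attr}: {value}"
        out.append(line)
    return "\n".join(out) + "\n", rewritten


if __name__ == "__main__":
    text, n = translate_dns(SAMPLE_LDIF, "corp.local", "lab.local")
    print(f"rewrote {n} DN values")
    print(text)
```

The match is anchored at the end of the value, so a DN that merely contains the string somewhere in the middle (an OU named after the domain, say) is not rewritten; the dn, distinguishedName and manager lines in the sample are the three values that change.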
Using macro expansion with the
LDIF Parameters
Even though both tools have similar parameters, ldifde diverges a bit by including a few parameters that csvde does not have. These parameters perform actions specific to the ldifde tool.
Working with LDIFDE and CSVDE
In the remainder of this article, you’ll learn hands-on how to use these tools.
Prerequisites
If you intend to follow along, be sure you have the following prerequisites met ahead of time:
Exporting AD Objects From the Current Domain
Perhaps you need to export information from AD. You can easily do this using the
The command below exports everything in the current AD domain to a file specified by the
A typical CSV export file for a whole domain would look like the CSV below when viewed in Excel.
Domain export CSV file viewed in Excel
Importing AD Objects Into the Current Domain
If you already have a CSV file containing AD objects, you can use the
For example, using the
Understanding How CSVDE Translates Data
Csvde changes some of the information returned by AD when you export it, so that it can be stored in a plain text format like CSV. This behavior might catch you by surprise if you are modifying the data in Microsoft Excel, or if the system you are importing it into is not Active Directory. Let’s have a look at a CSV export file, pc.csv, from the lab.local domain. This file was generated by csvde for the user Paul Cox. Using the
The structure of pc.csv can be examined by opening it in Excel or another spreadsheet program. It will look something like this:
pc.csv
Looking at the column headed
Looking at the
Presenting the value in this way means that csvde has taken the value of
Below you’ll find a table of AD properties that are encoded and which objects in AD have that particular property.
Exporting User Accounts
Maybe you need to export only user accounts. To make things more interesting, let’s also assume you’re not currently logged into a computer with access to query AD, so you need to specify alternate credentials. In the example below, the
A typical CSV export file containing user objects would look like this in Excel:
User export CSV file viewed in Excel
Exporting all Objects in an Organizational Unit (OU)
If you don’t want to export all objects in AD, you can also export only those in a specific OU. The following command exports all objects from an OU, including the OU object itself and any sub-OUs. A default LDAP filter of
When you use csvde or ldifde to export AD objects to a file, the objects in the file are listed in a particular order. This is the order that will be used when the data is imported into another domain or LDAP service. For example, the OUs are created before the user objects within them. Additionally, linked attributes like manager are added after all of the users have been created. Below is an example LDIF file (snipped for brevity), showing the order of object creation and modification:
Exporting Specific Attributes of User Accounts
There will be some situations where you don’t need to export all of the information about a user using csvde or ldifde. Examples include the data for the creation of physical phonebooks, or the export of user information for import into another, non-Active Directory system. This example uses the
Modifying Active Directory Objects
While csvde and ldifde are both designed for bulk data import and export, only ldifde can make changes to existing AD objects. As an example, Microsoft uses LDIF files to extend the AD schema. The LDIF file format is designed to support these actions.
Bear in mind that some of the attributes you export from AD cannot be written back to. These attributes are system generated, or are restricted to system access only. Examples include:
Using changetype
The changetype line is a key piece of information in an LDIF record that allows it to be used for different kinds of actions. The changetype line in an LDIF file sets the action that is going to happen to the AD object specified by the DN line above the changetype, as shown in the example below.
There are different kinds of changetype, and these are summarized in the table below:
Using the Add changetype
The add changetype creates a new AD object. The values for attributes are supplied one per line: a single line for single-valued attributes and multiple lines for multi-valued attributes. An add record looks like the example below (snipped for brevity). Note that the second line (
Using the Delete changetype
The delete changetype removes an object from AD and is simple in structure. The DN is the only mandatory attribute required in the LDIF file, specifying the DN of the AD object to be deleted. This is followed by a changetype line of
Using the Modify changetype
The modify changetype has add, delete, and replace operations that are applied to attributes of the selected AD object. Below is an example LDIF file showing how this can be used in practice. The example replaces Angelique’s telephone number, adds her office location, and deletes her fax number.
Using the ModDN/ModRDN changetype
The moddn or modrdn changetype is used to rename or move an AD object in the directory tree. Use the newsuperior value to set where the object will be moved to. The mandatory newrdn value sets the name of the object. The deleteoldrdn value determines whether the old RDN is kept or replaced by the newrdn value. Omit the newsuperior value if the object should be renamed in place. Child objects of the object being moved are also moved. An example LDIF file to move the Professional Services OU from under the Services OU is shown below.
Updating an Attribute
Let’s explore how to update the value of an existing AD attribute using ldifde. In this example the
The resulting file, ac.ldf, looks like this:
To make this a modify record, the changetype is changed to modify and a replace line specifying the attribute to be modified is added. The description line is changed to the new value. Finally, a new line containing “-” on its own is added to mark the end of the change. The file looks like the example below when it is saved:
Running ldifde with the
Repeating the export step above and viewing
Let’s explore how to modify the membership of an AD group using ldifde. In this example the membership of the group Professional Service Department is changed. First, export the group to an LDIF file called psd.ldf using the
The file psd.ldf is shown below (snipped for brevity).
The order of entries in psd.ldf means that the group is created first and then members are added. Note that the member attribute contains a DN, rather than a sAMAccountName, SID or common name. That’s how the attribute is stored in AD. For this example, let’s assume that the user Angelique Cortez needs to be added to the Professional Services group. Her distinguished name is
Following the example of the export file, the new LDIF file, which has been saved as
The LDIF file is imported using the
Assuming there are no errors, Angelique will have been successfully added to the group.
Resetting a User Password
Resetting a password using an LDIF file requires changing the user’s
In the example below, the user’s password is changed and the
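The modify records walked through above (the replace, add and delete operations on Angelique’s attributes, and the member addition for the Professional Service Department group) as one added Python example; it is not code from the article or from ldifde, it only writes the LDIF text you would then feed to ldifde. The DNs, OUs and attribute values are constructed for illustration.

```python
"""Build 'changetype: modify' LDIF records for import with ldifde.

Added example, not code from the article or from ldifde. It covers the
replace/add/delete operations of a modify record and a group-membership
change; every DN and value below is constructed for illustration.
"""
import base64


def ldif_line(attr, value):
    """Render one attribute line. Values LDIF cannot carry verbatim (bytes,
    non-ASCII text, a leading space/colon/'<', or a trailing space) are written
    base64-encoded on an 'attr:: ' line, as the LDIF format requires."""
    if isinstance(value, bytes):
        return f"{attr}:: {base64.b64encode(value).decode('ascii')}"
    if not value.isascii() or value[:1] in (" ", ":", "<") or value.endswith(" "):
        return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{attr}: {value}"


def modify_record(dn, operations):
    """operations: iterable of (op, attribute, values) with op in add/replace/delete.

    'delete' with no values removes the whole attribute; with values it removes
    only those values (e.g. one member of a group). Every operation is closed by
    a line holding a single '-', which is what marks the end of that change.
    """
    lines = [f"dn: {dn}", "changetype: modify"]
    for op, attr, values in operations:
        if op not in ("add", "replace", "delete"):
            raise ValueError(f"unsupported modify operation: {op}")
        lines.append(f"{op}: {attr}")
        lines.extend(ldif_line(attr, v) for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"


# Constructed DNs for the examples (not taken from a real directory).
ANGELIQUE_DN = "CN=Angelique Cortez,OU=Staff,DC=lab,DC=local"
PSD_GROUP_DN = "CN=Professional Service Department,OU=Groups,DC=lab,DC=local"


def angelique_contact_update():
    """Replace her telephone number, add an office location, drop the fax number."""
    return modify_record(ANGELIQUE_DN, [
        ("replace", "telephoneNumber", ["+1 555 0100"]),
        ("add", "physicalDeliveryOfficeName", ["Building 2"]),
        ("delete", "facsimileTelephoneNumber", []),
    ])


def group_membership_change(group_dn, add=(), remove=()):
    """The member attribute holds DNs; add and/or remove the listed members."""
    ops = []
    if add:
        ops.append(("add", "member", list(add)))
    if remove:
        ops.append(("delete", "member", list(remove)))
    return modify_record(group_dn, ops)


if __name__ == "__main__":
    print(angelique_contact_update())
    print(group_membership_change(PSD_GROUP_DN, add=[ANGELIQUE_DN]))
```

Removing a member is the same record with delete instead of add and the member’s DN as the value; deleting the member attribute with no value would empty the group, which is why the helper only ever emits delete with explicit DNs for groups.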
Adding a Photo to a User Account
The ldifde tool allows you to set the
Troubleshooting
Although the csvde and ldifde tools can save you tons of time, things don’t always go as expected. In this section, you’ll find many pointers to help you deal with various issues you may come across.
Creating Logs for CSVDE and LDIFDE
Use the
For example, a failed csvde import generates a
The .err file for the same error looks like this:
If your LDIF file doesn’t contain expected attributes when using the
“There is a syntax error in the input file”
This generic error identifies where in the LDIF or CSV file the import is failing:
“A device attached to the system is not functioning”
This error is seen when using ldifde to change a user’s password. There are two possible causes.
Cause 1 – Password incorrectly formatted
Ensure that you are replacing the unicodePwd attribute with a base64 value. The password must be a Unicode string wrapped in double quotes before base64 encoding. There are a number of approaches you could use to base64 encode the password, including online services and command line tools. Here’s how you could base64 encode a password using PowerShell.
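An added Python example (not the article’s PowerShell snippet) that produces the unicodePwd value in the form AD expects and checks a value before import, so a badly formatted value can be caught without a round trip to the domain controller; the DN and password in it are constructed placeholders. Encoding locally, as here, also avoids pasting a real password into an online encoder, which discloses it to that service.

```python
"""Produce and check the unicodePwd value for an ldifde password reset.

Added example (not from the article). AD accepts unicodePwd only as the
password wrapped in double quotes, encoded as UTF-16LE and then base64, on a
'unicodePwd:: ' line; anything else fails with "A device attached to the
system is not functioning".
"""
import base64
import binascii


def encode_unicode_pwd(password):
    """The text that follows 'unicodePwd:: ' in the LDIF file."""
    quoted = f'"{password}"'  # AD requires the surrounding double quotes
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def utf8_base64(text):
    """The common mistake: plain UTF-8 base64, without UTF-16 (and often without quotes)."""
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def decode_unicode_pwd(value):
    """Reverse of encode_unicode_pwd; the quotes are part of the decoded text."""
    return base64.b64decode(value).decode("utf-16-le")


def check_unicode_pwd_value(value):
    """Pre-import check of a unicodePwd value: 'ok', or why AD will reject it."""
    try:
        raw = base64.b64decode(value, validate=True)
    except (binascii.Error, ValueError):
        return "not valid base64"
    if len(raw) % 2 or len(raw) < 4:
        return "byte length is not a UTF-16LE string of at least two characters"
    text = raw.decode("utf-16-le", errors="replace")
    if not (text.startswith('"') and text.endswith('"')):
        return "decoded value is not wrapped in double quotes (wrong encoding or quotes missing)"
    return "ok"


def password_reset_record(user_dn, password):
    """A modify record replacing unicodePwd; the import itself needs an SSL/TLS session to the DC."""
    return "\n".join([
        f"dn: {user_dn}",
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {encode_unicode_pwd(password)}",
        "-",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed DN and password placeholders; replace before any real use.
    print(password_reset_record("CN=Angelique Cortez,OU=Staff,DC=lab,DC=local", "Example-Passw0rd!"))
    print(check_unicode_pwd_value(utf8_base64("Example-Passw0rd!")))
```

The check deliberately reports a UTF-8 encoded password, with or without quotes, as bad: it decodes to the wrong byte length or to text that does not start and end with a double quote, which is exactly the formatting mistake behind Cause 1.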
Cause 2 – Trying to set a password over an insecure connection
Another cause could be when you try to set a user’s password but don’t use a secure connection. Use the
“Errors on Line 2”
You will occasionally come across error messages returned by csvde that start with “errors on line 2”. This usually means that the file format is incorrect. This error could mean that incorrect attribute names have been used for column headings in a CSV file, for example. Line 2 of a CSV file is the first data line after the headers, so this error means that the import process has failed at the very start. To illustrate this error, have a look at the following snippet from a CSV file. The columns for the user’s first and last names are headed firstName and lastName (instead of givenName and sn). The import will fail with an error on line 2 of No Such Attribute.
no such attribute error
“Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM)”
Several AD attributes cannot be set via script. They are managed by AD itself; trying to modify one of these triggers this error.
Use the
“The specified account already exists”
CSVDE doesn’t have the ability to update or recreate existing AD objects. If you try, you’ll get the following error message.
“Illegal modify operation. Some aspect of the modification is not permitted”
Constraints within AD can prevent actions from taking place, for example trying to delete an OU when its isCriticalSystemObject attribute is set to True. Unfortunately, the error message is not specific about which change is not permitted.
“Unable to update the password. The value provided for the new password does not meet the length, complexity, or history requirements of the domain”
The error message tells the story here. Ensure that any password you are trying to apply meets the requirements of the AD domain. See the Password Policy documentation on Microsoft Docs for more details on how these requirements are defined.
“The parameter is incorrect”
The extended error part of the message gives a clue. In this case the deleteoldrdn value needs to be set to 1 in the LDIF file.
“The operation could not be performed because the object’s parent is either uninstantiated or deleted”
This error means that the specified new location for a move operation does not exist. The newsuperior value in the LDIF file is likely wrong.
“A referral was returned from the server”
The objects you are trying to import have DNs that don’t match the domain you are trying to import into. Use the macro capability to fix this, or manually change the distinguished names to the correct value before importing.
“Directory object not found”
This error occurs when you include a DN that does not exist in your import file. Has the object in question been deleted? Check for typos in the distinguished name.
“A required attribute is missing”
AD objects require certain mandatory attributes to be present before you can create them. This error reports that one of the attributes is missing. Unhelpfully, it doesn’t say which one. To find out which attributes are mandatory for a particular object class, have a look at the AD schema documentation.
“Unable to read the import file”
This error usually means that the file is not present in the specified location. Check the file path and spelling.
“Error opening the output file”
This error could mean that the file is in use by another process. Make sure that the export file is not open in another program.
“The connection cannot be established. The error code is 8224”
Check that the server, domain, or forest name being used is correct and that network connectivity exists to the domain controller.
“SSPI “bind with supplied creds” returned ‘Invalid Credentials’ or Simple bind returned ‘Invalid Credentials’”
This error means that the user name or password you are using to authenticate to AD is incorrect.
“Invalid Parameter: No Active Directory Domain Controller Available”
This error means that the computer you are running csvde or ldifde on cannot detect an AD domain. Specify a server using