11 Basic tools for managing the Active Directory

If you are responsible for working with an EXCEL spreadsheet that lists 200 new employees who are working from next week, or because a technical support person clicks on something that should not be clicked and causes a user account to be misconfigured, or you just need a more relaxed way to manage it than to open "users and Computers" Active Directory??, there are plenty of free management tools available to help. Some tools are placed in Windows?? In the operating system, some are located in the Resource Kit or Windows support tools, and some are even free third-party tools. What do these handy tools include and where can they be obtained? Let's take a look.

Introduce the Windows Server first?? The built-in command-line tools in 2003 that allow you to create, delete, modify, and find objects in Active Directory.

Csvde

The comma-separated Value data exchange tool (CSVDE) allows you to import new objects into Active Directory using a CSV source file, and it also provides the ability to export existing objects to a CSV file. CSVDE cannot be used to modify existing objects; When you use this tool in Import mode, you can only create entirely new objects.

Using CSVDE to export a list of existing objects is fairly straightforward. Export an Active Directory object to a file named Ad.csv, as follows:

Csvde–f Ad.csv

The –f switch represents the name of the output file that follows. However, you must be aware that, depending on the environment, this basic syntax may generate an impractical large output file. To restrict this tool to exporting only objects in a specific organizational unit (OU), you can modify the statement to the following form:

Csvde–f usersou.csv–d ou=users,dc=contoso,dc=com

Further assume that you are interested only in exporting user objects to CSV files. In that case, you can add the –r switch and the –l switch, which allows you to specify a Lightweight Directory Access Protocol (LDAP) filter for searching, which limits the number of properties that are exported (note that all of the following is on one line):

Csvde–f usersonly.csv–d ou=users,dc=contoso,dc=com–r "(& (Objectcategory=person) (Objectclass=user))" –l DN, Objectclass,description

With the – I switch, you can import objects from the source CSV file into active Directory. However, there is a key limit to creating user objects using CSVDE: You cannot use CSVDE to set a user password. Therefore, you should avoid creating user objects using CSVDE.

LDIFDE

Active Directory also provides another built-in tool for performing bulk user operations, called LDIFDE, which is more powerful and flexible than csvde. In addition to creating new objects, LDIFDE can modify and delete existing objects, or even extend the Active Directory schema. LDIFDE is flexible, but in order to achieve this flexibility, it is necessary to use the LDIF file with the. ldf extension as the output file, which is more complex than a simple CSV file. (User passwords can be configured with a small amount of action, which I'll introduce later.) ）

Let's start with a simple example and export the users in an OU to the LDF file (note that all of the following is on one line):

Ldifde-f users.ldf-s dc1.contoso.com-d "ou=usersou,dc=contoso,dc=com –r" (& (Objectcategory=person) (objectclass =user)) "

As with most command-line tools, you can run LDIFDE/? command to find the full description of the LDIFDE switch. Figure 1 describes the switches I have used here. Note that the switches of the CSVDE and LDIFDE commands are actually the same. ）

The real function of LDIFDE is to create and manipulate objects. However, before you do this, you first need to create an input file. The following statement creates two user accounts named Afuller and rking; To create the input file, enter the following text in Notepad (or your favorite plain text editor) and save it as a newusers.ldf:

Dn:cn=afuller, Ou=usersou, Dc=contoso, dc=com changetype:add cn:afullerobjectClass:user samaccountname:afuller DN:CN =rking, Ou=usersou, Dc=contoso, dc=com changetype:add cn:rkingobjectClass:user samaccountname:rking

When you have finished creating the file, run the following command:

Ldifde–i–f Newusers.ldf–s DC1.contoso.com

As you might guess, the only new switch used here indicates that this is an import operation and not an export operation.

If you want to modify or delete an existing object, you do not have to change the syntax of the LDIFDE command; instead, you should modify the contents of the LDF file. To change the Description field for a user account, create a text file named Modifyusers.ldf, as shown in Figure 1.

Figure 1 Modifyusers LDF file

You can import changes by running the same LDIFDE command syntax as before, specifying a new LDF file name after the-f switch. The LDF format for deleting objects is simpler; To remove users who have been using them, create a file named Deleteusers.ldf, and then enter the following:

Dn:cn=afuller Ou=usersou, Dc=contoso, dc=com changetype:deletedn:cn=rking, Ou=usersou, DC=contoso, DC=com changetype:d Elete

Note that unlike CSVDE, LDIFDE can configure user passwords. However, before you configure the Unicodepwd property for a user account, you must configure Secure Sockets Layer/Transport Layer Security (SSL/TLS) encryption on the domain controller.

Furthermore, LDIFDE can create and modify any type of Active Directory object, and is not limited to user accounts. For example, the following LDF file can create a custom schema extension named Employeeid-example in the schema of the contoso.com forest:

Dn:cn=employeeid-example,cn=schema,cn=configuration,dc=contoso,dc=comchangetype:addadmindisplayname: Employeeid-exampleattributeid:1.2.3.4.5.6.6.6.7attributesyntax:2.5.5.6cn:employee-idinstancetype: 4issinglevalued:trueldapdisplayname:employeeid-example

Because LDIFDE files use the industrial standard LDAP file format, Third-party applications that need to modify the Active Directory schema often provide LDF files that you can use to check and approve changes before you apply them to a production environment.

In addition to the tools used to perform bulk import and export operations, Windows Server 2003 includes a built-in toolset that you can use to create, delete, and modify various Active Directory objects, and to execute queries against objects that meet specific criteria. (Note that Windows? Active Directory does not support these tools, such as dsadd, dsrm, dsget, and dsquery.) ）

dsadd

Dsadd is used to create an instance of an Active directory object class on a specific directory partition. These classes include users, computers, contacts, groups, organizational units, and quotas. Dsadd has a common syntax consisting of the following:

dsadd attributes

Note that each object type that you create has a specific set of switches that correspond to the attributes of that type. The following command creates a user object that populates a variety of properties (note that all of the following is on one line):

dsadd user Cn=afuller,ou=it,dc=contoso,dc=com–samid afuller–fn andrew–ln fuller–pwd *-memberof Cn=it,ou=groups,dc=con Toso,dc=com "Cn=help desk,ou=groups,dc=contoso,dc=com" –desc "Marketing Director"

The –memberof switch requires that you specify the full distinguished name (DN) of each group to which the user should be added, and if you want to add users to more than one group, you can add multiple DN and separate them with a space.

If any element contains spaces (such as the DN of the Help Desk group), the element should be enclosed in double quotes. If an element contains a backslash, such as an OU called It\emea, you must enter a two-time backslash: It\\emea. (These requirements apply to all ds* tools.) ）

If you use the-pwd * switch, you are prompted to enter a user password at the command line. You can specify a password in this command (-pwd p@ssword1), but this will display the password in plain text on the screen or in any text or script file that the command embeds.

Similarly, you can use the following two commands to create group objects and OUs:

dsadd computer cn=wks1,ou=workstations,dc=contoso,dc=comdsadd ou "ou=training ou,dc=contoso,dc=com"

Dsmod

Dsmod is used to modify an existing object, and it is used very much like dsadd, and you need to use a different submenu and syntax depending on the type of object you want to modify. The following dsmod statement changes the user's password and modifies the user's account, so the user is prompted to change to the new password at the next logon:

dsmod user "cn=afuller,ou=it,dc=contoso,dc=com" –pwd p@ssw0rd1–mustchpwd Yes

To understand how similar these switches are, you can view the dsadd syntax that you want to use to create this user and configure the same properties:

dsadd user "cn=afuller,ou=it,dc=contoso,dc=com" –pwd p@ssw0rd1–mustchpwd Yes

You can see clearly that if you know the switches used in dsadd to create objects, you can use those same switches to modify dsmod users.

dsrm

DSRM and dsadd are inverse; As you might expect, you can use this tool to remove objects from the command line. The basic DSRM syntax is fairly concise: just enter the DSRM and enter the distinguished name of the object you want to delete, as follows:

DSRM cn=wks1,ou=workstations,dc=contoso,dc=com

By default, Dsrm prompts "Are you sure you want to delete this object?" , type Y, and then press Enter. You can use the –noprompt switch to suppress this prompt, but it is obvious that this does not make it possible to confirm that the selected object is correct before deleting the object. If you want to delete a container object (that is, an organizational unit that might contain other objects within it), the other two switches may be useful. The following command deletes the Trainingou organizational unit and all objects contained within it:

DSRM Ou=trainingou,dc=contoso,dc=com–subtree