
AUTOMATION using command line tools

Windows Server® 2012 includes several command-line tools that you can use to perform AD
DS administration. You can use command-line tools to automate the creation and management of
AD DS objects, such as user accounts and groups.

In our previous training session we looked at creating objects using graphical tools, but what if
you wanted to do bulk operations where you would be creating 200 - 500 objects? For that you need
to turn to automation. To automate AD DS administration, you need command-line tools, which
you can use in scripts or through other apps and programs.

DIRECTORY SERVICES commands

Windows Server 2012 includes command-line tools called Directory Services commands, which
are suitable for use in scripts. You can use ds* commands to create, view, modify, and remove
AD DS objects. The following table describes ds* commands.

Tool       Description
dsadd      Creates AD DS objects.
dsget      Displays properties of AD DS objects.
dsquery    Searches for AD DS objects.
dsmod      Modifies AD DS objects.
dsrm       Removes AD DS objects.
dsmove     Moves AD DS objects.

DS Command Examples

The following are examples of ds* commands that you could type at a command prompt.

To modify the department of a user account, type:

dsmod user "cn=Phillip Bostic,ou=DepartmentC,dc=contoso,dc=com" -dept IT

To display the email of a user account, type:

dsget user "cn=Phillip Bostic,ou=DepartmentC,dc=contoso,dc=com" -email

To delete a user account, type:

dsrm "cn=Phillip Bostic,ou=DepartmentC,dc=contoso,dc=com"

To create a new user account, type:

dsadd user "cn=Jan Edwards,ou=DepartmentC,dc=contoso,dc=com"


LDIFDE Commands
You can use the ldifde command-line tool to export, create, modify, or delete AD DS objects.

Ldifde uses data that is stored in a file.

An ldifde file is text-based, with blocks of lines composing a single operation such as creating or
modifying a user object. Each line within the operation specifies something about the operation,
such as an attribute or the type of operation. A blank line separates multiple operations within the
ldifde file.

You can type the file in Notepad and save it with an .ldf extension. Be sure to watch the video for
this lesson on how to save the ldifde file.

The following is an example of an LDIF file that creates a single user:

dn: CN=Karl Lashley,OU=DepartmentC,OU=User Accounts,DC=contoso,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Karl Lashley
sn: Lashley
title: Operations
description: Operations (Antigua)
givenName: Karl
displayName: Lashley, Karl
company: Contoso, Ltd.
sAMAccountName: Klashley
userPrincipalName: karl.lashley@contoso.com
mail: karl.lashley@contoso.com

The basic syntax for using ldifde to import objects is:

ldifde -i -f filename -k

The -i parameter specifies import mode. The -f parameter identifies the file name from which to
import. The -k parameter instructs ldifde to suppress errors, including the Object Already Exists
error. The option to suppress errors is useful when importing objects to ensure that all objects
possible are created, instead of stopping when partially complete.
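For the bulk case mentioned at the start, the LDIF file can be generated instead of typed. The following is an added example, not part of the original handout: it builds one "changetype: add" block per user in the layout shown above, and it goes slightly beyond the sample by base64-encoding values that LDIF cannot carry as plain text and by escaping commas inside a name so they do not split the DN. The function names and the logon-name convention are assumptions.

```python
import base64

# Object classes taken from the page's sample user record.
USER_CLASSES = ["top", "person", "organizationalPerson", "user"]

def ldif_line(attr, value):
    """One 'attr: value' line; values LDIF cannot carry as plain text use 'attr:: base64'."""
    plain = (value.isascii() and value[:1] not in (" ", ":", "<")
             and not value.endswith(" ") and "\n" not in value and "\r" not in value)
    if plain:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def escape_rdn(value):
    """Backslash-escape characters that would otherwise split or corrupt a DN."""
    out = "".join("\\" + c if c in ',+"\\<>;' else c for c in value)
    return "\\" + out if out[:1] in ("#", " ") else out

def slug(text):
    """Keep letters and digits only (assumed logon-name convention)."""
    return "".join(c for c in text if c.isalnum()).lower()

def user_record(given, sn, ou_dn, upn_suffix):
    """Build one 'changetype: add' block; no password attribute is ever written."""
    cn = f"{given} {sn}"
    upn = f"{slug(given)}.{slug(sn)}@{upn_suffix}"
    attrs = [("cn", cn), ("sn", sn), ("givenName", given),
             ("displayName", f"{sn}, {given}"),
             ("sAMAccountName", slug(given[:1] + sn)[:20]),  # 20-character limit
             ("userPrincipalName", upn), ("mail", upn)]
    lines = [ldif_line("dn", f"CN={escape_rdn(cn)},{ou_dn}"), "changetype: add"]
    lines += [f"objectClass: {c}" for c in USER_CLASSES]
    lines += [ldif_line(a, v) for a, v in attrs]
    return "\n".join(lines)

def build_ldif(users, ou_dn, upn_suffix):
    """Join records with the blank line that separates operations in the file."""
    return "\n\n".join(user_record(g, s, ou_dn, upn_suffix) for g, s in users) + "\n"

if __name__ == "__main__":
    # Constructed sample names; the OU and domain follow the page's contoso examples.
    sample = [("Jan", "Edwards"), ("Zoë", "Smith, Jr.")]
    print(build_ldif(sample, "OU=DepartmentC,DC=contoso,DC=com", "contoso.com"))
```

Save the output with an .ldf extension and import it with the ldifde syntax shown above.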

You cannot use ldifde to import passwords, because passwords in an LDIF file are not secure.
Therefore, user accounts created by ldifde have a blank password and are disabled.

CSVDE Command Line
The csvde command-line tool exports or imports AD DS objects to or from a comma-separated
values (.csv) file.

The main limitation of csvde is that it cannot modify existing Active Directory objects. You only
can use it to create new objects. For example, you can use csvde to create a set of new user
accounts, but you cannot use it to modify the properties of the user accounts after they are
created. You also can use csvde to export object properties, such as a list of users and their email
addresses.

Create Objects by Using csvde

The basic syntax for using csvde to create objects is:

csvde -i -f filename -k

The -i parameter specifies import mode. The -f parameter identifies the file name from which to
import. The -k parameter instructs csvde to suppress error messages, including the Object
Already Exists error message. The option to suppress errors is useful when importing objects to
ensure that all of the objects possible are created, instead of stopping when partially complete.

The .csv file you are using for an import must have a header row that contains names of LDAP
attributes for the data in the .csv file. Each row must contain exactly the correct number of items
as specified in the header row.

You cannot use csvde to import passwords, because passwords in a .csv file are not protected.
Therefore, user accounts that you create with csvde have a blank password and are disabled.

Note: For more information about parameters for csvde, at a command prompt, type csvde /?,
and then press Enter.
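The header-row and item-count rules above can be checked before the file is handed to csvde. The following is an added example, not part of the original handout: it reports rows whose item count differs from the header (the usual result of a DN that is unquoted or wrapped in curly quotes), malformed DN values, and password attributes in the header. The function name and the sample rows are assumptions constructed for illustration.

```python
import csv
import io

# Attribute names that would put a credential in the file (checked case-insensitively).
PASSWORD_ATTRS = {"unicodepwd", "userpassword"}
CURLY_QUOTES = "\u201c\u201d"

def check_csvde_file(text):
    """Return (line_number, problem) tuples for the text of a csvde import file."""
    problems = [(n, "curly quote found; only straight \" quotes protect the commas in a DN")
                for n, raw in enumerate(text.splitlines(), 1)
                if any(q in raw for q in CURLY_QUOTES)]
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    if not header:
        return [(1, "missing header row of LDAP attribute names")]
    names = [h.strip().lower() for h in header]
    if any(h != h.strip() for h in header):
        problems.append((1, "spaces around attribute names in header row"))
    if "dn" not in names:
        problems.append((1, "header row has no DN column"))
    for attr in sorted(PASSWORD_ATTRS & set(names)):
        problems.append((1, f"password attribute {attr!r} does not belong in a .csv file"))
    for row in reader:
        line = reader.line_num
        if not row:
            continue  # blank line
        if len(row) != len(header):
            problems.append((line, f"{len(row)} items but header row has {len(header)}"))
        elif "dn" in names:
            dn = row[names.index("dn")]
            if dn != dn.strip() or "=" not in dn:
                problems.append((line, f"malformed DN value {dn!r}"))
    return sorted(problems)

# Constructed sample: line 2 is valid, line 3 has an unquoted DN, line 4 uses curly quotes.
SAMPLE = (
    'objectClass,sAMAccountName,dn\n'
    'user,jedwards,"CN=Janice Edwards,OU=DepartmentC,DC=contoso,DC=com"\n'
    'user,ebest,CN=Ester Best,OU=DepartmentC,DC=contoso,DC=com\n'
    'user,klashley,\u201cCN=Karl Lashley,OU=DepartmentC,DC=contoso,DC=com\u201d\n'
)

if __name__ == "__main__":
    for line, problem in check_csvde_file(SAMPLE):
        print(f"line {line}: {problem}")
```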

Example of user data entered into an Excel file. This file is saved with a .csv file extension,
e.g. C:\data.csv

If you do not have Excel or another spreadsheet program installed on your server, you
can save the data in Notepad as a .csv file in the format shown below. Name the file
data.csv (please refer to your training video on how to save the .csv file).

Enter the data below in a Notepad file and save it to the C: drive as data.csv
====================================
objectClass,sAMAccountName,dn
user,Jedwards,"CN=Janice Edwards,OU=DepartmentC,DC=yd,dc=com"
user,Ebest,"CN=Ester Best,OU=DepartmentC,DC=yd,dc=com"
=============================================

To import the names into AD:

Navigate to the C: drive.

Type the command: csvde -i -f data.csv

After each import, in Active Directory right-click the OU and select Refresh from
the shortcut menu. Simply pressing F5 is not good enough.

Csvde limitations
Csvde is unable to add passwords, modify or delete.
Use dsmod to add passwords, modify or delete.
