Thursday, January 7, 2010

Using Automation to Manage Group Accounts

Although the Active Directory Users And Computers MMC is a convenient way to create and modify groups individually, it is not the most efficient method for creating large numbers of security principals. A tool included with Windows Server 2003, Ldifde.exe, facilitates the importing and exporting of larger numbers of security principals, including groups.

Using LDIFDE

The Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used to perform batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against Active Directory. A utility program called LDIFDE is included in Windows Server 2003 to support batch operations based on the LDIF file format standard.

LDIFDE is a command-line utility, available on all Windows Server 2003 editions. From a command prompt or command shell, you run the LDIFDE utility with the appropriate command switches. The table below details the primary LDIFDE commands, as displayed by typing ldifde /? at the command prompt.

LDIFDE Commands (Primary)

General parameters

-i : Turn on Import Mode (The default is Export)

-f filename: Input or Output filename

-s servername: The server to bind to

-c FromDN ToDN:  Replace occurrences of FromDN to ToDN

-v : Turn on Verbose mode

-j path: Log file location

-t port: Port number (default=389)

-? : Help


Export specific parameters

-d RootDN: The root of the LDAP search (Default to Naming Context)

-r Filter: LDAP search filter (Default to "(objectClass=*)")

-p SearchScope: Search Scope (Base/OneLevel/Subtree)

-l list: List of attributes (comma-separated) to look for in an LDAP search

-o list: List of attributes (comma-separated) to omit from input

-g: Disable Paged Search

-m: Enable the Security Accounts Manager (SAM) logic on export

-n: Do not export binary values

Import specific parameters

-k: The import will ignore "Constraint Violation" and "Object Already Exists" errors

Credentials parameters

-a UserDN Password: Sets the command to run using the supplied user distinguished name and password.

For example: "cn=administrator, dc=mcseweb, dc=com" password

-b UserName Domain Password: Sets the command to run as the supplied user name, domain, and password. The default is to run using the credentials of the currently logged on user.
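The table above shows the switches, but not what the LDIF file fed to ldifde -i actually looks like. The script below is an added example (not from the original post) that generates LDIF "add" records for a batch of groups, handling the two things that most often break a bulk import: DN components that contain reserved characters such as commas, and attribute values that LDIF cannot carry literally (non-ASCII text, leading spaces) and therefore must be base64-encoded with the "::" form. It also computes the groupType value from the scope and security/distribution choice, because ldifde has no -secgrp or -scope switch of its own. The OU, domain, server and group names are constructed sample values; the ldifde command line in the docstring is an assumed invocation built from the switches listed above.

```python
"""Generate an LDIF file that creates Active Directory groups in bulk.

Added example, not from the original post. It writes records that an
ldifde import can consume, for instance (assumed invocation):
    ldifde -i -f groups.ldf -s dc01 -j C:\\ldifde-logs -k
The OU, domain and group names used here are constructed sample values.
"""
import base64

# groupType is a bit field: one scope bit plus the security-enabled flag.
SCOPE_BITS = {"g": 0x2, "l": 0x4, "u": 0x8}  # global, domain local, universal
SECURITY_ENABLED = 0x80000000


def group_type(scope, security=True):
    """Return groupType as the signed 32-bit integer AD stores (0x80000002 -> -2147483646)."""
    value = SCOPE_BITS[scope] | (SECURITY_ENABLED if security else 0)
    return value - 0x100000000 if value & 0x80000000 else value


def escape_rdn(value):
    """Escape the characters RFC 4514 treats specially inside a DN component."""
    out = value.replace("\\", "\\\\")
    for ch in ',+"<>;=':
        out = out.replace(ch, "\\" + ch)
    if out[:1] in ("#", " "):
        out = "\\" + out
    if out.endswith(" "):
        out = out[:-1] + "\\ "
    return out


def ldif_attr(name, value):
    """Format one attribute line, base64-encoding values LDIF cannot carry literally.

    RFC 2849 forbids a literal value that starts with a space, ':' or '<',
    ends with a space, or contains non-ASCII, NUL or line-break characters."""
    literal_ok = (value.isascii()
                  and value[:1] not in (" ", ":", "<")
                  and not value.endswith(" ")
                  and "\n" not in value and "\r" not in value
                  and "\0" not in value)
    if literal_ok:
        return f"{name}: {value}"
    encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
    return f"{name}:: {encoded}"


def fold(line, width=76):
    """Fold a long line the LDIF way: continuation lines begin with one space."""
    parts = [line[:width]]
    rest = line[width:]
    while rest:
        parts.append(" " + rest[:width - 1])
        rest = rest[width - 1:]
    return "\n".join(parts)


def group_record(name, ou_dn, scope="g", security=True, description=None):
    """Return one LDIF 'add' record for a group placed under ou_dn."""
    dn = f"CN={escape_rdn(name)},{ou_dn}"
    lines = [
        ldif_attr("dn", dn),
        "changetype: add",
        "objectClass: top",
        "objectClass: group",
        ldif_attr("cn", name),
        ldif_attr("sAMAccountName", name),
        f"groupType: {group_type(scope, security)}",
    ]
    if description:
        lines.append(ldif_attr("description", description))
    return "\n".join(fold(line) for line in lines) + "\n"


def build_ldif(groups, ou_dn):
    """Join one record per group; a blank line separates LDIF records."""
    return "\n".join(group_record(ou_dn=ou_dn, **g) for g in groups)


if __name__ == "__main__":
    # Constructed sample input: two security groups and one distribution list.
    sample = [
        {"name": "Sales Admins", "scope": "u", "description": "Delegated admins, Zürich office"},
        {"name": "Finance, Read-Only", "scope": "l"},
        {"name": "All Staff", "security": False},
    ]
    print(build_ldif(sample, "OU=Groups,DC=example,DC=com"), end="")
```

Redirect the output to a .ldf file and import it with -i; run the import with -j pointing at a log directory so that rejected records are recorded, and use -k only when you intend duplicates to be skipped rather than reported, since it also hides constraint violations that may indicate a malformed record.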

Creating Groups with DSADD

The DSADD command, introduced in an earlier topic, is used to add objects to Active Directory. To add a group, use the syntax

dsadd group GroupDN…

The GroupDN… parameter is one or more distinguished names for the new group objects. If a DN includes a space, surround the entire DN with quotation marks. The GroupDN… parameter can be entered in one of the following ways:

* By piping a list of DNs from another command, such as dsquery.

* By typing each DN on the command line, separated by spaces.

* By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.

The DSADD GROUP command can take the following optional parameters after the DN parameter:

* -secgrp {yes | no} determines whether the group is a security group (yes) or a distribution group (no). The default value is yes.

* -scope {l | g | u} determines whether the group is a domain local (l), global (g, the default), or universal (u) group.

* -samid SAMName sets the pre-Windows 2000 (SAM account) name of the group.

* -desc Description sets the group's description attribute.

* -memberof GroupDN... specifies groups to which to add the new group.

* -members MemberDN... specifies members to add to the group.

As discussed in an earlier topic, you can add -s, -u, and -p parameters to specify the domain controller against which DSADD will run, and the user name and password—the credentials—that will be used to execute the command.

* {-s Server | -d Domain}

* -u UserName

* -p {Password | *}

Modifying Groups with DSMOD

The DSMOD command, introduced in an earlier topic, is used to modify objects in Active Directory. To modify a group, use the syntax

dsmod group GroupDN

The command takes many of the same switches as DSADD, including -samid, -desc, -secgrp, and -scope. Typically, though, you won't be changing those attributes of an existing group. Rather, the most useful switches are those that let you modify the membership of a group, specifically

* -addmbr Member... adds members to the group specified in GroupDN

* -rmmbr Member... removes members from the group specified in GroupDN

where, as with all directory service commands, the DN is the full distinguished name of another Active Directory object, surrounded by quotes if there are any spaces in the DN.
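The DSADD and DSMOD switches above are easy to hand-type for one group, but scripted membership changes tend to go wrong on two points: forgetting to quote a DN that contains a space, and re-adding or "removing" members that are already in (or already out of) the group. The script below is an added example, not from the original post: it builds a DSADD GROUP command and, for an existing group, the minimal set of DSMOD GROUP -addmbr/-rmmbr commands that move the group from its current membership to a desired one, comparing DNs case-insensitively as Active Directory does. It passes -p * so the tool prompts for the password rather than recording it in a script or the command history. Group, member, server and user names are constructed sample values.

```python
"""Build DSADD GROUP and DSMOD GROUP command lines from a desired-state description.

Added example, not from the original post. The switches it emits (-secgrp,
-scope, -members, -addmbr, -rmmbr, -s, -u, -p) are the ones listed above;
the group, member, server and user names are constructed sample values.
"""


def quote_dn(dn):
    """Quote a DN only when it contains a space, as the post requires."""
    return f'"{dn}"' if " " in dn else dn


def credential_switches(server=None, user=None):
    """Optional -s/-u/-p switches. '-p *' makes the tool prompt for the
    password instead of leaving it in a script or the command history."""
    parts = []
    if server:
        parts += ["-s", server]
    if user:
        parts += ["-u", user, "-p", "*"]
    return parts


def dsadd_group(group_dn, scope="g", security=True, members=(), server=None, user=None):
    """One DSADD GROUP command creating the group with its initial membership."""
    parts = ["dsadd", "group", quote_dn(group_dn),
             "-secgrp", "yes" if security else "no", "-scope", scope]
    if members:
        parts += ["-members"] + [quote_dn(m) for m in members]
    return " ".join(parts + credential_switches(server, user))


def reconcile_members(group_dn, current, desired, server=None, user=None):
    """DSMOD commands that move a group's membership from current to desired.

    DNs are compared case-insensitively, as Active Directory does, so a
    member already present is never re-added and never counted as stale.
    Returns an empty list when nothing needs to change."""
    cur = {m.lower(): m for m in current}
    des = {m.lower(): m for m in desired}
    to_add = [des[k] for k in sorted(des) if k not in cur]
    to_remove = [cur[k] for k in sorted(cur) if k not in des]
    commands = []
    for switch, dns in (("-addmbr", to_add), ("-rmmbr", to_remove)):
        if dns:
            parts = ["dsmod", "group", quote_dn(group_dn), switch]
            parts += [quote_dn(d) for d in dns]
            commands.append(" ".join(parts + credential_switches(server, user)))
    return commands


if __name__ == "__main__":
    # Constructed sample data: one universal security group and its members.
    group = "CN=Sales Admins,OU=Groups,DC=example,DC=com"
    print(dsadd_group(group, scope="u",
                      members=["CN=Ann Lee,OU=Users,DC=example,DC=com"],
                      server="dc01", user="EXAMPLE\\adm-groups"))
    for cmd in reconcile_members(
            group,
            current=["CN=Ann Lee,OU=Users,DC=example,DC=com",
                     "CN=Bob,OU=Users,DC=example,DC=com"],
            desired=["cn=ann lee,ou=users,dc=example,dc=com",
                     "CN=Cy,OU=Users,DC=example,DC=com"]):
        print(cmd)
```

The current membership list can be obtained by piping dsquery group into dsget group -members, which is the same piping pattern the post describes for feeding DNs into dsadd; reconciling against a desired list rather than only appending keeps privileged groups free of members who no longer need access.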
