Windows 2008 Command Line
Topics Covered
Using Built-in Command Line tools
Using command line tools provided by support tools
Manage objects in active directory from command line
Creating User
dsadd user <userdn> -samid name –upn name@domain.com –pwd password
eg
dsadd user “cn=testuser,cn=users,dc=vision,dc=com” –upn testuser@vision.com –samid
testuser –pwd 123_abc
Reset user password
dsmod user <user_dn> –pwd newpassword
eg
dsmod user “cn=testuser,cn=users,dc=vision,dc=com” –pwd abc_123
If you want to require the user to change this password at the next logon process, type the
following command:
dsmod user user_dn -mustchpwd {yes|no}
Disable or Enable user account
dsmod user user_dn -disabled {yes|no}
eg
dsmod user “cn=testuser,cn=users,dc=vision,dc=com” –disable yes
Delete a user account
Dsrm <user_dn>
Eg
Dsrm “cn=testuser,cn=users,dc=vision,dc=com”
Create a new group
dsadd group <group_dn> -samid sam_name -secgrp yes | no -scope l | g | u
group_dn = distinguished name of the group you want to create
sam_name = samid (netbios name) of the gropu
yes | no = specifies whether the group you want to add is a security group (yes) or a distribution
group (no).
l | g | u specifies the scope of the group you want to add ( domain local [l], global [g], or
universal [u]).
Eg
Dsadd group “cn=testgroup,cn=users,dc=vision,dc=com” –samid testgroup -secgrp yes scope g
Add user to a group
dsmod group <group_dn> -addmbr <member_dn>
group_dn = distinguished name of the group object that you want to add.
member_dn = distinguished name of the user or group that you want to add to the group.
Eg :
Dsmod group “cn=testgroup,cn=users,dc=vision,dc=com” –addmbr
“cn=testuser,cn=users,dc=vision,dc=com”
Delete a group
Dsrm <group_dn>
Eg
Dsrm “cn=testgroup,cn=users,dc=vision,dc=com”
Find a user member group
Dsget <user_dn> -memberof
Eg
Dsget “cn=testuser,cn=users,dc=vision,dc=com” –memberof
How to query active directory
Find a user account
Dsquery user parameter
Find a group
Dsquery group parameter
Find a computer account
Dsquery computer –name name
Find a domain controller
Dsquery server parameter
Domain Controller Diagnostic Tool (dcdiag.exe)
dcdiag.exe is a command-line tool to analyzes or verify the state of domain controllers in a forest
and helps administrator in troubleshooting problems. dcdiag.exe consists of series of tests to
verify different functional areas of the system.
Following are the test performed by dcdiag.exe like replication test, services, DNS test, ADS
paritition, Schema, FSMO, etc.
Syntax
dcdiag /options
options
/s:domain controller name : name of domain controller test.
/a : Tests all the servers on this site.
/e : Tests all the servers in the entire enterprise.
Dsquery
Dsquery command is used to query Active Directory database. Dsquery command helps to find
various objective in active directory like computer, user, group, etc.
Dsquery computer : Finds computers in the directory.
Dsquery contact : Finds contacts in the directory.
Dsquery subnet : Finds subnets in the directory.
Dsquery group : Finds groups in the directory.
Dsquery ou : Finds organizational units in the directory.
Dsquery site : Finds sites in the directory.
Dsquery server : Finds servers in the directory.
Dsquery user : Finds users in the directory.
Dsquery computer
Finds computers in the directory that match specified search criteria.
Syntax
dsquery computer [{StartNode | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope
{subtree | onelevel | base}] [-name Name] [-desc Description] [-samid SAMName] [-
inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server | -d
Domain}] [-u UserName] [-p {Password | *}] [-q] [-r] [-gc] [-limit NumberOfObjects]
Parameters
{StartNode | forestroot | domainroot} : Specifies the node where the search will start. You can
specify the forest root (forestroot), domain root (domainroot), or a node?s distinguished name
(StartNode). If forestroot is specified, the search is done using the global catalog. The default
value is domainroot.
-o {dn | rdn | samid} : Specifies the format in which the list of entries found by the search will
be displayed. A dn value displays the distinguished name of each entry. A rdn value displays the
relative distinguished name of each entry. A samid value displays the SAM account name
of each entry. By default, the dn format is used.
-scope {subtree | onelevel | base} : Specifies the scope of the search. A value of subtree
indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the
immediate children of start node only. A value of base indicates the single object represented by
start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the
subtree search scope is used.
-name Name : Searches for computers whose name attributes (value of CN attribute) matches
Name. For example, "jon*" or "*ith" or "j*th".
-desc Description : Searches for computers whose description attribute matches Description. For
example, "jon*" or "*ith" or "j*th".
-samid SAMName : Searches for computers whose SAM account name matches SAMName.
-inactive NumberOfWeeks : Searches for all computers that have been inactive (stale) for the
specified number of weeks.
-stalepwd NumberOfDays : Searches for all computers that have not changed their password for
the specified number of days.
-disabled “ Searches for all computers whose accounts are disabled.
{-s Server | -d Domain} : Connects to a specified remote server or domain. By default, the
computer is connected to the domain controller in the logon domain.
-u UserName : Specifies the user name with which user will log on to a remote server. By
default, the logged on user name is used. You can specify a user name using one of the following
formats:
• user name (such as, Linda)
• domain\user name (such as, widgets.microsoft\Linda)
• user principal name (UPN) (such as, Linda@widgets.microsoft.com)
-p {Password | *} : Specifies to use either a password or a * to log on to a remote server. If you
type *, then you are prompted for a password.
-q : Suppresses all output to standard output (quiet mode).
-r : Specifies that the search use recursion or follow referrals during search. By default, the
search will not follow referrals during search.
-gc : Specifies that the search use the Active Directory global catalog.
-limit Number OfObjects : Specifies the number of objects that match the given criteria to be
returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this
parameter is not specified, by default the first 100 results are displayed.
Examples
To find all computers in the current domain whose name starts with "ms" and whose
description starts with "desktop", and display their distinguished names, type:
dsquery computer domainroot -name ms* -desc desktop*
To find all computers in the organizational unit given by
OU=Sales,dc=micrsoft,DC=Com and display their distinguished names, type:
dsquery computer OU=Sales,DC=Microsoft,DC=Com
Dsquery server
Finds domain controllers according to specified search criteria. If the predefined
search criteria in this command is insufficient, then use the more general version of the
query command, dsquery *
Syntax
dsquery server [-o {dn | rdn}] [-forest] [-domain DomainName] [-site SiteName] [-name
Name] [-desc Description] [-hasfsmo {schema | name | infr | pdc | rid}] [-isgc] [{-s Server
| -d Domain}] [-u UserName] [-p {Password | *}] [-q] [-r] [-gc] [-limit NumberOfObjects]
Parameters
-o {dn | rdn | samid} : Specifies the format in which the list of entries found by the search will
be displayed. A dn value displays the distinguished name of each entry. A rdn value displays
the relative distinguished name of each entry. A samid value displays the SAM account name
of each entry. By default, the dn format is used.
-forest : Searches for all domain controllers (server objects) that are part of the current forest.
-domain DomainName : Searches for all domain controllers (server objects) that are part of the
domain whose DNS name is given by DomainName. Note that this parameter is not necessary if
all domain controllers in the current domain are to be displayed, since that is the search criterion
when no other criterion is specified.
-site SiteName : Searches for all domain controllers (server objects) that are part of site
SiteName.
-name Name : Searches for server objects whose name attributes (value of CN attribute) matches
Name. For example, "jon*" or "*ith" or "j*th".
-desc Description : Searches for server objects whose description attribute matches Description.
For example, "jon*" or "*ith" or "j*th".
-hasfsmo {schema | name | infr | pdc | rid} : Searches for the domain controller (server object)
that holds the requested operations master role. A value of schema requests the schema
master of the forest. A value of name requests the domain naming master of the forest. A value
of infr requests the infrastructure master of the forest. A value of pdc requests the primary
domain controller (PDC) role owner of the domain given by the -domain parameter (or the
current domain is used). A value of rid requests the relative ID master (RID master) of the
domain given by the -domain parameter (or the current domain is used). For the infr, pdc and
rid FSMO roles, if no domain is specified with the -domain parameter, then the current domain
is used.
-isgc : Searches for all domain controllers (server objects) in the scope specified by any of the -
forest, -domain, or -site parameters that are global catalog servers. If none of the above scope
parameters are specified, then find all global catalogs in the current domain.
{-s Server | -d Domain} : Connects to a specified remote server or domain. By default, the
computer is connected to the domain controller in the logon domain.
-u UserName : Specifies the user name with which user will log on to a remote server. By
default, the logged on user name is used. You can specify a user name using one of the following
formats:
• user name (such as, Linda)
• domain\user name (such as, widgets.microsoft\Linda)
• user principal name (UPN) (such as, Linda@widgets.microsoft.com)
-p {Password | *} : Specifies to use either a password or a * to log on to a remote server. If you
type *, then you are prompted for a password.
-q : Suppresses all output to standard output (quiet mode).
-r : Specifies that the search use recursion or follow referrals during search. By default, the
search will not follow referrals during search.
-gc : Specifies that the search use the Active Directory global catalog.
-limit NumberOfObjects : Specifies the number of objects that match the given criteria to be
returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this
parameter is not specified, by default the first 100 results are displayed.
Examples
To find all domain controller in the current domain, type:
dsquery server
To find all domain controllers in the forest and display their relative distinguished
names, type:
dsquery server -o rdn -forest
To find all domain controllers in the site whose name is America and display their
relative distinguished names, type:
dsquery server -o rdn -site America
To find the domain controller in the forest that holds the schema FSMO role, type:
dsquery server ?forest ?hasfsmo schema
To find all domain controllers in the domain widgets.microsoft.com that are global
catalog servers:
dsquery server ?domain widgets.microsoft.com –isgc
Dsquery user
Finds users in the directory that match the specified search criteria. If the predefined
search criteria in this command is insufficient, then use the more general version of the
query command, dsquery *
Syntax
dsquery user [{StartNode | forestroot | domainroot}] [-o {dn | rdn | upn | samid}] [-scope
{subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN] [-samid
SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s
Server | -d Domain}] [-u UserName] [-p {Password | *}] [-q] [-r] [-gc] [-limit
NumberOfObjects]
Parameters
{StartNode | forestroot | domainroot} : Specifies the node where the search will start. You can
specify the forest root (forestroot), domain root (domainroot), or a node?s distinguished name
(StartNode). If forestroot is specified, the search is done using the global catalog. The default
value is domainroot.
-o {dn | rdn | upn | samid} : Specifies the format in which the list of entries found by the search
will be displayed. A dn value displays the distinguished name of each entry. A rdn value
Vision Infosystems (VIS)
Page No. : 108
displays the relative distinguished name of each entry. A upn value displays the user principal
name of each entry. A samid value displays the SAM account name of each entry. By
default, the dn format is used.
-scope {subtree | onelevel | base} : Specifies the scope of the search. A value of subtree
indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the
immediate children of start node only. A value of base indicates the single object represented by
start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the
subtree search scope is used.
-name Name : Searches for users whose name attributes (value of CN attribute) matches Name.
For examples of valid filters, see Remarks.
-desc Description : Searches for users whose description attribute matches Description. For
examples of valid filters, see Remarks.
-upn UPN : Searches for users whose UPN attribute matches UPN. For examples of valid filters,
see Remarks.
-samid SAMName : Searches for users whose SAM account name matches SAMName. For
examples of valid filters, see Remarks.
-inactive NumberOfWeeks : Searches for to find all users that have been inactive (stale) for at
least the specified number of weeks.
-stalepwd NumberOfDays : Searches for all users that have not changed their password for at
least the specified number of days.
-disabled : Searches for all users whose accounts are disabled.
{-s Server | -d Domain} : Connects to a specified remote server or domain. By default, the
computer is connected to the domain controller in the logon domain.
-u UserName : Specifies the user name with which user will log on to a remote server. By
default, the logged on user name is used. You can specify a user name using one of the following
formats:
• user name (such as, Linda)
• domain\user name (such as, widgets.microsoft\Linda)
• user principal name (UPN) (such as, Linda@widgets.microsoft.com)
-p {Password | *} : Specifies to use either a password or a * to log on to a remote server. If you
type *, then you are prompted for a password.
-q : Suppresses all output to standard output (quiet mode).
-r : Specifies that the search use recursion or follow referrals during search. By default, the
search will not follow referrals during search.
-gc : Specifies that the search use the Active Directory global catalog.
-limit NumberOfObjects : Specifies the number of objects that match the given criteria to be
returned. If the value of NumberOfObjects is 0, all matching objects are returned. If this
parameter is not specified, by default the first 100 results are displayed.
Examples
To display the user principal names of all users in a given organizational unit whose
name starts with "Jon" and whose account has been disabled for logon, type:
dsquery user OU=Test,DC=Microsoft,DC=Com -o upn -name jon* -disabled
To display the distinguished names of all users in only the current domain whose names
end with "Smith" and who have been inactive for 3 weeks or more, type:
dsquery user domainroot -name *smith -inactive 3
To display the user principal names of all users in the organizational unit given by
OU=Sales,DC=Microsoft,DC=Com, type:
dsquery user OU=Sales,DC=Microsoft,DC=Com -o upn
Network Connectivity Tester (netdiag.exe)
Netdiag.exe is a command-line diagnostic tool that helps administrator to troubleshoot network
and connectivity related problems by performing a series of tests. This tool does not require
parameters or switches to be specified, support personnel and network administrators can focus
on analyzing the output rather than on training users how to use the tool.
Netdiag performs test like, WINS, DNS, domain membership, trust, kerberos, ldap, etc.
Syntax
netdiag /options
Options
/l : Sends output to Netdiag.log. This log file is created in the same directory where Netdiag.exe
was run.
Vision Infosystems (VIS)
Page No. : 110
/debug : Specifies even more verbose output. With this parameter, NetDiag takes a few minutes
to complete.
/d: DomainName : Finds a domain controller in the specified domain.
/fix : Fixes minor problems.
/DcAccountEnum : Enumerates domain controller computer accounts.
/test: TestName : Runs the following test like browser, dclist, dns, ipconfig, autonet, kerberos,
ldap, trust, WINS, etc.
/skip : TestName : To skip above mentioned test
NLtest.exe
This command-line tool which helps to perform network administrative activities like
• To get a list of domain controllers.
• Force a remote shutdown.
• To check or query the status of trust.
• Test trust relationships and the state of domain controller replication in a Windows
domain.
• Force a user-account database to synchronize on Windows NT version 4.0 or earlier
domain controllers
Syntax
nltest /server:ServerName /Optional Parameters
Optional Parameters
/query : Reports on the state of the secure channel the last time it was used. This is the secure
channel established by the NetLogon service.
/repl : Forces a synchronization with the PDC. Only changes not yet replicated to the BDC are
synchronized. This command is for NT 4.0 BDCs only and is not for Active Directory
replication. Administrative rights are required to perform this command.
/sync : Forces an immediate synchronization with the PDC of the entire SAM database. This
command is for NT 4.0 BDCs only and is not for Active Directory replication. Administrative
rights are required to perform this command.
/pdc_repl : Forces the PDC to send a synchronize notification to all BDCs. This command is for
NT 4.0 PDCs only and is not for Active Directory replication. Administrative rights are required
to perform this command.
/dsgetdc: [DomainName] : Queries the DNS server for a list of domain controllers and their
corresponding IP addresses. Contacts each domain controller to check for connectivity.
/shutdown: Reason [Seconds] : Performs a remote shutdown of the ServerName for Reason, a
string, after Seconds, an integer. For a complete description, see the Platform SDK
documentation for InitiateSystemShutdown.
/shutdown_abort : Terminates a system shutdown.
/domain_trusts : Returns a list of trusted domains. /Primary /Forest /Direct_Out /Direct_In
/All_Trusts /v.
repadmin.exe
Repadmin is a command-line tool to help administrators in diagnosing and troubleshooting
problem related with replication between Domain Controllers. Administrators can use repadmin
command to view the replication topology.
RepAdmin can for following
• To manually create the replication topology
• To force replication events between domain controllers
• To montoring the relative health of an Active Directory forest.
• To troubleshooting replication problems
RepAdmin syntax:
repadmin Operation Parameters [/rpc] [/ldap][/u:Domain\User] [/pw:{Password | *}]
/rpc : This parameter forces RepAdmin to use an RPC session for network communications.
/ldap : This parameter forces RepAdmin to use an LDAP session for network communications if
posable. If the LDAP connection fails then RepAdmin attempts to connect using an RPC session.
This is the default behavior for RepAdmin.
/u : Specifies the user name that has permissions to perform operations in Active Directory.
/pw : Specifies the password for the user name entered with the /u parameter.
The DC_LIST Parameter
the syntax of the semi-global dc_list parameter
{dc_name dc_name ... | * | partial_server_name* | site:site_name | gc: | fsmo_type:[name]}
dc_name dc_name ... : Specifies the host name of a domain controller, or a list of domain
controllers separated by a space.
* Standard wildcard character. When this is used it returns all domain controllers in the
enterprise. Improper use can cause a significant increase in network traffic.
partial_server_name* : Partial wildcard character matching. For example, if given the partial
domain controller name "woodgrovebank*", the wildcard character would pick up
woodgrovebank-dc1 and woodgrovebank-dc2.
site:site_name : The site: parameter takes the name of an Active Directory site (site_name), and
returns all domain controllers in that site.
gc: Queries all Global Catalog Servers in the enterprise.
fsmo_type:[name] : Specifies a group of domain controllers to query by operations master (also
know as flexible single master operations or FSMO) type. Valid operations master types follow.
Operational Parameters
1) Repadmin /viewlist
Displays a list of domain controllers.
repadmin /viewlist [DC_LIST] [OBJ_LIST]
DC_LIST
Specifies the host name of a domain controller or a list of domain controllers separated by a
space that the object will be replicated to.
OBJ_LIST
this parameter takes a DN or a special keyword that expands into a DN. The keywords are:
• Ncobj:config:
• Ncobj:schema:
• Ncobj:domain:, This key word is the domain partition DN of the home server.
• Dsaobj:, This keyword is the NTDS settings object of the home server
2) repadmin /syncall
Synchronizes a specified domain controller with all replication partners.
repadmin /syncall DC [NamingContext] [Flags]
Parameters
DC
Specifies the host name of the domain controller to synchronize with all replication partners.
NamingContext
Specifies the distinguished name of the directory partition. Flags
Performs specific actions during the replication.
Flag Description
/a Abort if any server is unavailable.
/A Sync all naming contexts whitch are held on the home server.
/d Identify servers by distinguished name in messages.
Enterprise, cross sites.
/i Iterate indefinitely.
/I Perform showreps on each server pair in path instead of syncing.
/j Synchronize adjacent servers only.
/p Pause for possible user abort after every message.
/P Push changes outward from home server.
/s Do not synchronize.
3) repadmin /showreps
Displays the replication partners for each directory partition on the specified domain controller.
Helps the administrator build a visual representation of the replication topology and see the role
of each domain controller in the replication process.
repadmin /showrepl [DC_LIST] [SourceDCObjectGUID] [NamingContext] [/verbose]
[/nocache] [/repsto] [/conn] [/csv] [/all] [/errorsonly] [/intersite]
Parameters
DC_LIST : Specifies the host name of a domain controller or a list of domain controllers
separated by a space that the object will be replicated to. See above for detailed syntax.
SourceDCObjectGUID : Specifies the unique hexadecimal number that identifies the object
whose replication events will be listed.
NamingContext : Specifies the distinguished name of the directory partition.
/nocache : Specifies that GUIDs are left in hexadecimal form. By default, GUIDs are translated
into strings.
/repsto : Lists the domain controllers that pull replication information from the specified
directory partition. To see the outbound neighbors, specify /repsto or /all.
/conn : Displays the connection objects associated with each link.
/all : Displays all replication partners.
/errorsonly : Only shows the partnership if it has an error associated with it.
/intersite : Only shows this partnership if the source server is in a different site than our own.
4) repadmin /replicate
Starts a replication event for the specified directory partition between the source and destination
domain controllers. The source UUID can be determined when viewing the replication partners
by using the showreps operation.
Syntax 1
repadmin /replicate Destination_DC_LIST Source_DC_NAME [/force] [/async] [/full]
[/addref]
Syntax 2
repadmin /replicate Destination_DC_LIST [/force] [/async] [/full] [/addref] [/allsources]
Parameters
Destination_DC_LIST : Specifies the host name of the destination domain controller (Directory
Server Agent) with which you want to replicate. See above for detailed syntax on the DC_LIST
parameter. This parameter cannot be used with /allsource.
Source_DC_NAME : Specifies the host name of the source domain controller with which you
want to replicate. This parameter accepts a GUID, GUID-based DNS name, or the name of a
server object.
/force : This parameter is used to override the Disable Replication option on a server.
/async : Specifies that the replication will be asynchronous. This means that RepAdmin starts the
replication event, but it does not expect an immediate response from the destination domain
controller. Use this parameter when there are slow links between domain controllers.
/full : Forces a full replication of all objects from the destination domain controller.
/addref : Directs the source to check for a notification entry on the source. If the source does not
have a notification entry for this destination, one is added.
/allsources : A given destination can have multiple sources for the same naming context. Directs
the destination to sync with all sources instead of just one. This parameter cannot be used with
Destination_DC_LIST
/readonly : This parameter is ignored by the
/replicate : operation.
The other parameters are
• repadmin /showrepl
• repadmin /showtrust
• repadmin /replsummary
• repadmin /showbridgehead, etc.
Examples
1) To view all replication partners
repadmin /showrepl server1.microsoft.com
2) Forcing replication between two partners
repadmin /replicate server2.microsoft.com server1.microsoft.com dc=
rktlabdom,dc=com
3) To view unreplicated changes between two partners
repadmin /showchanges server2.microsoft.com 5c02bcaf-86d9-4bed-811e-d
17a5cebf8bb dc=microsoft,dc=com
4) Force domain partition to be replicated to partners
repadmin /syncall server1.microsoft.com dc=microsoft,dc=com
5) To view replication status
repadmin /replsummary
replmon.exe
Replmon is GUI based tool that helps administrators to view the low-level status of Active
Directory replication, force synchronization between domain controllers, view the topology in a
graphical format, and monitor the status and performance of domain controller replication.
You can use ReplMon to do the following:
• See when a replication partner fails.
• View the history of successful and failed replication changes for troubleshooting
purposes.
• View the properties of directory replication partners.
• Create your own applications or scripts written in Microsoft Visual Basic Scripting
Edition (VBScript) to extract specific data from Active Directory.
• View a snapshot of the performance counters on the computer, and the registry
configuration of the server.
• Generate status reports that include direct and transitive replication partners, and detail a
record of changes.
• Find all direct and transitive replication partners on the network.
• Display replication topology.
• Poll replication partners and generate individual histories of successful and failed
replication events.
• Force replication.
• Trigger the Knowledge Consistency Checker (KCC) to recalculate the replication
topology.
• Display changes that have not yet replicated from a given replication partner.
• Display a list of the trust relationships maintained by the domain controller being
monitored.
• Display the metadata of an Active Directory object's attributes.
• Monitor replication status of domain controllers from multiple forests
CSVDE
CSVDE stands for Comma Separated Value Data Exchange. CSVDE is program for bulk
import and export. CSVDE is used to import and export user accounts from and to a Windows
domain. CSVDE format is a universal format supported by many applications like Excel, etc.
CSVDE creates a .CSV file during export of data.
How CSVDE works
Think of CSVDE as the engine that drives data into or out of Active Directory. This CSVDE
engine has two directions, export and import. The data consists of Active Directory accounts in
CSV format. Excel, or a similar spreadsheet, is marvelous at dropping the comma-separated data
into columns. To actually export from Active Directory, all you need is CSVDE -f filename.csv.
Whenever you transfer data in the other direction, from the file into Active Directory, you must
actively switch CSVDE into import mode. This is why you need the extra the -i parameter. For
example CSVDE -i -f filename.csv
LDIFDE
LDIFDE stands for Lightweight Data Interchange Format, Data Exchange. Has lineseparated
values between each record. The data is not suitable for spreadsheets. My advice is
use Microsoft's LDIFDE when ever CSVDE is not up to the job, for example, if you need to
import users with passwords CSVDE will not work. LDIFDE has more powerful verbs, for
instance CSVDE can only add users, whereas LDIFDE can modify or even delete their accounts.
Export using LDIFDE
Command to export active directory database into ldifde format
ldifde -f export.ldf -s ServerName (Where Servername is your domain controller and
export.ldf is the filename)
In theory you can export user accounts by just giving the filename, but I find you need
the -s switch to connect to the server. (-s ServerName)
Import using LDIFDE
Command to import .ldf data into active directory database
ldifde -i -f accounts.ldf -s ServerName
Example – 1 (To add user)
1. Create newuser.ldf file in note and type the following contents to create a new user name
Ajay Raul
dn: CN=AjayRaul, CN=Users, DC=VisionInfo, DC=com
changetype: add
cn: AjayRaul
objectClass: user
samAccountName: Ajay
givenName: Ajay
sn: Raul
2. now save the file and goto command prompt
3. run the command ldifde –I –f newuser.ldf to create a new user in active directory
Example – 2 (Delete a user)
dn: CN=Sunil,CN=Users,DC=visioninfo,dc=com
changetype: delete
dn: CN=Sachin,CN=Users,DC=visioninfo,dc=com
changetype: delete
No comments:
Post a Comment