Bulk Operations Facts

Use the following tools if you have a large number of objects to create or modify:

Tool Description

The Csvde command imports and exports Active Directory objects using a
comma-separated values file.

● Csvde can read existing information from Active Directory (export) or

create new objects in Active Directory (import).
● Csvde does not modify existing objects in Active Directory.

● Use Csvde to export objects from one Active Directory system and
import them into another Active Directory database. You can modify the
file before importing the objects into the second Active directory
Csvde database.
● Csvde switches include:
o -i to import objects
o -e to export objects
o -f to identify the filename
● When using Csvde:
o Be sure to use the -i switch when importing a .csv file. Export
is the default.
o Passwords are not exported.
o The added user accounts are disabled. You will need to add
passwords and enable them.

Ldifde The Ldifde command imports, exports, modifies, and deletes objects in Active
Directory using LDAP Data Interchange Format (LDIF) files.

● Ldifde files include a changeType parameter that identifies the action

to take using the data:
o Add
o Modify
o Delete
● Common uses for Ldifde include:
o Using Ldifde to export a set of Active Directory objects,
modify various attributes, and then re-import the file to change
the attributes.
o Exporting or importing data that exists on non-Active Directory
LDAP directories.
● Ldifde switches include:
o -i to import objects
 o -e to export objects
o -f to identify the filename

When you export user accounts with Ldifde, passwords are not exported. You
can change passwords for existing user accounts using a .ldif file, but you
cannot add new user accounts with passwords set.
To export user accounts and import them with a password, use the following
process:

1. Export the user accounts. The unicodePwd field will be blank.

2. Import the user accounts to create the accounts. The user accounts will
be disabled, and the user will be forced to change the password at next
logon.
3. Modify the .ldif file to change the operation to modify existing objects.
Add a password for each user account and add entries to enable the
account.
4. Run Ldifde using the file with the passwords to modify the existing
user accounts.

The distinguished name is case sensitive in Ldifde commands.

PowerShell Windows PowerShell is a command line environment designed for automating

administration and maintenance. You can use PowerShell cmdlets to create and
manage Active Directory objects. Cmdlets can execute single commands or
large scripts that can import a CSV file and use the information to create new
Active Directory users.

For example, the Import-Csv cmdlet is used to specify a comma-separated

values file containing objects to be imported or exported. The output of this
command must be piped to another cmdlet to actually perform the desired
operation. For example, to import users, the Import-Csv command would be
used first to specify the .csv file containing the users to be added. Then the
output would be piped to the New-ADUser cmdlet to create new Active Directory
users.

The Import-Csv cmdlet can also be used in conjunction with other PowerShell
cmdlets, such as New-ADObject. This cmdlet is used to create many types of
Active Directory objects, including users, computers, groups, sites, and subnet
objects.

Be aware of the following:

● When importing a CSV file, use the same variable case in the
PowerShell command as the variable name in the CSV file.
● Right-clicking at a PowerShell prompt copies the contents of the
clipboard to the PowerShell prompt.
● Use the | symbol to pipe the output of one command to the input of the
next command.
 ● When using a csv file to add user accounts with passwords, include
the (ConvertTo-SecureString $_.Password -AsPlainText -
force) cmdlet in the import-csv cmdlet.

The Ldp utility allows you to search for and view the properties of multiple Active
Directory objects. It is a GUI-based utility similar to Windows Explorer. It has a
Ldp
scope pane on the left that is used for navigating through the Active Directory
namespace and a details pane on the right that is used for displaying results.

Domain Services (DS) command line tools are built into the Active Directory
Directory Service server role and the Active Directory Lightweight Directory
Services (AD LDS) server role. Keep the following facts in mind:

● You can run DS commands from an elevated command prompt.

● You can enter DS commands in a batch (.bat) file and execute the .bat
file.
● Use dsadd /? to display help for DS commands. Use dsadd object-
type /? to display help for adding the specified object type (OU, user,
group, or computer).

When adding an object, the Dsadd command allows you to specify if

the object is in a security group and the object's scope (global, domain,
DS Commands or local).

You can use the following DS commands to perform the indicated action in
Active Directory:

● Dsacls displays the Access Control List (ACL) of objects.

● Dsadd adds objects.

● Dsget displays specified properties of an object.

● Dsmod modifies an object.

● Dsquery queries Active Directory.

● Dsrm deletes an object.