LDAP Properties for CSVDE and VBScript

Research LDAP* Properties for the User object

This page explains the common LDAP attributes used in VBScript (.vbs) scripts. Programs like VBScript (WSH), CSVDE and LDIFDE rely on these LDAP attributes to create or modify objects in Active Directory. For example, when you bulk import users you will include the LDAP attributes dn and sAMAccountName.

* LDAP is the Lightweight Directory Access Protocol.

Hall of fame LDAP attribute - DN  distinguished name

As the word 'distinguished' suggests, this is THE LDAP attribute that uniquely defines an object. Each DN must have a different name and location from all other objects in Active Directory. The other side of the coin is that DN provides a way of selecting any object in Active Directory. Once you have selected the object, you can change its attributes.

Time spent getting to know the DN attribute will repay you manyfold. Observe the different components: CN = common name, OU = organizational unit. DC often comes with two entries, DC=CP, DC=COM. Note that DC=CP.COM would be wrong. Incidentally, in this situation DC means domain content rather than domain controller.

Another point with the syntax is to check the speech marks; when used with VBScript commands, DN is often enclosed in "speech marks".  Even the speech marks have to be of the right type, "double quotes are correct", 'single quotes may be ignored' with unpredictable results.  Finally, pay particular attention to commas in distinguished names.
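To make the comma and DC rules above concrete, here is an added Python example (not code from the original page) that splits a DN only on unescaped commas, rebuilds the DNS domain from the DC components and flags the DC=CP.COM mistake. The function names and the two extra DNs are constructed for illustration.

```python
import re

def _unescape(value):
    # Undo LDAP escaping: "\," -> "," and two-digit hex pairs such as "\2C" -> ","
    # (single-byte hex pairs only; multi-byte UTF-8 escapes are out of scope here).
    def repl(m):
        tok = m.group(1)
        return chr(int(tok, 16)) if len(tok) == 2 else tok
    return re.sub(r"\\([0-9A-Fa-f]{2}|.)", repl, value)

def split_dn(dn):
    """Return [(ATTR, value), ...], splitting only on unescaped commas."""
    parts, buf, i = [], [], 0
    while i < len(dn):
        if dn[i] == "\\" and i + 1 < len(dn):
            buf.append(dn[i:i + 2])      # keep the escape pair intact
            i += 2
            continue
        if dn[i] == ",":
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(dn[i])
        i += 1
    parts.append("".join(buf))
    rdns = []
    for part in parts:
        attr, sep, value = part.strip().partition("=")
        if not sep or not attr.strip() or not value.strip():
            raise ValueError("malformed component: %r" % part)
        rdns.append((attr.strip().upper(), _unescape(value.strip())))
    return rdns

def dns_domain(rdns):
    """Join the DC components into the DNS domain name, e.g. cp.com."""
    return ".".join(v for a, v in rdns if a == "DC").lower()

def check_dn(dn):
    """Return a list of problems found in a DN (empty list means none found)."""
    try:
        rdns = split_dn(dn)
    except ValueError as exc:
        return [str(exc)]
    problems = [] if any(a == "DC" for a, _ in rdns) else ["no DC component"]
    problems += ["DC=%s holds a dot; use one DC per label" % v
                 for a, v in rdns if a == "DC" and "." in v]
    return problems

PAGE_DN = "CN=Jay Jamieson, OU= Newport,DC=cp,DC=com"    # DN used on this page
ESCAPED_DN = "CN=Thomas\\, Guy,OU=Newport,DC=cp,DC=com"  # constructed: comma inside the CN
WRONG_DC_DN = "CN=Guy Thomas,OU=Newport,DC=cp.com"       # constructed: the DC mistake
```

A DN whose CN contains an unescaped comma is reported by check_dn as a malformed component, which is the usual symptom of a bulk import row that was built by simple string joining.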

LDAP Attributes from Active Directory Users and Computers

The diagram below is taken from Active Directory Users and Computers. It shows the commonest LDAP attributes for vbs scripts.

LDAP Attributes for CSVDE

When you write your scripts, check how the LDAP attributes map to the Active Directory boxes.

One useful technique is to add values in the boxes, then export using CSVDE, finally open the file in Excel and search for the value.

LDAP Attribute

CN (Common Name): CN=Guy Thomas. Actually, this LDAP attribute is made up from givenName joined to SN.
description: What you see in Active Directory Users and Computers. Not to be confused with displayName on the Users property sheet.
displayName: displayName = Guy Thomas. If you script this property, be sure you understand which field you are configuring. DisplayName can be confused with CN or description.
DN (also distinguishedName): DN is simply the most important LDAP attribute. CN=Jay Jamieson, OU= Newport,DC=cp,DC=com
givenName: First name, also called Christian name.
homeDrive: Home Folder: connect. Tricky to configure.
name: name = Guy Thomas. Exactly the same as CN.
objectCategory: Defines the Active Directory Schema category. For example, objectClass = Person
objectClass: objectClass = User. Also used for Computer, organizationalUnit, even container. Important top level container.
physicalDeliveryOfficeName: Office! on the user's General property sheet.
profilePath: Roaming profile path: connect. Tricky to set up.
sAMAccountName: sAMAccountName = guyt. Old NT 4.0 logon name, must be unique in the domain. Can be confused with CN.
SN: SN = Thomas. This would be referred to as last name or surname.
userAccountControl: Used to disable an account. A value of 514 disables the account, while 512 makes the account ready for logon.
userPrincipalName: userPrincipalName = Often abbreviated to UPN, and looks like an email address. Very useful for logging on, especially in a large Forest. Note UPN must be unique in the forest.
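The table's rules for userAccountControl, sAMAccountName and userPrincipalName can be checked against a CSVDE export. This is an added Python example, not part of the original page: the export rows and cp.com UPN values are constructed, and the choice of flags to report is an assumed policy.

```python
import csv
import io
from collections import Counter

# Subset of userAccountControl bits; 512 = NORMAL_ACCOUNT, 514 = 512 + ACCOUNTDISABLE.
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0020: "PASSWD_NOTREQD",
    0x0200: "NORMAL_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x400000: "DONT_REQ_PREAUTH",
}
REPORTED = ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH")  # assumed policy

# Constructed sample in CSVDE export layout: header row, DN quoted because of its commas.
SAMPLE_EXPORT = """DN,sAMAccountName,userPrincipalName,userAccountControl
"CN=Guy Thomas,OU=Newport,DC=cp,DC=com",guyt,guyt@cp.com,512
"CN=Jay Jamieson,OU=Newport,DC=cp,DC=com",jayj,jayj@cp.com,514
"CN=Svc Backup,OU=Newport,DC=cp,DC=com",svcbackup,svcbackup@cp.com,66048
"CN=Guy Temp,OU=Cardiff,DC=cp,DC=com",GuyT,guytemp@cp.com,544
"""

def decode_uac(value):
    """Translate a userAccountControl number into flag names."""
    value = int(value)
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    unknown = value & ~sum(UAC_FLAGS)
    if unknown:
        names.append(hex(unknown))       # bits outside the subset above
    return names

def audit_export(text):
    """Return (account, issue) pairs for an export with the four columns above."""
    rows = list(csv.DictReader(io.StringIO(text)))
    findings = []
    # sAMAccountName must be unique in the domain, UPN in the forest (case-insensitive).
    for attr in ("sAMAccountName", "userPrincipalName"):
        seen = Counter(r[attr].lower() for r in rows)
        findings += [(v, "duplicate " + attr) for v, n in sorted(seen.items()) if n > 1]
    for r in rows:
        flags = decode_uac(r["userAccountControl"])
        if "ACCOUNTDISABLE" in flags:
            continue                     # disabled accounts (e.g. 514) cannot log on
        findings += [(r["sAMAccountName"], f) for f in REPORTED if f in flags]
    return findings
```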

LDAP Notes LDAP Properties - Active Directory Users and Computers

Display name and Description are different

Office's LDAP attribute is:


E-mail is plain: mail

Examples of Exchange Specific LDAP attributes

homeMDB: Here is where you set the MailStore.

Legacy distinguished name for creating Contacts. In the following example, Guy Thomas is a Contact in the first administrative group of GUYDOMAIN: /o=GUYDOMAIN/ou=first administrative group/cn=Recipients/cn=Guy Thomas
mail: An easy, but important attribute. A simple SMTP address is all that is required.
mAPIRecipient: FALSE indicates that a contact is not a domain user.
mailNickname: Normally this is the same value as the sAMAccountName, but could be different if you wished. Needed for mail-enabled contacts.
mDBUseDefaults: Another straightforward field, just set the value to: True
msExchHomeServerName: Exchange needs to know which server to deliver the mail. Example: /o=YourOrg/ou=First Administrative Group/cn=Configuration/cn=Servers/cn=MailSrv
proxyAddresses: As the name 'proxy' suggests, it is possible for one recipient to have more than one email address. Note the plural spelling of proxyAddresses.
targetAddress: SMTP:@ e-mail address. Note that SMTP is case sensitive. All capitals means the default address.
showInAddressBook: Displays the contact in the Global Address List.

Other LDAP attributes

c: Country or Region
company: Company or organization name
department: Useful category to fill in and use for filtering
homephone: Home Phone number (lots more phone LDAPs)
l (lower case L): L = Location. City ( Maybe Office
location: Important, particularly for printers.
manager: Boss, manager
mobile: Mobile Phone number
ObjectClass: Usually User or Computer
OU: Organizational unit. See also DN
postalCode: Zip or post code
st: State, Province or County
streetAddress: First line of address
telephoneNumber: Office Phone

Examples of obscure LDAP attributes

uSNCreated, uSNChanged

LDAP and CSVDE Tip

To discover more LDAP attributes, go to the command prompt and type: CSVDE -f Exportfile.csv. Then open Exportfile.csv with Excel.exe. Alternatively, use ADSI Edit and right-click the container objects.




Author: Guy Thomas Copyright © 1999-2017 Computer Performance LTD All rights reserved.
