Contents for Ezine 92 – LDIFDE
- This Week’s Secret
- Example Double Looping VBScript
- Summary of Looping
- See More on LDIFDE
- Download the Spreadsheet
Let me say at the outset that I am not a great fan of LDIFDE (Lightweight Data Interchange Format, Data Exchange); I prefer VBScript or CSVDE. However, I feel that it is time to give LDIFDE its moment in the limelight. Despite my dismissive comments, LDIFDE cannot be all bad. For example, Exchange 2003 uses LDIF files to extend the schema.
In common with CSVDE, LDIFDE is a built-in executable found in Windows Server 2003 (and 2000). If you need to experiment on an XP machine, simply copy the LDIFDE executable locally from the system32 folder on the server. Tip: from the XP machine, run \\server\admin$, then browse to the system32 folder.
Another similarity between LDIFDE and CSVDE is that they both feed on text files. The actual LDIFDE executable is simply an engine that processes the Active Directory information you create in the .ldf file. Both LDIFDE and CSVDE can bulk import users; however, LDIFDE has a killer advantage in that you can modify or even delete objects in your Active Directory.
Specifically, what I have against LDIFDE is that I cannot manipulate the data in a spreadsheet. I admit it’s possible that I have missed a trick; perhaps someone knows of a clever spreadsheet macro, but for me the LDIFDE files are unwieldy compared with VBScript, which easily feeds off my spreadsheet data. The key skill is LDAP. Whether you use CSVDE, VBScript or LDIFDE, you simply must be an expert on LDAP properties, for example sAMAccountName, sn and givenName. My secret of becoming a minor expert on LDAP was research with ADSI Edit.
LDIFDE looks for an import or export command, followed by a text file. The text file extension is not important, but the syntax is picky. Here is an example: ldifde -i -f ron.ldf. The -i switch means import, while -f introduces the file name.
Let us assume that we need to modify the properties of a user called Ron. Previously Ron’s office was situated in Cambridge; now we want this Active Directory value to be changed to Oxford. When I researched ADSI Edit, I discovered that the LDAP property for office was PhysicalDeliveryOfficeName.
Example 1 – Modify LDAP with LDIFDE
1) Change OU=Students to the name of your experimental OU. Alternatively, create an OU called Students.
2) Either create a user called Ron, or else change cn=ron to cn=youruser.
3) Amend DC=CP,DC=mosel to the name of your domain.
Investigate whether you have an extension called DC=Local, or DC=com.
With LDAP, the key task is to prepare the text file. Our first line contains Ron’s dn: (distinguished name). Writing the DN is not an easy task, but to be fair, once you have worked out one user’s dn, it is relatively easy to adjust the CN or the OU for other users. (Even so, I still don’t like this technique, I prefer a spreadsheet.)
On the second line, we need to tell LDIFDE whether to add, delete, or as in this instance, modify Ron’s PhysicalDeliveryOfficeName.
On the third line, I choose the word replace, followed by a colon, then the LDAP property. Again, ADSI Edit is my tool of choice to research the precise LDAP name.
Immerse yourself in the LDIFDE syntax. In particular remember the dash (not underscore) which separates the records.
Copy the script below, save to a known location on a Windows Server, for example C:\scripts\ron.ldf. Next, open a CMD prompt and type:
1) CD C:\scripts
2) LDIFDE -i -f ron.ldf
Guy’s Learning Points
Note 1: changetype: modify. This is a precise instruction to alter the record.
Note 2: replace: PhysicalDeliveryOfficeName. You could amend PhysicalDeliveryOfficeName to other LDAP properties, for example displayName.
Note 3: PhysicalDeliveryOfficeName: Oxford. Feel free to change Oxford to any location that you like.
Note 4: Investigate Active Directory Users and Computers. In particular right-click the OU and select refresh. Check Ron’s General tab, Office.
Note 5: Important. Remember that the text file needs a dash (-) to indicate the end of record.
Example 2. Modify Two Users with LDF File
This script modifies not one but two user accounts.
Guy’s Learning Points
Note 1: Each record ends with a dash -.
Note 2: The blank line between the two users.
Note 3: I have not found a way of putting comments in LDIFDE text.
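The modify records that Example 1 and Example 2 describe can be generated from spreadsheet data instead of being typed by hand. This is an added example, not the original script from this page: it goes slightly beyond the text by base64-encoding values that LDIF cannot carry as plain text and by skipping blank cells. Assumptions: a CSV export with a dn column plus one column per LDAP property; the function names, the second user Ann and her office are invented for illustration.

```python
import base64
import csv
import io
import re

# Constructed sample export. Ron, Students and DC=CP,DC=mosel are the page's
# placeholders; the second user and her office are invented for this example.
SAMPLE_CSV = '''dn,PhysicalDeliveryOfficeName
"CN=Ron,OU=Students,DC=CP,DC=mosel",Oxford
"CN=Ann,OU=Students,DC=CP,DC=mosel",Z\u00fcrich
'''

ATTR = re.compile(r"[A-Za-z][A-Za-z0-9-]*")
# RFC 2849 SAFE-STRING: ASCII without NUL, CR or LF, not starting with space, ':' or '<'.
SAFE = re.compile(r"[\x01-\x09\x0b\x0c\x0e-\x1f\x21-\x39\x3b\x3d-\x7f]"
                  r"[\x01-\x09\x0b\x0c\x0e-\x7f]*")


def ldif_line(attr, value):
    """Return 'attr: value', or 'attr:: <base64 of UTF-8>' if the value is not LDIF-safe."""
    if not ATTR.fullmatch(attr):
        raise ValueError(f"not an LDAP property name: {attr!r}")
    if SAFE.fullmatch(value) and not value.endswith(" "):
        return f"{attr}: {value}"
    # Line breaks, non-ASCII text and a leading ':' cannot add or alter LDIF lines once encoded.
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"


def modify_records(csv_text):
    """One 'changetype: modify' record per row, one replace block per filled cell."""
    records = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        dn = (row.pop("dn", None) or "").strip()
        if not dn:
            raise ValueError("every row needs a dn")
        lines = [ldif_line("dn", dn), "changetype: modify"]
        for attr, value in row.items():
            if attr is None or not value:
                continue  # blank cell: a replace with no value would clear the property
            lines += [f"replace: {attr}", ldif_line(attr, value), "-"]  # dash ends each change
        if len(lines) > 2:
            records.append("\n".join(lines))
    return "\n\n".join(records) + "\n" if records else ""  # blank line between users


if __name__ == "__main__":
    print(modify_records(SAMPLE_CSV), end="")
```

Save the printed output as an .ldf file and import it with LDIFDE -i -f as in Example 1.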
Summary of LDIFDE
LDIFDE is similar to CSVDE. Both are built-in commands on Windows servers. However, LDIFDE has the advantage of allowing you to modify existing users. Even so, my advice is to ignore LDIFDE. Instead, master CSVDE and Excel spreadsheets.