Even with the new utilities available with Windows Server 2003, support for modifying data within Active Directory using a command-line tool is relatively weak. The dsmod tool can modify attributes on a limited set of object classes, but it does not allow you to modify any object type.
One reason for the lack of command-line tools to do this is the command line is not well suited for manipulating objects, for example, that have multivalued attributes. If you want to specify more than just one or two values, a single command could get quite long. It would be easier to use a GUI editor, such as ADSI Edit, to do the task instead.
The LDAP Data Interchange Format was designed to address this issue. Defined in RFC 2849, LDIF allows you to represent directory additions, modifications, and deletions in a text-based file, which you can import into a directory using an LDIF-capable tool.
The ldifde utility has been available since Windows 2000 and it allows you to import and export Active Directory content in LDIF format. LDIF files are composed of blocks of entries. An entry can add, modify, or delete an object. The first line of an entry is the distinguished name. The second line contains a changetype, which can be add, modify, or delete. If it is an object addition, the rest of the entry contains the attributes that should be initially set on the object (one per line). For object deletions, you do not need to specify any other attributes. And for object modifications, you need to specify at least three more lines. The first should contain the type of modification you want to perform on the object. This can be add (to set a previously unset attribute or to add a new value to a multivalued attribute), replace (to replace an existing value), or delete (to remove a value). The modification type should be followed by a colon and the attribute you want to perform the modification on. The next line should contain the name of the attribute followed by a colon, and the value for the attribute. For example, to replace the last name attribute with the value Smith, you'd use the following LDIF:
dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
replace: sn
sn: Smith
-
Modification entries must be followed by a line that only contains a hyphen (-). You can put additional modification actions following the hyphen, each separated by another hyphen. Here is a complete LDIF example that adds a jsmith user object and then modifies the givenName and sn attributes for that object:
dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: add
objectClass: user
samaccountname: jsmith
sn: JSmith
useraccountcontrol: 512

dn: cn=jsmith,cn=users,dc=rallencorp,dc=com
changetype: modify
add: givenName
givenName: Jim
-
replace: sn
sn: Smith
-
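The record rules described above (dn first, then changetype, then either attribute lines or hyphen-terminated change specs) are easy to get subtly wrong by hand, so here is an added Python example that builds add and modify records from those rules and parses an LDIF file back, rejecting a modify record whose change spec is not terminated by a hyphen. It is not code from the book and not part of ldifde; the function names (ldif_add, ldif_modify, parse_ldif, book_example) are this example's own, and the sample DN and attribute values mirror the jsmith example above. It goes one step beyond the text by handling RFC 2849 base64 values (the "::" form, which is how a value such as an accented surname has to be written) and folded continuation lines.

```python
"""Build and validate RFC 2849 LDIF change records (add / modify). Added example
for this page, not code from the book or from ldifde; function names are this
example's own, sample values mirror the chapter's jsmith example."""
import base64
import re

MOD_OPS = ("add", "replace", "delete")
# "attr: value" or "attr:: base64value"; attribute names may carry options (sn;lang-en)
_ATTRVAL = re.compile(r"^([A-Za-z][A-Za-z0-9.;-]*)(::?)\s?(.*)$")

def _attrval(attr, value):
    # SAFE-STRING: ASCII without NUL/CR/LF, no leading space, ':' or '<', no trailing
    # space; anything else (an accented surname, say) is base64-encoded after '::'
    safe = (all(0 < ord(ch) < 128 and ch not in "\r\n" for ch in value)
            and not (value and (value[0] in " :<" or value.endswith(" "))))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def ldif_add(dn, attrs):
    # changetype: add, then one line per attribute value; a list gives a multivalued attribute
    lines = [_attrval("dn", dn), "changetype: add"]
    for attr, values in attrs.items():
        lines += [_attrval(attr, v) for v in ([values] if isinstance(values, str) else values)]
    return "\n".join(lines) + "\n"

def ldif_modify(dn, changes):
    # changetype: modify; each (op, attr, values) change spec is terminated by a lone hyphen
    if not changes:
        raise ValueError("a modify record needs at least one change spec")
    lines = [_attrval("dn", dn), "changetype: modify"]
    for op, attr, values in changes:
        if op not in MOD_OPS:
            raise ValueError(f"unknown modification type {op!r}")
        lines += [f"{op}: {attr}", *(_attrval(attr, v) for v in values), "-"]
    return "\n".join(lines) + "\n"

def _split_line(line):
    m = _ATTRVAL.match(line)
    if not m:
        raise ValueError(f"malformed LDIF line {line!r}")
    attr, sep, value = m.groups()
    return attr, (base64.b64decode(value).decode("utf-8") if sep == "::" else value)

def _records(text):
    # unfold continuation lines (leading space), then split records on blank lines
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    block = []
    for line in lines + [""]:
        if line.strip():
            block.append(line)
        elif block:
            yield block
            block = []

def _parse_changes(body):
    # every change spec is "op: attr", value lines for that attr, then a lone "-"
    if not body:
        raise ValueError("modify record has no change spec")
    changes, i = [], 0
    while i < len(body):
        op, attr = _split_line(body[i])
        if op not in MOD_OPS:
            raise ValueError(f"bad modification type in {body[i]!r}")
        values, i = [], i + 1
        while i < len(body) and body[i] != "-":
            values.append(_split_line(body[i])[1])
            i += 1
        if i == len(body):
            raise ValueError(f"change spec '{op}: {attr}' is not terminated by '-'")
        changes.append((op, attr, values))
        i += 1
    return changes

def parse_ldif(text):
    # one dict per record; raises ValueError on any structural error
    records = []
    for block in _records(text):
        if len(block) < 2 or _split_line(block[0])[0].lower() != "dn":
            raise ValueError(f"record must start with dn: and changetype:, got {block[0]!r}")
        dn, (key, ctype) = _split_line(block[0])[1], _split_line(block[1])
        if key.lower() != "changetype" or ctype not in ("add", "modify", "delete"):
            raise ValueError(f"expected changetype add/modify/delete, got {block[1]!r}")
        rec, body = {"dn": dn, "changetype": ctype}, block[2:]
        if ctype == "add":
            rec["attrs"] = [_split_line(line) for line in body]
        elif ctype == "modify":
            rec["changes"] = _parse_changes(body)
        records.append(rec)
    return records

def book_example():
    # rebuild the chapter's two-record file: add jsmith, then set givenName and sn
    dn = "cn=jsmith,cn=users,dc=rallencorp,dc=com"
    add = ldif_add(dn, {"objectClass": "user", "samaccountname": "jsmith",
                        "sn": "JSmith", "useraccountcontrol": "512"})
    mod = ldif_modify(dn, [("add", "givenName", ["Jim"]), ("replace", "sn", ["Smith"])])
    return add + "\n" + mod  # a blank line separates the two records
```

book_example() reproduces the two-record file above byte for byte. Running parse_ldif over a file before handing it to ldifde is a cheap pre-import check: records are applied in order, so a structural slip in a later record (a missing hyphen, a misspelled changetype) is better caught before earlier records have already been written to the directory. The "::" base64 form is the same one ldifde uses when it exports values that cannot be written as plain text.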
See Recipe 4.24 and Recipe 4.25 for more details on how to use the ldifde utility to import and export LDIF files.