Thursday, May 28, 2009

Importing Users into Active Directory on Server 2008

I have recently been tasked with figuring out how to import a large number of users into Active Directory in our Server 2008 environment. Now, I know there are several options out there, and I'm sure someone will try and sell me something in the comments section, but I found a way to do it and it works. And best of all, it's free!

I am utilizing a few different things to accomplish this task: csvde (built into Windows Server), admod (a free utility available here), and a batch file. The data sources are two files: a CSV file with the user data, and a tab-delimited file with user passwords.

There is a site with great examples on how to do a basic import with csvde located here. From that page you will find several other links to more complicated examples, and more in-depth looks at the procedure.

First things first, we need to create a CSV file with the desired LDAP attributes. For my purposes, I decided on the following:
  • DN - Distinguished name in the directory (ex: CN=user,OU=employees,DC=domain,DC=com)
  • objectClass - Defines the type of object to create (ex: user)
  • name - The user's name -- equivalent to CN (ex: Joe Smith)
  • displayName - self explanatory (ex: Joe Smith)
  • userAccountControl - This one takes a little math, but a good explanation can be found here (ex: 514)
  • sAMAccountName - this is what shows up in the pre-Windows 2000 logon name field in ADUC (ex: jsmith)
  • mail - email address (ex: jsmith@domain.com)
  • givenName - the user's first name
  • sn - the user's last name
  • userPrincipalName - this defines the user's logon account (including domain) (ex: jsmith@domain.com)
Not all of these are necessarily required (DN and objectClass are; if you leave out sAMAccountName, AD generates a random one for you), so you may need to play around with the options to get it just right for your environment. Remember: the first line of your CSV file needs to be the attribute names, exactly as they are spelled in the schema.

Now, the one downside to csvde is that it cannot set passwords: the unicodePwd attribute may only be written over an encrypted LDAP connection, and csvde has no way to do that. So, if your domain has a password policy with a minimum length, the DC will refuse to create an enabled account that has no password, and the import will fail. That's why, in my example, I chose the userAccountControl value of 514 (512 = normal user account, plus 2 = account disabled). Next, we'll need to define passwords. For this I created a separate text file (passwords.txt) that is a tab-delimited file that contains two values per row: the DN and the associated password. Since this file holds plaintext passwords, keep it somewhere only you can read and delete it once the import is done. In a moment, you'll see why the DN is there.
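To produce both input files consistently (and to get the DN escaping right, which is where bulk imports most often go wrong), here is an added Python script; it is not part of the original post or of csvde/admod. It assumes the container OU=employees,DC=domain,DC=com and the suffix domain.com from the examples above, and the three employees are constructed sample data. The password alphabet deliberately avoids characters that cmd.exe treats specially, because the batch file passes the password to admod unquoted.

```python
import csv
import io
import re
import secrets
import string

# Assumed values, taken from the examples in the post above.
BASE_DN = "OU=employees,DC=domain,DC=com"
UPN_SUFFIX = "domain.com"
# NORMAL_ACCOUNT (512) + ACCOUNTDISABLE (2): created disabled, enabled later by admod.
UAC_DISABLED_NORMAL_USER = 514
# Column order is the attribute list from the post; the header row is mandatory for csvde.
CSV_HEADER = ["DN", "objectClass", "name", "displayName", "userAccountControl",
              "sAMAccountName", "mail", "givenName", "sn", "userPrincipalName"]
# Symbols chosen so a password never needs quoting on the cmd.exe line that calls admod.
SYMBOLS = "#$*+-.:=?@_~"

# Constructed sample input: (givenName, sn, sAMAccountName). Not real people.
EMPLOYEES = [
    ("Joe", "Smith", "jsmith"),
    ("Ann", "O'Brien", "aobrien"),
    ("Robert", "Lee, Jr.", "rlee"),   # the comma in the CN must be escaped in the DN
]


def escape_rdn_value(value):
    """Escape an attribute value for use inside a DN (RFC 4514 section 2.4)."""
    out = []
    last = len(value) - 1
    for i, ch in enumerate(value):
        if ch in ',+"\\<>;':
            out.append("\\" + ch)
        elif ch == "#" and i == 0:
            out.append("\\#")
        elif ch == " " and i in (0, last):
            out.append("\\ ")
        else:
            out.append(ch)
    return "".join(out)


def user_record(given, sn, sam):
    """Build one csvde row as a dict keyed by CSV_HEADER."""
    name = f"{given} {sn}"
    return {
        "DN": f"CN={escape_rdn_value(name)},{BASE_DN}",
        "objectClass": "user",
        "name": name,
        "displayName": name,
        "userAccountControl": str(UAC_DISABLED_NORMAL_USER),
        "sAMAccountName": sam,
        "mail": f"{sam}@{UPN_SUFFIX}",
        "givenName": given,
        "sn": sn,
        "userPrincipalName": f"{sam}@{UPN_SUFFIX}",
    }


def password_is_complex(pw, sam, display_name):
    """Approximate the default domain complexity rule: at least 7 characters, must not
    contain the account name or any 3+ character token of the display name (AD splits
    it on commas, periods, dashes, underscores, spaces, # and tabs). We additionally
    require all four ASCII classes, which is stricter than AD's 3-of-5 rule."""
    if len(pw) < 7:
        return False
    low = pw.lower()
    if sam.lower() in low:
        return False
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in low:
            return False
    classes = (string.ascii_uppercase, string.ascii_lowercase, string.digits, SYMBOLS)
    return all(any(c in cls for c in pw) for cls in classes)


def make_password(sam, display_name, length=16):
    """Random password from the OS CSPRNG that satisfies password_is_complex."""
    alphabet = string.ascii_letters + string.digits + SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if password_is_complex(pw, sam, display_name):
            return pw


def build_files(employees):
    """Return (csv_text, password_text) for the batch file's %1 and %2 arguments."""
    csv_buf = io.StringIO()
    writer = csv.writer(csv_buf, lineterminator="\r\n")  # DN fields get quoted (they contain commas)
    writer.writerow(CSV_HEADER)
    password_lines = []
    for given, sn, sam in employees:
        rec = user_record(given, sn, sam)
        writer.writerow([rec[col] for col in CSV_HEADER])
        # The batch file splits each line on TAB only, so commas in the DN are harmless here.
        password_lines.append(f"{rec['DN']}\t{make_password(sam, rec['displayName'])}")
    return csv_buf.getvalue(), "\r\n".join(password_lines) + "\r\n"


if __name__ == "__main__":
    users_csv, passwords_txt = build_files(EMPLOYEES)
    # ASCII only; for non-ASCII names write the CSV as UTF-16 and run csvde with -u.
    with open("users.csv", "w", newline="", encoding="ascii") as f:
        f.write(users_csv)
    # Plaintext passwords: restrict access to this file and delete it after the import.
    with open("passwords.txt", "w", newline="", encoding="ascii") as f:
        f.write(passwords_txt)
```

Run it, then call the batch file as import.bat users.csv passwords.txt. Generating the passwords here rather than typing them by hand also means every account gets a distinct, random initial password instead of one shared value that lingers on the domain.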

Since we now have our source files ready to go, we're good to import! For this I created a batch file that looks like the following:
@echo off
echo "Importing from CSV File"
csvde -i -v -k -f %1
pause

echo "Setting Passwords and enabling accounts. Passwords never expire."
REM Loop through the password file (DN<TAB>password, one user per line) and update each record.
REM The character between delims= and the closing quote MUST be a real TAB, not a space.
REM %%G (the DN) is quoted because DNs usually contain spaces, e.g. CN=Joe Smith,OU=...
FOR /F "tokens=1,2 delims=	" %%G IN (%2) DO (
admod -b "%%G" unicodepwd::%%H -kerbenc
admod -b "%%G" "userAccountControl::66048")

UPDATE: Apparently this Blog removes Tabs and replaces them with spaces. In the line "FOR /F "tokens=1,2 delims= " %%G IN (%2) DO (" above, there is actually a TAB in between "delims=" and the closing quotation mark. Be sure to remove the space and replace it with a Tab, by pressing the Tab key. Thanks to Jennifer for helping discover this!

This batch file takes two parameters: the first being the path to the CSV source file and the second being the path to the tab-delimited password file. Note that FOR /F treats a quoted %2 as a literal string rather than a file name, so keep the password file on a path without spaces (or add the usebackq option). Now let's take a look at what we're doing here :)
In the first section we are bulk importing users with the following command:
csvde -i -v -k -f %1
The "i" option switches to import mode. "v" is verbose, "k" means to keep going past "object already exists" and constraint-violation errors, and "f" means to use the file located by the following value. "%1" is just the way to specify the first command line argument to the batch file. Because of "k", re-running the import skips users that already exist instead of updating them; the verbose output still shows each skipped object. When this command has completed, the users will be populated into Active Directory, but will be disabled and without a password.

Enter the next chunk:
FOR /F "tokens=1,2 delims=	" %%G IN (%2) DO (
admod -b "%%G" unicodepwd::%%H -kerbenc
admod -b "%%G" "userAccountControl::66048")

This loops through the tab-delimited file specified by "%2" (the second command line argument) and does two things. First:
admod -b "%%G" unicodepwd::%%H -kerbenc
This command modifies the object specified by the DN in the text file to have the associated password. The "-kerbenc" switch makes admod encrypt the LDAP session with Kerberos, which is required because a DC refuses to write unicodePwd over a clear connection (you get "Unwilling to Perform"; the same error comes back if the password violates the domain policy). The passwords are saved as plain text in the file, so protect it and delete it when you are done.
And second:
admod -b "%%G" "userAccountControl::66048"
This command modifies the object specified by the DN to update the user account control value. The value specified here (512 + 65536) enables the account (now that it has a valid password) and sets it so that the password never expires -- which was something just for our environment; if you want the domain's normal expiry to apply, use 512 instead. Also note that writing an absolute value like this replaces every flag on the object, so any flag that was already set (smart card required, for example) is lost; to change only the disabled bit you would read the current value, clear bit 2 and write the result back. Take another look at the control codes to set this value to whatever you need.
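Working out these numbers by hand is error-prone, so here is a small added Python helper (not from the original post) that composes and decodes userAccountControl values from the documented flag table, clears the disabled bit without discarding other flags, and lists the flags that weaken password or Kerberos protection so you can review what a bulk import actually set. The flag names and bit values are the ones Active Directory documents; nothing else is assumed.

```python
# userAccountControl bit flags as documented for Active Directory (the table in
# Microsoft KB 305144). Added example, not code from the original post.
UAC_FLAGS = {
    "SCRIPT": 0x0001,
    "ACCOUNTDISABLE": 0x0002,
    "HOMEDIR_REQUIRED": 0x0008,
    "LOCKOUT": 0x0010,
    "PASSWD_NOTREQD": 0x0020,
    "PASSWD_CANT_CHANGE": 0x0040,
    "ENCRYPTED_TEXT_PWD_ALLOWED": 0x0080,
    "TEMP_DUPLICATE_ACCOUNT": 0x0100,
    "NORMAL_ACCOUNT": 0x0200,
    "INTERDOMAIN_TRUST_ACCOUNT": 0x0800,
    "WORKSTATION_TRUST_ACCOUNT": 0x1000,
    "SERVER_TRUST_ACCOUNT": 0x2000,
    "DONT_EXPIRE_PASSWORD": 0x10000,
    "MNS_LOGON_ACCOUNT": 0x20000,
    "SMARTCARD_REQUIRED": 0x40000,
    "TRUSTED_FOR_DELEGATION": 0x80000,
    "NOT_DELEGATED": 0x100000,
    "USE_DES_KEY_ONLY": 0x200000,
    "DONT_REQ_PREAUTH": 0x400000,
    "PASSWORD_EXPIRED": 0x800000,
    "TRUSTED_TO_AUTH_FOR_DELEGATION": 0x1000000,
}

# Flags that relax password or Kerberos protections; worth a look after any bulk change.
WEAK_FLAGS = ("PASSWD_NOTREQD", "DONT_EXPIRE_PASSWORD", "DONT_REQ_PREAUTH",
              "USE_DES_KEY_ONLY", "ENCRYPTED_TEXT_PWD_ALLOWED", "TRUSTED_FOR_DELEGATION")


def compose(*names):
    """OR the named flags together, e.g. compose("NORMAL_ACCOUNT", "ACCOUNTDISABLE") == 514."""
    value = 0
    for name in names:
        value |= UAC_FLAGS[name]
    return value


def decode(value):
    """Names of the flags set in value, lowest bit first; bits with no documented
    meaning are reported as UNKNOWN_0x... rather than silently dropped."""
    names = []
    for name, bit in sorted(UAC_FLAGS.items(), key=lambda kv: kv[1]):
        if value & bit:
            names.append(name)
            value &= ~bit
    bit = 1
    while value:
        if value & bit:
            names.append(f"UNKNOWN_0x{bit:X}")
            value &= ~bit
        bit <<= 1
    return names


def enable(current):
    """Clear only ACCOUNTDISABLE, keeping every other flag the object already has.
    Writing an absolute value such as 66048 (as the batch file does) discards flags
    like SMARTCARD_REQUIRED or NOT_DELEGATED that may already be set on the object."""
    return current & ~UAC_FLAGS["ACCOUNTDISABLE"]


def weak_flags(value):
    """Subset of decode(value) that loosens password or Kerberos security."""
    return [name for name in decode(value) if name in WEAK_FLAGS]


if __name__ == "__main__":
    for v in (514, 66048, 512):
        print(v, decode(v), "weak:", weak_flags(v))
```

Running it shows that 514 is ACCOUNTDISABLE plus NORMAL_ACCOUNT, that 66048 carries DONT_EXPIRE_PASSWORD as its only weak flag, and that plain 512 carries none. In a real script you would read userAccountControl from the object, pass it through enable(), and write that back, rather than overwriting with a constant.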

And that's it! Now you have an Active Directory populated with enabled users with valid passwords. Once you have confirmed that a few of the accounts log on, delete the password file. If you have any questions about this process, feel free to leave a comment below.

*DISCLAIMER* Always do stuff like this in a test environment first. I in no way guarantee this will work for you in your environment, or that it won't completely break your directory -- so again, always test first!

25 comments:

Jennifer said...

I am having some problems. I created a batch file with the exact text that you posted in your blog. The first section works great and creates a disabled user. The problem is with the second section. I used Excel to create a tab-delimited text file with the first field containing the user's DN and the second field containing the password. When I run the batch file I receive some errors and the password does not get enabled nor is a password set. Any help is appreciated. Here are the errors I receive:

Press any key to continue . . .
"Setting Passwords and enabling accounts. Passwords never expire."

AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

ERROR: Issue with attrib parameter - [NO9066]
ERROR: Missing operation.

ERROR: Issue with attrib parameter - [unicodepwd::]
ERROR: Unsupported Op or format - []

Type AdMod /help or AdMod /? for usage assistance.


AdMod V01.10.00cpp Joe Richards (joe@joeware.net) February 2007

ERROR: Issue with attrib parameter - [NO9066]
ERROR: Missing operation.


Type AdMod /help or AdMod /? for usage assistance.


C:\Users\administrator.CMCSS\Desktop\User Imports>

Jennifer said...

I have sent an email to you. Thanks for your help!

Matt Augustine said...

Hi Jennifer!

No problem! So, I think I may know what the problem is. In your import batch file, on the line:
FOR /F "tokens=1,2 delims= " %%G IN (%2) DO (

You have a space in between delims= and the closing quotation mark.

Try deleting the space and replacing it with a Tab (actually hit the Tab key) so it looks like:
FOR /F "tokens=1,2 delims= " %%G IN (%2) DO (

Let me know how it works out!

Matt Augustine said...

OH -- I think I see what the problem is. It looks like my blog strips out tabs and replaces them with spaces. So, those two lines above look identical.

If you follow my instructions though of actually pressing the tab key in your batch file, I think it should work.

Jennifer said...

That worked! I thought that part of the batch file didn't look right, but I am not much of a script writer yet. Thank you so much! You have no idea the amount of time this will save.

Matt Augustine said...

Excellent! No problem. I'm glad that I could help -- I was hoping this post would help at least one person, so I'm happy I met that quota :) Have a great day!

Robert said...

Thanks for posting these instructions. I have imported the users but I am having a problem when I try to set the password and enable the account. I have a feeling this is a "duh" moment but I can not figure it out.

When I run the batch file I get an error message that says " 'admod' is not recognized as an internal or external command, operable program or batch file."

Have you seen this before? Is this a separate install from the install disc? I tried to use Google to find the answer but no luck. I am running Windows Server 2008 Standard SP2.

Thanks,

Robert

Matt Augustine said...

Hi Robert! Thanks for visiting! It looks like the script is having a little trouble locating admod. Did you download it from: http://www.joeware.net/freetools/tools/admod/index.htm

If so, make sure that it's somewhere in your path (like C:\Windows\System32). Or, you just need to make sure that your currently in the directory that admod is located in when you run the batch file from the command line.

Let me know how it goes!

Robert said...

admod (a free utility available here), ...


I am blind. Thanks! Going to try it now. This is what happens when you are the only guy in the IT department. You lose your mind!

Matt Augustine said...

No problem Robert. I've been there!

Let me know how it goes.

Robert said...

I have installed AdMod and it finds my text file but I get an error when I run the batch for AdMod.

It shows my first DN from the text file then the server name then:

Error 0x35 (53) Unwilling to Perform

then it terminates. Do you have any ideas what might cause this?

I am logged onto the server as an Administrator. The csvde command at the beginning of the batch works correctly. My only idea is that my text file might be wrong, but the error number referenced above sounds like an LDAP error from the research I did on it.

Thank you,

Robert

Robert said...

It looks to be a setting with the password requirements in the domain policy. Even though my password met the requirements it would not set until I turned it off in the policy. Thanks again for your help and for the blog.

Robert

Matt Augustine said...

Hi Robert -- okay great! I'm glad that you figured it out, and for posting the results here. I'm sure it will help someone else as well.

No problem! Glad I could help.

JM said...

Hi Matt,

Thanks for sharing your thoughts - they're insightful and appreciated indeed.

Hey, have you tried the Gold Finger yet? It's a new FREE, SUPPORTED and Microsoft endorsed tool for Active Directory, designed by Microsoft's own Program Manager for Active Directory Security.

Gold Finger can be instantly deployed on any domain-joined machine and offers over 200 security reports covering Account, Group, Computer, GPO, Container, OU, Exchange and AD ACL Management.

We've been using it for the past three weeks now and it has been immensely useful in day-to-day AD reporting. It's a refreshing change from command-line tools and its inbuilt search outdoes most search tools out there. The best part is that it's 100% supported, so if we ever have a problem, we can get FREE Support for it.

DOWNLOAD LINK: I believe you can download your own free copy from http://www.paramountdefenses.com/goldfinger.php.

If you're into AD reporting, this is a very useful tool to have in your toolset.

Best wishes,
John

Matt Augustine said...

Hi John -- I have not seen that tool before. Thanks for sharing!

Michael Mc said...

Digging up an old topic but just wanted to pass on my thanks for this. DN took me a while to get sorted but once I'd figured out my basic mistakes it was whizzing away! Rather than set passwords myself I used this freeware utility to set new random passwords and also enable the accounts.

"wisesoft.co.uk/software/bulkadusers"

Again my gratitude and thanks - my old utility I used for 2003 worked brilliantly but sadly not for my new 2008 servers. This has saved me a great deal of time...many thanks!

Michael

Matt Augustine said...

Hey Michael! I'm really glad that you were able to find some usefulness in this post. I'm always happy to help. Thanks for stopping by and good luck in your future endeavors!

BM007 said...

Just wanted to post my thanks for this very useful information. Imported about 200 users very easily.

Matt Augustine said...

To "BM007" -- I'm glad that you had an easy time importing those users, and I'm always happy to help. Thanks so much for stopping by!

Janaka said...

Hi Matt

Please tell me more detail about the bulk import. I mean step by step. I tried this but was not successful.
Thanks
Janaka

Matt Augustine said...

Hi Janaka,

Where are you getting stuck and/or what errors are you getting?

Unfortunately, I don't have the time at the moment to provide more detailed instructions. Plus, since I wrote this a couple years ago, it's not as fresh in my mind :)

Rakesh said...

hi matt

Your explanation is excellent. It will be a great help to me if you can explain to me how to export Active Directory users and password information into .ldif format.

thanks in advance.
Regards
Rakesh

Matt Augustine said...

Hi Rakesh,

Off of the top of my head, I'm not sure -- however, you may want to check out the following TechNet article:
http://technet.microsoft.com/en-us/library/bb727091

Anonymous said...

For the change you make to enable the user accounts, wouldn't it (potentially) be better to set userAccountControl to 1024 instead of 66048? 66048 will enable the account and set it to never expire the password. I doubt that's the most desired effect for most people. http://support.microsoft.com/kb/305144 seems to indicate that 1024 would set them all as normal, enabled accounts without the password expiration exception.

In any case, great article. I'm finished prepping and am about to run a load myself using these instructions. Thanks!