Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.
Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.
For examples of how to use this command, see Examples.
Syntax
Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-u] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]
Parameters
Parameter | Description |
---|---|
-i | Specifies import mode. If not specified, the default mode is export. |
-f <FileName> | Identifies the import or export file name. |
-s <ServerName> | Specifies the domain controller to perform the import or export operation. |
-c <String1> <String2> | Replaces all occurrences of String1 with String2. You use this parameter when you import data from one domain to another and you want to replace the distinguished name of the export domain (String1) with the distinguished name of the import domain (String2). |
-v | Sets verbose mode. |
-j <Path> | Sets the log file location. The default is the current path. |
-t <PortNumber> | Specifies an LDAP port. The default LDAP port is 389. The global catalog port is 3268. |
-u | Specifies Unicode format. |
-d <BaseDN> | Sets the distinguished name of the search base for data export. |
-r <LDAPFilter> | Creates an LDAP search filter for data export. |
-p <Scope> | Sets the search scope. Search scope options are Base, OneLevel, or SubTree. |
-l <LDAPAttributeList> | Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes. |
-o <LDAPAttributeList> | Specifies the list of attributes to omit from the results of an export query. You use this parameter if you need to export objects from AD DS, and then import them into another LDAP-compliant directory. If the other directory does not support certain attributes, you can use this parameter to omit those attributes from the result set. |
-g | Omits paged searches. |
-m | Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet, and samAccountType attributes. |
-n | Omits the export of binary values. |
-k | Ignores errors during an import operation and continues processing. The following is a complete list of ignored errors: |
-a [<UserDistinguishedName> {<Password> \| *}] | Performs a simple LDAP bind with the user name and password. Sets the command to run using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user who is currently logged on to the network. |
-b [<UserName> <Domain> {<Password> \| *}] | Performs a secure LDAP bind with the NEGOTIATE authentication method. Sets the command to run using the supplied Username, Domain, and Password. By default, the command will run using the credentials of the user who is currently logged on to the network. |
/? | Displays Help at the command prompt. |
Remarks
- You cannot import user passwords by using csvde because passwords must be sent over an encrypted channel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. The previous references to passwords relate to the credentials of the user who is running csvde. They are not related to setting passwords for users.
- Applications such as Microsoft Excel spreadsheet software are capable of reading and saving data in the CSV format. You can also create CSV files using Notepad; separate the values that you add to your file with commas. In addition, the Microsoft Exchange Server administration tools are capable of importing and exporting data using the CSV format, as are many other applications from software developers other than Microsoft.
The CSV format consists of one or more lines of data with each value separated by a comma and no spaces between the comma and the next entry. The first line (sometimes referred to as the header) of the CSV file must contain the names of each attribute in the same order as the data in any line following the first line. For example:
CN,FirstName,SurName,Description
FirstUserLogonName,1stUserFirstName,1stUserSurname,Manager
SecondUserLogonName,2ndUserFirstName,2ndUserSurname,President
- To see a list of properties that csvde can update, see the appropriate supported interfaces in ADSI Objects of LDAP (http://go.microsoft.com/fwlink/?LinkId=91123). For example, to see the properties that can be set for Active Directory user objects, see IADsUser Interface (http://go.microsoft.com/fwlink/?LinkId=91124), and then view Properties.
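- You can use csvde -r to create an LDAP search filter for data export. For example, the following filter exports all users with a particular surname. The filter is enclosed in quotation marks because the command prompt otherwise treats the ampersand (&) as a command separator:
csvde -r "(&(objectClass=User)(sn=Surname))"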
Examples
The following sample file contents are for a domain named Cpandl.com that has organizational units (OUs) named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file defines the Active Directory object properties for user accounts to be created by the entries in the rest of the file. The remaining lines are used to create the user accounts. The first user account is created in the default Users container, and the rest of the user accounts are created in the SW Dev, Acct, and AP OUs, respectively:
objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,KenM@cpandl.com,514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,WeiY@cpandl.com,514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,JonM@cpandl.com,514
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,YeX@cpandl.com,514
Note: Setting userAccountControl to 514 disables the user account. This is recommended because csvde cannot set passwords.
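A pre-import check for a file like the sample above, as an added example that is not part of the original page or of csvde itself. The function name lint_import is hypothetical, the sample is constructed from the page's rows with two deliberate defects, and treating dn and objectClass as required columns is an assumption taken from the page's sample header.

```python
import csv
import io

ACCOUNTDISABLE = 0x0002  # userAccountControl flag; 514 = 512 (NORMAL_ACCOUNT) + 2
PASSWORD_ATTRS = {"unicodepwd", "userpassword"}  # csvde cannot import passwords

# Constructed sample: row 3 is left enabled (512), row 4 has an unquoted DN.
SAMPLE = '''objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,KenM@cpandl.com,514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,WeiY@cpandl.com,512
user,CN=JMorris,OU=Acct,DC=cpandl,DC=com,JonM,JonM@cpandl.com,514
'''

def lint_import(text):
    """Return a list of (line_number, message) findings for a csvde import file."""
    findings = []
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "empty file: a header line is required")]
    header = [h.strip().lower() for h in rows[0]]
    for required in ("dn", "objectclass"):  # assumption: as in the page's sample
        if required not in header:
            findings.append((1, f"header is missing {required}"))
    for attr in sorted(PASSWORD_ATTRS & set(header)):
        findings.append((1, f"password column {attr}: csvde cannot import passwords"))
    for lineno, row in enumerate(rows[1:], start=2):
        if not row:
            continue
        if len(row) != len(header):
            # Typical cause: a DN containing commas was not enclosed in quotes.
            findings.append((lineno, f"{len(row)} fields, header has {len(header)}"))
            continue
        rec = dict(zip(header, row))
        if rec.get("objectclass", "").lower() != "user":
            continue
        uac = rec.get("useraccountcontrol", "")
        if not uac.isdigit():
            findings.append((lineno, "user row has no numeric userAccountControl"))
        elif not (int(uac) & ACCOUNTDISABLE):
            findings.append((lineno, f"userAccountControl={uac} is not disabled; 514 is recommended"))
    return findings

if __name__ == "__main__":
    for lineno, message in lint_import(SAMPLE):
        print(f"line {lineno}: {message}")
```
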
The -d switch indicates the root (top) of a particular query. For example, if you want to export all the objects in the Marketing top-level OU of the Contoso.com domain to a file named marketingobjects.csv, you can use the following command:
csvde -d "ou=marketing,dc=contoso,dc=com" -f marketingobjects.csv
The -r switch is a filter for exporting information from the directory. This switch filters the output that an export request produces. For example, if you want to export only the user account object attributes from a domain to a file named usersonly.csv, you can use the following command:
csvde -r objectClass=user -f usersonly.csv
The following example exports Active Directory data to a file named search.txt, sets the search scope to subtree, and lists the sAMAccountName, CN, and distinguished name attributes for each object that is found in the search:
csvde -f search.txt -p subtree -l SamAccountName,CN,distinguishedName
The following example imports the data into the current domain (the domain that you are logged on to) from a file named input.csv:
csvde -i -f input.csv
The following example exports the data from the current domain (the domain that you are logged on to) to a file named output.csv:
csvde -f output.csv
For additional examples using CSVDE, see article 327620 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=91125).