Imports and exports data from Active Directory Domain Services (AD DS) using files that store data in the comma-separated value (CSV) format. You can also support batch operations based on the CSV file format standard.

Csvde is a command-line tool that is built into Windows Server 2008 in the %windir%/system32 folder. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use csvde, you must run the csvde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

Csvde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> {<Password> | *}] [-b <UserName> <Domain> {<Password> | *}]

Parameters

Parameter Description

-i

Specifies import mode. If not specified, the default mode is export.

-f <FileName>

Identifies the import or export file name.

-s <ServerName>

Specifies the domain controller to perform the import or export operation.

-c <String1> <String2>

Replaces all occurrences of String1 with String2. You use this parameter when you import data from one domain to another and you want to replace the distinguished name of the export domain (String1) with the distinguished name of the import domain (String2).

-v

Sets verbose mode.

-j <Path>

Sets the log file location. The default is the current path.

-t <PortNumber>

Specifies an LDAP port. The default LDAP port is 389. The global catalog port is 3268.

-u

Specifies Unicode format.

-d <BaseDN>

Sets the distinguished name of the search base for data export.

-r <LDAPFilter>

Creates an LDAP search filter for data export.

-p <Scope>

Sets the search scope. Search scope options are Base, OneLevel, or SubTree.

-l <LDAPAttributeList>

Sets the list of attributes to return in the results of an export query. LDAP can return attributes in any order, and csvde does not attempt to impose any order on the columns. If you omit this parameter, AD DS returns all attributes.

-o <LDAPAttributeList>

Specifies the list of attributes to omit from the results of an export query. You use this parameter if you need to export objects from AD DS, and then import them into another LDAP-compliant directory. If the other directory does not support certain attributes, you can use this parameter to omit those attributes from the result set.

-g

Omits paged searches.

-m

Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet, and samAccountType attributes.

-n

Omits the export of binary values.

-k

Ignores errors during an import operation and continues processing. The following is a complete list of ignored errors:

  • Object already exists

  • Constraint violation

  • Attribute or value already exists

-a [<UserDistinguishedName> {<Password> | *}]

Performs a simple LDAP bind with the user name and password. Sets the command to run using the supplied UserDistinguishedName and Password. By default, the command runs using the credentials of the user who is currently logged on to the network.

-b [<UserName> <Domain> {<Password> | *}]

Performs a secure LDAP bind with the NEGOTIATE authentication method. Sets the command to run using the supplied Username, Domain, and Password. By default, the command will run using the credentials of the user who is currently logged on to the network.

/?

Displays Help at the command prompt.

Remarks

  • You cannot import user passwords by using csvde because passwords must be sent over an encrypted channel. Csvde does not support Secure Sockets Layer (SSL) or encrypted LDAP communication. The previous references to passwords relate to the credentials of the user who is running csvde. They are not related to setting passwords for users.

  • Applications such as Microsoft Excel spreadsheet software are capable of reading and saving data in the CSV format. You can also create CSV files using Notepad; separate the values that you add to your file with commas. In addition, the Microsoft Exchange Server administration tools are capable of importing and exporting data using the CSV format, as are many other from software developers other than Microsoft.

    The CSV format consists of one or more lines of data with each value separated by a comma and no spaces between the comma and the next entry. The first line (sometimes referred to as the header) of the CSV file must contain the names of each attribute in the same order as the data in any line following the first line. For example:

    CN,FirstName,SurName,Description
    FirstUserLogonName,1stUserFirstName,1stUserSurname,Manager
    SecondUserLogonName,2ndUserFirstName,2ndUserSurname,President
    
  • To see a list of properties that csvde can update, see the appropriate supported interfaces in ADSI Objects of LDAP (http://go.microsoft.com/fwlink/?LinkId=91123). For example, to see the properties that can be set for Active Directory user objects, see IADsUser Interface (http://go.microsoft.com/fwlink/?LinkId=91124), and then view Properties.

  • You can use csvde -r to create an LDAP search filter for data export. For example, the following filter exports all users with a particular surname:

    csvde -r (&(objectClass=User)(sn=Surname))
    

Examples

The following sample file contents are for a domain named Cpandl.com that has organizational units (OUs) named SW Dev, Acct, and AP. The AP OU is subordinate to the Acct OU. The first line of the file defines the Active Directory object properties for user accounts to be created by the entries in the rest of the file. The remaining lines are used to create the user accounts. The first user account is created in the default Users container, and the rest of the user accounts are created in the SW Dev, Acct, and AP OUs, respectively:

objectClass,dn,sAMAccountName,userPrincipalName,userAccountControl
user,"CN=KMyer,CN=Users,DC=cpandl,DC=com",KenM,KenM@cpandl.com,514
user,"CN=WYu,OU=SW Dev,DC=cpandl,DC=com",WeiY,WeiY@cpandl.com,514
user,"CN=JMorris,OU=Acct,DC=cpandl,DC=com",JonM,JonM@cpandl.com,514
user,"CN=YXu,OU=AP,OU=Acct,DC=cpandl,DC=com",YeX,YeX@cpandl.com,514
Note

Setting userAccountControl to 514 disables the user account. This is recommended because csvde cannot set passwords.

The -d switch indicates the root (top) of a particular query. For example, if you want to export all the objects in the Marketing top-level OU of the Contoso.com domain to a file named marketingobjects.csv, you can use the following command:

csvde -d "ou=marketing,dc=contoso,dc=com" -f marketingobjects.csv

The -r switch is a filter for exporting information from the directory. This switch filters the output that an export request produces. For example, if you want to export only the user account object attributes from a domain to a file named usersonly.csv, you can use the following command:

csvde -r objectClass=user -f usersonly.csv

The following example exports Active Directory data to a file named search.txt, sets the search scope to subtree, and lists the sAMAccountName, CN, and distinguished name attributes for each object that is found in the search:

csvde -f search.txt -p subtree -l SamAccountName,CN,Distinguishname

The following example imports the data from the current domain (the domain that you are logged on to) from a file named input.csv:

csvde -i -f input.csv

The following example exports the data from the current domain (the domain that you are logged on to) to a file named output.csv:

csvde -f output.csv

For additional examples using CSVDE, see article 327620 in the Microsoft Knowledge Base (http://go.microsoft.com/fwlink/?LinkId=91125).

Additional references