4-3 Using Automation to Manage Group Accounts

Lesson 3 Using Automation to Manage Group Accounts 4-13

Lesson 3: Using Automation to Manage Group Accounts

Although the Active Directory Users And Computers MMC is a convenient way to create and modify groups individually, it is not the most efficient method for creating large numbers of security principals. A tool included with Windows Server 2003, Ldifde.exe, facilitates the importing and exporting of larger numbers of security principals, including groups.

After this lesson, you will be able to
■ Import security principals with LDIFDE
■ Export security principals with LDIFDE
■ Use the DSADD and DSMOD commands to create and modify groups

Estimated lesson time: 30 minutes
The Lightweight Directory Access Protocol (LDAP) Data Interchange Format (LDIF) is a draft Internet standard for a file format that may be used to perform batch operations against directories that conform to the LDAP standards. LDIF can be used to export and import data, allowing batch operations such as add, create, and modify to be performed against the Active Directory. A utility program called LDIFDE is included in Windows Server 2003 to support batch operations based on the LDIF file format standard.

LDIFDE is a command-line utility, available on all Windows Server 2003 editions. From a command prompt or command shell, you run the LDIFDE utility with the appropriate command switches. Figure 4-3 lists the primary commands used with LDIFDE, displayed by typing ldifde /? at the command prompt.

Figure 4-3 LDIFDE command-line help file

4-14 Chapter 4 Group Accounts

Table 4-4 details the primary LDIFDE commands.
Table 4-4 LDIFDE Commands (Primary)

Command                      Usage

General parameters
-i                           Turn on Import mode (The default is Export)
-f filename                  Input or Output filename
-s servername                The server to bind to
-c FromDN ToDN               Replace occurrences of FromDN to ToDN
-v                           Turn on Verbose mode
-j path                      Log File Location
-t port                      Port Number (default = 389)
-?                           Help

Export specific parameters
-d RootDN                    The root of the LDAP search (Default to Naming Context)
-r Filter                    LDAP search filter (Default to "(objectClass=*)")
-p SearchScope               Search Scope (Base/OneLevel/Subtree)
-l list                      List of attributes (comma-separated) to look for in an LDAP search
-o list                      List of attributes (comma-separated) to omit from input
-g                           Disable Paged Search
-m                           Enable the Security Accounts Manager (SAM) logic on export
-n                           Do not export binary values

Import specific parameters
-k                           The import will ignore "Constraint Violation" and "Object Already Exists" errors

Credentials parameters
-a UserDN                    Sets the command to run using the supplied user distinguished name and password. For example: "cn=administrator,dc=contoso,dc=com password"
-b UserName Domain Password  Sets the command to run as username domain password. The default is to run using the credentials of the currently logged-on user.

Note The LDIFDE utility is included in Windows Server 2003, and can be copied to a computer running Windows 2000 Professional or Windows XP. It can then be bound and used remotely to the Windows Server 2003 Active Directory.
Real World Account Creation

Often, you will have a collection of data that already has a great deal of the information with which you will populate your Windows Server 2003 Active Directory. The data may be in a down-level domain (Windows NT 4, Windows 2000, Novell Directory Services (NDS)), or in some other type of database (Human Resource departments are famous for compiling data). If you have this user data available, you can use it to populate the bulk of your Active Directory. There are many tools available to facilitate the extraction of data: Addusers for Windows NT 4 and LDIFDE for Windows 2000, for example. In addition, most database programs have the built-in capacity to export their data into a Comma-Separated-Value (CSV) file, which LDIFDE can import. For CSV files, however, it should be noted that some elements in object creation are mandatory, and errors will result during the import if elements are missing from the file. Group creation, however, has only the required elements of a distinguished name (CN=User) and location (DC=Domain, DC=OU), which you are unlikely to omit. With a little editing, you can add the OU and group data to the import file, and use LDIFDE to build your Active Directory much more quickly.
Creating Groups with DSADD
The DSADD command, introduced in Chapter 2, is used to add objects to Active Directory. To add a group, use the syntax
dsadd group GroupDN…
The GroupDN… parameter is one or more distinguished names for the new group objects. If a DN includes a space, surround the entire DN with quotation marks. The GroupDN… parameter can be entered in one of the following ways:
■ By piping a list of DNs from another command, such as dsquery.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The DSADD GROUP command can take the following optional parameters after the DN parameter:
■ -secgrp {yes | no} determines whether the group is a security group (yes) or a distribution group (no). The default value is yes.
■ -scope {l | g | u} determines whether the group is a domain local (l), global (g, the default), or universal (u) group.
■ -samid SAMName
■ -desc Description
■ -memberof GroupDN... specifies groups to which to add the new group.
■ -members MemberDN... specifies members to add to the group.
As discussed in Chapter 3, you can add -s, -u, and -p parameters to specify the domain controller against which DSADD will run, and the user name and password—the credentials—that will be used to execute the command.
■ {-s Server | -d Domain}
■ -u UserName
■ -p {Password | *}
Modifying Groups with DSMOD
The DSMOD command, introduced in Chapter 2, is used to modify objects in Active Directory. To modify a group, use the syntax
dsmod group GroupDN…
The command takes many of the same switches as DSADD, including -samid, -desc, -secgrp, and -scope. Typically, though, you won't be changing those attributes of an existing group. Rather, the most useful switches are those that let you modify the membership of a group, specifically
■ -addmbr Member... adds members to the group specified in GroupDN
■ -rmmbr Member... removes members from the group specified in GroupDN
where, as with all directory service commands, the DN is the full distinguished name of another Active Directory object, surrounded by quotes if there are any spaces in the DN.

Note On any one command line, you can use only -addmbr or -rmmbr. You cannot use both in a single DSMOD GROUP command.
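The LDIF records that LDIFDE imports are the batch counterpart of the DSADD GROUP and DSMOD GROUP commands described above. The following Python is an added example, not code from the training kit: it builds "add" records for a list of groups (as in the Real World sidebar, from rows edited out of a CSV-style export) and a "modify" record for membership changes, and rejects rows missing the mandatory elements before ldifde ever sees them. The contoso.com OU and the sample rows are constructed; the groupType bit values and the base64 rule are those of Active Directory and RFC 2849.

```python
import base64

# Constructed sample rows (not from the page): an HR-style export after editing in the
# group data: (CN, sAMAccountName, scope, security-enabled, description).
SAMPLE_ROWS = [
    ("Sales Managers", "SalesManagers", "g", True, "Sales management staff"),
    ("Printer Operators", "PrinterOps", "l", True, " leading space forces base64 encoding"),
    ("All Employees", "AllEmployees", "u", False, "Distribution list"),
]
GROUPS_OU = "OU=Groups,DC=contoso,DC=com"      # assumed target OU (constructed)
SCOPE_BITS = {"l": 0x4, "g": 0x2, "u": 0x8}   # AD groupType scope bits: domain local, global, universal
SECURITY_ENABLED = 0x80000000                  # AD groupType security-enabled bit

def ldif_attr(name, value):
    """Format one attribute line; base64-encode values LDIF cannot carry literally
    (RFC 2849: leading space/colon/'<', non-ASCII, or embedded CR/LF)."""
    if value[:1] in (" ", ":", "<") or not value.isascii() or "\r" in value or "\n" in value:
        return f"{name}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"
    return f"{name}: {value}"

def group_type_value(scope, security=True):
    """Signed 32-bit groupType as AD stores it, e.g. -2147483646 for a global security group."""
    value = SCOPE_BITS[scope] | (SECURITY_ENABLED if security else 0)
    return value - (1 << 32) if value & SECURITY_ENABLED else value

def ldif_add_group(cn, sam, scope="g", security=True, description="", ou=GROUPS_OU, members=()):
    """One 'changetype: add' record, the batch counterpart of 'dsadd group'."""
    if not cn or not sam:   # mandatory elements: ldifde would fail the import on these
        raise ValueError("group CN and sAMAccountName are mandatory for import")
    lines = [ldif_attr("dn", f"CN={cn},{ou}"), "changetype: add", "objectClass: top",
             "objectClass: group", ldif_attr("sAMAccountName", sam),
             f"groupType: {group_type_value(scope, security)}"]
    if description:
        lines.append(ldif_attr("description", description))
    lines += [ldif_attr("member", m) for m in members]
    return "\n".join(lines) + "\n"

def ldif_modify_members(dn, add=(), remove=()):
    """One 'changetype: modify' record, the batch counterpart of 'dsmod group -addmbr/-rmmbr';
    unlike DSMOD, one LDIF record may carry both an add and a delete spec, each closed by '-'."""
    lines = [ldif_attr("dn", dn), "changetype: modify"]
    for op, dns in (("add", add), ("delete", remove)):
        if dns:
            lines += [f"{op}: member"] + [ldif_attr("member", m) for m in dns] + ["-"]
    return "\n".join(lines) + "\n"

def build_import_file(rows):
    """Records separated by a blank line: the file for 'ldifde -i -f groups.ldf -s <server> -k'."""
    return "\n".join(ldif_add_group(cn, sam, scope, sec, desc) for cn, sam, scope, sec, desc in rows)
```

Write the output of build_import_file to a .ldf file and import it with the -i, -f and -s switches from Table 4-4; -k lets a re-run skip groups that already exist.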