
3-2 Creating Multiple User Objects

Lesson 2: Creating Multiple User Objects
Occasionally, situations emerge that require you to create multiple user objects quickly, such as a new class of incoming students at a school or a group of new hires at an organization. In these situations you must know how to facilitate or automate user object creation effectively so that you do not approach the task on an account-by-account basis. In Lesson 1, you learned how to create and manage user objects with Active Directory Users and Computers. This lesson will extend those concepts, skills, and tools to include user object creation through template objects, imported objects, and command-line scripting of objects.
After this lesson, you will be able to
■ Create and utilize user object templates
■ Import user objects from comma-delimited files
■ Leverage new command-line tools to create and manage user objects
Estimated lesson time: 15 minutes
Creating and Utilizing User Object Templates
It is common for objects to share similar properties. For example, all sales representatives may belong to the same security groups, are allowed to log on to the network during the same hours, and have home folders and roaming profiles on the same server. In such cases, it is helpful when creating a user object for that object to be pre-populated with common properties. This can be accomplished by creating a generic user object—often called a template—and then copying that object to create new users.
To generate a user template, create a user and populate its properties. Put the user into appropriate groups.
Security Alert: Be certain to disable the user, because it is just a template, to ensure that the account is not used for access to network resources.
To create a user based on the template, select the template and choose Copy from the Action menu. You will be prompted for properties similar to those when you created a new user: first and last name, initials, logon names, password, and account options. When the object is created, you will find that properties are copied from the template based on the following property-page-based description:
■ General No properties copied
■ Address All properties except Street address are copied
■ Account All properties are copied, except for logon names, which you are prompted to enter when copying the template
■ Profile All properties are copied, and the profile and home-folder paths are modified to reflect the new user’s logon name
■ Telephones No properties are copied
■ Organization All properties are copied, except for Title
■ Member Of All properties are copied
■ Dial-in, Environment, Sessions, Remote Control, Terminal Services Profile, COM+ No properties are copied
Tip: A user that has been generated by copying a template has, by default, the same group membership as the template. Permissions and rights that are assigned to those groups therefore apply to the new user. However, permissions or rights assigned directly to the template user object are not copied or adjusted, so the new user will not have those permissions or rights.
Importing User Objects Using CSVDE
CSVDE is a command-line utility that allows you to import or export objects in Active Directory from (or to) a comma-delimited text file (also known as a comma-separated value text file), which is, of course, a common format easily read in Notepad and Microsoft Excel. The command is a powerful way to generate objects quickly. The command’s basic syntax is
csvde [-i] [-f FileName] [-k]
-i : Specifies import mode. If not specified, the default mode is export.
-f FileName : Identifies the import file name.
-k : Ignores errors including “object already exists,” “constraint violation,” and “attribute or value already exists” during the import operation and continues processing.
The import file itself is a comma-delimited text file (*.csv or *.txt), in which the first line is a list of Lightweight Directory Access Protocol (LDAP) attribute names for the attributes imported, followed by one line for each object. Each object must contain exactly the attributes listed on the first line. A sample file follows:
DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
"CN=Scott Bishop,OU=Employees,DC=contoso,DC=com",user,sbishop,Bishop,Scott,scott.bishop@contoso.com
This file, when imported, would create a user object in the Employees OU called Scott Bishop. The logon names, first name, and last name are configured by the file. The object will be disabled initially. Once you have reset the password, you can enable the object.
See Also: For more information about the powerful CSVDE command, including details regarding its parameters and its usage to export directory objects, open the Windows Server 2003 Help and Support Center. The LDIFDE command, also covered in detail by the Help and Support Center, allows you to import and export accounts using LDAP formats. This command and its file structure are nowhere near as intuitive for administrators as the comma-delimited file supported by CSVDE.
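Because -k lets an import continue past rejected rows, it helps to check the file before running csvde -i. The following pre-import check is an added example, not part of the original lesson; the attribute allow-list, the expected OU and the sample rows are constructed assumptions.

```python
import csv
import io
import re

# Constructed for this example: the allow-list, the target OU and the sample rows.
ALLOWED = {"dn", "objectclass", "samaccountname", "sn", "givenname", "userprincipalname"}
REQUIRED = {"dn", "objectclass", "samaccountname"}
BASE_DN = "ou=employees,dc=contoso,dc=com"
# Characters Active Directory does not accept in a sAMAccountName.
BAD_SAM = re.compile(r'["/\\\[\]:;|=,+*?<>]')

SAMPLE = """DN,objectClass,sAMAccountName,sn,givenName,userPrincipalName
"CN=Scott Bishop,OU=Employees,DC=contoso,DC=com",user,sbishop,Bishop,Scott,scott.bishop@contoso.com
"CN=Dan Holme,OU=Employees,DC=contoso,DC=com",user,dholme,Holme,Dan
"CN=Sam Bishop,OU=Admins,DC=contoso,DC=com",user,SBishop,Bishop,Sam,sam.bishop@contoso.com
"""


def validate_import(text):
    """Return (line_number, problem) tuples for a CSVDE import file; empty means clean."""
    rows = list(csv.reader(io.StringIO(text)))
    if not rows:
        return [(1, "file is empty")]
    header = [h.strip().lower() for h in rows[0]]
    problems = []
    for attr in sorted(set(header) - ALLOWED):
        problems.append((1, f"attribute not on allow-list: {attr}"))
    for attr in sorted(REQUIRED - set(header)):
        problems.append((1, f"required attribute missing: {attr}"))
    if problems:
        return problems  # rows cannot be interpreted against a bad header
    seen = {}
    for line_no, row in enumerate(rows[1:], start=2):
        # Each object must carry exactly the attributes listed on the first line.
        if len(row) != len(header):
            problems.append((line_no, f"{len(row)} fields, header lists {len(header)}"))
            continue
        rec = dict(zip(header, (v.strip() for v in row)))
        dn = rec["dn"].lower()
        if not (dn.startswith("cn=") and dn.endswith("," + BASE_DN)):
            problems.append((line_no, "DN is outside the expected OU"))
        if rec["objectclass"].lower() != "user":
            problems.append((line_no, "objectClass is not user"))
        sam = rec["samaccountname"]
        if not sam or len(sam) > 20 or BAD_SAM.search(sam):
            problems.append((line_no, "sAMAccountName is empty, too long or has invalid characters"))
        # Names are compared case-insensitively, as the directory does.
        for key in (("DN", dn), ("sAMAccountName", sam.lower())):
            if key in seen:
                problems.append((line_no, f"duplicate {key[0]} (first seen on line {seen[key]})"))
            seen.setdefault(key, line_no)
    return problems


if __name__ == "__main__":
    for line_no, problem in validate_import(SAMPLE):
        print(f"line {line_no}: {problem}")
```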
Utilizing Active Directory Command-Line Tools
Windows Server 2003 supports a number of powerful command-line tools to facilitate the management of Active Directory. The following is a list, and brief description, of each tool:
■ DSADD Adds objects to the directory.
■ DSGET Displays (“gets”) properties of objects in the directory.
■ DSMOD Modifies select attributes of an existing object in the directory.
■ DSMOVE Moves an object from its current container to a new location.
■ DSRM Removes an object, the complete subtree under an object, or both.
■ DSQUERY Queries Active Directory for objects that match specified search criteria. This command is often used to create a list of objects, which are then piped to the other command-line tools for management or modification.
These tools use one or more of the following components in their command-line switches:
■ Target object type One of a predefined set of values that correlate with an object class in Active Directory. Common examples are: computer, user, OU, group, and server (meaning domain controller).
■ Target object identity The distinguished name (DN) of the object against which the command is running. The DN of an object is an attribute of each object that represents the object’s name and location within an Active Directory forest. For example, in Lesson 1, Exercise 1, you created a user object with the distinguished name: CN=Dan Holme, OU=Employees, DC=Contoso, DC=com.
Note: When using DNs in a command parameter, enclose the name in quotes when it includes spaces. If a subcomponent of the distinguished name includes a backslash or comma, see the online help topic listed below.
■ Server You can specify the domain controller against which you want to run the command.
■ User You can specify a user name and password with which to run the command. This is useful if you are logged in with non-administrative credentials and wish to launch the command with elevated credentials.
In addition, switches and parameters are case-insensitive, and can be prefixed with either a dash (“-”) or a slash (“/”).
See Also: This lesson will focus on the most commonly used commands and parameters, and on the use of these commands for user objects. For more information regarding these utilities, including the full list of parameters they accept, open the Help and Support Center and search for the phrase “directory service command-line tools” and be sure to surround the phrase in quotes. After clicking Search, you will see the Command Line Reference on the list of Help Topics, under Search Results.
DSQUERY
The DSQUERY command queries Active Directory for objects that match a specific criteria set. The command’s basic syntax is:
dsquery object_type [{StartNode | forestroot | domainroot}] [-o {dn | rdn | samid}] [-scope {subtree | onelevel | base}] [-name Name] [-desc Description] [-upn UPN] [-samid SAMName] [-inactive NumberOfWeeks] [-stalepwd NumberOfDays] [-disabled] [{-s Server | -d Domain}] [-u UserName] [-p {Password | *}]
Tip: Keep in mind, this command will often be used to generate a list of objects against which you will run other command-line utilities. This is accomplished by piping the output to the second command. For example, the following command line queries Active Directory for a user object with a name starting with “Dan,” and pipes the result set to DSMOD, which disables each object in the result set:
dsquery user -name Dan* | dsmod user -disabled yes
The other utilities accept DNs as their input, which is the default output type as well.
The basic parameters are summarized in Table 3-4.
Table 3-4 Parameters for the DSQUERY Command
Parameter : Description
Query scope
object_type : Required. The object type represents the object class(es) which will be searched. The object type can include computer, contact, group, OU, server, user, or the wildcard “*” to represent any object class. This lesson will focus on the command’s use in querying for the user object type.
{StartNode | forestroot | domainroot} : Optional. Specifies the node from which the search begins. You can specify the forest root (forestroot), domain root (domainroot), or a node’s distinguished name (StartNode). If forestroot is specified, the search is performed using the global catalog. The default value is domainroot.
-scope {subtree | onelevel | base} : Specifies the scope of the search. A value of subtree indicates that the scope is a subtree rooted at start node. A value of onelevel indicates the immediate children of start node only. A value of base indicates the single object represented by start node. If forestroot is specified as StartNode, subtree is the only valid scope. By default, the subtree search scope is used.
How to display the result set
-o {dn, rdn, samid} : Specifies the format in which the list of entries found by the search will be outputted or displayed. A dn value displays the distinguished name of each entry. A rdn value displays the relative distinguished name of each entry. A samid value displays the Security Accounts Manager (SAM) account name of each entry. By default, the dn format is used.
Query criteria
-name Name : Searches for users whose name attributes (value of CN attribute) matches Name. You can use wildcards. For example, “jon*” or “*ith” or “j*th”.
-desc Description : Searches for users whose description attribute matches Description. You can use wildcards.
-upn UPN : Searches for users whose UPN attribute matches UPN.
-samid SAMName : Searches for users whose SAM account name matches SAMName. You can use wildcards.
-inactive NumberOfWeeks : Searches for all users that have been inactive (stale) for the specified number of weeks.
-stalepwd NumberOfDays : Searches for all users who have not changed their passwords for the specified number of days.
-disabled : Searches for all users whose accounts are disabled.
Domain controller and credentials used for the command
{-s Server | -d Domain} : Connects to a specified remote server or domain.
-u UserName : Specifies the user name with which the user logs on to a remote server. By default, -u uses the user name with which the user logged on. You can use any of the following formats to specify a user name:
■ user name (for example, Linda)
■ domain\user name (for example, widgets\Linda)
■ UPN (for example, Linda@widgets.microsoft.com)
-p {Password | *} : Specifies to use either a password or a * to log on to a remote server. If you type *, you are prompted for a password.
Tip: Inactivity is specified in weeks, but password changes are specified in days.
DSADD
The DSADD command enables you to create objects in Active Directory. When creating a user, utilize the DSADD USER command. DSADD parameters allow you to configure specific properties of an object. The parameters are self-explanatory; however, the Windows Server 2003 Help And Support Center provides thorough descriptions of the DSADD command’s parameters if you desire more explanation.
dsadd user UserDN…
The UserDN… parameter is one or more distinguished names for the new user object(s). If a DN includes a space, surround the entire DN with quotation marks. The UserDN… parameter can be entered one of the following ways:
■ By piping a list of DNs from another command, such as DSQUERY.
■ By typing each DN on the command line, separated by spaces.
■ By leaving the DN parameter empty, at which point you can type the DNs, one at a time, at the keyboard console of the command prompt. Press ENTER after each DN. Press CTRL+Z and ENTER after the last DN.
The DSADD USER command can take the following optional parameters after the DN parameter:
■ -samid SAMName
■ -upn UPN
■ -fn FirstName
■ -mi Initial
■ -ln LastName
■ -display DisplayName
■ -empid EmployeeID
■ -pwd {Password | *} where * will prompt you for a password
■ -desc Description
■ -memberof GroupDN;...
■ -office Office
■ -tel PhoneNumber
■ -email Email
■ -hometel HomePhoneNumber
■ -pager PagerNumber
■ -mobile CellPhoneNumber
■ -fax FaxNumber
■ -iptel IPPhoneNumber
■ -webpg WebPage
■ -title Title
■ -dept Department
■ -company Company
■ -mgr ManagerDN
■ -hmdir HomeDirectory
■ -hmdrv DriveLetter:
■ -profile ProfilePath
■ -loscr ScriptPath
■ -mustchpwd {yes | no}
■ -canchpwd {yes | no}
■ -reversiblepwd {yes | no}
■ -pwdneverexpires {yes | no}
■ -acctexpires NumberOfDays
■ -disabled {yes | no}
As with DSQUERY, you can add -s, -u, and -p parameters to specify the domain controller against which DSADD will run, and the user name and password—the credentials—that will be used to execute the command.
■ {-s Server | -d Domain}
■ -u UserName
■ -p {Password | *}
The special token $username$ (case-insensitive) may replace the SAM account name in the value of the -email, -hmdir, -profile, and -webpg parameters. For example, if a SAM account name is “Denise,” the -hmdir parameter can be written in either of the following formats:
■ -hmdir \users\Denise\home
■ -hmdir \users\$username$\home
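When DSADD is driven from a roster, each row can be turned into an argument list and reviewed before anything is run. The following is an added example, not part of the original lesson; the OU, group DN, file server name, drive letter, roster and the strict name rules are constructed assumptions, and accounts are created disabled with no -pwd so that a password is set before they are enabled.

```python
import re
import subprocess

# Constructed for this example: OU, group DN, file server, drive letter and roster.
OU_DN = "OU=Employees,DC=contoso,DC=com"
GROUP_DN = "CN=Sales,OU=Groups,DC=contoso,DC=com"
HOME_DIR = r"\\server01\users\$username$\home"  # dsadd expands $username$ itself
# Deliberately strict: anything else (commas, backslashes, quotes, ...) is
# rejected for manual handling instead of being escaped into a DN.
NAME_OK = re.compile(r"[A-Za-z][A-Za-z '\-]{0,30}")
SAM_OK = re.compile(r"[a-z][a-z0-9.\-]{0,19}")
ROSTER = [("Dan", "Holme", "dholme"), ("Scott", "Bishop", "sbishop"),
          ("Pat", "Smith, Jr.", "psmith")]


def build_dsadd_argv(first, last, sam, upn_suffix="contoso.com"):
    """Return the argument list for one `dsadd user` call or raise ValueError."""
    first, last = first.strip(), last.strip()
    if not (NAME_OK.fullmatch(first) and NAME_OK.fullmatch(last)):
        raise ValueError(f"name needs manual handling: {first} {last}")
    if not SAM_OK.fullmatch(sam):
        raise ValueError(f"sAMAccountName rejected: {sam}")
    return ["dsadd", "user", f"CN={first} {last},{OU_DN}",
            "-samid", sam, "-upn", f"{sam}@{upn_suffix}",
            "-fn", first, "-ln", last, "-display", f"{first} {last}",
            "-memberof", GROUP_DN,
            "-hmdir", HOME_DIR, "-hmdrv", "H:",
            # Created disabled with no -pwd; the operator sets a password and
            # enables the account afterwards (assumed workflow).
            "-mustchpwd", "yes", "-disabled", "yes"]


def plan(roster):
    """Split a roster into dsadd argument lists and rejected entries."""
    commands, rejected = [], []
    for first, last, sam in roster:
        try:
            commands.append(build_dsadd_argv(first, last, sam))
        except ValueError as exc:
            rejected.append(str(exc))
    return commands, rejected


def preview(argv):
    """Render one argument list as a command line for review (Windows quoting)."""
    return subprocess.list2cmdline(argv)


if __name__ == "__main__":
    commands, rejected = plan(ROSTER)
    for argv in commands:
        # Review the output first; on an admin workstation each list can then
        # be run without a shell: subprocess.run(argv, check=True)
        print(preview(argv))
    for reason in rejected:
        print("SKIPPED:", reason)
```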
DSMOD
The DSMOD command modifies the properties of one or more existing objects.
dsmod user UserDN ... parameters
The command handles the UserDN… parameter exactly as the DSADD command, and takes the same parameters. Of course now, instead of adding an object with properties, you are modifying an existing object. Note that the exceptions are that you cannot modify the SAMName (-samid parameter) or group membership (-memberof parameter) of a user object using the DSMOD USER command. You can use the DSMOD GROUP command, discussed in Chapter 4, “Group Accounts,” to change group membership from a command-line utility.
The DSMOD command also takes the -c parameter. This parameter puts DSMOD into continuous operation mode, in which it reports errors but continues to modify the objects. Without the -c parameter, DSMOD will stop operation at the first error.
DSGET
The DSGET command gets, and outputs, selected properties of one or more existing objects.
dsget user UserDN ... parameters
The command handles the UserDN… parameter exactly as the DSADD command does, and takes the same parameters except that DSGET takes only the parameter and not an associated value. For example, DSGET takes the -samid parameter, not the -samid SAMName parameter and value. The reason for this is clear: You are displaying, not adding or modifying, a property. In addition, DSGET does not support the -password parameter because it cannot display passwords. DSGET adds the -dn and -sid parameters, which display the user object’s distinguished name and SID, respectively.
Exam Tip: Keep track of the difference between DSQUERY and DSGET. DSQUERY finds and returns a result set of objects based on property-based search criteria. DSGET returns properties for one or more specified objects.
DSMOVE
The DSMOVE command allows you to move or rename an object within a domain. It cannot be used to move objects between domains. Its basic syntax is:
dsmove ObjectDN [-newname NewName] [-newparent ParentDN]
DSMOVE also supports the -s, -u, and -p parameters described in the section regarding DSQUERY.
The object is specified using its distinguished name in the parameter ObjectDN. To rename the object, specify its new common name in the NewName parameter. Specifying the distinguished name of a container in the ParentDN parameter will move the object to that container.
DSRM
DSRM is used to remove an object, its subtree, or both. The basic syntax is:
dsrm ObjectDN ... [-subtree [-exclude]] [-noprompt] [-c]
It supports the -s, -u, and -p parameters described in the section about DSQUERY.
The object is specified by its distinguished name in the ObjectDN parameter. The -subtree switch directs DSRM to remove the object’s contents if the object is a container object. The -exclude switch excludes the object itself, and can be used only in conjunction with -subtree. Specifying -subtree and -exclude would, for example, delete the subtree under an OU but leave the OU itself intact. By default, without the -subtree or -exclude switches, only the object is deleted.
You will be prompted to confirm the deletion of each object, unless you specify the -noprompt parameter. The -c switch puts DSRM into continuous operation mode, in which errors are reported but the command keeps processing additional objects. Without the -c switch, processing halts on the first error.

People act and heaven watches; when reposting, please credit this article's address with a link.
Article address: http://www.zhaoniupai.com/blog/archives/250.html