How to bulk-modify AD user information

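  • Question

  • There are more than 2,000 users in AD, and every user is required to have address, mobile phone, IP phone, department, job title and similar information filled in correctly.

    Is there a way to export the relevant information from AD to Excel,

    and then, after editing it manually, import it back into AD?

    Is there any way to do this?

    December 16, 2014 8:51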

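Answers

  • You can use the "ldifde" command to export the data first, modify it, and then import it back;

    For details, see the official site: http://technet.microsoft.com/zh-cn/library/cc755456

    The following are the command's common parameters: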

    -----------------------------------------------------------------------------------------------------------

    LDIF Directory Exchange

    General Parameters
    ==================
    -i              Turn on Import Mode (The default is Export)
    -f filename     Input or Output filename
    -s servername   The server to bind to (Default to DC of computer's domain)
    -c FromDN ToDN  Replace occurences of FromDN to ToDN
                    If either FromDN or ToDN ends with #attributeName, the
                    attribute value will be looked up in rootDSE and used to
                    replace #attributeName.  See example for "Macro expansion
                    in DNs".
    -v              Turn on Verbose Mode
    -j path         Log File Location
    -t port         Port Number (default = 389)
    -u              Use Unicode format
    -w timeout      Terminate execution if the server takes longer than the
                    specified number of seconds to respond to an operation
                    (default = no timeout specified)
    -h              Enable SASL layer encryption
    -?              Help

    Export Specific
    ===============
    -d RootDN       The root of the LDAP search (Default to Naming Context)
    -r Filter       LDAP search filter (Default to "(objectClass=*)")
    -p SearchScope  Search Scope (Base/OneLevel/Subtree)
    -l list         List of attributes (comma separated) to look for
                    in an LDAP search
    -o list         List of attributes (comma separated) to omit from
                    input.
    -g              Disable Paged Search.
    -m              Enable the SAM logic on export.
    -n              Do not export binary values
    -x              Include deleted objects (tombstones)
    -1              Retain only the important replPropertyMetadata

    Import
    ======
    -k              The import will go on ignoring 'Constraint Violation'
                    and 'Object Already Exists' errors
    -y              The import will use lazy commit for better performance
                    (enabled by default)
    -e              The import will not use lazy commit
    -q threads      The import will use the specified number of threads
                    (default is 1)             
    -z              Continue importing irrespective of errors.
    -x              Enable tombstone reanimation support (passes deleted 
                    objects control with ldap modify requests)

    Credentials Establishment
    =========================
    Note that if no credentials is specified, LDIFDE will bind as the currently
    logged on user, using SSPI.

    -a UserDN [Password | *]            Simple authentication
    -b UserName Domain [Password | *]   SSPI bind method

    Example: Simple import of current domain
        ldifde -i -f INPUT.LDF

    Example: Simple export of current domain
        ldifde -f OUTPUT.LDF

    Example: Export of specific domain with credentials
        ldifde -m -f OUTPUT.LDF
               -b USERNAME DOMAINNAME *
               -s SERVERNAME
               -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
               -r "(objectClass=user)"

    Example: Macro expansion in DNs
        ldifde -f export.ldf -c "#configurationNamingContext" "cn=configuration,dc=x"
        ldifde -i -f import.ldf -c "cn=configuration,dc=x" "#configurationNamingContext"

    No log files were written.  In order to generate a log file, please
    specify the log file path via the -j option.


    December 16, 2014 9:46
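
The export, edit, import cycle from the answer above, as an added example that is not part of the original answer: ldifde updates existing objects only when the import file holds `changetype: modify` records, so the functions below build them, base64-encoding values where LDIF requires it. The OU `OU=Staff,DC=example,DC=com`, the file names, the sample user and the function names are constructed assumptions; the ldifde flags are the ones listed in the help text.

```powershell
# Added example, not from the original answer. OU, file names, sample user and
# function names are constructed. Save this script as UTF-8 with BOM.
$attrs = 'telephoneNumber','mobile','ipPhone','department','title','streetAddress'

# 1. Export (run on a domain-joined host): one OU, user objects, only $attrs.
#    ldifde -f .\export.ldf -d "OU=Staff,DC=example,DC=com" `
#           -r "(&(objectCategory=person)(objectClass=user))" -l ($attrs -join ',')

function ConvertTo-LdifValue {
    # LDIF needs base64 ("attr:: ...") for non-ASCII text, a leading space,
    # ':' or '<', or a trailing space; plain "attr: value" otherwise.
    param([string]$Name, [string]$Value)
    if ($Value -match '[^\x20-\x7E]|^[ :<]| $') {
        $b64 = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($Value))
        return "${Name}:: $b64"
    }
    "${Name}: $Value"
}

function ConvertTo-LdifModify {
    param([Parameter(Mandatory)][string]$DistinguishedName,
          [Parameter(Mandatory)][hashtable]$Changes,
          [string[]]$Allowed = $attrs)
    $lines = @((ConvertTo-LdifValue 'dn' $DistinguishedName), 'changetype: modify')
    foreach ($name in ($Changes.Keys | Sort-Object)) {
        # Allowlist: an edited file must not reach attributes such as
        # userAccountControl or servicePrincipalName.
        if ($Allowed -notcontains $name) { throw "Attribute not allowed: $name" }
        $lines += "replace: $name"
        $value = [string]$Changes[$name]
        # An empty value emits "replace:" with no value line, which clears the attribute.
        if ($value) { $lines += ConvertTo-LdifValue $name $value }
        $lines += '-'
    }
    ($lines -join "`r`n") + "`r`n`r`n"   # a blank line terminates the record
}

# 2. Build the import file from the edited values (constructed sample).
$ldif = ConvertTo-LdifModify -DistinguishedName 'CN=Li Wei,OU=Staff,DC=example,DC=com' `
            -Changes @{ department = '财务部'; ipPhone = '8001' }
Set-Content -Path .\changes.ldf -Value $ldif -Encoding Ascii -NoNewline

# 3. Import and write a log to the current directory for review:
#    ldifde -i -f .\changes.ldf -j .
```

Limiting the export with `-d`, `-r` and `-l` keeps the file to the attributes being edited, and the `-j` log records which entries were modified.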
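  • For the export you can use Get-ADUser -Filter {*} -Properties telephoneNumber,department,...   | Select-Object samaccountname,name,....   | Export-Csv .\xxx.csv -NoTypeInformation

    After modifying the CSV file in Excel, use

    Import-Csv .\xxx.csv | foreach { Set-ADUser -Identity $_.samaccountname -Replace @{telephoneNumber=$_.telephoneNumber;department=$_.department} }

    The above has not been tested; in theory it should work.

    ...  stands for the attributes you want to read and modify; you can look them up using ADSI.


    December 17, 2014 1:39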
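
The CSV round trip from the answer above, as an added example that is not part of the original post: it writes only an allowlisted set of attributes, skips accounts outside one OU, sends blank cells to `-Clear`, and defaults to a `-WhatIf` dry run. The OU, the file name, the attribute list and the function names are constructed assumptions, and the RSAT ActiveDirectory module is required.

```powershell
# Added example, not from the original post. The OU, file name and attribute
# list are assumptions; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$searchBase = 'OU=Staff,DC=example,DC=com'
$csvPath    = '.\users.csv'
# Only these LDAP attributes are ever written, whatever columns the CSV has.
$allowed    = 'telephoneNumber','mobile','ipPhone','department','title','streetAddress'

function Export-UserSheet {
    # Select-Object + Export-Csv writes a real CSV that Import-Csv can read back.
    Get-ADUser -Filter * -SearchBase $searchBase -Properties $allowed |
        Select-Object -Property (@('SamAccountName','Name') + $allowed) |
        Export-Csv -Path $csvPath -NoTypeInformation -Encoding UTF8
}

function Get-UserChange {
    # Split one CSV row into values to replace and attributes to clear
    # (-Replace fails on empty strings, so blank cells go to -Clear).
    param([Parameter(Mandatory)]$Row)
    $replace = @{}; $clear = @()
    foreach ($name in $allowed) {
        if ($Row.PSObject.Properties.Name -notcontains $name) { continue }
        $value = ([string]$Row.$name).Trim()
        if ($value) { $replace[$name] = $value } else { $clear += $name }
    }
    [pscustomobject]@{ Replace = $replace; Clear = $clear }
}

function Import-UserSheet {
    param([switch]$Apply)   # without -Apply every change is only a -WhatIf dry run
    foreach ($row in Import-Csv -Path $csvPath -Encoding UTF8) {
        try { $user = Get-ADUser -Identity $row.SamAccountName -ErrorAction Stop }
        catch { Write-Warning "Not found, skipped: $($row.SamAccountName)"; continue }
        # Refuse accounts outside the delegated OU, e.g. a row added for an admin account.
        if (-not $user.DistinguishedName.EndsWith(",$searchBase", [StringComparison]::OrdinalIgnoreCase)) {
            Write-Warning "Outside $searchBase, skipped: $($row.SamAccountName)"; continue
        }
        $change = Get-UserChange -Row $row
        $params = @{ Identity = $user; WhatIf = (-not $Apply) }
        if ($change.Replace.Count) { $params.Replace = $change.Replace }
        if ($change.Clear.Count)   { $params.Clear   = $change.Clear }
        if ($params.Count -gt 2)   { Set-ADUser @params }
    }
}
```

Run `Export-UserSheet`, edit the file, review the dry-run output of `Import-UserSheet`, then rerun it with `-Apply`.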
