You can use one of three approaches to Active Directory (AD) data manipulation. First and most common is using the limited set of Microsoft Management Console (MMC) tools that Windows 2000 provides. No Web-based tools ship with Win2K to manipulate AD, but you can download a Web-based tool called Active Directory Web Administrator, which I wrote and presented at Microsoft TechEd 2000, from my company's Web site. Go to the InterKnowlogy Web site, and scroll down to "TechEd (6-411) Windows DNA with Middle Tier Active Directory COM+ Objects." This tool lets you modify user data in AD in a spreadsheet-like view.

Second, you can write code to manipulate data in AD. Active Directory Service Interfaces (ADSI) is the most common programming interface, but it's not for the beginner or faint of heart. Because of the lack of a sufficient AD toolset in Win2K, many administrators with large AD installations are using ADSI to write their own tools or are commissioning companies to do it for them.

Third, you can use a Win2K utility program called ldifde.exe (LDIF Data Exchange) to perform batch updates to AD. To help facilitate exchanging data, ldifde.exe uses LDAP Data Interchange Format (LDIF), a file format standard used for exchanging data with Directory Services (DSs) such as the Win2K AD. You can use ldifde.exe to

  • Export and import data to and from AD (e.g., exporting all the users of one domain to another domain)
  • Add, create, and modify data in AD (e.g., adding new users in batch format without having to depend on an administrative console)
  • Create schema additions in AD (e.g., adding a new attribute such as favoriteColor to AD schema)

A command-line utility such as ldifde.exe gives you the power to make potentially massive data updates to AD without having to depend on a cumbersome tool such as the MMC Active Directory Users and Computers snap-in, which lets you affect one attribute on one user at a time in a form-based GUI. Of course, ldefde.exe is much easier to deploy than a custom solution because you don't have to write code.

Ldifde.exe has a companion called csvde.exe, which uses a Comma Separated Values (CSV) format instead of an LDIF data format. The power here is that you can use Microsoft Excel or some other program that reads .csv files to prepare your data before using the tool to import it. Both tools use the same command-line parameter formats. Unfortunately, you can use csvde.exe only for additions to AD, not for modifications.

Both ldifde.exe and csvde.exe reside in the \winnt\system32 directory; because that directory is "pathed" (i.e., in the DOS search path), you can run the tools from any folder on your Win2K server. (See Win2K Online Help for a summary of the command-line parameters.)

As you might guess, the command-line Help isn't enough to get you started using the ldifde.exe tool. The best reference I've found for ldifde.exe is the Microsoft article "Using LDIFDE to Import/Export Directory Objects to the Active Directory."