I. Export
Export all AD configuration:
csvde -f output.csv
-r: filter by LDAP attribute
csvde -f users.csv -r "objectCategory=person"
Output all entries whose object class is user and whose category is person:
csvde -f users.csv -r "(&(objectClass=user)(objectCategory=person))"
Output all entries whose userAccountControl value is 514, 546, or 66050:
csvde -f accountControl.csv -r "(|(useraccountcontrol=514)(useraccountcontrol=546)(useraccountcontrol=66050))"
-d: filter by DN, by setting the root DN of the search
csvde -d "OU=TEST,DC=lesca,DC=bit" -f example.csv
csvde -d "CN=Users,DC=lesca,DC=bit" -f example.csv
-l: specify the LDAP attributes to output
csvde -f example.csv -l "DN, objectClass, givenName, sn, name"
Combined example:
csvde -d "OU=Test,dc=lesca,dc=bit" -m -n -f example.csv -r objectClass=user -l "name, objectCategory, DN"
- -m excludes attributes such as ObjectGUID, objectSID, pwdLastSet, and samAccountType
- -n suppresses output of binary values
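
The three values in the -r filter above (514, 546, 66050) are particular combinations of userAccountControl bit flags, so matching exact numbers misses accounts that carry any other flag. The following Python script is an added example, not part of the original notes: it decodes the userAccountControl column of a csvde export and reports disabled accounts and risky flags. The flag names follow Microsoft's documented userAccountControl table; the sample rows and the function names decode_uac and audit_export are constructed for illustration.

```python
import csv
import io

# userAccountControl bit flags (names and values from Microsoft's documented table)
UAC_FLAGS = {
    0x0002: "ACCOUNTDISABLE",
    0x0010: "LOCKOUT",
    0x0020: "PASSWD_NOTREQD",
    0x0080: "ENCRYPTED_TEXT_PWD_ALLOWED",
    0x0200: "NORMAL_ACCOUNT",
    0x1000: "WORKSTATION_TRUST_ACCOUNT",
    0x10000: "DONT_EXPIRE_PASSWORD",
    0x80000: "TRUSTED_FOR_DELEGATION",
    0x400000: "DONT_REQ_PREAUTH",
}
# Flags worth a reviewer's attention, especially on enabled accounts
RISKY = {"PASSWD_NOTREQD", "ENCRYPTED_TEXT_PWD_ALLOWED", "DONT_EXPIRE_PASSWORD",
         "TRUSTED_FOR_DELEGATION", "DONT_REQ_PREAUTH"}

def decode_uac(value):
    """Return the names of all flags set in a userAccountControl integer."""
    return [name for bit, name in UAC_FLAGS.items() if value & bit]

def audit_export(csv_text):
    """Yield (DN, status, risky flags) for each account row of a csvde export."""
    for row in csv.DictReader(io.StringIO(csv_text)):
        raw = (row.get("userAccountControl") or "").strip()
        if not raw.isdigit():
            continue  # groups, OUs etc. have no userAccountControl value
        flags = decode_uac(int(raw))
        status = "disabled" if "ACCOUNTDISABLE" in flags else "enabled"
        yield row["DN"], status, sorted(RISKY.intersection(flags))

# Constructed sample in the shape produced by
#   csvde -f output.csv -l "DN,sAMAccountName,userAccountControl"
SAMPLE = '''DN,sAMAccountName,userAccountControl
"CN=Alice,OU=TEST,DC=lesca,DC=bit",alice,512
"CN=Bob,OU=TEST,DC=lesca,DC=bit",bob,514
"CN=Carol,OU=TEST,DC=lesca,DC=bit",carol,546
"CN=Dave,OU=TEST,DC=lesca,DC=bit",dave,66048
"CN=Erin,OU=TEST,DC=lesca,DC=bit",erin,66050
"CN=Staff,OU=TEST,DC=lesca,DC=bit",Staff,
'''

if __name__ == "__main__":
    for dn, status, risky in audit_export(SAMPLE):
        print(f"{status:8} {dn}  {', '.join(risky) or '-'}")
```

To select every disabled account on the server side regardless of its other flags, the -r filter can use the LDAP bitwise-AND matching rule instead: (userAccountControl:1.2.840.113556.1.4.803:=2).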
II. Import
CSVDE -i -k -f test.csv
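Attribute | Function |
---|---|
objectClass | Object type, usually user. |
sAMAccountName | The LogonName in Domain\LogonName. This attribute maps to the pre-Windows 2000 logon name in the user interface and is usually the same as the user logon name. |
DN | Distinguished Name |
Attribute | Function |
---|---|
userAccountControl | User account control. Set the value of this attribute to 512. |
userPrincipalName | UPN, e.g. lesca@lesca.bit |
givenName | Given name |
SN | Surname |
initials | Initials |
CN | Same as the CN field in the DN (set automatically) |
name | Same as CN (set automatically) |
description | Description |
title | Job title |
department | Department |
displayName | Display name. The displayName attribute contains the name shown for the object in the global address book and in any other address list it belongs to. |
c | Country code, e.g. CN for China |
co | Country, e.g. China (set automatically) |
st | Province |
l | City |
company | Company name |
User e-mail | |
streetAddress | Company street address |
postalCode | Postal code |
physicalDeliveryOfficeName | Office location |
telephoneNumber | Landline telephone number |
mobile | Mobile phone number |
facsimileTelephoneNumber | Fax number |
ipPhone | IP phone |
wWWHomePage | Web site home page |
These required attributes must be column headings in the .csv file, as shown in the example below.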
objectClass | DN | displayName | sAMAccountName | userAccountControl |
---|---|---|---|---|
user | distinguished name of user object | NoMail User | NoMail User | 66048 |
-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------
ADSI Search---objectclass and objectcategory
Object-Class: The list of classes from which this class is derived.
Object-Category: An object class name used to group objects of this or derived classes.
A general introduction to objectClass and objectCategory, excerpted from the web:
Just to clarify, the objectClass attribute is multi-valued. Each object can inherit from one or more classes. User objects have objectClass equal to top, person, organizationalPerson, and user. Contact objects have objectClass equal to top, person, organizationalPerson, and contact. Computer objects have objectClass equal to top, person, organizationalPerson, user, and computer. Thus, a computer object has all of the attributes of a user object, plus some more inherited from the computer class. Computer objects are security principals just like user objects. They need to authenticate to the domain, have passwords (managed by the system), and can be granted permissions.

The objectCategory attribute is single-valued. The value is a Distinguished Name. For user objects objectCategory is MyDomain.com is the domain. For contact objects objectCategory is the same, objects objectCategory is

When searching AD for objects it is more efficient to use objectCategory because it is indexed (objectClass is not), but often a combination of objectClass and objectCategory must be used. The standard search filters are:

- For user objects: (&(objectCategory=person)(objectClass=user))
- For contact objects: (&(objectCategory=person)(objectClass=contact))
- For user and contact objects: (objectCategory=person)
- For computer objects: (objectCategory=computer)
- For group objects: (objectCategory=group)

The provider translates (objectCategory=person) into the correct DN appropriate for the domain. Note that there is no such thing as (objectCategory=user), but the provider translates this into (objectCategory=person), so it includes contact objects. This may not be what you want. Another filter for user objects is: (sAMAccountType=80530636
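After reading the explanation above, I have a better idea of why using objectClass in ADSI queries is not recommended and objectCategory is recommended instead: a user's objectClass inherits from many classes and is not unique. For example, my account in the domain has the objectClass values top, person, organizationalPerson, user, while my objectCategory is CN=Person,CN=Schema,CN=Configuration,DC=ads-telekom,DC=de, so the query scope is much smaller.
III. Limitations of CSVDE
- Cannot create account passwords
- Cannot create OUs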