This script can be used to update Active Directory User attributes from a CSV file. One column in the CSV file is used to match rows in the CSV file to user accounts in Active Directory and the other columns are used to update attributes. Normally the Pre-Windows 2000 username (sAMAccountName) attribute is used to match rows in the CSV file to user accounts in Active Directory, but you can easily modify the script to use a different attribute if required. For example, you might want to identify the user account you want to update in the CSV file by email address (mail attribute) rather than username.
As an alternative to this script, you might also to consider using the Bulk AD Users
application (freeware) available on this website. Bulk AD Users supports updating users via CSV file and it includes some other tools for updating users accounts such as the Edit In Excel and Bulk Modify features. The Bulk AD Users application can make it easier for you to apply the update and it also produces an XML log file of the update which can be used to rollback changes. That's not to say that Bulk AD Users is a complete replacement for this script as the script allows you to customize the code for your own requirements, and it can also be automated via task manager if required.
Bulk Update Considerations
There is always an element of risk involved in performing bulk updates to Active Directory. Please be sure to test updates in a QA environment before applying them to your live domain. Also, it's a good idea to have a plan of action prepared should something go wrong with the update. Taking a backup of your Active Directory database is a sensible precaution, and it also pays to be familiar with backup and restore techniques. If you have a large domain or a domain that is connected over slow WAN links, you might also need to consider the impact of replication traffic when performing bulk updates. Bulk updates can save an enormous amount of time and they normally run very smoothly if planned correctly.
The first step in updating user accounts from a CSV file is to produce a valid CSV input file for the script. A CSV file is simply a text file containing rows and columns of data like a spreadsheet and they can be read and written to by spreadsheet applications like Microsoft Excel. There is normally a way to extract data from databases into CSV text files. It's also possible to produce a text file manually by using an application such as notepad. See here
for more information on producing CSV files.
As well as taking care to ensure that the CSV file you have produced is valid, you also need to ensure that the CSV file includes a header row. The header row is used by the script to identity the column names and the column names should correspond to the attribute names used by Active Directory. The attribute names are not always obvious, so please take care to ensure that you are using the correct names. For example, the surname attribute is "sn" and the first name attribute is "givenName". As mentioned previously, the username (pre windows 2000) is used by default to match rows in the CSV file to the user accounts in Active Directory. This attribute name is "sAMAccountName" and must be included in your CSV file (unless you plan to use a different search attribute). You might find the Active Directory Schema Guide
on this website useful for identifying the correct attribute names to use.
If you don't want to edit the script, the CSV file should be called "usermod.csv" and it should be located on the root of the "C:\" drive. If you want to use a different filename or location, edit the strCSVFolder and strCSVFile attributes in the setup section of the script. Change the strSearchAttribute if you want to use a different attribute for matching rows in the CSV file to users in Active Directory (e.g. userPrincipalName or mail attribute). The attribute you choose for the strSearchAttribute should be unique as the script expects a maximum of 1 user to be returned for any attribute value. If multiple users are found with the same attribute value, no user accounts will be updated.
The configuration of the script and the CSV file is now complete. The script is designed to run in cscript mode (described in this article
). If you double click the script, the script will run in wscript mode - the script will work ok, but you will get a lot of annoying prompts. To run in cscript mode, open a command prompt and change the current directory to the one that contains the script. Use the following command to run the script:
The results of the script will be output to the console window. If you prefer to have the results stored in a text file, use the following command instead:
cscript csv_user_update.vbs >> results.txt
Extracting CSV Data From Active Directory
If you would like to extract data as a CSV file from Active Directory as a base for your update, please refer to the scripts below:
Custom Attribute Handling
The script should support most single-valued attributes by default. In addition, special handling has been added for the following attributes:
This attribute is the "Name" column that is shown in Active Directory Users & Computers and it's a standard attribute in AD. The cn (common name) forms part of an objects distinguished name. This attribute must be unique within it's parent container (organizational unit). This attribute can be read the same as any other attribute, but to change the value you need to use the "MoveHere" method.
Terminal Services attributes are stored in the "userparameters" attribute in Active Directory. Modifying this attribute directly isn't recommended, but it is possible to modify these attributes via the IADsTSUserEx interface. The TsUserEx.dll is required to modify these values, otherwise you will get a "Object doesn't support this property or method" error. To fix this you will need to install the Windows 2000/2003 Administration Tools Pack
Microsoft doesn't provide any access to user passwords stored in Active Directory via ADSI, either in encrypted or unencrypted format. It is possible to change a password by calling the "SetPassword" method though. The script won't output the previous value as it does with other attributes. Note: Please take care to ensure passwords meet length and complexity requirements.
The manager attribute in active directory requires a distinguished name. e.g.
To make this attribute easier to modify, you can specify "Manager_sAMAccountName" as the attribute name in the CSV header instead of "manager". This allows you to use the username (Pre Windows 2000) instead of the manager's distinguished name. e.g.
Note: Bulk AD Users
provides better support for multi-valued attributes if required.
Provider cannot be found error
The script uses the Microsoft.Jet.OLEDB.4.0 provider. If you are using x64, you will need to use the 32bit script host for this provider to be available. To do this, open a command prompt and navigate to the "SysWow64" folder in your Windows directory. e.g.
You can now run cscript from this location, passing the full location of your script file. e.g.
Data Not Imported as Expected
This script uses the Microsoft.Jet.OLEDB.4.0 provider for parsing the CSV file. Sometimes the data type gets mis-interpreted and the data is not imported as expected. An example of this is where you are updating the telephoneNumber attribute and your telephone numbers start with a leading zero. The provider is likely to interpret this as a number rather than a string which results in the leading zeros getting truncated. To get around this issue, you can create a schema.ini file. If you have a CSV file consisting only of sAMAccountName and telephoneNumber columns, your schema.ini file might look something like this:
For more information on schema.ini files, please refer to this article
||Changed script to use CSV header|
Added support for terminal services attributes
Added support for changing passwords