Using CSVDE to create a full mailbox-enabled user...

[Tom]

Hello -

I have seen various posts regarding this all over the Internet and on
Groups but they all seem to miss giving ALL the information necessary
so I am wondering what I am missing. Please, would one of you nice
knowledgable people please inform me.

I am trying to create a group of users using a CSV file. Here is an
example of my two line test file:

cn,objectClass,sAMAccountName,DN,sn,givenName,distinguishedName,displayName,homeMDB,mailNickname,name,userAccountControl,mail,msExchHomeServerName,memberOf,homeDirectory,homeDrive,scriptPath,physicalDeliveryOfficeName,department
"Peters, Betty",user,DPeters,"CN=Peters\\,
Betty,CN=Users,DC=res,DC=ures,DC=com",Peters,Betty,"CN=Peters\\,
Betty,CN=Users,DC=res,DC=ures,DC=com","Peters, Betty","CN=Mailbox
Store (UCEXCH),CN=First Storage
Group,CN=InformationStore,CN=UCEXCH,CN=Servers,CN=uscomp,CN=Administrative
Groups,CN=US Company,CN=Microsoft
Exchange,CN=Services,CN=Configuration,DC=corp,DC=uscomp,DC=com",BPeters,"Peters,
Betty",512,[email protected],"/O=U.S. Equities Realty,
Inc./OU=Company/cn=Configuration/cn=Servers/cn=UCEXCH","CN=Resident
Assistants,CN=Users,DC=res,DC=ures,DC=com",\\\\UCFile\\BPeters,H:,logon.bat,DeGault,RA

After doing this I plan on using a batch file to do a dsmod to change
(create) the account's passwords, create the user's home directory,
xcacls to set the permissions on this, and do a rmtshare to create
their home share on the file server.

Ok, that said, I am having major issues with the CSVDE import. When I
run the import I get the following error.

C:\Software\Batch\MKUser>CSVDE -i -f test.csv
Connecting to "domain.ucres.com"
Logging in as current user using SSPI
Importing directory from file "test.csv"
Loading entries.
Add error on line 2: Unwilling To Perform
The server side error is "Access to the attribute is not permitted
because the attribute is owned by the Security Accounts Manager
(SAM)."
0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.

I have chosen the above route for creating users because:
1. My company is too cheap to purchase a 3rd party product.
2. DSAdd (as far as I have read) will not create mail or
mailbox-enabled users.
3. CSVDE formatting is easier to create over LDIFDE.

The posts I have seen on the web talk about creating a user and then
mail-enabling them, I would much rather do this in one fell swoop.

Any information you can provide to point me in the correct direction
would be greatly appreciated.

Thanks

Tom

 

[Tom]

Come on, no one knows how to properly use CSVDE to create a
mailbox-enabled user? I'll give 500 points to the person who can give
me the correct answer.

Thanks much

Tom

 

[Andrew Mitchell]

(e-mail address removed) (Tom) said

Come on, no one knows how to properly use CSVDE to create a
mailbox-enabled user? I'll give 500 points to the person who can give
me the correct answer.

You need to include the following attributes (as a minimum)in your CSV file:
homeMDB
mDBUseDefaults
mailNickname
mail
msExchHomeServerName

Try creating a dummy exchange-enabled user in an OU called 'test' then run :
CSVDE -f exchange.csv -d "ou=test,DC=YourDomain,DC=YourDomainSuffix" to
generate a CSV file so you can see what values need to be applied to these
attributes.

 

[Andrew Mitchell]

You need to include the following attributes (as a minimum)in your CSV
file: homeMDB
mDBUseDefaults
mailNickname
mail
msExchHomeServerName

NOTE: These are in addition to the normal attributes required when creating a
user.

 

[Tom]

Andy -

Your help is greatly appreciated.

I added the mDBUseDefaults to my test file above with the value TRUE
as the data. I tried the test import and received the following
error, do you have any further suggestions? BTW, the mDBUseDefaults
was the only value I added to the file and I didn't subtract
anything...

Logging in as current user using SSPI
Importing directory from file "test.csv"
Loading entries.
Add error on line 2: Unwilling To Perform
The server side error is "Access to the attribute is not permitted
because the attribute is owned by the Security Accounts Manager
(SAM)."
0 entries modified successfully.
An error has occurred in the program

I am already logged in as the domain administrator so security
shouldn't be an issue. Any help you can offer would be amazing.

Thanks again.

Tom

 

[Andrew Mitchell]

(e-mail address removed) (Tom) said

Andy -

Your help is greatly appreciated.

I added the mDBUseDefaults to my test file above with the value TRUE
as the data. I tried the test import and received the following
error, do you have any further suggestions? BTW, the mDBUseDefaults
was the only value I added to the file and I didn't subtract
anything...

Logging in as current user using SSPI
Importing directory from file "test.csv"
Loading entries.
Add error on line 2: Unwilling To Perform
The server side error is "Access to the attribute is not permitted
because the attribute is owned by the Security Accounts Manager
(SAM)."
0 entries modified successfully.
An error has occurred in the program

I am already logged in as the domain administrator so security
shouldn't be an issue. Any help you can offer would be amazing.

Can you provide a list of the attributes you have included in the CSV file.
(the attribute names, not values).
Some attributes are system generated and you can't specify them in the CSV
file.

I've just done a test run here and it's worked fine. The attributes I
included were:

DN,
objectClass,
instanceType,
cn,
sn,
givenName,
displayName,
homeMTA,
proxyAddresses,
homeMDB,
mDBUseDefaults,
displayNamePrintable,
mailNickname,
homeDirectory,
homeDrive,
profilePath,
adminCount,
sAMAccountName,
userPrincipalName,
mail,
description

PS: This is the first time I've even looked at csvde so you'll have to
excuse me if it takes a while to answer some of your questions.

 

[Tom]

Andy -

The attributes I have in my file are as follows:

cn
objectClass
sAMAccountName
DN
sn
givenName
distinguishedName
displayName
homeMDB
mailNickname
name
userAccountControl
mail
msExchHomeServerName
memberOf
homeDirectory
homeDrive
scriptPath
physicalDeliveryOfficeName
department

Most of the attributes that I have included have been posted in the
documentation or on web sites as being mandatory or optional so I was
thinking maybe I need to have them in a specific order or something
like that. It doesn't exactly make sense, but then again, there are a
lot of things that don't make sense when it comes to computers.

Thanks again for your help...you are truly helping a lot of
people...not just me.

Tom

 

[Andrew Mitchell]

(e-mail address removed) (Tom) said

Andy -

The attributes I have in my file are as follows:

cn
objectClass
sAMAccountName
DN
sn
givenName
distinguishedName
displayName
homeMDB
mailNickname
name
userAccountControl
mail
msExchHomeServerName
memberOf
homeDirectory
homeDrive
scriptPath
physicalDeliveryOfficeName
department

You don't need to specify the distinguishedName as you already have dn
specified (which is the same thing). Do you have the same values in both of
these fields? Try removing the distinguishedName column and see what
happens.

One other thing (and apologies if this is a stupid question) but are you
logged into the DC when doing this?

Most of the attributes that I have included have been posted in the
documentation or on web sites as being mandatory or optional so I was
thinking maybe I need to have them in a specific order or something
like that.

The order shouldn't matter, as long as the heading correctly identifies the
attribute.

You could try using the attributes I mentioned in my last post and create a
user then delete it if succesful. Then add your attributes one at a time
and recreate the user, then delete it again until you find the attribute
causing the problems. It might take a while but it's probably quicker than
waiting for me to wake up in Australia

It doesn't exactly make sense, but then again, there are a
lot of things that don't make sense when it comes to computers.

That's one thing that never changes..........

 

[Joe Richards [MVP]]

Certainly I do. Actually if you pick up the Windows Server 2003 Cookbook when it
comes out this fall you can look at I think Chapter 18 which I wrote that walks
through the process of mailbox enabling user objects. I specifically specify
that doing it through LDIFDE/CSVDE are massive pains and actually not a
supported method.

homeMDB is messy to play to with as is legacyExchangeDN. You have to supply a
valid value. If you have a simple environment (i.e. no 5.5) you can probably do
it in a csvde or ldifde file without serious pain.

The big nasty attribute is the msExchMailboxSecurityDescriptor, that is binary
and if it isn't done correctly, will make the mailbox useless. I am not entirely
positive you can set that from csvde as I tend to script things or use ldifde
versus using csvde. It is definitely extremely painful in ldifde.


It is much easier to do it with a cdoexm script or a command line tool such as
exchmbx which you can find here

http://www.joeware.net/win/free/tools/exchmbx.htm

joe