- Knowledge base
- Active Directory management
- Active Directory reports
- Active Directoy integrations
- Active Directory automation
- Active Directory delegation
- Governance, risk, and compliance
- Microsoft 365 management and reporting
- AD migration
- Access certification
- Identity risk assessment
- Risk exposure management
- FAQs
- Pricing
- Online demo
- Request support
- Get quote
Comma Separated Value Data Exchange (Csvde ) is a command-line utility built into Windows Server that lets you import and export AD objects using CSV files. You can run it from an elevated Command Prompt on any machine with the Remote Server Administration Tools (RSAT) installed, or directly on a domain controller.
Csvde reads and writes to Active Directory's LDAP interface. When you export, it queries the directory and takes each object's attributes as a row in a CSV file, with one column per attribute. When you import, it reads that same format and creates new objects in AD. Csvde supports read/write for new object creation, but read-only for existing objects. This means it cannot modify or delete objects already present in the directory.
Note: For life cycle management actions (creating, modifying, or deleting objects), you can use the companion tool LDAP Data Interchange Format Data Exchange (LDIFDE) which uses the LDIF file format instead.
What Csvde is used for
Admins use Csvde in one of the three situations.
Bulk user creation: If you're onboarding a large batch of users, Csvde lets you prepare a CSV with all the required attributes and create hundreds of accounts in a single command.
Directory migration: When moving objects between AD environments or domains, Csvde gives you a portable, human-readable export you can inspect and edit before reimporting. This makes it a handy migration tool for quick, small-scale migrations to validate attributes, identify stale accounts, or build a rollback reference.
Auditing: Exporting a domain or OU to CSV gives you a point-in-time snapshot of the directory that's easy to search, sort, and share with people who don't have direct AD access.
How Csvde works
Export mode
In export mode, Csvde queries AD and writes the results to a CSV file. Each row is one object; the first row is a header listing attribute names. The query scope, base DN, and LDAP filter are all controllable via switches.
Import mode
In import mode, Csvde reads a CSV and attempts to create each row as a new AD object. The CSV must include a DN column (the distinguished name) and an objectClass column at minimum. Any additional column is treated as an LDAP attribute to set on the object.
Note: Csvde cannot set passwords during import because the unicodePwd attribute requires an encrypted LDAPS or Kerberos channel. User accounts created by Csvde are disabled by default. A secondary step to enable these accounts and set passwords by PowerShell, ADUC, or LDIFDE is needed.
Common commands in Csvde
Here are some common commands you'll use with Csvde.
Basic export — all objects in a domain:
This exports every object in the current domain to a file called export.csv.
Export a specific OU:
The -d flag sets the base distinguished name (DN) for the search. Only objects in that OU and its children are exported.
Filter by object class:
The -r flag accepts an LDAP filter. This example exports only user objects.
Select specific attributes:
The -l flag limits output to the listed attributes. Without it, Csvde exports all attributes, which produces cluttered reports with too many attributes for specific use cases.
Import from a CSV:
The -i flag switches to import mode. Without it, Csvde defaults to export.
Import against a specific domain controller:
The -s flag points the command at a specific DC.
Quiet mode:
The -q flag is useful when running Csvde from scripts where you don't need interactive output.
Supported parameters for Csvde
You can use the following parameters with Csvde to fine-tune your AD import and export operations.
| Switch | Mode | Description |
|---|---|---|
| -f <file> | Both | Specifies the CSV file path (required). |
| -i | Import | Runs in import mode. Without this flag, Csvde defaults to export. |
| -d <DN> | Export | Sets the LDAP search base (e.g., OU=Sales,DC=contoso,DC=com). |
| -r <filter> | Export | LDAP search filter (e.g., (objectClass=user) or (department=Finance)). |
| -l <attrs> | Export | Comma-separated list of attributes to include in the output. Omitting this switch exports all attributes. |
| -s <server> | Both | Targets a specific domain controller instead of the default DC. |
| -t <port> | Both | Specifies a non-default LDAP port (default: 389; use 636 for LDAPS). |
| -j <logpath> | Both | Writes a log file to the specified path for auditing and troubleshooting. |
| -n | Export | Omits binary attribute values from export output. |
| -k | Import | Ignores constraint violations and object-already-exists errors, continuing with remaining rows. |
CSVDE file format
A CSVDE file is a plain-text CSV where the first row defines attribute names and each subsequent row is one AD object. Here's a minimal user creation example:
A few things to know about the CSVDE file format:
- Row 1 is always the header row and must include DN and objectClass as the minimum columns.
- Attribute names in the header must be valid LDAP attribute names (e.g., sAMAccountName, givenName, mail, department).
- Multi-valued attributes are not natively supported in a single cell. Each value requires a separate row with the same DN, which CSVDE handles internally on export but which can cause confusion on import.
- Binary attributes (objectGUID, objectSid) are base64-encoded in export output.
- Special characters in attribute values (commas, quotes, line breaks) must be properly escaped per CSV conventions. A value containing a comma must be wrapped in double quotes. A value containing a double quote must use "" to escape it.
How to use Csvde to create users in Active Directory
The steps below cover a complete Csvde bulk user creation workflow.
Step 1: Prepare your CSV file
Open a text editor or Excel and create a file with at least these columns:
Add one row per user. Make sure the DN value points to an OU that already exists in your directory. Save the file as .csv with UTF-8 encoding. If your editor adds a BOM (byte-order mark), remove it. Csvde can fail when a BOM is present.
Step 2: Run a test export first
Before any import, export a sample of existing users from the target OU. This shows you the exact attribute format and DN structure Csvde expects in your environment:
Open the output and compare it against your import file. The formatting should match.
Step 3: Test with a single row
Create a test CSV with one user and run it against a nonproduction OU or lab domain first:
csvde -i -f testuser.csv
Confirm the object appears in Active Directory Users and Computers (ADUC) before scaling up.
Step 4: Run the full import
Once you're satisfied the format is correct:
Csvde outputs the number of entries added and the number of errors. For any failed rows, check the output for the specific DN that caused the problem.
Step 5: Enable accounts and set passwords
Every user created by Csvde is disabled. Use PowerShell to enable accounts and set initial passwords:
If you want users to change their password at first logon, set the ChangePasswordAtLogon attribute to true in the same script.
Common Csvde errors and how to fix them
"The server is unwilling to process the request"
Usually a schema constraint violation—an attribute value that doesn't match the expected type or length. Check the objectClass value and any multi-value attributes in the failing row.
"There is no such object on the server"
The DN in your CSV points to a container or OU that doesn't exist in AD. Create the OU first, then rerun the import.
"The object already exists"
Csvde can't update existing objects. If the CN and OU in your DN match an existing object, the import fails for that row. Remove the conflicting rows or switch to L DIFDE 's modify operation.
"Csvde failed with error code 87 (The parameter is incorrect)"
Common when the CSV file has a BOM prefix, unexpected line endings (Windows versus Unix), or incorrect encoding. Open the file in an editor that shows encoding and resave as UTF-8 without BOM.
Limitations of Csvde
Csvde works well for specific narrow tasks like bulk user creations, but it has constraints that affect most production scenarios.
It cannot modify existing objects. If you run an import and an object with the same DN already exists in AD, the operation fails for that row. You can't use Csvde to update an attribute on an existing user.
It cannot set passwords. User accounts created by Csvde are always created disabled, with no password. You need a separate process to enable the account and set the password, which means Csvde alone is never enough for a complete provisioning workflow.
There is no rollback. If your CSV contains an error—a malformed DN, a missing required attribute, or a value that violates a schema constraint—Csvde imports as many rows as it can and skips the rest. There's no built-in undo, and you have to track down and clean up partial imports manually.
There's no preimport validation. Csvde doesn't check your file against the AD schema before running. Errors appear row by row during the import, which makes debugging large files slow.
How ManageEngine ADManager Plus handles bulk AD imports
ADManager Plus, an AD management and reporting solution, provides a web-based CSV import workflow that covers everything Csvde does, plus the things it can't.
- Manage the complete AD life cycle to create, modify, and delete users, groups, contacts, computers, and OUs in bulk via CSV, with initial passwords set and accounts enabled in the same run.
- Use user creation and modification templates to prefill standard attributes and standardize bulk updates across any number of accounts.
- Generate 200+ prebuilt AD reports on users, groups, GPOs, computers, and logon activity, and export them in CSV, PDF, HTML, XLSX, and CSVDE formats on a schedule.
- Delegate AD tasks to help desk technicians with roles scoped to specific OUs—no domain admin rights or RSAT installation required.
- Automate user provisioning when a new record appears in an HR system or a life cycle event fires, with no CSV file required.
- Run Identity risk assessments that score your AD environment (0-100) and surfaces severity-rated risk indicators—including privilege misconfigurations that bulk-imported accounts can introduce—and act on findings without switching tools.
FAQ
1. What is Csvde?
Csvde stands for Comma Separated Value Directory Exchange. It is a Windows Server command-line utility for importing and exporting AD objects using CSV-formatted files.
2. Can Csvde modify existing AD objects?
No. Csvde can only create new objects or export existing ones. If you try to import a CSV row for an object that already exists in AD, the operation returns an "Already Exists" error. Modifying attributes on existing objects requires LDIFDE or PowerShell.
3. Can Csvde import Active Directory passwords?
No. Csvde cannot import or export passwords. User accounts created via CSVDE import are disabled and have no password set. Administrators must enable accounts and assign passwords separately after the import completes.
4. What is the difference between Csvde and LDIFDE?
Csvde and LDIFDE are built-in Windows Server tools for bulk AD operations. Csvde can only create new objects. LDIFDE uses the LDIF format and can create, modify, and delete objects, with full support for multi-valued attributes. If you need to update or remove existing AD objects, you need LDIFDE.
