LDIFDE - Export / Import data from Active Directory - LDIFDE commands

Article ID: 555636
Author: Nirmal Sharma MVP

SUMMARY

LDIFDE is a robust utility. This utility enables you to import/export information from/to Active Directory. LDIFDE queries any available domain controller to retrieve/update AD information.

MORE INFORMATION

LDIFDE COMMANDS:
 
1. Command to export the user with a given SAM account name:
 
ldifde -f exportuser.ldf -s computer_name -r "(samaccountname=SAMLNAME)"
 
2. Command to export Organizational Units:
 
Running this command exports all OUs except domain controllers into a file named ExportOU.ldf. 
ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"
 
3. Export the User Accounts from the Source Domain
 
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.
 
4. Command to Import users from a LDF file:
 
ldifde -i -f Exportuser.ldf -s Server2
 
5. Exporting user account attributes except those that can't be imported (using the -o switch):
 
This is another example filter that will export all user account data except for the attributes that cannot be imported:
 
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
 
Another example: to export the user with a given sAMAccountName:
 
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(samAccountName=SAMLNAME))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
 
6. Exporting objects from an entire forest (any attribute given with the -l switch will be exported):
 
If you need to export everything from a forest, you need to run the LDIFDE command against a Global Catalog server.

For example, to perform the export operation outlined above against a GC, the LDIFDE command would be:
 
ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"
 
7. Simple import into the current domain: it imports only domain data, not forest-specific data.
 
ldifde -i -f INPUT.LDF
 
8. Simple export of the current domain: it exports only domain-related data, not forest-specific data.
 
ldifde -f OUTPUT.LDF 
 
9. Export of a domain with supplied credentials:
 
ldifde -m -f OUTPUT.LDF -b USERNAME DOMAINNAME * -s SERVERNAME -d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com" -r "(objectClass=user)"
 
10. Exporting User or Person or Organizational Unit:
 
ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=class_name)" -f users.txt
 
You'll notice a number of additional parameters here:
 
-v turns on verbose mode so that I could see the results.
 
-d specifies the root of the search. While it was not required for this search, I included it to show you the format.
 
-p narrows the search to the subtree in question. The other options for the -p parameter are base and onelevel.
 
-r is used in the example with a parameter of "(objectClass=person)". This parameter specifies the LDAP filter to use for LDIFDE. In my case, I wanted only people, so I chose an objectClass of "person."
 
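11. A simple VBScript to change a user's password (you can also modify the strUser and strOU values):
 
' Prompt for the user's CN and the OU that holds the account
strUser = InputBox("Enter full name of user")
strOU = InputBox("Enter OU where user's account resides")
' Bind to the user object by its distinguished name
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")
' Set the new password (here the literal string "password")
objUser.SetPassword "password"
MsgBox "Done!"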
 
12. To change a user's password using the LDIFDE tool:
 
The following sample LDIF file (chPwd.ldif) changes a password to newPassword:
dn: CN=TestUser,DC=testdomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-
 
ldifde -i -f chPwd.ldif -t 636 -s dcname -b username domain password
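
The unicodePwd value in chPwd.ldif is the new password wrapped in double quotes, encoded as UTF-16LE and then base64-encoded (the "::" marks a base64 value). The following Python sketch is an added example, not part of the original article; it reproduces that value and builds the change record, and its function names are assumptions chosen for illustration.

```python
import base64


def encode_unicode_pwd(password: str) -> str:
    """Return the base64 text that goes after 'unicodePwd::' in an LDIF file."""
    quoted = '"' + password + '"'          # the quotes are part of the value
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")


def decode_unicode_pwd(b64_value: str) -> str:
    """Inverse of encode_unicode_pwd; rejects values that are not quoted."""
    text = base64.b64decode(b64_value, validate=True).decode("utf-16-le")
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value is not wrapped in double quotes")
    return text[1:-1]


def ldif_dn_line(dn: str) -> str:
    """LDIF needs base64 ('dn::') when the DN is not a plain safe ASCII string."""
    safe = (dn.isascii() and dn.isprintable()
            and not dn.startswith((" ", ":", "<")) and not dn.endswith(" "))
    if safe:
        return "dn: " + dn
    return "dn:: " + base64.b64encode(dn.encode("utf-8")).decode("ascii")


def build_password_change(dn: str, new_password: str) -> str:
    """Build one 'changetype: modify' record in the layout of chPwd.ldif."""
    return "\n".join([
        ldif_dn_line(dn),
        "changetype: modify",
        "replace: unicodePwd",
        "unicodePwd::" + encode_unicode_pwd(new_password),
        "-",
        "",
    ])


if __name__ == "__main__":
    # Constructed sample: same DN and password as the article's chPwd.ldif.
    print(build_password_change("CN=TestUser,DC=testdomain,DC=com", "newPassword"))
```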
 
13. Example import of a user account entry with all required and optional fields:
 
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
accountExpires: 0
codePage: 0
cn: zach
countryCode: 0
displayName: Test User
instanceType: 4
logonHours:: ////////////////////////////
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
# Required attribute
objectClass: user
name: User1
# Required attribute
sAMAccountName: user1
# This sets this account to be enabled
userAccountControl: 66048
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z
whenCreated: 20001012214849.0Z
 
14. Sample Format for adding more than one user:
 
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
cn: user1
# Required attribute
objectClass: user
# Required attribute
sAMAccountName: user1
# This sets this account to be enabled
userAccountControl: 66048
 
dn: CN=user2,CN=Users,DC=domain,DC=com
changetype: add
cn: user2
# Required attribute
objectClass: user
# Required attribute
sAMAccountName: user2
# This sets this account to be enabled
userAccountControl: 66048
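
A pre-import check that ties together the rules stated above: every "add" record needs objectClass and sAMAccountName, the attributes in the -o list of example 5 cannot be imported, and userAccountControl decides whether the account is created enabled. This Python sketch is an added example, not part of the original article; the function names and the constructed sample input are assumptions, and the parser handles only plain "attr: value" lines (no base64 values or folded lines).

```python
# Attributes the article's example 5 passes to -o because they cannot be imported.
NOT_IMPORTABLE = {a.lower() for a in (
    "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,"
    "objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType").split(",")}
REQUIRED = {"objectclass", "samaccountname"}   # required per the article
UAC_FLAGS = {0x0002: "ACCOUNTDISABLE", 0x0020: "PASSWD_NOTREQD",
             0x0200: "NORMAL_ACCOUNT", 0x10000: "DONT_EXPIRE_PASSWORD"}

def parse_records(ldif_text):
    """Split LDIF text into records, each a dict of lower-cased attr -> values."""
    records, current = [], {}
    for line in ldif_text.splitlines() + [""]:   # trailing "" flushes the last record
        if not line.strip():                     # a blank line ends a record
            if current:
                records.append(current)
            current = {}
        elif not line.startswith("#") and ":" in line:
            attr, value = line.split(":", 1)
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return records

def decode_uac(value):
    """Names of the known userAccountControl bits set in a decimal value."""
    return [name for bit, name in sorted(UAC_FLAGS.items()) if int(value) & bit]

def lint_record(rec):
    """Findings for one 'changetype: add' record; other records are skipped."""
    if rec.get("changetype") != ["add"]:
        return []
    findings = ["missing required attribute: " + a for a in sorted(REQUIRED - set(rec))]
    findings += ["not importable: " + a for a in sorted(NOT_IMPORTABLE & set(rec))]
    for uac in rec.get("useraccountcontrol", []):
        flags = decode_uac(uac)
        if "ACCOUNTDISABLE" not in flags:
            findings.append("created enabled with flags " + "+".join(flags))
    return findings

def lint_text(ldif_text):
    """Map each record's DN to its list of findings."""
    return {rec.get("dn", ["?"])[0]: lint_record(rec) for rec in parse_records(ldif_text)}

# Constructed sample: user2 lacks sAMAccountName and carries an exported objectSid.
SAMPLE = ("dn: CN=user1,CN=Users,DC=domain,DC=com\nchangetype: add\nobjectClass: user\n"
          "sAMAccountName: user1\nuserAccountControl: 66048\n\n"
          "dn: CN=user2,CN=Users,DC=domain,DC=com\nchangetype: add\nobjectClass: user\n"
          "objectSid: S-1-5-21-0-0-0-1000\n")

if __name__ == "__main__":
    print(lint_text(SAMPLE))
```

The value 66048 used in the article decodes to NORMAL_ACCOUNT plus DONT_EXPIRE_PASSWORD, so the imported accounts are enabled and their passwords never expire.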
 
      
15. Sample Import/Modify File Format:
 
dn: CN=Jane Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-

dn: CN=John Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-
And so on…..
 

Properties

Article ID: 555636 - Last Review: June 6, 2006 - Revision: 1.0
APPLIES TO
  • Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
  • Microsoft Windows 2000 Service Pack 1
  • Microsoft Windows 2000 Service Pack 2
  • Microsoft Windows 2000 Service Pack 3
  • Microsoft Windows 2000 Service Pack 4
  • Microsoft Windows 2000 Standard Edition
  • Microsoft Windows Server 2003, Standard Edition (32-bit x86)
  • Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)