1. You can use LDIFDE to find any object. It may be a printer, a server, a computer, a user, a person. All these objects are identified with *ObjectClass=object_class_name (either printer or user or OU).
2. By default account is disabled when imported and also password is set to NULL.
3. To modify AD attribute you must put “-“ on a single line followed by a completely blank line on the next line. Please see the format below.
4. When a user is exported to LDF file, by default “changetype” is Add.
5. LDIFDE doesn’t support changing Group Membership. You can use CSVDE or ADDUSERS.exe or DStools for Windows 2003 Editions.
6. LDIFDE doesn’t support exporting Passwords.
7. By default “User must change password at next logon” attribute is selected.
8. LDIFDE doesn’t support importing Passwords. To change user’s password you need to convert from Plain Text to Base64 character. We can use a utility to convert from Plain Text to Base64.
9. Note that if no credentials are specified LDIFDE will use the currently logged on user’s credentials.
10. If you do an LDIFDE or CSVDE export, many of the attributes for user and group objects are owned by the system and cannot be re imported. Here's a trick. Run the export with the –m switch. This enables SAM Logic, which is another way of saying that the export skips the attributes that are owned by the system. This gives you a template to use when building your import files or spreadsheets.
11. You can also export all user accounts from a forest (including data from all domains). This requires that you run the LDIFDE command against a Global Catalog Server with –t switch to specify the port No.
12. You must place a “-“ and then a blank line very next followed by the “-“ for modify and change operation to work properly. Otherwise LDIFDE will fail!
13. Using the setting "userAccountControl: 66048" enables the newly created account. By default, an account is created disabled. Note that user account can’t be enabled with blank password if you have a complex password policy defined on the domain. So you’re first step is to change the password and then enable the account.
userAccountControl: 514 for disable account
14. There are more export-specific options but not Import. Note that while exporting user accounts/OU/person you can use –o with –I but you can’t use both the switches while importing the file to AD. This is because both the switches are export-specific.
15. The default mode is Export Mode. You need to specify –I to turn Import Mode on.
16. If you want to carry the line to next line then the first must be a space and then start new line.
17. If you do not specify a server when you use LDIFDE to export objects that are in the domain-naming context, LDIFDE searches for a global catalog server. When LDIFDE searches for a global catalog server, it may not use the domain of the object name or the user account that you specify to determine what global catalog server to connect to. LDIFDE may connect to a global catalog server that is in the same site as the client, but that is a member of a different domain in the forest. This global catalog server may not have all the required Active Directory attributes for the objects that you want to export. To work around this issue, use the -s server_name command-line option to specify a server when you use LDIFDE.
18. Ldifde sets password to blank unless you don’t have a complex password policy defined in your domain. Hence you can’t enable accounts with Blank Password.
19. Note that –o switch overrides –I switch if you plan to use both. Suppose you want to omit badPwdCount attribute from export and in the same command you specify –I switch to export this field. In this case attribute won’t be exported.
20. The contents of an object are on consecutive lines, starting with DN property. There must be an Empty Line if you want to perform an operation on another object.
21. Each property and its value must be on a separate line such as: givenname: dinesh. There should be a colon and a space.
22. DN property and its value must be placed at first line and any other property/value can be at any line.
23. Multiple values of a property should be on a separate line such as:
Otherhomephoneno: 512 513
Otherhomephoneno: 514 859
24. An empty value can be written by including only the property name with colon such as: sn:
25. A line that starts with pound (#) sign is a comment line.
26. Base64 Encoding works as follow:
a. The value to be encoded is divided into three-byte sections
b. Each 24-bit Section is divided into four 6-bit value
c. Each 6-bit value is mapped to one of the following 64 characters: uppercase alphabets A through Z, lowercase alphabets a through z, numbers 0 through 9, plus
sign (+), or slash (/).This results in a string of basic alphabets, numbers, and possibly some plus signs and slashes. If the number of bytes in the original value is not a
multiple of three, the encoded value will have one or two equals signs (=) at the end, so the number of characters is always a multiple of four.
27. LDIFDE exports only attributes those have their values in AD. It doesn’t export attributes those don’t have values. For example: if description is not defined for a user then it won’t export description attribute.
28. When exporting ONLY ONE USER, make sure you don’t have dash (-) after the end of file.
29. When a new user account is created, it is made member of Domain Users group by default.
30. LDIFDE doesn’t accept blank values. Do not include blank values in LDF files. You will see errors.
31. LDIFDE doesn’t accept space in value while exporting. For example if samaccountname is Jacson Sam then you should enclose it within the quotas.
- Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
- Microsoft Windows 2000 Service Pack 1
- Microsoft Windows 2000 Service Pack 2
- Microsoft Windows 2000 Service Pack 3
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows 2000 Standard Edition
- Microsoft Windows Server 2003, Standard Edition (32-bit x86)
- Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
|kbpubmvp kbpubtypecca kbhowto KB555634|