原始链接:
LDIFDE - Export / Import data from Active Directory - LDIFDE commands
| Article ID | : | 555636 |
| Last Review | : | January 1, 1900 |
| Revision | : | 1.0 |
SUMMARY
LDIFDE is a robust utility. This utility enables you to import/export information from/to Active Directory. LDIFDE queries any available domain controller to retrieve/update AD information.
MORE INFORMATION
LDIFDE COMMANDS:
1. Command to export the user with a given name of SAM Account
ldifde -f exportuser.ldf -s computer_name -r (samaccountname=SAMLNAME)
2. Command to export Organizational Units:
Running this command exports all OUs except domain controllers into a file named ExportOU.ldf.
ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"
3. Export the User Accounts from the Source Domain
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.
4. Command to Import users from a LDF file:
ldifde -i -f Exportuser.ldf -s Server2
5. Exporting User Account attributes except attributes those can’t be imported: (Using –o switch)
This is another example filter that will export all User Account data except for the attributes that cannot be imported:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount, memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
Another Example: To export for any given SamAccountName:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount, memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
6. Exporting Objects from an Entire Forest (any given attribute will be exported with –i switch)
If you need to import everything from a forest you need to run LDIFDE command against Global Catalog server:
For example, to perform the export operation outlined against a GC, the LDIFDE command would be:
ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"
7. Simple Import of current domain: It will import only domain data NOT the Forest-Specific.
ldifde -i -f INPUT.LDF
8. Simple Export of current domain: It will export only domain related data NOT the Forest-Specific.
ldifde -f OUTPUT.LDF
9. Export of a domain with supplied credentials:
ldifde -m -f OUTPUT.LDF -b USERNAME DOMAINNAME -s SERVERNAME
-d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
-r "(objectClass=user)"
10. Exporting User or Person or Organizational Unit:
ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=clss_name)" -f users.txt
You'll notice a number of additional parameters here:
-v turns on verbose mode so that I could see the results
-d specifies the root of the search. While it was not required for this search, I included it to show you the format.
-p narrows the search to the subtree in question. The other options for the –p parameter are base and one level.
-r is used in the example with a parameter of “(objectClass=person)”. This parameter specifies the LDAP filter to use for LDIFDE. In my case, I wanted only people, so I chose an objectClass of "person."
11. A Simple VBScript to change a user’s password: You can also modify strUser and strOU value:
strUser = InputBox("Enter full name of user")
strOU = InputBox("Enter OU where user's account resides")
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")
objUser.SetPassword "password"
MsgBox "Done!"
12. To change a user’s password using LDIFDE tool:
The following sample Ldif file (chPwd.ldif) changes a password to newPassword:
dn: CN=TestUser,DC=testdomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-
ldifde -i -f chPwd.ldif -t 636 -s dcname -b username domain password
13. Import Example user account entry with all required and optional fields:
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
accountExpires: 0
codePage: 0
cn: zach
countryCode: 0
displayName: Test User
instanceType: 4
logonHours::
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: user ------------ Required Attribute
name: User1
sAMAccountName: user1 ------------ Required Attribute
userAccountControl: 66048 ------------ This sets this account to be enabled
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z
whenCreated: 20001012214849.0Z
14. Sample Format for adding more than one user:
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
cn: user
objectClass: user ------------ Required Attribute
sAMAccountName: user1 ------------ Required Attribute
userAccountControl: 66048 ------------ This sets this account to be enabled
dn: CN=user2,CN=Users,DC=domain,DC=com
changetype: add
cn: user2
objectClass: user ------------ Required Attribute
sAMAccountName: user2 ------------ Required Attribute
userAccountControl: 66048 ------------ This sets this account to be enabled
15. Sample Import/Modify File Format:
dn: CN=Jane Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-
dn: CN=John Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-
And so on…..
1. Command to export the user with a given name of SAM Account
ldifde -f exportuser.ldf -s computer_name -r (samaccountname=SAMLNAME)
2. Command to export Organizational Units:
Running this command exports all OUs except domain controllers into a file named ExportOU.ldf.
ldifde -f exportOu.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(objectClass=organizationalUnit)" -l "cn,objectclass,ou"
3. Export the User Accounts from the Source Domain
ldifde -f Exportuser.ldf -s Server1 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
Running this command exports all users in the Export domain into a file named Exportuser.ldf. If you do not have all the required attributes, the import operation does not work. The attributes objectclass and samAccountName are required, but more can be added as needed.
4. Command to Import users from a LDF file:
ldifde -i -f Exportuser.ldf -s Server2
5. Exporting User Account attributes except attributes those can’t be imported: (Using –o switch)
This is another example filter that will export all User Account data except for the attributes that cannot be imported:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount, memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
Another Example: To export for any given SamAccountName:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount, memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
6. Exporting Objects from an Entire Forest (any given attribute will be exported with –i switch)
If you need to import everything from a forest you need to run LDIFDE command against Global Catalog server:
For example, to perform the export operation outlined against a GC, the LDIFDE command would be:
ldifde -f Exportuser.ldf -s Server1 -t 3268 -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,sAMAccountName"
7. Simple Import of current domain: It will import only domain data NOT the Forest-Specific.
ldifde -i -f INPUT.LDF
8. Simple Export of current domain: It will export only domain related data NOT the Forest-Specific.
ldifde -f OUTPUT.LDF
9. Export of a domain with supplied credentials:
ldifde -m -f OUTPUT.LDF -b USERNAME DOMAINNAME -s SERVERNAME
-d "cn=users,DC=DOMAINNAME,DC=Microsoft,DC=Com"
-r "(objectClass=user)"
10. Exporting User or Person or Organizational Unit:
ldifde -v -s w2ks -d "dc=slowe,dc=com" -p subtree -r "(objectClass=clss_name)" -f users.txt
You'll notice a number of additional parameters here:
-v turns on verbose mode so that I could see the results
-d specifies the root of the search. While it was not required for this search, I included it to show you the format.
-p narrows the search to the subtree in question. The other options for the –p parameter are base and one level.
-r is used in the example with a parameter of “(objectClass=person)”. This parameter specifies the LDAP filter to use for LDIFDE. In my case, I wanted only people, so I chose an objectClass of "person."
11. A Simple VBScript to change a user’s password: You can also modify strUser and strOU value:
strUser = InputBox("Enter full name of user")
strOU = InputBox("Enter OU where user's account resides")
Set objUser = GetObject("LDAP://CN=" & strUser & ",OU=" & strOU & ",DC=testdomain,DC=local")
objUser.SetPassword "password"
MsgBox "Done!"
12. To change a user’s password using LDIFDE tool:
The following sample Ldif file (chPwd.ldif) changes a password to newPassword:
dn: CN=TestUser,DC=testdomain,DC=com
changetype: modify
replace: unicodePwd
unicodePwd::IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-
ldifde -i -f chPwd.ldif -t 636 -s dcname -b username domain password
13. Import Example user account entry with all required and optional fields:
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
accountExpires: 0
codePage: 0
cn: zach
countryCode: 0
displayName: Test User
instanceType: 4
logonHours::
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: user ------------ Required Attribute
name: User1
sAMAccountName: user1 ------------ Required Attribute
userAccountControl: 66048 ------------ This sets this account to be enabled
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z
whenCreated: 20001012214849.0Z
14. Sample Format for adding more than one user:
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
cn: user
objectClass: user ------------ Required Attribute
sAMAccountName: user1 ------------ Required Attribute
userAccountControl: 66048 ------------ This sets this account to be enabled
dn: CN=user2,CN=Users,DC=domain,DC=com
changetype: add
cn: user2
objectClass: user ------------ Required Attribute
sAMAccountName: user2 ------------ Required Attribute
userAccountControl: 66048 ------------ This sets this account to be enabled
15. Sample Import/Modify File Format:
dn: CN=Jane Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-
dn: CN=John Doe,OU=Staff,DC=microsoft,DC=com
changetype: modify
replace: extensionAttribute1
extensionAttribute1: Staff
-
And so on…..
APPLIES TO
| • | Microsoft Windows Server 2003, Datacenter Edition (32-bit x86) |
| • | Microsoft Windows 2000 Service Pack 1 |
| • | Microsoft Windows 2000 Service Pack 2 |
| • | Microsoft Windows 2000 Service Pack 3 |
| • | Microsoft Windows 2000 Service Pack 4 |
| • | Microsoft Windows 2000 Standard Edition |
| • | Microsoft Windows Server 2003, Standard Edition (32-bit x86) |
| • | Microsoft Windows Server 2003, Enterprise Edition (32-bit x86) |
Back to the top Keywords: | KB555636 |
577
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
