LDIFDE Assistance requested

Milt · Feb 15, 2004

Greetings: I am trying to populate a Windows 2000 AD
using either the CSVDE or LDIFDE. It doesn't matter which
I use as long as the tool performs as necessary.
The AD has been established with a domain name.
Using either tool, I have been able to create OUs,
nested OUs, security groups, and User accounts. The
security groups can be placed in the appropriate OU or
nested OU using the LDIFDE utility tool. The users are
placed in the Users container using the LDIFDE utility
tool. The problem that I'm having is using the tool to
add the users from the Users container into the security
group(s) in the OUs.
Here is the LDIFDE syntax example that is being used.
The aim is to add the user 'Frank S. Sinatra' to the
ExecOfficers security group within the ExecOffices OU.

dn: CN=Frank S. Sinatra,CN=Users,DC=mydomain,DC=edu
Changetype: add
memberof:
CN=ExecOfficers,OU=ExecOffices,DC=mydomain,DC=edu
distinguishedName:
CN=Frank S. Sinatra,CN=Users,DC=mydomain,DC=edu
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=mydomain,dc=edu
objectClass: user
sAMAccountName: fssinatra
userPrincipalName: (e-mail address removed)

The command line systax for importing the file works fine
until I get to the part of the ldf file where I want to
modify the security group.

Any assistance or suggestions would be greatly
appreciated. regards, milt
..

Al Dunbar [MS-MVP] · Feb 15, 2004

Milt said:
Greetings: I am trying to populate a Windows 2000 AD
using either the CSVDE or LDIFDE. It doesn't matter which
I use as long as the tool performs as necessary.
The AD has been established with a domain name.
Using either tool, I have been able to create OUs,
nested OUs, security groups, and User accounts. The
security groups can be placed in the appropriate OU or
nested OU using the LDIFDE utility tool. The users are
placed in the Users container using the LDIFDE utility
tool. The problem that I'm having is using the tool to
add the users from the Users container into the security
group(s) in the OUs.
Here is the LDIFDE syntax example that is being used.
The aim is to add the user 'Frank S. Sinatra' to the
ExecOfficers security group within the ExecOffices OU.

dn: CN=Frank S. Sinatra,CN=Users,DC=mydomain,DC=edu
Changetype: add
memberof:
CN=ExecOfficers,OU=ExecOffices,DC=mydomain,DC=edu
distinguishedName:
CN=Frank S. Sinatra,CN=Users,DC=mydomain,DC=edu
objectCategory:
CN=Person,CN=Schema,CN=Configuration,DC=mydomain,dc=edu
objectClass: user
sAMAccountName: fssinatra
userPrincipalName: (e-mail address removed)

The command line systax for importing the file works fine
until I get to the part of the ldf file where I want to
modify the security group.

Any assistance or suggestions would be greatly
appreciated. regards, milt

"Memberof" is a "courtesy" attribute. Each security group contains a list of
its members, however the members do not contain a list of their memberships
(that would increase the size of each user object, would it not, as well as
result in the storage of redundant information. Further, this would open up
the possibility of discrepancies between the info the groups have and the
info their members have.

Have you ever been an OU admin and tried to modify the group memberships of
a user newly transferred from an OU where you have no admin privs? Did you
not notice that if the group in question belongs to the other OU, it is the
admin of that OU that can remove the user, even though he has not admin
privs over your user?

Another way to look at it is that, when used in a security context, it is
the group that is trusted, not its members.

Anyways, getting back to your question, all you need to do is to use ldifde
to update the security group with a new set of "members".

/Al

Guest · Feb 16, 2004

Al: Your tutuorial makes perfect sense. Thanks for your
time and efforts. milt

milt · Feb 16, 2004

Al: Your tutorial sent me in a direction where I had not
been. Can you direct me to where I can find the LDIFDE
syntax. All of the examples that I can find in TechNet
uses syntax such as:
changetype: add or modify
replace: textstring1

I have tried:
dn: CN=ExecOfficers,OU=ExecOffices,DC=mydomain,DC=edu
changetype: modify
add: (e-mail address removed);[email protected]
sAMAccountName:Execofficers

Since I'm not replacing anything in the groups because the
groups do not hold any accounts there must be other syntax
strings. That is why the question of where to find other
syntax. Thanks in advance for your time and energy. milt

Al Dunbar [MS-MVP] · Feb 17, 2004

I have only used CSVDE to add members to groups (distribution lists), and
have dabbled with ldifde upload only marginally, but here goes...

milt said:
Al: Your tutorial sent me in a direction where I had not
been. Can you direct me to where I can find the LDIFDE
syntax. All of the examples that I can find in TechNet
uses syntax such as:
changetype: add or modify
replace: textstring1

I have tried:
dn: CN=ExecOfficers,OU=ExecOffices,DC=mydomain,DC=edu
changetype: modify
add: (e-mail address removed);[email protected]
sAMAccountName:Execofficers

First step would be, I think, to add two users to one of your groups and
then do an LDIFDE export to see what that looks like. You will then find
that the changetype: modify must be followed by some indication of which
group attribute it is that you want to change, i.e. "member". I would expect
something more like the following:

DN: <as above>
changetype: modify
replace: member
member: DN of first member: DN of second member: DN of third member
-
<a blank line!>

Here is an example I found that illustrates this:
dn: CN=Vancouver Users,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local
changetype: modify
replace: member
member: CN=Sales,OU=Vancouver,OU=LTI,DC=lantrainers,
DC=localmember: CN=Engineers,OU=Vancouver,OU=LTI,
DC=lantrainers,DC=localmember:CN=Marketing,OU=Vancouver,
OU=LTI,DC=lantrainers,DC=local
member: CN=Production,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local
-Note that the "" symbol means that the line it precedes is actually part of
the previous line.

/Al

Al Dunbar [MS-MVP] · Feb 17, 2004

Sorry, my last response was messed up because of the inclusion of a small
symbol in .gif format in the text. I will try to clean it up to make sense
below...

Al Dunbar said:
I have only used CSVDE to add members to groups (distribution lists), and
have dabbled with ldifde upload only marginally, but here goes...

First step would be, I think, to add two users to one of your groups and
then do an LDIFDE export to see what that looks like. You will then find
that the changetype: modify must be followed by some indication of which
group attribute it is that you want to change, i.e. "member". I would expect
something more like the following:

DN: <as above>
changetype: modify
replace: member
member: DN of first member: DN of second member: DN of third member
-
<a blank line!>

Here is an example I found that illustrates this:

dn: CN=Vancouver Users,OU=Vancouver,OU=LTI,DC=lantrainers,DC=local
changetype: modify
replace: member
member: CN=Sales,OU=Vancouver,OU=LTI,DC=lantrainers,
DC=localmember: CN=Engineers,OU=Vancouver,OU=LTI,
DC=lantrainers,DC=localmember:CN=Marketing,OU=Vancouver,
OU=LTI,DC=lantrainers,DC=localmember:
CN=Production,OU=Vancouver,OU=LTI,DC=lantrainers,DC=localmember
-

Note that everything from "member:" above to the line just above the one

with the "-" is actually a single line in the .ldf file.

CSVDE and LDIFDE	1	Feb 13, 2004
Echo does not return variables	0	Nov 25, 2011
Export all OU in the forest using LDIFDE	1	Nov 17, 2008
Contact Modification w/ LDIFDE	2	Aug 2, 2004
LDIFDE export group membership with sAMAccountName	4	Jan 12, 2006
CSVDE Utility	2	Feb 10, 2004
Exporting Excel Sheet With Additional Info Added To A Text File	1	Jul 11, 2008
Getting a comma in a Distinguished Name using LDIFDE	5	Oct 17, 2004

LDIFDE Assistance requested

Milt

Al Dunbar [MS-MVP]

Guest

milt

Al Dunbar [MS-MVP]

Al Dunbar [MS-MVP]

Ask a Question

Similar Threads