Mark,
Moved from Downey, CA to Roanoke, VA about 18 months ago. Spent some time
in Riverside and the area. How are things out there? I bet hot as you know
what!
Anyway, to answer your questions:
Ldifde is a really great tool. You can do a lot with it. There are some
other tools out there now that might be a bit more useful but if you have a
good understanding of how to use ldifde then you are ahead of the game. I
will say that it can be a bit frustrating in the beginning as the syntax is
a bit unforgiving!
Anyway, try this:
Go to one of the DCs and enter at a command prompt "ldifde -f users.ldf" -
without the quotes - and then go to that file and look at the contents. You
will have to open it up with Notepad ( not WordPad or Word or anything
else! ). Go ahead and look at the attributes of a specific user account
object and then look at the associated values.
I do not know the setup of your AD environment so I am going to stipulate a
couple of things here:
All of your student user account objects are located in the default USERS
container.
All of the faculty user account objects are located in an Organizational
Unit called STAFF
All of the computer account objects are located in the default COMPUTERS
container.
This is probably not how you would really do things. I am doing this to
make things more clear for you in terms of ldifde....
So, let's say that you want to know the Department of each faculty member.
Provided that there has been a value entered for this attribute then we can
figure this out using ldifde in this manner:
ldifde -f department.ldf -s w2kserver01 -t 389 -d
"OU=Staff,DC=rcc,DC=org" -r
"(&(objectCategory=person)(objectClass=user))" -l "DN,department"
Now, what in the world is all of this gobbledygook?
We do not need to tell ldifde that we are doing an export and not an import
as it defaults to export.
The "-f department.ldf" is telling ldifde to create a file called
department.ldf
The "-s w2kserver01" is telling ldifde to do all of this on 'w2kserver01' -
you would replace that with the name of the DC of your choice
The "-t 389" is telling ldifde to do this on ldap port 389 ( the default )
The "-d "OU=Staff,DC=rcc,DC=org"" is telling ldifde to look at only that
Organizational Unit. We are sorta limiting or restricting where it looks to
minimize ( or concentrate ) on this 'area'
The "-r "(&(objectCategory=person)(objectClass=user))"" is telling ldifde to
only consider any account object that meets those two attributes/values. We
would only be looking at user account objects, in this case. There should
not be any computer account objects or groups or anything else.
The "-l "DN,department"" is limiting the content of the output file to only
these two attributes. So, we would see the Distinguished Name of each user
and the department. An example of a Distinguished Name would be "DN:
CN=Cary Shultz,OU=STAFF,DC=rcc,DC=org".
Let's look at another example. Say that you want only the first and last
name of each of the Students. Here is what you would enter....
ldifde -f firstlastname.ldf -s w2kserver01 -t 389 -d
"CN=Users,DC=rcc,DC=org" -r
"(&(objectCategory=person)(objectClass=user))" -l "DN,givenName,sn"
Let's look at one last example. Say that you want to know at what Service
Pack level all of your computer systems are.
Here is what you would have to enter:
ldifde -f servicepack.ldf -s w2kserver01 -t 389 -d
"CN=Computers,DC=rcc,DC=org" -r "(objectClass=computer)" -l
"DN,sAMAccountName,operatingSystem,operatingSystemVersion,operatingSystemSer
vicePack"
I hope that this is helping you. It is a lot to digest at once.
Are you able to get the information that you need using my examples as a
guide?
HTH,
Cary
