LDIFDE Import: userPassword returns blank

Steve Ireland

Users import successfully but password is blank rather than
'041401'...

(Windows 2000 Server SP4, Active Directory)

I am creating a batch of new user accounts for a college (students).
I am setting the Domain Policy to allow 0 length passwords, disable
encryption and password complexity (they were 'disabled' but are now
set to 'not configured'). Remember 0 passwords.

I have successfully created a batch of accounts in another domain/tree
using the same format of LDF file.

This format now successfully imports but the user password is blank.
That is, when I go to test the password, the password doesn't work,
but if I blank out the password, the login is successful. So the
import is creating the accounts with blank passwords.

As this worked before, I am not sure why it isn't working here in
this newly installed domain/tree.

Any idea why the password would be blanked out?
(I would have thought, if there were a problem, the import would just
fail.)

Below is an LDF entry in my file (without the *'s):
********************************************************
dn: CN=Martin Ivor Smith,OU=BD,OU=Students,DC=Dublin,DC=College
changetype: Add
accountExpires: 127700028000000000
streetAddress: City Avenue
codePage: 0
cn: Martin Ivor Smith
countryCode: 372
c: IE
department: Grad. Dip. Business Management 2004
description: Students City 2004 GDBM
displayName: Martin Ivor Smith
givenName: Martin Ivor
homeDirectory: \\ServerSTORAGE\Students$\MSmith
homeDrive: H:
instanceType: 4
l: Dun Laoghaire
distinguishedName: CN=Martin Ivor Smith,OU=BD,OU=Students,DC=Dublin,DC=College
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Dublin,DC=College
objectClass: user
physicalDeliveryOfficeName: City
postalCode: Co. Dublin
name: Martin Ivor Smith
sAMAccountName: MSmith
scriptPath: student-City.bat
st: Dublin
sn: Smith
telephoneNumber: 1800UNIVERSITY
co: IRELAND
userAccountControl: 640
userPassword: 041401
userPrincipalName: (e-mail address removed)
wWWHomePage: http://Students.dublin.ie/2004/MSmith

***********************************************************
 
Simon Geary

This sounds like the expected behaviour, you cannot export a user, complete
with password, and then add the user to another domain by importing it. The
password attribute is write-only so can only be changed for existing users
with ldifde, adding a new user complete with password won't work.
You probably require a 2 step process where you import all your users and
then use a second ldifde command to set the password. Have a read of this kb
http://support.microsoft.com/?id=263991
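
The second step of the two-step process described above, as an added example that is not part of the original thread: a Python generator for the "modify" LDIF that sets the password on accounts that already exist. It assumes Active Directory's unicodePwd attribute, whose value is the password in double quotes, encoded as UTF-16LE and then base64; the function names are hypothetical, and the DN and password are the ones from the question.

```python
import base64

def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")

def unicode_pwd_value(password: str) -> str:
    """AD expects the password wrapped in double quotes, encoded UTF-16LE."""
    return _b64(('"' + password + '"').encode("utf-16-le"))

def dn_line(dn: str) -> str:
    """LDIF needs base64 ('dn::') for non-ASCII DNs or unsafe first/last characters."""
    safe = (dn.isascii() and dn.isprintable()
            and dn[:1] not in ("", " ", ":", "<") and not dn.endswith(" "))
    return f"dn: {dn}" if safe else f"dn:: {_b64(dn.encode('utf-8'))}"

def password_modify_record(dn: str, password: str) -> str:
    """One 'changetype: modify' record replacing unicodePwd on an existing user."""
    if not password:
        # An empty value here would recreate the blank-password accounts
        # the thread is about, so fail loudly instead.
        raise ValueError(f"refusing to write an empty password for {dn}")
    return "\n".join([
        dn_line(dn),
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd:: {unicode_pwd_value(password)}",
        "-",
        "",
    ])

def build_password_ldif(accounts) -> str:
    """Join the records; each ends in '-' and is followed by a blank line."""
    return "\n".join(password_modify_record(dn, pw) for dn, pw in accounts)

# DN and password taken from the LDF entry in the question.
ACCOUNTS = [
    ("CN=Martin Ivor Smith,OU=BD,OU=Students,DC=Dublin,DC=College", "041401"),
]

if __name__ == "__main__":
    print(build_password_ldif(ACCOUNTS), end="")
```

A domain controller accepts unicodePwd writes only over an encrypted LDAP connection (LDAPS, port 636), so the second import has to target that port. The generated file holds every password in trivially reversible base64, so restrict access to it and delete it once the import has run.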
 
Cary Shultz [A.D. MVP]

Steve,

Not sure that you can do this....as Simon suggested. When you use ldifde to
create user account objects ( a nice way to do sometimes ) you can not
really include the password for the user account object. Well, you can but
it is really rather complicated. Looking at the .ldf file that you included
I can tell you right now that it will not work!

If you need to include the password with the creation of the user account
object then you might want to look at addusers.exe. This is a simple text
file that has eight fields that can be included, one of which it the
password.

Pardon the most probably placement of things but to create a user account
object for Cary Shultz with the password of 'mysecret' as well as a user
account object for Steve Ireland with the password of 'yoursecret' the file
would look something like this:

[users]
cshultz,Cary Shultz,mysecret,,,,,,
sireland,Steve Ireland,yoursecret,,,,,,

Doing a simple google search gave me a bunch of hits. Here is an article
that briefly describes how it works followed by a Microsoft Knowledgebase
Article:

http://www.windowsitpro.com/Windows/Article/ArticleID/3073/3073.html
http://support.microsoft.com/default.aspx?scid=kb;en-us;199878

You could use this to create your user account objects. Well, you are
thinking, this does a little bit of the whole process. Now what do I do for
the rest?

Well, you could use ldifde to do the rest ( using modify ) but that can get
a bit tedious. I used to use ldifde to do this sort of thing but it can
take a little bit of time to get that .ldf file ready - even with all of the
tricks - . So, take a look at ADModify. This is a super duper tool!

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com
 
Cary Shultz [A.D. MVP]

Can't really type anymore....

At the end of the second paragraph it should read "...included, one of which
IS the password", not 'it the password'.

In the beginning of the third paragraph it should read "...probable
incorrect placement...", not 'most probably placement'.

--
Cary W. Shultz
Roanoke, VA 24014
Microsoft Active Directory MVP

http://www.activedirectory-win2000.com
http://www.grouppolicy-win2000.com



 
Steve Ireland

Thank you for the replies.

I was sure that I got this to work before, but every time
I do an import it's like re-inventing the wheel. I always
have to start from scratch. It is very possible that I
ended up using Addusers the last time.

I've gone ahead with blank passwords. It's the only
practical solution.

Still I'll keep an eye out for a possible in the future. I
still feel in the back of my mind that the userPassword
option worked for me before. You know, it's one of those
niggling feelings....
 
Joe Richards [MVP]

Err nope, it was never to export clear text passwords like that, they aren't
normally stored in AD in clear text.

joe
 
