Using LDIFDE to Import and Export Groups

Guest

I have been able to export the groups in my domain using this command:

ldifde -f groupexport.ldf -s crpdc01 -t 3268 -d "dc=chomes,dc=com" -p
subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass"

I then edit the file to rename the domain name to the name of the domain I
want to import these groups to (A test domain in a test lab) and rename the
file to importgroups.ldf. When I try to import the file it fails. I get a
message that tells me on line 1 of my file there is a "Constraint Violation"
and then a "Server Side error message an attribute is missing"
I have been able to export and import my OU's and Users, but I am stuck
trying to figure out what attribute I need to add to my command to make my
import successful. Also, once this works, does anyone know how to export and
import the users into their groups?
 
Richard Mueller [MVP]

Howard said:
I have been able to export the groups in my domain using this command:

ldifde -f groupexport.ldf -s crpdc01 -t 3268 -d "dc=chomes,dc=com" -p
subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass"

I then edit the file to rename the domain name to the name of the domain I
want to import these groups to (A test domain in a test lab) and rename the
file to importgroups.ldf. When I try to import the file it fails. I get a
message that tells me on line 1 of my file there is a "Constraint Violation"
and then a "Server Side error message an attribute is missing"
I have been able to export and import my OU's and Users, but I am stuck
trying to figure out what attribute I need to add to my command to make my
import successful.

The attributes groupType and sAMAccountName are mandatory for group objects.
You only export cn and objectClass. When you create groups, you must specify
objectClass, cn, sAMAccountName, and groupType. I assume this is the
problem. Also, the sAMAccountName must be unique in the domain, and the cn
must be unique in the container/OU.

Also, once this works, does anyone know how to export and
import the users into their groups?

You can add the "member" attribute to the list. This is a collection of the
Distinguished Names of all direct members of the group. I have not imported
such a list, but I assume you can. I would use:

-l "cn,sAMAccountName,groupType,objectClass,member"
 
Guest

Richard Mueller said:
The attributes groupType and sAMAccountName are mandatory for group objects.
You only export cn and objectClass. When you create groups, you must specify
objectClass, cn, sAMAccountName, and groupType. I assume this is the
problem. Also, the sAMAccountName must be unique in the domain, and the cn
must be unique in the container/OU.

Also, once this works, does anyone know how to export and

You can add the "member" attribute to the list. This is a collection of the
Distinguished Names of all direct members of the group. I have not imported
such a list, but I assume you can. I would use:

-l "cn,sAMAccountName,groupType,objectClass,member"

dn: CN=TechnicalServices,OU=CorporateIS,DC=tchomes,DC=com
changetype: add
member: CN=John Smith,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
member: CN=Walter Jones,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
member: CN=Mark Johnson,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
member: CN=Bill Johnson,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
cn: TechnicalServices
groupType: -2147483646
objectClass: group
sAMAccountName: TechnicalServices

It fails on the first line. This time it says "Add Error on line 1 no such
object" Then goes on to say "Server side error the specified user does not
exist"

I'm a little confused. Technical Services is the name of the group I'm trying
to create. The rest of the DN is correct, the OU of corporateIS is there and
the domain is correct. Do I need to do two separate files, one where I just
create the groups, and the next one where I add the users to the group?
 
Glenn L

add "-j c:\" to the end of the ldifde import command.
The log file sometimes gives a better clue on where the script is failing.
 
Guest

I've been beating my head against the wall on a bunch of things, and hopefully
y'all in this thread can help me save at least a little of the plaster.

I was recently tasked with creating a test env on VPC that mirrored our
current production env.

I need to export and import the groups and users.

I have 5000+ users and 200+ groups with lots of nesting going on. All global
Groups.

I tried a quick LDIFDE and ran into issues.

I am wondering, with all the nesting, which items may be causing the import
issues. Members and Member of are the first items I can think of, i.e. a group is
failing to import because it says it is a member or has a member that has not
been imported yet.

This was an inherited env, and it's not exactly as I would have created it. I
have even found (and fixed) circular group memberships. There may be others I
haven't found.

ADMT is right out for many reasons regarding connectivity and security and
rights.

So in a nutshell, does anyone have a good way to copy all these objects
out and merge them into the new AD and preserve the group memberships? I
don't care about keeping in sync with the production env.
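
The two-file approach asked about earlier in the thread, which also removes the ordering dependency between nested groups raised in the last post, shown as an added example that is not code from any poster: pass 1 creates every group without member values, and pass 2 adds the members with `changetype: modify` once all users and groups exist. The function names and the `DC=lab,DC=example` records in `SAMPLE` are constructed for illustration; `memberOf` is dropped because it is a back-link the directory maintains itself.

```python
# Added example (not from the thread): split a group export into two import files.
SAMPLE = """\
dn: CN=TechSvcs,OU=Groups,DC=lab,DC=example
changetype: add
member: CN=HelpDesk,OU=Groups,DC=lab,DC=example
member: CN=Jane Doe,OU=Staff,DC=lab,DC=exa
 mple
cn: TechSvcs
groupType: -2147483646
objectClass: group
sAMAccountName: TechSvcs

dn: CN=HelpDesk,OU=Groups,DC=lab,DC=example
changetype: add
cn: HelpDesk
groupType: -2147483646
memberOf: CN=TechSvcs,OU=Groups,DC=lab,DC=example
objectClass: group
sAMAccountName: HelpDesk
"""  # constructed sample: one nested group, one folded (wrapped) DN

def entries(ldif):
    """Yield each record as a list of unfolded lines (a leading space continues a line)."""
    cur = []
    for raw in ldif.splitlines() + [""]:
        if raw.startswith(" ") and cur:
            cur[-1] += raw[1:]
        elif raw.strip() and not raw.startswith("#"):
            cur.append(raw)
        elif not raw.strip() and cur:
            yield cur
            cur = []

def two_pass(ldif):
    """Return (create_ldif, link_ldif): objects first, memberships second."""
    create, link = [], []
    name = lambda line: line.split(":", 1)[0].lower()  # also matches base64 "member::"
    for rec in entries(ldif):
        dn, attrs = rec[0], rec[1:]
        members = [a for a in attrs if name(a) == "member"]
        keep = [a for a in attrs if name(a) not in ("member", "memberof")]
        create.append("\n".join([dn] + keep))
        if members:
            link.append("\n".join([dn, "changetype: modify", "add: member"] + members + ["-"]))
    return "\n\n".join(create) + "\n\n", "\n\n".join(link) + "\n\n"

if __name__ == "__main__":
    create_ldif, link_ldif = two_pass(SAMPLE)
    print(create_ldif + link_ldif)
```

Write the two strings to separate files and import the first, then the second, each with `ldifde -i -f <file>`; every user named in a member value must already exist in the target domain before the second import.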
 
