Using LDIFDE to Import and Export Groups

Guest
Archived from groups: microsoft.public.win2000.active_directory

I have been able to export the groups in my domain using this command:

ldifde -f groupexport.ldf -s crpdc01 -t 3268 -d "dc=chomes,dc=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass"

I then edit the file to rename the domain name to the name of the domain I
want to import these groups to (A test domain in a test lab) and rename the
file to importgroups.ldf. When I try to import the file it fails. I get a
message that tells me on line 1 of my file there is a "Constraint Violation"
and then a "Server Side error message an attribute is missing"
I have been able to export and import my OU's and Users, but I am stuck
trying to figure out what attribute I need to add to my command to make my
import successful. Also, once this works, does anyone know how to export and
import the users into their groups?
 
Guest

Howard Goldstein wrote:

> I have been able to export the groups in my domain using this command:
>
> ldifde -f groupexport.ldf -s crpdc01 -t 3268 -d "dc=chomes,dc=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass"
>
> I then edit the file to rename the domain name to the name of the domain I
> want to import these groups to (A test domain in a test lab) and rename the
> file to importgroups.ldf. When I try to import the file it fails. I get a
> message that tells me on line 1 of my file there is a "Constraint Violation"
> and then a "Server Side error message an attribute is missing"
> I have been able to export and import my OU's and Users, but I am stuck
> trying to figure out what attribute I need to add to my command to make my
> import successful.

The attributes groupType and sAMAccountName are mandatory for group objects.
You only export cn and objectClass. When you create groups, you must specify
objectClass, cn, sAMAccountName, and groupType. I assume this is the
problem. Also, the sAMAccountName must be unique in the domain, and the cn
must be unique in the container/OU.

> Also, once this works, does anyone know how to export and
> import the users into their groups?

You can add the "member" attribute to the list. This is a collection of the
Distinguished Names of all direct members of the group. I have not imported
such a list, but I assume you can. I would use:

-l "cn,sAMAccountName,groupType,objectClass,member"

--
Richard
Microsoft MVP Scripting and ADSI
Hilltop Lab web site - http://www.rlmueller.net
--
 
Guest

"Richard Mueller [MVP]" wrote:

> Howard Goldstein wrote:
>
> > I have been able to export the groups in my domain using this command:
> >
> > ldifde -f groupexport.ldf -s crpdc01 -t 3268 -d "dc=chomes,dc=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,objectclass"
> >
> > I then edit the file to rename the domain name to the name of the domain I
> > want to import these groups to (A test domain in a test lab) and rename the
> > file to importgroups.ldf. When I try to import the file it fails. I get a
> > message that tells me on line 1 of my file there is a "Constraint Violation"
> > and then a "Server Side error message an attribute is missing"
> > I have been able to export and import my OU's and Users, but I am stuck
> > trying to figure out what attribute I need to add to my command to make my
> > import successful.
>
> The attributes groupType and sAMAccountName are mandatory for group objects.
> You only export cn and objectClass. When you create groups, you must specify
> objectClass, cn, sAMAccountName, and groupType. I assume this is the
> problem. Also, the sAMAccountName must be unique in the domain, and the cn
> must be unique in the container/OU.
>
> > Also, once this works, does anyone know how to export and
> > import the users into their groups?
> >
>
> You can add the "member" attribute to the list. This is a collection of the
> Distinguished Names of all direct members of the group. I have not imported
> such a list, but I assume you can. I would use:
>
> -l "cn,sAMAccountName,groupType,objectClass,member"
>
> --
> Richard
> Microsoft MVP Scripting and ADSI
> Hilltop Lab web site - http://www.rlmueller.net
> --

I was able to export the group information. This is what the first entry looks like:

dn: CN=TechnicalServices,OU=CorporateIS,DC=tchomes,DC=com
changetype: add
member: CN=John Smith,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
member: CN=Walter Jones,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
member: CN=Mark Johnson,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
member: CN=Bill Johnson,OU=TechSvcs,OU=CorporateIS,DC=tchomes,DC=com
cn: TechnicalServices
groupType: -2147483646
objectClass: group
sAMAccountName: TechnicalServices

It fails on the first line. This time it says "Add Error on line 1 no such
object". Then it goes on to say "Server side error the specified user does not
exist".

I'm a little confused. Technical Services is the name of the group I'm trying
to create. The rest of the DN is correct, the OU of corporateIS is there and
the domain is correct. Do I need to do two separate files, one where I just
create the groups, and the next one where I add the users to the group?
 
Guest

add "-j c:\" to the end of the ldifde import command.
The log file sometimes gives a better clue on where the script is failing.


--
Glenn L

CCNA, MCSE (2000,2003) + Security
 
Guest

I've been beating my head against the wall on a bunch of things, and hopefully
y'all in this thread can help me save at least a little of the plaster.

I was recently tasked with creating a test env on VPC that mirrored our
current production env.

I need to export and import the groups and users.

I have 5000+ users and 200+ groups with lots of nesting going on. All global
Groups.

I tried a quick LDIFDE and ran into issues.

I am wondering, with all the nesting, which items may be causing the import
issues. Members and Member of are the first items I can think of, i.e. a group is
failing to import because it says it is a member or has a member that has not
been imported yet.

This was an inherited env, and it's not exactly as I would have created it. I
have even found (and fixed) circular group memberships. There may be others I
haven't found.

ADMT is right out for many reasons regarding connectivity and security and
rights.

So in a nutshell, does anyone have a good way to copy all these objects
out and merge them into the new AD and preserve the group memberships? I
don't care about keeping in sync with the production env.
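
The two failures raised in this thread (an add rejected because a member DN does not exist yet, and nested groups that reference groups not yet imported) can both be avoided by importing in two passes: create every group without its member values, then add the members with a modify operation. The following is an added example, not code from any poster in the thread; it checks each exported entry for the four attributes named in the reply above and splits the export into the two files. The DNs, the example.test domain and the function names are constructed for illustration, and the first line of each entry is assumed to be its dn: line.

```python
import re
REQUIRED = ("objectclass", "cn", "samaccountname", "grouptype")  # per the reply above
# Constructed sample export; the DNs and the example.test domain are made up.
SAMPLE = """\
dn: CN=TechnicalServices,OU=CorporateIS,DC=example,DC=test
changetype: add
member: CN=John Smith,OU=TechSvcs,OU=CorporateIS,DC=example,DC=test
member: CN=HelpDesk,OU=CorporateIS,DC=example,DC=test
cn: TechnicalServices
groupType: -2147483646
objectClass: group
sAMAccountName: TechnicalServices

dn: CN=HelpDesk,OU=CorporateIS,DC=example,DC=test
changetype: add
cn: HelpDesk
groupType: -2147483646
objectClass: group
sAMAccountName: HelpDesk

dn: CN=Printers,OU=CorporateIS,DC=example,DC=test
changetype: add
cn: Printers
objectClass: group
"""

def attr(line):  # attribute name of an LDIF line, lower-cased
    return line.split(":", 1)[0].strip().lower()

def parse_entries(text):
    """Unfold wrapped lines, then split on blank lines into lists of lines."""
    text = re.sub(r"\r?\n ", "", text)
    blocks = re.split(r"(?:\r?\n){2,}", text.strip())
    entries = [[l for l in b.splitlines() if not l.startswith("#")] for b in blocks]
    return [e for e in entries if e and attr(e[0]) == "dn"]

def split_two_pass(text):
    """Return (create_ldif, members_ldif, problems) for a group export."""
    create, members, problems = [], [], []
    for entry in parse_entries(text):
        missing = [a for a in REQUIRED if a not in {attr(l) for l in entry}]
        if missing:                      # would be rejected on import; report it
            problems.append((entry[0], missing))
            continue
        create.append("\n".join(l for l in entry if attr(l) != "member"))
        mem = [l for l in entry if attr(l) == "member"]
        if mem:                          # pass 2: add members to an existing group
            members.append("\n".join([entry[0], "changetype: modify", "add: member", *mem, "-"]))
    return "\n\n".join(create) + "\n", "\n\n".join(members) + "\n", problems
```

Write the first string to one file and the second to another, then import them in that order with ldifde -i -f. The user objects named in the member lines must already exist in the target domain before the second file is imported.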