Home/ Questions/Q 8229841
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-06-07T16:56:06+00:00

I have two domains. One production. One testing. There is no trust between the

  • 0

I have two domains. One production. One testing. There is no trust between the two.

I can import all user objects and group objects successfully using ldifde commands. When I attempt to also include group members in my export/import I can’t seem to successfully import.

Here are the variations I have tried:

Attempt 1:

file format:
dn: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
changetype: add
member: CN=USER1,OU=Users,OU=Managed,DC=dev,DC=net
member: CN=USER2,OU=Users,OU=Managed,DC=dev,DC=net

ldifde command used:
ldifde -i -k -f groupexp12072012-test.ldf -v

output:
Connecting to "DC"
Logging in as current user using SSPI
Importing directory from file "groupexp12072012-test.ldf"
Loading entries
1: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net

Add error on line 1: Object Class Violation
The server side error is "The object class attribute must be specified."
0 entries modified successfully.
An error has occurred in the program
No log files were written.  In order to generate a log file, please
specify the log file path via the -j option.

Attempt 2:
Added in the correct objectClass to my ldifde import file:

file format:
dn: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
changetype: add
objectClass: top
objectClass: group
member: CN=USER1,OU=Users,OU=Managed,DC=dev,DC=net
member: CN=USER2,OU=Users,OU=Managed,DC=dev,DC=net

ldifde command used:
ldifde -i -k -f groupexp12072012-test.ldf -v

output:
Connecting to "DC"
Logging in as current user using SSPI
Importing directory from file "groupexp12072012-test.ldf"
Loading entries
1: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
Entry already exists, entry skipped

0 entries modified successfully.

The command has completed successfully

Attempt 3:
Deleted the existing group object and used the same command and format as “Attempt 2”:

Connecting to "DC"
Logging in as current user using SSPI
Importing directory from file "groupexp12072012-test.ldf"
Loading entries
1: CN=Group-name,OU=Groups,OU=Managed,DC=dev,DC=net
Object does not exist, entry skipped

0 entries modified successfully.

So I’m stuck. Apparently ‘ldifde’ can be used to import group members – all my colleagues say it has never worked but I stumble upon MS articles that say otherwise;
http://social.technet.microsoft.com/Forums/nl/winserverDS/thread/089a3f3b-617f-4c66-a3fc-be543d97a612

Then I stumble on “5. LDIFDE doesn’t support changing Group Membership. You can use CSVDE or ADDUSERS.exe or DStools for Windows 2003 Editions.” here:
http://support.microsoft.com/kb/555634

Am I going crazy for no reason – will I ever succeed using ‘ldifde’?

edit: Yes, I was going crazy for no reason. One of my targeted users was actually in a different OU I was specifying for ‘ldifde’. Because of this, ‘ldifde’ would just give up and not add any members to the group.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Here is a way to add users to an existing group (ldifde -i -k -f AddGrpMember.ldf -v
    ):

    dn: CN=MonGrpSec,OU=MonOu,DC=dom,DC=fr
changeType: Modify
add: member
member: CN=jblanc,OU=MonOu,DC=dom,DC=fr
member: CN=Jean Paul Blanc,OU=MonOu,DC=dom,DC=fr
-

    Here is a way to create a new group with members (ldifde -i -k -f NewGrpWithMember.ldf -v
    ):

    dn: CN=NewGrpSec,OU=MonOu,DC=dom,DC=fr
changeType: Add
objectClass: top
objectClass: group
CN: NewGrpSec
member: CN=jblanc,OU=MonOu,DC=dom,DC=fr
member: CN=Jean Paul Blanc,OU=MonOu,DC=dom,DC=fr
    • 0