To create users in Active Directory Lightweight Directory Services (AD LDS), you must first import the optional user classes that are supplied with AD LDS into the AD LDS schema. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Understanding AD LDS Users and Groups.

To import the user classes that are supplied with AD LDS
  1. Open a command prompt.

  2. At the command prompt, type the following command, and then press ENTER:

    ldifde -i -f %windir%\adam\filename -s computername:port [-b username domain password] -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

    where filename represents the name of one of the .ldf files that is supplied with AD LDS, computername:port represents the computer name and port number of an AD LDS instance, and username domain password represents the account with which to run the command.

    When you run this command, you should see results similar to the following:

    Connecting to "localhost"
    Logging in as current user using SSPI
    Importing directory from file "ms-user.ldf"
    Loading entries................................
    65 entries modified successfully.

    The command has completed successfully

Parameter   Description

-i          Performs an import.

-f          Specifies the file to import or export.

-s          Specifies the host name and port of the AD LDS instance.

-b          Specifies the security credentials to use during the operation.

-k          Continues the operation in the event of errors. Failed entries are skipped and recorded in the log rather than stopping the import.

-j          Writes the ldifde log files (ldif.log and ldif.err) to the specified directory, in this case the current (".") directory.

-c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
            Do not modify this string. The -c parameter replaces every occurrence of the first string in the .ldf file with the second string during import. The distinguished name that the supplied .ldf files use for the schema partition (CN=Schema,CN=Configuration,DC=X) is replaced with the distinguished name of the schema directory partition of your particular AD LDS instance; #schemaNamingContext is an ldifde constant that expands to the schemaNamingContext value read from the instance's RootDSE.

Replace ...                With ...

computername:port          The host name and port number of your AD LDS instance. You can use localhost for computername if you are administering the local computer.

username domain password   The user name, domain, and password of an account that is an AD LDS administrator for the instance.

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type the following command, and then press ENTER:

ldifde /?
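The procedure above, as an added PowerShell example (not code from this article or from Microsoft): it runs the same ldifde command for each of the supplied .ldf files, checks both the exit code and the ldif.err file that -j writes (so that the continue-on-error behaviour of -k does not hide failed entries), and then reads schemaNamingContext from RootDSE, which is the value the #schemaNamingContext constant expands to, to confirm that the Person, Organizational-Person, User and inetOrgPerson classes are present. The host name, port 389, the log directory under %TEMP% and the default file list are assumptions; adjust them to your instance.

```powershell
# Added example, not part of the original article: import the AD LDS
# user-class .ldf files with ldifde and then verify that the classes exist.
# Assumptions (not from the article): the instance answers on localhost, port
# 389 is a placeholder for your instance's port, and the account running the
# script is already an AD LDS administrator, so no -b credentials are passed
# and ldifde binds with SSPI as the current user.
param(
    [string]$Server = 'localhost',
    [int]$Port = 389,
    # Order matters: MS-UserProxyFull.LDF needs MS-User.LDF or
    # MS-InetOrgPerson.LDF to have been imported first.
    [string[]]$LdfFiles = @('MS-User.LDF', 'MS-InetOrgPerson.LDF')
)

$adamDir = Join-Path $env:windir 'adam'
$logRoot = Join-Path $env:TEMP 'adlds-schema-import'

# Passed verbatim, as the article requires; ldifde expands #schemaNamingContext
# to the schemaNamingContext of the target instance. Quoting keeps PowerShell
# from treating '#' as the start of a comment.
$placeholderDn = 'CN=Schema,CN=Configuration,DC=X'
$schemaToken   = '#schemaNamingContext'

foreach ($file in $LdfFiles) {
    $path = Join-Path $adamDir $file
    if (-not (Test-Path -LiteralPath $path)) { throw "Not found: $path" }

    # One log directory per file so ldif.log and ldif.err are not overwritten.
    $logDir = Join-Path $logRoot ([IO.Path]::GetFileNameWithoutExtension($file))
    New-Item -ItemType Directory -Path $logDir -Force | Out-Null

    & ldifde -i -f $path -s "${Server}:${Port}" -k -j $logDir -c $placeholderDn $schemaToken
    if ($LASTEXITCODE -ne 0) { throw "ldifde failed for $file (exit code $LASTEXITCODE)" }

    # -k tells ldifde to keep going past failed entries, so a zero exit code is
    # not proof of a clean import; an empty ldif.err in the log directory is.
    $errFile = Join-Path $logDir 'ldif.err'
    if ((Test-Path -LiteralPath $errFile) -and (Get-Item -LiteralPath $errFile).Length -gt 0) {
        Write-Warning "ldifde recorded errors for ${file}: see $errFile"
    }
}

# Verification: read schemaNamingContext from RootDSE (the same value the
# #schemaNamingContext constant expands to) and check that each class DN exists.
$rootDse  = [ADSI]"LDAP://${Server}:${Port}/RootDSE"
$schemaNC = [string]$rootDse.schemaNamingContext
$report = @{}
foreach ($class in 'Person', 'Organizational-Person', 'User', 'inetOrgPerson') {
    $classPath = "LDAP://${Server}:${Port}/CN=${class},${schemaNC}"
    $report[$class] = [System.DirectoryServices.DirectoryEntry]::Exists($classPath)
}
$report.GetEnumerator() | Sort-Object Name | Format-Table -AutoSize
```

Run it from an elevated PowerShell session under the account that was made the AD LDS administrator at setup. The last table shows True for each class that now exists in the schema partition; inetOrgPerson will show False if you imported only MS-User.LDF, which is expected.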

Additional considerations

  • To open a command prompt, click Start, right-click Command Prompt, and then click Run as administrator. Local elevation and AD LDS administration are separate: running the prompt as a local administrator does not by itself make the account a member of the AD LDS instance's Administrators group, which is what the schema import actually requires.

  • AD LDS includes the following .ldf files containing user classes that you can import. These files are located in the %windir%\adam directory.

    MS-ADAM-DisplaySpecifiers-0409.LDF
      User classes: Not applicable
      Import this file if: You want to use an Active Directory snap-in (such as Active Directory Sites and Services) with AD LDS.

    MS-AdamSyncMetadata.LDF
      User classes: Not applicable
      Import this file if: You want to use adamsync to synchronize AD LDS with Active Directory Domain Services (AD DS).

    MS-AZMan.LDF
      User classes: Not applicable
      Import this file if: You want to use Windows Authorization Manager with AD LDS.

    MS-InetOrgPerson.LDF
      User classes: Person, Organizational-Person, User, inetOrgPerson
      Import this file if: You want to create user objects in the AD LDS directory, and you want to create users of the InetOrgPerson class (as defined in RFC 2798). MS-InetOrgPerson.LDF is a sample file that you can modify to meet your particular requirements.

    MS-User.LDF
      User classes: Person, Organizational-Person, User
      Import this file if: You want to create user objects in the AD LDS directory, but you do not want to create users of the InetOrgPerson class (as defined in RFC 2798). MS-User.LDF is a sample file that you can modify to meet your particular requirements.

    MS-UserProxy.LDF
      User classes: User-Proxy
      Import this file if: You want to create simple proxy objects in AD LDS for use in bind redirection. MS-UserProxy.LDF is a sample file that you can modify to meet your particular requirements.

    MS-UserProxyFull.LDF
      User classes: User-Proxy-Full
      Import this file if: You want to create complete proxy objects in AD LDS for use in bind redirection. To use this file, you must first import MS-InetOrgPerson.LDF or MS-User.LDF. MS-UserProxyFull.LDF is a sample file that you can modify to meet your particular requirements.

  • As an alternative to using ldifde, you can import the optional AD LDS user classes during AD LDS setup.

  • If you do not specify user credentials using the -b parameter, ldifde uses the credentials of the currently logged on user (the "Logging in as current user using SSPI" line in the sample output). Prefer that form where you can: a password passed with -b appears on the command line, where it is visible in process listings and is retained in the command history.

Additional references