Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.

Ldifde is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ldifde, you must run the ldifde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]

Parameters

Parameter Description

-i

Specifies to use the import mode. The default mode is export.

-f <FileName>

Identifies the import or export file name.

-s <ServerName>

Specifies the domain controller to perform the import or export operation. By default, ldifde runs on the domain controller on which ldifde is installed.

-c <String1> <String2>

Replaces all occurrences of <String1> with <String2>. Generally, you use this parameter when you import data from one domain to another and you must replace the distinguished name of the export domain (<String1>) with the distinguished name of the import domain (<String2>).

-v

Sets verbose mode.

-j <Path>

Sets the log file location. The default location is the current path.

-t <PortNumber>

Specifies a Lightweight Directory Access Protocol (LDAP) port number. The default LDAP port number is 389. The global catalog port number is 3268.

-d <BaseDN>

Sets the distinguished name of the search base for data export.

-r <LDAPFilter>

Creates an LDAP search filter for data export. For example, to export all users with a surname that you specify, you can use the following filter (the filter starts with the LDAP AND operator, &, and is quoted because & is special to the command prompt):

-r "(&(objectClass=User)(sn=Surname))"

-p <Scope>

Sets the search scope. The search scope options are Base, OneLevel, or SubTree.

-l <LDAPAttributeList>

Sets the list of attributes to return in the results of an export query. If you do not specify this parameter, the search returns all attributes.

-o <LDAPAttributeList>

Sets the list of attributes to omit from the results of an export query. This is typically used when exporting objects from AD DS and then importing them into another LDAP-compliant directory. If attributes are not supported by another directory, you can omit the attributes from the result set using this option.

-g

Omits paged searches.

-m

Omits attributes that apply only to Active Directory objects, such as the objectGUID, objectSID, pwdLastSet, and sAMAccountType attributes.

-n

Omits the export of binary values.

-k

Ignores errors during an import operation and continues processing. This parameter ignores all of the following errors:

  • The object is already a member of the group

  • The operation has an object class violation

    This violation means that the specified object class does not exist, if the object being imported has no other attributes.

  • The object already exists

  • The operation has a constraint violation

  • The attribute or value already exists

  • The operation found no such object

-a <UserDistinguishedName> <Password>

Sets the command to run using the distinguished name (<UserDistinguishedName>) and password (<Password>) that you supply. By default, the command uses the credentials of the user who is currently logged on to the network. A password supplied this way is part of the process command line, so it is visible to anyone who can list running processes and is recorded by process-creation auditing; prefer the logged-on credentials where possible.

-b <UserName> <Domain> <Password>

Sets the command to run using the supplied <UserName> <Domain> <Password>. By default, the command will run using the credentials of the user currently logged on to the network.

/?

Displays help at the command prompt.

Remarks

  • When you create the import file to use with the ldifde command, use a changeType value to define the type of changes that the import file will contain. The following table shows the changeType values that you can use.

    Value Description

    add

    Specifies that new content is contained in the import file.

    modify

    Specifies that existing content has been modified in the import file.

    delete

    Specifies that content has been deleted in the import file.

    The following example shows an LDAP Data Interchange Format (LDIF) import file format that uses the add value.

    DN: CN=SampleUser,DC=DomainName
    changetype: add
    CN: SampleUser
    description: DescriptionOfFile
    objectClass: User
    sAMAccountName: SampleUser
    
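As an added example that is not part of the ldifde documentation, the following Python script applies three of the behaviours described above to an LDIF import file: the changeType check from the Remarks table, the -c <String1> <String2> rewrite of DNs when moving data to another domain, and the -m omission of AD-only attributes. The sample file, its domain names, and the case-insensitive matching used for -c are assumptions made here.

```python
import re
CHANGETYPES = {"add", "modify", "delete"}  # changetype values from the Remarks table
AD_ONLY = {"objectguid", "objectsid", "pwdlastset", "samaccounttype"}  # what -m omits

def parse_ldif(text):
    """Parse LDIF into records, each a list of (attribute, raw value) pairs."""
    records, current = [], []
    for raw in text.splitlines() + [""]:
        if raw.startswith(" ") and current:        # folded continuation line
            attr, val = current[-1]
            current[-1] = (attr, val + raw[1:])
        elif not raw.strip() and current:          # blank line ends a record
            records.append(current)
            current = []
        elif raw.strip() and not raw.startswith("#"):
            # keep all text after the first ':' verbatim so 'attr:: base64' round-trips
            attr, _, val = raw.partition(":")
            current.append((attr.strip(), val))
    return records

def get(record, attr):
    return next((v.strip() for a, v in record if a.lower() == attr), None)

def validate_changetypes(records):
    """One message per record whose changetype is missing or not add/modify/delete."""
    return [f"{get(r, 'dn')}: unsupported changetype {get(r, 'changetype')!r}"
            for r in records if (get(r, "changetype") or "").lower() not in CHANGETYPES]

def rewrite_dns(records, old, new):
    """Emulate -c: replace old with new in every value (assumed case-insensitive)."""
    pat = re.compile(re.escape(old), re.IGNORECASE)
    return [[(a, pat.sub(new, v)) for a, v in r] for r in records]

def omit_ad_only(records):
    """Emulate -m: drop the attributes only AD DS understands."""
    return [[(a, v) for a, v in r if a.lower() not in AD_ONLY] for r in records]

def to_ldif(records):
    return "\n\n".join("\n".join(f"{a}:{v}" for a, v in r) for r in records) + "\n"

# Constructed sample export from a source domain (fake names and values)
SAMPLE = """dn: CN=SampleUser,OU=Staff,DC=source,DC=example
changetype: add
objectClass: user
objectGUID:: AAECAwQFBgcICQoLDA0ODw==
pwdLastSet: 0

dn: CN=OldUser,OU=Staff,DC=source,DC=example
changetype: modrdn
"""
```

Running validate_changetypes on the sample reports the second record, since modrdn is not one of the three values the table lists; the first record survives rewrite_dns and omit_ad_only with its DN moved to the target domain and objectGUID and pwdLastSet removed.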

Examples

To retrieve only the distinguished name, common name, first name, surname, and telephone number of the returned objects, pass the attribute names as a comma-separated list:

-l "distinguishedName,cn,givenName,sn,telephoneNumber"

To omit the object globally unique identifier (GUID), together with the whenCreated and whenChanged timestamps, from the export, type:

-o "whenCreated,whenChanged,objectGUID"
