Leveraging Command Line Utilities (CLU) to work with Active Directory -- Part Two

Leveraging Command Line Utilities (CLU) to work with Active Directory — Part Two – LDIFDE

This is the second of a two-part series on managing and manipulating LDAP data structures. The easiest example of this is Microsoft’s Active Directory. This will be the directory structure I’ll use in this article.

The intent of this article is to provide the readers with a solid, base foundation on what the tool LDIFDE is and how to use it.

To understand the meaning of LDIFDE, break it into three parts: L- DIF – DE. The L stands for LDAP, this component embraces attributes like objectclass which you will be modifying. DIF means data interchange format which explains what happens when the attributes are imported or exported from active directory. DE is the data exchange, think of the DE as the engine which feeds on .ldf files and transfers objects into active directory.

Another way of looking at LDIFDE is that it is an executable in the systemrootsystem32 folder that feeds on text files and thus makes bulk changes to active directory. Yet another view of LDIFDE is that it is a tool for modifying user accounts or exchange objects in your domain.

How does LDIFDE compare with CSVDE?

LDIFDE’s strength is that it can modify or delete objects in active directory where as CSVDE can only add objects. Whilst the syntax is almost identical in both programs, CSVDE’s data files are much easier to manipulate because, as its name suggests, CSV files are understood by spreadsheets.

One other major difference between the two utilities, are the file structures the tools format the data to. With CSVDE, the AD records – or objects – are formatted in a comma separated value structure, where an objects fields and values are contained on one line, but separated by commas. The very top line is reserved for the LDAP filed name titles.

With LDIFDE formatted files, each AD object or record has fields and their data on each line – NOT separated by commas. Each line starts with the LDAP field name, then the data or value of that field. This results in a file much larger than a CSVDE file even though the quantity of records are the same. Also note that a blank, empty line or row is present between each objects "paragraph" of information.

LDIFDE Basics

Introduction to Export – or How to get information out of Active Directory

Starting with an Export operation is often the easiest way to get acclimated with how the LDIFDE tool works. There are lots of syntax-related issues and multiple switches involved, so learning the syntax is critical. Exporting is easier than importing, so we’ll start with Exporting information.

A note about security – by default, most users accessing Active Directory will have the necessary permissions to Read from AD. So Exporting will likely not be a problem due to lack of permissions. However, Importing to AD – or writing to AD – this will require, of course, proper AD permissions to the domain and/or OU the objects will be written or modified to. You will need to assign yourself proper permissions, or have someone assign for you the proper permissions. You can also log on to the domain as an account having these permissions.

One last note on syntax – just like with the CSVDE tool, the LDIFDE tool will echo syntax-related help by typing the command with a /? help switch.

LDIFDE Export Example 1

To export the active directory objects in your domain into a file called AD_Export.ldf:

1. Connect to a Active Directory domain by simply logging on to the domain.

2. Open a command prompt by typing CMD from the Start > Run menu.

3. Type: ldifde -f AD_Export.ldf (of course, you may provide a file name of any first name and last name. If you use .txt as the extension, then most text editing tools will recognize the file immediately).

In this simple example, the -f switch references a file. The syntax for the CSVDE tool is virtually 100% identical to the LDIFDE tool. LDIFDE has a few more switches however, that we’ll see.

In this example, you are creating a file called AD_Export.ldf with the contents of the AD domain you are connected to.

You can use Notepad to view the contents of the file, but using Microsoft’s Excel is much better. Simply open Excel, choose File > Open, and change the file types from XL* or XL? to text files. Make sure you select only the Tab delimiter.

LDIFDE Export Example 2

The first example created a file with likely more information that you cared for. We want to filter the results to a more manageable data set. We’ll refine our output using the -n and -m switches.

1. Connect to a Active Directory domain by simply logging on to the domain.

2. Open a command prompt by typing CMD from the Start > Run menu.

3. Type the command: LDIFDE -f AD_Export_MN.ldf -m -n

Revolutionize Your Business With Generative AI

From product design and software development to virtual agents, content creation, and reporting, GenAI is transforming business. Our AI experts help you unlock GenAI’s full potential and drive growth.

Let’s Get Started

4. Open this file in either Notepad or Excel to view the contents.

Now, much less data will be presented for each record. The -m and -n switches exclude some extra AD-specific data, but you will still likely see more information than you want. Specifically, the -m switch enables "SAM logic" which simply means that you will receive less information, or less system-generated information, leaving information related to what an admin may provide rather than what the AD system would provide. The -n switch will prohibit exporting the binary values for the objects – again, not information the admin would have provided anyway.

LDIFDE Export Filters – -l and -o

When you run the LDIFDE -f AD_Export.ldf, you get overrun with data. The answer is to add switches which extract only the fields you need. The best method is to include only the attributes you want to export into your .ldp file. The alternative is to try and filter out those fields that you do not want and that is easier said than done. Which ever method you choose, you must understand the LDAP attributes to select the correct data.

LDIFDE Export Example 3

The purpose of LDIFDE -l is to select solely the LDAP attributes you need and so reduce the number of fields in the .ldf file.

Once you’ve connected to the domain and opened the command prompt, type:

LDIFDE -f AD_Export_l.ldf -l "DN, objectClass" (note: the DN and objectClass verbiage is not case-sensitive – just make sure to use the quotes)

The -l switch indicates you want a list of attributes, comma separated, to look for in an LDAP search. In this case, we’re interested in exporting the Distinguished Names and objectClass – or types of objects – from AD. ObjectClass examples are organizationalUnit, container, top, person, user, etc.

Of course, the key to using the -l switch is to know the proper LDAP field names. In our example, DN means Distinguished Name.

LDIFDE Export Example 4

In this example, we’ll use an exclude method of filtering. The purpose of LDIFDE -o is to remove unwanted fields in the LDIFDE export. This is the opposite philosophy of the first example, here you output all the fields, except those in the LDAP statement.

Open a command prompt and type:

LDIFDE -f AD_Export_o.ldf -o "instancetype, whenCreated, whenChanged, USNCreated, USNChanged, maxPwdAge, minPwdAge, subrefs, objectCategory"

Remember, the -o list switch tells the LDIFDE tool which fields to omit – not the fields to include. Contrast this with the -l switch which tells the tool which fields to include.

Often with more complicated commands creating a log will capture information you can later use. By incorporating the -j switch you can capture in a log file the echo generated from the command. So, to return to our earlier example, note by adding the -j switch with the drive and folder, a log file will be created called "ldifde.log". See my example below:

LDIFDE -f AD_Export_o.ldf -o "instancetype, whenCreated, whenChanged, USNCreated, USNChanged, maxPwdAge, minPwdAge, subrefs, objectCategory" -j c:

Export Filter -r

If you run a basic export command like: LDIFDE -f AD_Export.ldf, you get swamped with data. One solution is to add the -r switch, which reduces the number of accounts exported. The -r switch controls the type of object you get in the data file; for example: "(objectclass=computer)" means you solely get computers an no users, groups or other unwanted objects.

The purpose of the -r switch is to remove all the objects that you DO NOT want.

LDIFDE Export Example 5

LDIFDE -f AD_Export_r.ldf -r "(objectClass=user)"

It is interesting to note that Microsoft considers computers part of the class "users", so when you specify users as the objectClass, you will also get computer objects as well.

LDIFDE Export Example 6

Using the "&" symbol to combine statements can be very valuable. You can also filter on the "cn" specification and use wildcard characters. Let’s use an example.

LDIFDE -f AD_Export_r.ldf -r "(&(objectClass=user)(cn=a*))"

This command creates a file only to include User objects which has a common name that starts with the letter "a". Note the & symbol near the beginning of the string not in the middle. For example, this in incorrect and will not work:

"((objectClass=user)&(cn=a*))" EXAMPLE OF BAD SYNTAX

The logic operators go at the beginning of the string.

LDIFDE Export Example 7

Combining two switches with the -l and -r switches

LDIFDE -f AD_Export_l_r.ldf -l "DN, objectClass, objectCategory, name, sn, cn, givenName, sAMAccountName, description" -r "(&(objectClass=user)(cn=a*))"

LDIFDE Import Basics

Why LDIFDE -i is powerful yet so complicated

Filenames

LDIFDE -i needs the -f filename switch to acquire the import data. The situation is that not only must the file have the correct syntax, but also the LDAP attributes must be in the .ldf format. Choose Notepad because it will prepare the data perfectly. Avoid more sophisticated programs like Excel because they insert extra tabs, commas or speech marks into the data, These alien formats prevent LDIFDE interpreting the data and as a result, the import fails.

Changetype

One of the benefits of LDIFDE over CSVDE is that you can manipulate data in active directory. To make these changes use the ‘changetype:’ command. There are three changetype commands, ADD, Delete, or Modify. The way it works is by placing the changetype: verb in the .ldf file. I recommend starting with the simpler changetype: verb Add – then learn how Delete and Modify works.

Passwords

LDIFDE can change or set passwords. For security reasons the passwords have to be encrypted in Unicode. This adds another layer of complexity. My work around – just for when you are learning – is to weaken your domain security policy to allow: blank passwords, disable complex passwords, and disable password history. Later you can reset the policy to a more secure setting.

The goal on this page is to import users from a text file into active directory. Importing with the -i switch is the hardest command in LDIFDE; so my focus is on getting you started, and to keeping the commands as simple as possible.

Import Example 1

You have a bunch of users to import into active directory and all the usernames are in a text file, which you can easily convert to a .LDF file.

Important best practice –
Backup your ‘System State’

Backup your server’s active directory before you attempt an import. I do this by backing up the ‘System State’.

Recommendation

Start with Export operations first. Even if you never use LDIFDE export again, I urge you to begin with LDIFDE -f filename so that you can practice in relative safety.

Another advantage trying an Export first is that you will have a copy of the LDAP attributes to use in the import data files.

Once again, my basic LDIFDE files do not include passwords. If your domain password policy can be changed to allow blank passwords, it will be much easier to practice and use. You can then switch to requiring passwords after the import. A user that logs on with an account created by the import process with a blank password will then be asked and required to provide a password.

Creating the Import File –

This is the most critical part of getting my import example to work. To create an import data file, copy and paste the following data into Notepad. Make sure you save with .ldf extension, for example: AD_Import.ldf. NOTE: the designation after "DC" represents your domain name. For example, DC=Acme,DC=com would refer to an domain called Acme.com. Obviously, substitute your own domain name.

dn: CN=Jamie Bourne,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jamie Bourne
name: Jamie Bourne
sAMAccountName: Janieb
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Peter Graham,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Peter Graham
name: Peter Graham
sAMAccountName: Peterg
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Edgar Dunn,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Edgar Dunn
name: Edgar Dunn
sAMAccountName: Edgard
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Belinda Hart,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Belinda Hart
name: Belinda Hart
sAMAccountName: Belindah
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=May Jamieson,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: May Jamieson
name: May Jamieson
sAMAccountName: Mayj
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Leroy Ota,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Leroy Ota
name: Leroy Ota
sAMAccountName: Leroyo
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

Once your import file has been created and saved in a folder of your choice, you’re ready for the command.

Open a command prompt, and type:

LDIFDE -i -f AD_Import.ldf -k

The LDIFDE tool will import the objects you’ve listed in the file indicated in the syntax. Make sure the import file is in your current working directory, or in a folder within your machines’ path system variable.

The -i switch of course means, import. The -k switch tells the LDIFDE tool to continue with the import operation even if an error occurs. Without the -k switch, any minor or major error encountered will abort the import operation cold. If an import operation is about to create 1000 objects, an error or two can be easily fixed after the importing is complete, so using the -k switch will likely result in the one or two objects containing a syntax error to not get created, but the 998 other objects correctly getting created.

LDIFDE Import Example 2

This import example creates users in the domain Acme.com and it an OU called Accounting. Note that if the OU Accounting does not yet exist, this will not create it and will generate an error and abort.

dn: CN=Stephanie Bourne,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Stephanie Bourne
name: Stephanie Bourne
sAMAccountName: stephanieb
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Matthew Dunn,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Matthew Dunn
name: Matthew Dunn
sAMAccountName: matthewd
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Sherri Hart,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Sherri Hart
name: Sherri Hart
sAMAccountName: sherrih
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Jay Jamieson,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Jay Jamieson
name: Jay Jamieson
sAMAccountName: jayj
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Lani Ota,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Lani Ota
name: Lani Ota
sAMAccountName: lanio
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Carolyn Seeley,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Carolyn Seeley
name: Carolyn Seeley
sAMAccountName: carolyns
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Robert Lyon,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Robert Lyon
name: Robert Lyon
sAMAccountName: robertl
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Fidelma McGinn,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Fidelma McGinn
name: Fidelma McGinn
sAMAccountName: fidelmam
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Michelle Votava,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Michelle Votava
name: Michelle Votava
sAMAccountName: michellev
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Ray Sambroski,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Ray Sambroski
name: Ray Sambroski
sAMAccountName: rays
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

dn: CN=Anne Paper,OU=Accounting,DC=Acme,DC=com
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Anne Paper
name: Anne Paper
sAMAccountName: annepa
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=Acme,DC=com

Notice in these import examples the "changetype: add" line. This of course adds – or creates – the objects.

LDIFDE Changetype Examples

LDIFDE Import Example 3

LDIFDE has the ‘changetype:’ command, this extends the Add import command with Delete an Modify.

As with the earlier examples, preparing the files is the key to import success. If you do understand LDAP attributes it will be so much easier to make change and troubleshoot.

Changetype is a command inside the .ldf file, not a switch or external parameter. Each .ldf file has changetype: near the top, here are the three possible values:

Changetype: Add
Changetype: Modify
Changetype: Delete

Deleting Users Created by Import Example 1

Below, I’ve provided an example of syntax used from Example 1 above. Here, we’re deleting the users specified in this file. Note the blank like between each user to be deleted.

dn: CN=Jamie Bourne,DC=Acme,DC=com
changetype: delete

dn: CN=Peter Graham,DC=Acme,DC=com
changetype: delete

dn: CN=Edgar Dunn,DC=Acme,DC=com
changetype: delete

dn: CN=Belinda Hart,DC=Acme,DC=com
changetype: delete

dn: CN=May Jamieson,DC=Acme,DC=com
changetype: delete

dn: CN=Leroy Ota,DC=Acme,DC=com
changetype: delete

LDIFDE Import Example 3

Using changetype: Modify

You can modify objects’ properties in AD by using LDIFDE. CSVDE cannot delete objects, nor can it modify or change objects’ properties and values.

When using changetype:Modify, you will have to note carefully the syntax in the body of text used to initiate the modification.

For example, suppose you have a user called Adam Smith in the Accounting OU. You wish to change or modify the description field for Adam. Below is the syntax. Note carefully the dash symbol on the last line of the series of lines making up the file used during the import.

dn: CN=Adam Smith, OU=Accounting, DC=Acme, DC=com
changetype: modify
replace: description
description: Finance
–

In line 2 above, the changetype: modify appears. In line 3, the field "description" is being specified as to the field we’re about to change. In line 4, we’re telling LIDIFDE in what way we want the field changed.

Note the last line contains a hyphen symbol, then a blank line or row. This is critical and if missing, the command produces an error.

Now assuming the above example makes up the file called AD_Import.ldf, we would execute the following command:

LDIFDE -i -f AD_Import.ldf -k

Upon successful execution, Adam Smiths description property would be modified to whatever is was to now contain the string Finance.

Below are the switches used with LDIFDE listed for your reference.

The LDIFDE switches are case insensitive. So you can use either -F or -f

Switch	Purpose	Example
Import
-f	This switch will import or export objects from active directory into a .ldf file. (Note export is the default behavior)	LDIFDE -f Acme.ldf
-i	Means import	LDIFDE -i -f Acmei.ldf
-k	Means skip errors and carry on	LDIFDE -f Acmek.ldf -k
Export	(Note there is not a -e switch for export. Plain LDIFDE -f filename will export by default)
-l	Positively select "LDAP, Attributes" The ‘l’ means here is a list of fields that I want in my export.	LDIFDE -f AcmeLa.ldf -l "DN,objectclass, objectcategory, name, distinguishedName, cn,desription,ou"
-o	Tailor the "LDAP, Attributes" The ‘o’ means omits a list of fields that I do not want in my export.	LDIFDE -f Acmeo.ldf -o "objectGUID,objectCategory,whenCreated, whenChanged"
-p	Sets the Scope of the search Base, Onlevel or Subtree (Default)	LDIFDE -f Acmeonel.ldf -p onelevel
-r	Filters LDAP attributes so that you can get select ROWS of users.	LDIFDE -f Acmer.ldf -r "(&(objectclass=user)(cn=a*))"
-m	Omits values like: ObjectGUID, objectSID, pwdLastSet	LDIFDE -f Acmeomn.ldf -m -n -o "whenCreated, whenChanged, subrefs, objectCategory"
-n	Omits binary values. Useful	LDIFDE -f Acmen.ldf –n
General
-s	Server name. Specify the Active Directory server that you want to run the command on.	LDIFDE -f Acmes.ldf -s servername
-v	Verbose mode. You can see what LDIFDE is doing	LDIFDE -f Acmev.ldf -v
-t	PorT the default LDAP port is 389. A secure tunnel (SSL) uses 636	LDIFDE -i -f Acmepw.ldf -k -t 636
-j	Creates a log file which is useful in troubleshooting	LDIFDE -f Acmej.ldf -j C:
-a	To run LDIFDE using a DN and password	LDIFDE -f Acmes.ldf -a CN=Administrator,CN=Users,DC=Acme,DC=com brenDa17
-b	To run LDIFDE using another username domain and password

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Leveraging Command Line Utilities (CLU) to work with Active Directory — Part Two – LDIFDE

by Dave Scheele on June 25th, 2006 | ~ minute read