Article ID: 276382
Article Last Modified on 9/11/2007
APPLIES TO
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
This article was previously published under Q276382
SYMPTOMS
When you try to perform an import function by using the LDAP Data Interchange Format Data Exchange (LDIFDE) tool, you may receive the following error message:
This problem is most likely to occur when you try to import user account data.
Information that is similar to the following may be displayed while the import is in progress:
CAUSE
This problem may occur when you try to import user data that cannot be written to Active Directory.
Data that cannot be written to Active Directory may exist when you try to import data that was originally exported by using the LDIFDE tool without a filter. An unfiltered LDIFDE export exports all data without identifying the fields that are protected and cannot be imported again.
RESOLUTION
To resolve this problem, run the export function with a filter. If no filter was specified, or the export function cannot be re-run, then manually edit user account data to include only those fields that may be imported.
This is an example filter that will export only required User Account data:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree
-r "(&(objectCategory=person)(objectClass=User)(givenname=*))"
-l "cn,givenName,objectclass,samAccountName"
This is another example filter that will export all User Account data except for the attributes that cannot be imported:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount, memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
MORE INFORMATION
The following are User Account field attributes and examples.
Required Fields
The following fields must be entered for each user account that is imported.
dn: objectClass: sAMAccountName:
Example user account entry with all required fields
dn: CN=user1,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: user1
Optional fields
The following fields are optional and may be entered for each user account that is imported.
- changetype:
- accountExpires:
- codePage:
- cn:
- countryCode:
- displayName:
- instanceType:
- logonHours:
- distinguishedName:
- objectCategory:
- name:
- userAccountControl:
- uSNChanged:
- uSNCreated:
- whenChanged:
- whenCreated:
Note Using the setting "userAccountControl: 66048" enables the newly created account. By default, an account is created disabled.
Example user account entry with all required and optional fields
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
accountExpires: 0
codePage: 0
cn: zach
countryCode: 0
displayName: Test User
instanceType: 4
logonHours:: ////////////////////////////
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: user
name: User1
sAMAccountName: user1
userAccountControl: 66048
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z
whenCreated: 20001012214849.0Z
User fields that cannot be imported
The following fields are protected system fields and cannot be modified through an LDIFDE import.:
- badPasswordTime:
- badPwdCount:
- lastLogoff:
- lastLogon:
- logonCount:
- memberOf
- objectGUID:
- objectSid:
- primaryGroupID:
- pwdLastSet:
- sAMAccountType:
For additional information about the LDIFDE tool, click the following article number to view the article in the Microsoft Knowledge Base:
237677 Using LDIFDE to import and export directory objects to Active Directory
Keywords: kberrmsg kbprb KB276382
