Article ID: 276382
Article Last Modified on 9/11/2007
APPLIES TO
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Server
This article was previously published under Q276382
SYMPTOMS
When you try to perform an import function by using the LDAP Data Interchange Format Data Exchange (LDIFDE) tool, you may receive the following error message:
This problem is most likely to occur when you try to import user account data.
Information that is similar to the following may be displayed while the import is in progress:
CAUSE
This problem may occur when you try to import user data that cannot be written to Active Directory.
Data that cannot be written to Active Directory may exist when you try to import data that was originally exported by using the LDIFDE tool without a filter. An unfiltered LDIFDE export exports all data without identifying the fields that are protected and cannot be imported again.
RESOLUTION
To resolve this problem, run the export function with a filter. If no filter was specified, or the export function cannot be re-run, then manually edit user account data to include only those fields that may be imported.
This is an example filter that will export only required User Account data:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName"
This is another example filter that will export all User Account data except for the attributes that cannot be imported:
ldifde -f Exportuser.ldf -s <Server1> -d "dc=Export,dc=com" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -o "badPasswordTime,badPwdCount,lastLogoff,lastLogon,logonCount,memberOf,objectGUID,objectSid,primaryGroupID,pwdLastSet,sAMAccountType"
MORE INFORMATION
The following are User Account field attributes and examples.
Required Fields
The following fields must be entered for each user account that is imported.
- dn:
- objectClass:
- sAMAccountName:
Example user account entry with all required fields
dn: CN=user1,CN=Users,DC=domain,DC=com
objectClass: user
sAMAccountName: user1
Optional fields
The following fields are optional and may be entered for each user account that is imported.
- changetype:
- accountExpires:
- codePage:
- cn:
- countryCode:
- displayName:
- instanceType:
- logonHours:
- distinguishedName:
- objectCategory:
- name:
- userAccountControl:
- uSNChanged:
- uSNCreated:
- whenChanged:
- whenCreated:
Note: Using the setting "userAccountControl: 66048" enables the newly created account. By default, an account is created disabled.
Example user account entry with all required and optional fields
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
accountExpires: 0
codePage: 0
cn: zach
countryCode: 0
displayName: Test User
instanceType: 4
logonHours:: ////////////////////////////
distinguishedName: CN=user1,CN=Users,DC=domain,DC=com
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=domain,DC=com
objectClass: user
name: User1
sAMAccountName: user1
userAccountControl: 66048
uSNChanged: 1556
uSNCreated: 1556
whenChanged: 20001012214849.0Z
whenCreated: 20001012214849.0Z
User fields that cannot be imported
The following fields are protected system fields and cannot be modified through an LDIFDE import:
- badPasswordTime:
- badPwdCount:
- lastLogoff:
- lastLogon:
- logonCount:
- memberOf:
- objectGUID:
- objectSid:
- primaryGroupID:
- pwdLastSet:
- sAMAccountType:
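When the export cannot be re-run with a filter, the manual edit described under RESOLUTION can be scripted. The following Python sketch is an added example, not part of the original article or of LDIFDE: it removes the protected attributes listed above from an LDIF file, including values that are folded onto continuation lines (which a simple line-by-line delete would leave orphaned). The function names and the sample entry are assumptions constructed for illustration.

```python
# Added example: drop the attributes this article lists as non-importable.
PROTECTED = {
    "badpasswordtime", "badpwdcount", "lastlogoff", "lastlogon",
    "logoncount", "memberof", "objectguid", "objectsid",
    "primarygroupid", "pwdlastset", "samaccounttype",
}

# Constructed sample of an unfiltered export; memberOf is folded over two lines.
SAMPLE = """\
dn: CN=user1,CN=Users,DC=domain,DC=com
changetype: add
objectClass: user
sAMAccountName: user1
memberOf: CN=Group1,CN=Users,
 DC=domain,DC=com
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
badPwdCount: 0
userAccountControl: 66048
"""


def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    logical = []
    for raw in text.splitlines():
        if raw.startswith(" ") and logical:
            logical[-1] += raw[1:]
        else:
            logical.append(raw)
    return logical


def strip_protected(text):
    """Return (cleaned LDIF, [(dn, attribute), ...] that were removed)."""
    kept, removed, dn = [], [], None
    for line in unfold(text):
        # The name ends at the first ':' ("attr:", "attr::" base64, "attr:<" URL).
        name = line.split(":", 1)[0].split(";", 1)[0].strip().lower()
        if name == "dn":
            dn = line.split(":", 1)[1].lstrip(": ")
        if name in PROTECTED:
            removed.append((dn, name))
            continue
        kept.append(line)  # written unfolded; folding is optional in LDIF
    return "\n".join(kept) + "\n", removed


if __name__ == "__main__":
    print(strip_protected(SAMPLE)[0])
```

The returned list of removed (dn, attribute) pairs can be kept as a record of what was stripped before the cleaned file is passed to the import.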
For additional information about the LDIFDE tool, click the following article number to view the article in the Microsoft Knowledge Base:
237677 Using LDIFDE to import and export directory objects to Active Directory