[THIN] OT: import AD info to your lab domain

  • From: "Roger Riggins" <roger.riggins@xxxxxxxxxx>
  • To: <thin@xxxxxxxxxxxxx>
  • Date: Thu, 22 Feb 2007 14:54:10 -0600

Hi all,



Our programmer wanted me to make our lab domain look just like our
production domain. Same OUs, groups, users, and group memberships. I
poked around a little and found an easy way to do it using ldifde.
Basically, you just export the relevant information from LDAP into some
text files. Ldifde will tweak the DN to match your target lab domain as
it exports. That way you don't have to find and replace. Then copy the
text files over to the test domain and import them with the same tool.



If your lab domain has the same name as your production domain, then
remove the '-c DC=PROD DC=LAB' part of the export commands.



NOTE: LAB is the name of the test domain and PROD is the name of the
production domain. Replace them with whatever is appropriate for the
purpose of the export/import.





---EXPORT---

-on source domain run:

ldifde -f c:\prod-ou.ldf -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" -c DC=PROD DC=LAB -d dc=prod,dc=local

ldifde -f c:\prod-users.ldf -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName" -c DC=PROD DC=LAB

ldifde -f c:\prod-groups.ldf -p subtree -r "(&(objectCategory=group)(objectClass=group)(name=*))" -l "cn,name,objectclass,samAccountName,member" -c DC=PROD DC=LAB

-copy your exported files to the lab domain

Make sure you are on the lab domain and run each of the following at
least twice. I've found that when I run them more than once, it sometimes
still imports a few on the second run. Not sure why...



---IMPORT---

-on destination domain:



ldifde -i -k -v -f c:\prod-ou.ldf

ldifde -i -k -e -v -q 1 -f c:\prod-groups.ldf

ldifde -i -k -v -f c:\prod-users.ldf



If you get an error about a cross-domain member when importing groups
then open the file in any text editor and do a search for 'S-'. If you
find a member that is a SID then delete it from the import file and run
it again.



The users were disabled during the import since there are no passwords
on the accounts. The following will search for users in the target OU
and set the password, enable the account, and not force change at next
logon. If you specify an OU with system and admin accounts then remember
that their passwords will be reset also. Change 'mytargetou' (or the
whole DN) and the password '$IdRatherBePwning' to whatever you need.



---SET PWD AND ENABLE---

-on destination domain:

dsquery user ou=mytargetou,dc=lab,dc=local -limit 9999 | dsmod user -pwd $IdRatherBePwning -disabled no -mustchpwd no

After this, I just bulk mail-enabled the groups and users with the GUI.





Anyway, hope this is useful to somebody. Good luck,



Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319.290.5687
http://www.lsiowa.org
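Added example, not part of Roger's post: a small Python script that does the manual clean-up step he describes before running ldifde -i. It unfolds LDIF continuation lines, rewrites the domain suffix on dn: and member: values (the same substitution the -c switch makes at export time, useful for exports made without it), and drops member: values that point at cross-domain ForeignSecurityPrincipals, i.e. the CN=S-1-5-... members the post tells you to search for and delete by hand. The sample LDIF record, the DN suffixes and the file names are constructed for the example; it assumes a plain ASCII/UTF-8 export (not ldifde -u).

```python
"""Clean an ldifde export before importing it into a lab domain.

Added example, not from the original post. Assumes the .ldf files come from
the ldifde -r/-l export commands in the post. Base64-encoded values
(attr:: ...) are passed through untouched.
"""
import re
import sys
from typing import List, Tuple

# A member DN whose RDN is a raw SID, e.g.
# CN=S-1-5-21-...-1104,CN=ForeignSecurityPrincipals,DC=prod,DC=local
SID_RDN = re.compile(r"^CN=S-1-\d+(?:-\d+)+,", re.IGNORECASE)
DN_ATTRS = ("dn", "member")


def unfold(lines: List[str]) -> List[str]:
    """Join LDIF continuation lines (leading single space) onto the line they continue."""
    out: List[str] = []
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith(" ") and out:
            out[-1] += line[1:]
        else:
            out.append(line)
    return out


def split_records(lines: List[str]) -> List[List[str]]:
    """Split unfolded LDIF lines into records; records are separated by blank lines."""
    records: List[List[str]] = []
    current: List[str] = []
    for line in lines:
        if line == "":
            if current:
                records.append(current)
                current = []
        else:
            current.append(line)
    if current:
        records.append(current)
    return records


def rewrite_dn(value: str, src_suffix: str, dst_suffix: str) -> str:
    """Replace the source domain suffix at the end of a DN, case-insensitively."""
    return re.sub(re.escape(src_suffix) + r"$", dst_suffix, value, flags=re.IGNORECASE)


def clean_record(record: List[str], src_suffix: str, dst_suffix: str) -> Tuple[List[str], List[str]]:
    """Return (kept lines, dropped member DNs) for one LDIF record."""
    kept: List[str] = []
    dropped: List[str] = []
    for line in record:
        attr, sep, value = line.partition(":")
        name = attr.strip().lower()
        # Only plain (non-base64) DN-valued attributes are rewritten or filtered.
        if sep and name in DN_ATTRS and not value.startswith(":"):
            dn = value.strip()
            if name == "member" and SID_RDN.match(dn):
                dropped.append(dn)  # cross-domain SID member: ldifde -i would reject it
                continue
            line = f"{attr}: {rewrite_dn(dn, src_suffix, dst_suffix)}"
        kept.append(line)
    return kept, dropped


def clean_ldif(text: str, src_suffix: str, dst_suffix: str) -> Tuple[str, List[str]]:
    """Clean a whole LDIF file; returns the new text and the list of dropped member DNs."""
    out: List[str] = []
    dropped: List[str] = []
    for record in split_records(unfold(text.splitlines())):
        kept, gone = clean_record(record, src_suffix, dst_suffix)
        out.append("\n".join(kept))
        dropped.extend(gone)
    return "\n\n".join(out) + "\n", dropped


# Constructed sample in the shape of a ldifde group export (not real data).
SAMPLE_LDIF = """\
dn: CN=Lab Admins,OU=Groups,DC=prod,DC=local
changetype: add
objectClass: top
objectClass: group
cn: Lab Admins
sAMAccountName: LabAdmins
member: CN=Alice Example,OU=Users,DC=prod,DC=local
member: CN=S-1-5-21-1111111111-2222222222-3333333333-1104,CN=ForeignSecurityPri
 ncipals,DC=prod,DC=local

dn: CN=Alice Example,OU=Users,DC=prod,DC=local
changetype: add
objectClass: user
cn: Alice Example
sAMAccountName: alice
"""

if __name__ == "__main__":
    # Usage: python clean_ldif.py prod-groups.ldf lab-groups.ldf DC=prod,DC=local DC=lab,DC=local
    if len(sys.argv) == 5:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text, dropped = clean_ldif(fh.read(), sys.argv[3], sys.argv[4])
        with open(sys.argv[2], "w", encoding="utf-8") as fh:
            fh.write(text)
    else:
        text, dropped = clean_ldif(SAMPLE_LDIF, "DC=prod,DC=local", "DC=lab,DC=local")
        print(text)
    for dn in dropped:
        print("dropped cross-domain member:", dn, file=sys.stderr)
```

Run it on each exported .ldf before copying the files to the lab; the dropped members are listed on stderr so you can see which cross-domain memberships did not make it into the lab copy.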







