Hi all,

Our programmer wanted me to make our lab domain look just like our production domain: same OUs, groups, users, and group memberships. I poked around a little and found an easy way to do it using ldifde. Basically, you just export the relevant information from LDAP into some text files. Ldifde will tweak the DN to match your target lab domain as it exports, so you don't have to find and replace. Then copy the text files over to the test domain and import them with the same tool.

If your lab domain has the same name as your production domain, then remove the '-c DC=PROD DC=LAB' part of the export commands.

NOTE: LAB is the name of the test domain and PROD is the name of the production domain. Replace them with whatever is appropriate for the purpose of the export/import.

---EXPORT---

-on source domain run:

    ldifde -f c:\prod-ou.ldf -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" -c DC=PROD DC=LAB -d dc=prod,dc=local
    ldifde -f c:\prod-users.ldf -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "cn,givenName,objectclass,samAccountName" -c DC=PROD DC=LAB
    ldifde -f c:\prod-groups.ldf -p subtree -r "(&(objectCategory=group)(objectClass=group)(name=*))" -l "cn,name,objectclass,samAccountName,member" -c DC=PROD DC=LAB

-copy your exported files to the lab domain

Make sure you are on the lab domain and run each of the following at least twice. I've found that if I run them more than once, it sometimes still imports a few on the second run. Not sure why...

---IMPORT---

-on destination domain:

    ldifde -i -k -v -f c:\prod-ou.ldf
    ldifde -i -k -e -v -q 1 -f c:\prod-groups.ldf
    ldifde -i -k -v -f c:\prod-users.ldf

If you get an error about a cross-domain member when importing groups, then open the file in any text editor and do a search for 'S-'. If you find a member that is a SID, then delete it from the import file and run it again.

The users were disabled during the import since there are no passwords on the accounts. The following will search for users in the target OU and set the password, enable the account, and not force a change at next logon. If you specify an OU with system and admin accounts, then remember that their passwords will be reset also. Change 'mytargetou' (or the whole DN) and the password '$IdRatherBePwning' to whatever you need.

---SET PWD AND ENABLE---

-on destination domain:

    dsquery user ou=mytargetou,dc=lab,dc=local -limit 9999 | dsmod user -pwd $IdRatherBePwning -disabled no -mustchpwd no

After this, I just bulk mail-enabled the groups and users with the GUI.

Anyway, hope this is useful to somebody.

Good luck,

Roger Riggins
Network Administrator
Lutheran Services in Iowa
w: 319.859.3543
c: 319.290.5687
http://www.lsiowa.org
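As an added example (not part of Roger's post), here is a small dependency-free Python pre-check for the cross-domain 'S-' member problem described in the import step: it unfolds the exported groups LDIF, decodes base64 'member::' values, and strips any member whose RDN is a SID (a foreign security principal the lab domain cannot resolve) before the file is fed to ldifde -i. The LDIF sample, group and account names are constructed for the example.

```python
import base64
import re

# Constructed sample of a prod-groups.ldf export (not from the post): one group
# whose members include a foreign security principal (a SID-named entry that the
# lab domain cannot resolve, so "ldifde -i" rejects it) and a base64 value.
SVC_B64 = base64.b64encode(b"CN=Svc Account,OU=Users,DC=lab,DC=local").decode()
SAMPLE_LDIF = f"""\
dn: CN=App Admins,OU=Groups,DC=lab,DC=local
changetype: add
objectClass: group
cn: App Admins
sAMAccountName: AppAdmins
member: CN=Roger Riggins,OU=Users,DC=lab,DC=local
member: CN=S-1-5-21-1111111111-2222222222-3333333333-1105,CN=ForeignSecurityP
 rincipals,DC=lab,DC=local
member:: {SVC_B64}
"""

# Matches a member DN whose leading RDN is a SID (CN=S-1-5-21-...,CN=ForeignSecurityPrincipals,...)
SID_RDN = re.compile(r"^CN=S-1-\d+(?:-\d+)+,", re.IGNORECASE)

def unfold(ldif_text):
    """Join LDIF continuation lines (leading space) back onto the line they belong to."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines

def member_dn(line):
    """Return the DN on a 'member' line, or None; 'member::' marks a base64 value."""
    attr, sep, value = line.partition(":")
    if not sep or attr.strip().lower() != "member":
        return None
    if value.startswith(":"):
        return base64.b64decode(value[1:].strip()).decode("utf-8")
    return value.strip()

def strip_foreign_members(ldif_text):
    """Drop SID-named (foreign security principal) members; return (cleaned LDIF, removed DNs)."""
    kept, removed = [], []
    for line in unfold(ldif_text):
        dn = member_dn(line)
        if dn is not None and SID_RDN.match(dn):
            removed.append(dn)
            continue
        kept.append(line)
    return "\n".join(kept) + "\n", removed
```

Review the returned list of removed DNs before importing, since each one is a membership that exists in production but will be missing in the lab.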