The import doesn’t fail - ours is set to not allow blank passwords and the import succeeds because the account is disabled – you can do this in ADUC manually too.  However, if you try to enable the manually-created account-with-blank-password in ADUC it tells you it doesn’t meet the complexity requirements, but for accounts created with csvde with blank passwords, you can actually enable them without setting a password.  There might be a “password not set” flag?  In any event, using Joe’s auth tool works –

 

auth /d:domain /u:autouser /p:""

Authenticating domain\autouser

Logon Successful.

 

Perhaps this is a bug with Windows Server 2003 AD?

BTW the sAMAccountName I got when I didn’t specify one was $1N6000-N58EQ9P0PL7S

 

Rich
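
The following audit sketch is an added example, not part of Rich's message or of any tool named in the thread. It assumes the "password not set" flag he wonders about is the UF_PASSWD_NOTREQD bit (0x0020) of userAccountControl, and that the accounts have been exported with csvde including the sAMAccountName and userAccountControl columns; the sample rows are constructed.

```python
import csv
import io

UF_ACCOUNTDISABLE = 0x0002   # account is disabled
UF_PASSWD_NOTREQD = 0x0020   # password policy is not enforced for this account

# Constructed sample in csvde layout (DNs are quoted because they contain commas).
SAMPLE_EXPORT = '''DN,sAMAccountName,userAccountControl
"CN=autouser,OU=AD Import OU,DC=mydomainname,DC=com",autouser,544
"CN=dummy,OU=AD Import OU,DC=mydomainname,DC=com",dummy,546
"CN=postmaster,OU=AD Import OU,DC=mydomainname,DC=com",postmaster,512
"CN=broken,OU=AD Import OU,DC=mydomainname,DC=com",broken,
'''

def audit_passwd_notreqd(csv_text):
    """Return (sAMAccountName, finding) for every row that needs attention."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        name = row.get("sAMAccountName") or row.get("DN") or "<unknown>"
        try:
            uac = int(row["userAccountControl"])
        except (KeyError, TypeError, ValueError):
            # Missing or non-numeric value: report it rather than skip silently.
            findings.append((name, "userAccountControl missing or unreadable"))
            continue
        if not uac & UF_PASSWD_NOTREQD:
            continue  # password policy applies normally
        if uac & UF_ACCOUNTDISABLE:
            findings.append((name, "disabled, PASSWD_NOTREQD set: clear before enabling"))
        else:
            findings.append((name, "ENABLED with PASSWD_NOTREQD: blank password possible"))
    return findings

if __name__ == "__main__":
    for name, finding in audit_passwd_notreqd(SAMPLE_EXPORT):
        print(f"{name}: {finding}")
```
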

 

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
Sent: Friday, December 12, 2003 10:11 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User export

 

If the Policy does not allow for blank passwords, then I assume the import fails.

 

If I were doing this, I'd use the ADModify tool to export the accounts. The output will be an ldf file. I'd use an encoder like this (http://www.opinionatedgeek.com/DotNet/Tools/Base64Encode/Default.aspx) to encode a base64 password. I'd open up the ldf file in notepad and add the following lines to EACH entry (bearing in mind that there are 2 blank lines between EACH entry in the ldf file, and that I need to maintain those 2 blank lines, even at the end of the file!!):
replace: unicodePwd
unicodePwd::<whatever the base64 equivalent of the password is>

 

Example (assword encoded):

 

dn: CN=Akomolafe Postmaster,OU=AD Import OU,DC=mydomainname,DC=com
changetype: add
objectClass: user
cn: Akomolafe Postmaster
givenName: Akomolafe
sn: Postmaster
sAMAccountName: postmaster
codePage: 0
countryCode: 0
DisplayName: Akomolafe Postmaster
name: Akomolafe Postmaster
userPrincipalName: [EMAIL PROTECTED]
replace: unicodePwd
unicodePwd::YXNzd29yZA==


dn: CN=DHCP Registrar,OU=AD Import OU,DC=mydomainname,DC=com
changetype: add
objectClass: user
cn: DHCP Registrar
givenName: DHCP
sn: Registrar
sAMAccountName: dhcpregistrar
codePage: 0
countryCode: 0
DisplayName: DHCP Registrar
name: DHCP Registrar
userPrincipalName: [EMAIL PROTECTED]
replace: unicodePwd
unicodePwd::YXNzd29yZA==


dn: CN=dummy,OU=AD Import OU,DC=mydomainname,DC=com
changetype: add
objectClass: user
cn: dummy
givenName: dummy
sAMAccountName: dummy
codePage: 0
countryCode: 0
DisplayName: dummy
name: dummy
userPrincipalName: [EMAIL PROTECTED]
replace: unicodePwd
unicodePwd::YXNzd29yZA==


dn: CN=IIS USERACCT,OU=AD Import OU,DC=mydomainname,DC=com
changetype: add
objectClass: user
cn: IIS USERACCT
givenName: IIS
sn: USERACCT
sAMAccountName: dom_webman
codePage: 0
countryCode: 0
DisplayName: IIS USERACCT
name: IIS USERACCT
userPrincipalName: [EMAIL PROTECTED]
replace: unicodePwd
unicodePwd::YXNzd29yZA==

 

Then I'd import this file, using ADModify, into my destination Domain.

 

HTH

 

Sincerely,

Dèjì Akómöláfé,
MCSE MCSA MCP+I
www.akomolafe.com
www.iyaburo.com
Do you now realize that Today is the Tomorrow you were worried about Yesterday?  -anon

 


From: Creamer, Mark
Sent: Fri 12/12/2003 6:55 AM
To: [EMAIL PROTECTED]
Subject: RE: [ActiveDir] User export

Thanks Tony. Does the account get created with a blank password if I don't create one myself? If so,
what would happen if the domain policy is set to not allow blank passwords?
 
<mc>
-----Original Message-----
From: Tony Murray [mailto:[EMAIL PROTECTED] 
Sent: Friday, December 12, 2003 9:43 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] User export
 
There is one mandatory attribute that you need (sAMAccountName), but it is generally useful to also
have the following:
 
givenName
sn
displayName
userPrincipalName
userAccountControl
 
You might also want to set the password, which can be quite tricky with LDIF.  There's a KB article on this:
 
http://support.microsoft.com/default.aspx?scid=http://support.microsoft.com:80/support/kb/articles/Q263/9/91.ASP&NoWebContent=1
 
If you're going to script part of it anyway, you may as well do the whole thing (i.e. export and
import) without LDIFDE.  Just a thought.
 
The main advantage of LDIFDE over CSVDE is the ability to modify existing objects.  CSVDE only allows
you to create.
 
Tony
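
The password step Tony calls tricky, and the unicodePwd lines discussed earlier in the thread, come down to one encoding rule: Active Directory expects unicodePwd to be the password wrapped in double quotes, encoded as UTF-16LE and then base64, written in a modify record over an encrypted connection. The sketch below is an added example, not code from any poster or from the KB article; the helper names are hypothetical and the password "newPassword" is a constructed sample.

```python
import base64

def encode_unicode_pwd(password: str) -> str:
    """Base64 text for an LDIF 'unicodePwd::' line."""
    # AD expects the password in double quotes, as UTF-16LE bytes.
    quoted = '"' + password + '"'
    return base64.b64encode(quoted.encode("utf-16-le")).decode("ascii")

def decode_unicode_pwd(b64_value: str):
    """Return the password if the value has the quoted UTF-16LE form, else None."""
    try:
        text = base64.b64decode(b64_value, validate=True).decode("utf-16-le")
    except ValueError:  # bad base64, odd byte count or invalid UTF-16
        return None
    if len(text) >= 2 and text[0] == '"' and text[-1] == '"':
        return text[1:-1]
    return None

def ldif_line(attr: str, value: str) -> str:
    """Emit 'attr: value', or 'attr:: <base64>' when the value is not LDIF-safe."""
    safe = (value.isascii() and value.isprintable()
            and value[:1] not in (" ", ":", "<") and not value.endswith(" "))
    if safe:
        return f"{attr}: {value}"
    return f"{attr}:: {base64.b64encode(value.encode('utf-8')).decode('ascii')}"

def password_modify_record(dn: str, password: str) -> str:
    """One LDIF record that replaces unicodePwd on an existing object."""
    return "\n".join([
        ldif_line("dn", dn),
        "changetype: modify",
        "replace: unicodePwd",
        f"unicodePwd::{encode_unicode_pwd(password)}",
        "-",   # terminates the replace operation
        "",    # blank line ends the record
    ])

if __name__ == "__main__":
    # DN taken from the thread; the password is a constructed sample.
    print(password_modify_record(
        "CN=dummy,OU=AD Import OU,DC=mydomainname,DC=com", "newPassword"))
    # A value that is plain ASCII base64 does not have the expected form:
    print(decode_unicode_pwd("YXNzd29yZA=="))
```

Base64 is an encoding, not encryption, so a file produced this way holds recoverable passwords and needs the same handling as a cleartext password list.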
 
---------- Original Message ----------------------------------
Reply-To: [EMAIL PROTECTED]
Date:  Fri, 12 Dec 2003 09:25:19 -0500
 
I have a request to export the user objects from our production environment and import them into our
test environment. 
 
 
 
If I use LDIF for this, are there required attributes I must include in the export in order to make
the import into the empty test domain successful? I'd like to create a procedure with a script so next
time one of the admins can do it. Finally, are there any advantages to using ldifde vs csvde? Thanks!
 
 
 
Mark Creamer
 
Systems Engineer
 
Cintas Corporation
 
Honesty and Integrity in Everything We Do
 
 
 
 
 
List info   : http://www.activedir.org/mail_list.htm
List FAQ    : http://www.activedir.org/list_faq.htm
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/