How do I solve LDIFDE errors on "last token starts with 'C'" and "change-modify entry is missing the terminator '-'" when trying to pair existing users to exiting security groups (domain migration)?
I execute this:
C:\Users\Administrator\Downloads\ldif_files>ldifde -i -k -f test.ldf -v -j "C:\Users\Administrator\Downloads\ldif_files"
Connecting to "dc1.company.local"
Logging in as current user using SSPI
Importing directory from file "test.ldf"
Loading entries
There is a syntax error in the input file
Failed on line 6. The last token starts with 'C'.
The change-modify entry is missing the terminator '-'.
0 entries modified successfully.
An error has occurred in the program
C:\Users\Administrator\Downloads\ldif_files>
test.ldf is this:
dn: CN=PrinterAdmins,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
objectClass: top
objectClass: group
member: CN=John Doe,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
I have painstakingly troubleshooted this for a couple or few hours now without success. I have tried…
- Adding a single link '-' at the end
- Adding a line '-' followed by a blank line (two lines total) at the
end - several other things; have spent lots of time Googling for solutions
and trying everything without having success
The OUs, security group, and user exists. For the life of me, I can't figure it out. I have successfully imported an OU structure from 'oldcompany.com' domain, used Notepad++ to remove a particular space/enter character and also to replace 'dc=oldcompany,dc=com' with 'dc=company,dc=local', imported the users, imported the security groups — everything successfully.. all that is left is to import the part of memberships to every group (tying users to their groups).
Please help. 🙁
What am I doing / trying to do / have done already? I have roughly around 700 groups that I need to pair several hundred users to. Importing of OU structure, followed by users, followed by [empty] groups was successful. All that is left is pairing users to their groups. Moving from an old "company.com" domain (from 2003 DC) to "company.local" on brand new 2012 DC. Want to avoid having to go through all 700 groups manually adding users (because I do have an Excel report that tells me the member of every group / what group every user is a member of).
EDIT: SOLUTION!
This is what I had to do to get it to work:
- Remove all objectClass lines; next time I need to leave this out of
the command parameters for exporting - The first line of the file should be a blank line, followed by the
"dn:" line of the first group - The second to last line of the file should be a -, followed by a
blank line (the last line of the file)
So to import users, security groups, and group memberships from company.com to company.local, this is what I had to do:
- Exporting the OU structure from company.com; on company.com, we had an OU "CMPNY" in the root of the domain when you use Active Directory Users and Computers that contained everything (security groups, users, OUs, GPOs, etc)
- Execute ldifde -f exportOUs.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(objectCategory=organizationalUnit)" -l "cn,objectclass,ou" on any machine connected to the old company.com AD domain; it will connect to srvADdc1 (a domain controller) to search and export from
- Exporting the Users from company.com
- Execute difde -f exportUsers.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(objectCategory=Person)(objectClass=user))" -l "cn,displayName,distinguishedName,name,objectCategory,objectClass,sAMAccountName"
- Export Groups from company.com WITHOUT members (so as just empty security groups)
- Execute ldifde -f exportGroupsEmpty.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(objectCategory=group)(objectClass=group))" -l "cn,name,sAMAccountName,grouptype,objectclass"
- Export Groups from company.com WITH members (contains bare minimum information to identify what User objects are a Member of what Group)
- Execute ldifde -f exportGroupsMembers.ldf -s srvADdc1 -t 3268 -d "OU=CMPNY,DC=company,DC=com" -p subtree -r "(&(ObjectCategory=group)(objectClass=group)(name=)(member=))" -l "member"
- Importing the OU skeleton of the old company.com into the new company.local domain; we're using a different OU skeleton structure in company.local (no "CMPNY" OU at root), so this OU skeleton we're importing is merely just for the sake of importing old data, and after we import everything, we can rename/cleanup/delete whatever, and then move and arrange the imported objects over to our new/different OU skeleton structure standard that we've decided to use on our new company.local domain
- Modify exportOUs.ldf via Notepad++ (my personal preference), find DC=com and replace all with DC=local, and save the file
- Execute ldifde -i -k -f exportOUs.ldf -v -j "C:\"; you can change the path for the value of -j parameter, or remove -j "C:\" entirely — all it does is log any errors to file
- Import Users from company.com into company.local
- Modify exportUsers.ldf via Notepad++, find DC=com and replace all with DC=local, and save the file
- Execute ldifde -i -k -f exportUsers.ldf -v -j "C:\"
- Import empty [Security] Group shells from company.com into company.local
- Modify exportGroupsEmpty.ldf via Notepad++, find DC=com and replace all with DC=local, and save the file
- Execute ldifde -i -k -f exportGroupsEmpty.ldf -v -j "C:\"
- Import the Membership pairing between Users and Groups from company.com to company.local
- Open exportGroupsMembers.ldf via Notepad++
- Examine the contents of this file very carefully; notice how a single item is split out over multiple lines (like if someone decided to hit the ENTER key 1/3 the way through a line) — they should normally be on one line instead of overflowing into multiple lines
- The first thing is to fix the multiple line overflowing issue. To do this, select all the character data in between two lines that would need to be deleted to fix it (for just that one instance), and 'replace all' it with literally nothing
- Find dc=com and replace all with dc=local
- Replace all empty lines with two lines: the first one should be a single – character, and the second should be a blank line; you can accomplish this by selecting that space and doing a replace all with \r\n-\r\n\r\n with Extended search mode in Notepad++
- Make sure that the first line of the file is a blank empty line (no spaces, just empty line) before the first "dn:" line (for the first group)
- Make sure the second to last line of the file is a – line, followed by a blank line (as the last line)
- Find "changetype: add" and replace all with changetype: modify\r\nadd: member (basically, this changes 'add' to 'modify', and creates new line below this "add: member")
- Execute ldifde -i -k -f exportGroupsMembers.ldf -v -j "C:\"
- Open exportGroupsMembers.ldf via Notepad++
Example exportGroupsMembers.ldf (first line has a space in it — it is not supposed to have a space in it, just supposed to be a blank line; last line after the – line is supposed to be a blank line too):
dn: CN=ERP_User_Test,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=Ralph Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Grace McPhillip,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Logan Rowley,OU=Track-It!,OU=Admins,OU=CMPNY,DC=company,DC=local
-
dn: CN=FolderSecurity_StockReportsDatabase_C,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=David Collins,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Kelly Paris,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=genericSalesUser,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
-
dn: CN=FolderSecurity_StockReportsDatabase_R,OU=GL,OU=Groups,OU=CMPNY,DC=company,DC=local
changetype: modify
add: member
member: CN=Ron Burgandy,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Jane Doe,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
member: CN=Bill Gates,OU=Uncategorized,OU=Users,OU=CMPNY,DC=company,DC=local
-
What this primarily accomplishes is that when we migrate shared network drives over to the new network, individual folder security permissions are retained. We don't have to go and recreate all the groups, add members back into the groups, and then go weed through over 1000 folders of unique security permissions (stupid, I know).
After all this, we can..
- Go in and DELETE all the user objects that are permanently obsolete
(such as genericITAdmin and genericITModerator and genericITTech
administrator, test accounts, random one-off accounts, etc) but keep
real human person accounts that have been deactivated - Rename security groups to standardize on naming conventions, then
later begin cleaning up security groups to consolidate, find
patterns, remove unqiue security permissions, etc - Move objects over to our new OU skeleton structure and delete the
CMPNY OU from root after we're done weeding through it, manipulating,
removing, renaming old stuff
I thank the responders at the following threads:
– [H]ardForum
– ServerFault
– TechNet
Primary resource from which I followed the overall export and import workflow
Additional helpful information I utilized or influenced me in my journey
Best Answer
Here is what your file should look like. I've just tested this against LDS on Windows 8 to be certain.
If you have no special characters in the values, then an ANSI file should do just fine.
Chances are you have but in case you havent http://support.microsoft.com/kb/237677 might help.