
Applies To: Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2003 with SP1, Windows 8

Creates, modifies, and deletes directory objects. You can also use ldifde to extend the schema, export Active Directory user and group information to other applications or services, and populate Active Directory Domain Services (AD DS) with data from other directory services.

Ldifde is a command-line tool that is built into Windows Server 2008. It is available if you have the AD DS or Active Directory Lightweight Directory Services (AD LDS) server role installed. To use ldifde, you must run the ldifde command from an elevated command prompt. To open an elevated command prompt, click Start, right-click Command Prompt, and then click Run as administrator.

For examples of how to use this command, see Examples.

Syntax

Ldifde [-i] [-f <FileName>] [-s <ServerName>] [-c <String1> <String2>] [-v] [-j <Path>] [-t <PortNumber>] [-d <BaseDN>] [-r <LDAPFilter>] [-p <Scope>] [-l <LDAPAttributeList>] [-o <LDAPAttributeList>] [-g] [-m] [-n] [-k] [-a <UserDistinguishedName> <Password>] [-b <UserName> <Domain> <Password>] [-?]

Parameters

-s <ServerName>

Specifies the domain controller to perform the import or export operation. By default, ldifde runs on the domain controller on which ldifde is installed.

-c <String1> <String2>

Replaces all occurrences of <String1> with <String2>. Generally, you use this parameter when you import data from one domain to another and you must replace the distinguished name of the export domain (<String1>) with the distinguished name of the import domain (<String2>).

-v

Sets verbose mode.

-j <Path>

Sets the log file location. The default location is the current path.

-t <PortNumber>

Specifies a Lightweight Directory Access Protocol (LDAP) port number. The default LDAP port number is 389. The global catalog port number is 3268.

-d <BaseDN>

Sets the distinguished name of the search base for data export.

-r <LDAPFilter>

Creates an LDAP search filter for data export. For example, to export all users with a surname that you specify, you can use the following filter:

-r "(&(objectClass=User)(sn=Surname))"

-p <Scope>

Sets the search scope. The search scope options are Base, OneLevel, or SubTree.

-l <LDAPAttributeList>

Sets the list of attributes to return in the results of an export query. If you do not specify this parameter, the search returns all attributes.

-o <LDAPAttributeList>

Sets the list of attributes to omit from the results of an export query. This is typically used when exporting objects from AD DS and then importing them into another LDAP-compliant directory. If attributes are not supported by another directory, you can omit the attributes from the result set using this option.

-g

Omits paged searches.

-m

Omits attributes that apply only to Active Directory objects, such as the ObjectGUID, objectSID, pwdLastSet and samAccountType attributes.

-n

Omits the export of binary values.

-k

Ignores errors during an import operation and continues processing. This parameter ignores all of the following errors:

  • The object is already a member of the group

  • The operation has an object class violation

    This violation means that the specified object class does not exist, if the object being imported has no other attributes.

  • The object already exists

  • The operation has a constraint violation

  • The attribute or value already exists

  • The operation found no such object

-a <UserDistinguishedName> <Password>

Sets the command to run using the distinguished name (<UserDistinguishedName>) and password (<Password>) that you supply. By default, the command uses the credentials of the user who is currently logged on to the network.

-b <UserName> <Domain> <Password>

Sets the command to run using the supplied <UserName>, <Domain>, and <Password>. By default, the command will run using the credentials of the user currently logged on to the network.

-?

Displays help at the command menu.
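Because -a and -b take the password as a command-line argument, it appears wherever process command lines are recorded. The following added example (not part of the original documentation) parses an ldifde command line using the switch arities from the Syntax line, reports import or export mode, and masks the password before the line is stored or shared. The name `parse_ldifde`, the sample commands, and the export-unless-`-i` rule are assumptions of this example.

```python
import shlex

# Values consumed by each switch, taken from the Syntax line on this page.
ARITY = {"-i": 0, "-f": 1, "-s": 1, "-c": 2, "-v": 0, "-j": 1, "-t": 1,
         "-d": 1, "-r": 1, "-p": 1, "-l": 1, "-o": 1, "-g": 0, "-m": 0,
         "-n": 0, "-k": 0, "-a": 2, "-b": 3, "-?": 0}
# Position of <Password> among the values of the two credential switches.
PASSWORD_INDEX = {"-a": 1, "-b": 2}

# Constructed sample command lines (not taken from any real log).
SAMPLE_COMMANDS = [
    r"ldifde -d dc=fabrikam,dc=com -r (objectClass=User) -o whenCreated,objectGUID -f ldifde.txt",
    r"C:\Windows\System32\ldifde.exe -i -k -f users.ldf -s DC01 -b svc-import FABRIKAM ExamplePassw0rd",
]


def parse_ldifde(cmdline):
    """Return (mode, options, redacted_command) for one ldifde command line."""
    tokens = shlex.split(cmdline, posix=False)  # keep backslashes and quotes as typed
    image = tokens[0].lower().rsplit("\\", 1)[-1] if tokens else ""
    if image not in ("ldifde", "ldifde.exe"):
        raise ValueError("not an ldifde command line")
    options, redacted, i = {}, [tokens[0]], 1
    while i < len(tokens):
        switch = tokens[i].lower()
        count = ARITY.get(switch)
        if count is None:  # not a switch from the Syntax line: keep it, flag it
            options.setdefault("unparsed", []).append(tokens[i])
            redacted.append(tokens[i])
            i += 1
            continue
        shown = tokens[i + 1:i + 1 + count]
        if switch in PASSWORD_INDEX and len(shown) > PASSWORD_INDEX[switch]:
            shown[PASSWORD_INDEX[switch]] = "<redacted>"
        options[switch] = shown
        redacted.extend([tokens[i]] + shown)
        i += 1 + count
    # Assumption: ldifde exports unless -i is given (this page does not describe -i).
    mode = "import" if "-i" in options else "export"
    return mode, options, " ".join(redacted)


if __name__ == "__main__":
    for line in SAMPLE_COMMANDS:
        mode, options, safe = parse_ldifde(line)
        print(mode, sorted(k for k in options if k != "unparsed"), safe)
```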

Remarks

  • When you create the import file to use with the ldifde command, use a changeType value to define the type of changes that the import file will contain. The following table shows the changeType values that you can use.

    The following example shows an LDAP Data Interchange Format (LDIF) import file format that uses the add value.

    DN: CN=SampleUser,DC=DomainName
    changetype: add
    CN: SampleUser
    description: DescriptionOfFile
    objectClass: User
    sAMAccountName: SampleUser
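One way to review an import file before passing it to ldifde -i, as an added example that is not part of the original documentation: it lists each record's DN and changetype, handling comments, folded lines, and base64 (`::`) values. The first record is the sample above; the other two records, the function name `review`, and the `delete` and `modify` values (standard LDIF, not listed on this page) are assumptions of the example.

```python
import base64
import re

# First record: the sample import file from this page. The other two records are
# constructed: a folded DN with changetype delete, and a base64 DN with modify.
B64_DN = base64.b64encode(b"CN=B64User,DC=DomainName").decode("ascii")
SAMPLE_LDIF = f"""\
DN: CN=SampleUser,DC=DomainName
changetype: add
CN: SampleUser
description: DescriptionOfFile
objectClass: User
sAMAccountName: SampleUser

# constructed record
dn: CN=OldUser,OU=Staff,
 DC=DomainName
changetype: delete

dn:: {B64_DN}
changetype: modify
replace: description
description: updated
-
"""


def review(text):
    """Return [(dn, changetype)] for every record in an LDIF import file."""
    text = re.sub(r"(?m)^[ \t]+$", "", text)   # whitespace-only lines end a record
    text = re.sub(r"\r?\n ", "", text)         # unfold: continuations start with a space
    records = []
    for block in re.split(r"\n\s*\n", text):
        fields = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue                       # comment, or the "-" that ends a modify op
            name, _, value = line.partition(":")
            if value.startswith(":"):          # "attr:: value" is base64-encoded
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            fields.setdefault(name.strip().lower(), value.strip())
        if "dn" in fields:
            records.append((fields["dn"], fields.get("changetype", "(none)").lower()))
    return records


if __name__ == "__main__":
    for dn, kind in review(SAMPLE_LDIF):
        print(f"{kind:8} {dn}")
```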
    

Examples

To retrieve only the distinguished name, common name, first name, surname, and telephone number for user objects in the fabrikam.com domain to a file named ldifde.txt in the c:\ldifde folder, run the following command:

Ldifde -d dc=fabrikam,dc=com -r (objectClass=User) -l distinguishedname,cn,givenname,sn,telephoneNumber -f ldifde.txt

To selectively omit the object creation date and time and the object globally unique identifier (GUID), run the following command:

Ldifde -d dc=fabrikam,dc=com -r (objectClass=User) -o whenCreated,objectGUID -f ldifde.txt

For more examples, see the following resources:

  • Article 237677 (https://go.microsoft.com/fwlink/?LinkID=87487) in the Microsoft Knowledge Base

  • Article 555636 (https://go.microsoft.com/fwlink/?LinkId=187670) in the Microsoft Knowledge Base

Additional references

  • Command-Line Syntax Key

  • LDIFDE

  • Import or Export Directory Objects Using Ldifde