gjeff80
posted this
16 November 2018
Hi Brian –
I have not had any success today trying to get this to work; I spent most of the day trying to get the PowerShell option to work, but that didn't export all the attributes.
Here is the command I’m running to generate the export along with what a single export entry looks like for a user.
ldifde -f apexportuser.ldf -s tamans-dc01 -d "ou=ap,dc=thcg,dc=net" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "objectclass,dn,cn,sn,c,l,st,title,description,postalCode,physicalDeliveryOfficeName,telephoneNumber,givenName,initials,displayName,co,US,department,company,proxyAddresses,streetAddress,directReports,employeeNumber,name,userAccountControl,countryCode,employeeID,sAMAccountName,division,userPrincipalName,mail,manager,mobile,extensionAttribute8,extensionAttribute9,mdtEmployeeNumber,mdtUid,mailNickname,extensionAttribute1,mdtDirectoryKeyI,targetAddress,extensionAttribute6,extensionAttribute7,officephone,buildingname"
Here is a section from the export file, I have replaced any specific information with XXX:
dn: CN=XXXC=OLDDOMAIN,DC=net
changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: XXX, XXX
sn: XXX
c: JP
l: XXX
title: XXX
description: XXX
postalCode: XXX
physicalDeliveryOfficeName:: IA==
telephoneNumber: XXX
givenName: XXX
displayName: XXXe
co: Japan
department: XXX
company: XXX
proxyAddresses: SIP:XXX
proxyAddresses: smtp:XXX
proxyAddresses: SMTP:XXX
proxyAddresses: x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=e02f42bd5f37413b9ec0f656b35c7ade-Amagai, Yos
proxyAddresses: XXX
proxyAddresses: XXX
streetAddress: XXX
employeeNumber: XXX
name: XXX
userAccountControl: 512
countryCode: 392
employeeID: XXX
sAMAccountName: XXX
division: XXX
userPrincipalName: XXX
mail: XXX
manager: CN=XXX,DC=OLDDOMAINNAME,DC=net
mobile: XXX
extensionAttribute9: XXX
mdtEmployeeNumber: XXX
mdtUid: XXX
mailNickname: XXX
extensionAttribute1: XXX
mdtDirectoryKeyI: XXX
extensionAttribute6: XXX
extensionAttribute7: XXX
Any thoughts would be greatly appreciated!

From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx>
On Behalf Of Brian Arkills
Sent: Friday, November 16, 2018 11:05 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: [EXTERNAL] RE: [ActiveDir] Exporting/Importing objects from one domain to another
That error says to me that you are trying to set the value of an attribute that no user (regardless of permission) is allowed to set, in other words attributes that AD itself maintains. These are sometimes called operational attributes.
A clear example of an operational attribute would be lastLogonTimestamp, but there are a lot when you start to think about it, e.g. whenChanged, whenCreated, etc. It’d be easy to overlook one.
If that doesn't immediately help you spot the issue, I'd suggest you share with us an example user from your LDIF, and if you need to maintain privacy, change the values. We might be able to spot the attribute you shouldn't be trying to set.
It's been a while since I did anything with LDIF files, but you are likely to have more than just user objects in your LDIF file. So looking only at users may not cover all the possible sources.
Brian
From: ActiveDir-owner@xxxxxxxxxxxxxxxx <ActiveDir-owner@xxxxxxxxxxxxxxxx>
On Behalf Of Jefferson, Glenn
Sent: Friday, November 16, 2018 6:23 AM
To: ActiveDir@xxxxxxxxxxxxxxxx
Subject: [ActiveDir] Exporting/Importing objects from one domain to another
Happy Friday everyone! I was wondering if anyone had some ideas here for me. I have what I thought should have been a simple task, which has turned into a challenge. Basically, I want to take a production domain we have and clone all user/group objects from that to a staging instance. I was expecting to be able to do this easily with csvde or ldifde, but I keep getting the following error even after stripping all the non-importable attributes: (The server side error is: 0x209a Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).)
I have gone through the steps to export/compare/analyze/import the schema and all attributes match between the two forests.
My goal is basically to bring over all populated user attributes that are not domain specific, as well as bringing over all group objects and their non-domain-specific attributes. I've walked through many documents online that cover this and can't get it to work. I export from the source excluding the necessary domain-specific attributes, massage the data (update domain DN references etc.) and then attempt an import, and I get errors. I'm excluding all the documented non-importable attributes as well and it still fails.
Any ideas would be greatly appreciated; there is no trust in place, so migration tools are not an option, and this is just a one-time load I am trying to do at this point. Any thoughts/recommendations people would have would be great.