Exporting/Importing objects from one domain to another

  • Last Post 19 November 2018
gjeff80 posted this 16 November 2018

Happy Friday everyone! I was wondering if anyone had some ideas here for me. I have what I thought should have been a simple task which has turned into a challenge. Basically, I want to take a production domain we have and clone all user/group objects from that to a staging instance. I was expecting to be able to do this easily with csvde or ldifde, but I keep getting the following error even after stripping all the non-importable attributes. (The server side error is: 0x209a Access to the attribute is not permitted because the attribute is owned by the Security Accounts Manager (SAM).) I have gone through the steps to export/compare/analyze/import the schema and all attributes match between the two forests. My goal is basically to bring over all populated user attributes that are not domain specific, as well as bringing over all group objects and their non domain specific attributes. I've walked through many documents online that cover this and can't get it to work. I export from the source excluding the necessary domain specific attributes, massage the data (update domain DN references etc.) and then attempt an import, and I get errors. I'm excluding all the documented non-importable attributes as well and it still fails. Any ideas would be greatly appreciated; there is no trust in place, so migration tools are not an option, and this is just a one time load I am trying to do at this point. Any thoughts/recommendations people would have would be great.

pbbergs posted this 16 November 2018

Have a look at, this might help.

Thank You

Paul Bergson

barkills posted this 16 November 2018

That error says to me that you are trying to set the value of an attribute that no user (regardless of permission) is allowed to set, in other words attributes that AD itself maintains. These are sometimes called operational attributes.

A clear example of an operational attribute would be lastLogonTimestamp, but there are a lot when you start to think about it, e.g. whenChanged, whenCreated, etc. It’d be easy to overlook one.


If that doesn't immediately help you spot the issue, I'd suggest you share with us an example user from your LDIF, and if you need to maintain privacy, change the values. We might be able to spot the attribute you shouldn't be trying to

It's been awhile since I did anything with LDIF files, but you are likely to have more than just user objects in your LDIF file. So looking only at users may not cover all the possible sources.





gjeff80 posted this 16 November 2018

Hi Paul –


This would have worked out great however it only exports/imports a few attributes.  I would like to get all of the attributes over.





gjeff80 posted this 16 November 2018

Hi Brian –


I have not had any success today trying to get this to work. I spent most of the day trying to get the PowerShell option to work, but that didn't export all the attributes.


Here is the command I’m running to generate the export along with what a single export entry looks like for a user.


ldifde -f apexportuser.ldf -s tamans-dc01 -d "ou=ap,dc=thcg,dc=net" -p subtree -r "(&(objectCategory=person)(objectClass=User)(givenname=*))" -l "objectclass,dn,cn,sn,c,l,st,title,description,postalCode,physicalDeliveryOfficeName,telephoneNumber,givenName,initials,displayName,co,US,department,company,proxyAddresses,streetAddress,directReports,employeeNumber,name,userAccountControl,countryCode,employeeID,sAMAccountName,division,userPrincipalName,mail,manager,mobile,extensionAttribute8,extensionAttribute9,mdtEmployeeNumber,mdtUid,mailNickname,extensionAttribute1,mdtDirectoryKeyI,targetAddress,extensionAttribute6,extensionAttribute7,officephone,buildingname"


Here is a section from the export file; I have replaced any specific information with XXX:

changetype: add
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: XXX, XXX
sn: XXX
c: JP
l: XXX
title: XXX
description: XXX
postalCode: XXX
physicalDeliveryOfficeName:: IA==
telephoneNumber: XXX
givenName: XXX
displayName: XXXe
co: Japan
department: XXX
company: XXX
proxyAddresses: SIP:XXX
proxyAddresses: smtp:XXX
proxyAddresses: SMTP:XXX
 x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Rec
 ipients/cn=e02f42bd5f37413b9ec0f656b35c7ade-Amagai, Yos
proxyAddresses: XXX
proxyAddresses: XXX
streetAddress: XXX
employeeNumber: XXX
name: XXX
userAccountControl: 512
countryCode: 392
employeeID: XXX
sAMAccountName: XXX
division: XXX
userPrincipalName: XXX
mail: XXX
mobile: XXX
extensionAttribute9: XXX
mdtEmployeeNumber: XXX
mdtUid: XXX
mailNickname: XXX
extensionAttribute1: XXX
mdtDirectoryKeyI: XXX
extensionAttribute6: XXX
extensionAttribute7: XXX


Any thoughts would be greatly appreciated!



barkills posted this 16 November 2018

directReports is a back-link attribute, and you can't set it. It is paired with the manager attribute. When manager is set, AD determines all the objects which have a manager attribute that points at a given user, and this is the resulting value of directReports.


It's also worth noting that you are likely to have timing issues with setting the manager attribute value. If userB is the manager of userA, but userB hasn't yet been imported, then you can't set userB as the manager of userA yet.





gjeff80 posted this 17 November 2018

Hi Brian –


I was thinking about that and I actually was going to drop the manager attribute. I was thinking that really you almost have to do a run once without manager being populated and then another run with manager being populated, because all the back-linked objects are populated.
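The approach the thread converges on, written out as one added Python script (not from the thread, not from ldifde or any Microsoft tool): parse an ldifde export, drop the attributes AD maintains itself (back-links such as directReports, operational attributes such as whenCreated and lastLogonTimestamp, SAM-owned values such as objectSid), rewrite DN suffixes from the source domain to the target, and split the load into a first pass of add records without manager and a second pass of modify records that sets manager once every object exists. The attribute lists are illustrative, and the sample records, names and domain suffixes are constructed; the script only rewrites LDIF text and never talks to a directory.

```python
"""Prepare an ldifde export for import into a different forest: drop attributes
AD maintains itself, rewrite DN suffixes, defer manager to a second pass.
Added example; attribute lists and sample data are constructed, not from AD."""
import re

# Back-links (computed from a forward link) and operational/SAM-owned attributes
# cannot be supplied in an LDIF add. Illustrative, lower-cased; extend from your schema.
BACK_LINKS = {"directreports", "memberof", "managedobjects"}
OPERATIONAL = {"whencreated", "whenchanged", "usncreated", "usnchanged",
               "lastlogon", "lastlogontimestamp", "logoncount", "badpwdcount",
               "objectguid", "objectsid", "samaccounttype", "distinguishedname",
               "dscorepropagationdata"}
# Forward links whose target object may not exist yet during the first pass.
DEFERRED = {"manager"}


def unfold(text):
    """Join RFC 2849 folded lines: a leading single space continues the previous line."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    return lines


def parse_ldif(text):
    """Parse LDIF text into records, each a list of (attr, value, is_base64)."""
    records, current = [], []
    for line in unfold(text) + [""]:          # trailing "" flushes the last record
        if not line.strip():
            if current:
                records.append(current)
                current = []
            continue
        if line.startswith("#"):
            continue
        m = re.match(r"^([^:]+)(::?) ?(.*)$", line)
        if not m:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, sep, value = m.groups()
        current.append((attr, value, sep == "::"))
    return records


def rewrite_dn(value, src_suffix, dst_suffix):
    """Replace the source domain suffix with the target one, case-insensitively."""
    return re.sub(re.escape(src_suffix), lambda _: dst_suffix, value, flags=re.IGNORECASE)


def fmt(attr, value, is_b64):
    return f"{attr}:: {value}" if is_b64 else f"{attr}: {value}"


def split_passes(records, src_suffix, dst_suffix):
    """Return (pass1_ldif, pass2_ldif, dropped_counts): pass 1 adds objects without
    back-links, operational attributes or deferred links; pass 2 sets the deferred links."""
    add_out, mod_out, dropped = [], [], {}
    for rec in records:
        dn = next((v for a, v, _ in rec if a.lower() == "dn"), None)
        if dn is None:
            continue                          # nothing can be imported without a dn
        dn = rewrite_dn(dn, src_suffix, dst_suffix)
        add_lines, deferred = [f"dn: {dn}", "changetype: add"], []
        for attr, value, is_b64 in rec:
            key = attr.lower()
            if key in ("dn", "changetype"):
                continue
            if key in BACK_LINKS or key in OPERATIONAL:
                dropped[key] = dropped.get(key, 0) + 1
                continue
            if not is_b64:                    # base64 values may be binary: leave them
                value = rewrite_dn(value, src_suffix, dst_suffix)
            if key in DEFERRED:
                deferred.append((attr, value, is_b64))
            else:
                add_lines.append(fmt(attr, value, is_b64))
        add_out.append("\n".join(add_lines))
        for attr, value, is_b64 in deferred:
            mod_out.append("\n".join([f"dn: {dn}", "changetype: modify",
                                      f"replace: {attr}", fmt(attr, value, is_b64), "-"]))
    return "\n\n".join(add_out) + "\n", "\n\n".join(mod_out) + "\n", dropped


# Constructed sample in the layout of an ldifde export: two made-up users in a
# made-up source domain; Bob's manager is Alice, so Alice carries the back-link.
SAMPLE = """\
dn: CN=Alice Example,OU=ap,DC=corp,DC=example
changetype: add
objectClass: user
cn: Alice Example
sAMAccountName: alice
physicalDeliveryOfficeName:: IA==
proxyAddresses: x500:/o=ExchangeLabs/ou=Exchange Administrative Group (FYDIBOHF23
 SPDLT)/cn=Recipients/cn=alice
directReports: CN=Bob Example,OU=ap,DC=corp,DC=example
whenCreated: 20181116120000.0Z
userAccountControl: 512

dn: CN=Bob Example,OU=ap,DC=corp,DC=example
changetype: add
objectClass: user
cn: Bob Example
sAMAccountName: bob
manager: CN=Alice Example,OU=ap,DC=corp,DC=example
userAccountControl: 512
"""


def demo():
    return split_passes(parse_ldif(SAMPLE), "DC=corp,DC=example", "DC=stage,DC=example")


if __name__ == "__main__":
    pass1, pass2, dropped = demo()
    print("# pass1.ldf\n" + pass1 + "\n# pass2.ldf\n" + pass2 + "\ndropped:", dropped)
```

Load pass1.ldf into the target with ldifde -i -f pass1.ldf -s <target DC>, and pass2.ldf the same way afterwards. The dropped counts tell you which attribute the import rejected before you run it. For groups, member is the forward link of memberOf and needs the same deferral, and userPrincipalName suffixes are not DNs, so they need their own rewrite.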



Anthony.Vandenbossche posted this 19 November 2018

Hi Paul,


Would Microsoft Identity Manager be a solution for you? The synchronization service can be used freely and can keep the two environments in sync.