Import the User Classes Supplied with AD LDS

Applies To: Windows Server 2008

To create users in Active Directory Lightweight Directory Services (AD LDS), you must either import the optional user classes that are provided with AD LDS into the AD LDS schema or supply your own user definition objects. These user classes are provided in importable .ldf files, which you can find in the directory %windir%\adam on the computer where AD LDS is installed. The following table describes the contents of each of the optional .ldf files and when to import it.

MS-ADAM-DisplaySpecifiers-0409.LDF
  User classes: Not applicable
  Import this file if: You want to use an Active Directory snap-in (such as Active Directory Sites and Services) with AD LDS.

MS-AdamSyncMetadata.LDF
  User classes: Not applicable
  Import this file if: You want to use adamsync to synchronize AD LDS with Active Directory Domain Services (AD DS).

MS-AZMan.LDF
  User classes: Not applicable
  Import this file if: You want to use Windows Authorization Manager with AD LDS.

MS-InetOrgPerson.LDF
  User classes:
    • Person
    • Organizational-Person
    • User
    • inetOrgPerson
  Import this file if: You want to create user objects in the AD LDS directory, and you want to create users of the InetOrgPerson class (as defined in RFC 2798). MS-InetOrgPerson.LDF is a sample file that you can modify to meet your particular requirements.

MS-User.LDF
  User classes:
    • Person
    • Organizational-Person
    • User
  Import this file if: You want to create user objects in the AD LDS directory, but you do not want to create users of the InetOrgPerson class (as defined in RFC 2798). MS-User.LDF is a sample file that you can modify to meet your particular requirements.

MS-UserProxy.LDF
  User classes:
    • User-Proxy
  Import this file if: You want to create simple proxy objects in AD LDS for use in bind redirection. MS-UserProxy.LDF is a sample file that you can modify to meet your particular requirements.

MS-UserProxyFull.LDF
  User classes:
    • User-Proxy-Full
  Import this file if: You want to create complete proxy objects in AD LDS for use in bind redirection. To use this file, you must also import MS-InetOrgPerson.LDF or MS-User.LDF. MS-UserProxyFull.LDF is a sample file that you can modify to meet your particular requirements.

Membership in the Administrators group of the AD LDS instance is the minimum required to complete this procedure. By default, the security principal that you specify as the AD LDS administrator during AD LDS setup becomes a member of the Administrators group in the configuration partition. For more information about AD LDS groups, see Introduction to Administering Authentication and Access Control.

To import the user classes that are supplied with AD LDS

  1. To open a command prompt, click Start, right-click Command Prompt, and select Run as Administrator.

  2. At the command prompt, type the following command, and then press ENTER:

    ldifde -i -f %windir%\adam\<filename> -s <computername>:<port> [-b <username> <domain> <password>] -k -j . -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext

    where filename represents the name of one of the .ldf files that is supplied with AD LDS, computername:port represents the computer name and port number of an AD LDS instance, and username domain password represents the account with which to run the command.

    When you run this command, you should see results similar to the following:

    Connecting to "localhost"
    Logging in as current user using SSPI
    Importing directory from file "ms-user.ldf"
    Loading entries................................
    65 entries modified successfully.
    
    The command has completed successfully
    
Parameter   Description

  -i        Performs an import.
  -f        Specifies the file to import or export.
  -s        Specifies the host name and port of the AD LDS instance.
  -b        Specifies the security credentials to use during the operation.
  -k        Continues the operation in the event of errors.
  -j        Creates a log file in the specified directory, in this case, the current (".") directory.
  -c "CN=Schema,CN=Configuration,DC=X" #schemaNamingContext
            Do not modify this string.

The -c parameter replaces a specified string in the .ldf file with a different string during import. The distinguished name that is specified in the .ldf file (for example, CN=Schema,CN=Configuration,DC=X) is replaced with the distinguished name of the schema directory partition for your particular AD LDS instance, as passed by the #schemaNamingContext constant.

Replace ...                 With ...

  computername:port         The host name and port number of your AD LDS instance. You can use localhost for computername if you are administering the local computer.
  username domain password  The account, domain, and password of an account that is being used as an AD LDS administrator account.

To view the complete syntax for this command, and for information about entering user account information, at a command prompt, type ldifde /? and then press ENTER.

Note

As an alternative to using ldifde, you can import the optional AD LDS user classes during AD LDS setup.
If you do not specify user credentials using the -b parameter, ldifde uses the credentials of the currently logged on user.
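The following PowerShell script is an added example, not part of the original page: it runs the ldifde import from the procedure above and then confirms that the classes listed for the chosen .ldf file really exist in the instance's schema partition, since -k lets ldifde report success past individual errors. It assumes the instance listens on localhost:50000 (a placeholder port) and that the caller is already an AD LDS administrator, so -b is omitted and ldifde binds with the current credentials via SSPI.

```powershell
# Added example (not from the original page): import one of the supplied .ldf files
# and verify the result against the live schema.
# Assumptions: localhost:50000 is a placeholder port; the caller is an AD LDS
# administrator, so -b is omitted and ldifde uses SSPI with the current credentials
# (no password on the command line).
param(
    [string]   $Server  = 'localhost:50000',                          # computername:port (assumed)
    [string]   $LdfFile = 'MS-User.LDF',                              # one of the supplied .ldf files
    [string[]] $Classes = @('Person', 'Organizational-Person', 'User') # cn of the classes that file adds
)

$ldfPath = Join-Path $env:windir "adam\$LdfFile"
if (-not (Test-Path $ldfPath)) { throw "LDF file not found: $ldfPath" }

# Keep the ldifde log out of the current directory so it is easy to find and clean up.
$logDir = Join-Path $env:TEMP 'adlds-schema-import'
New-Item -ItemType Directory -Force -Path $logDir | Out-Null

# Same command as in the procedure. -c rewrites the placeholder DN in the file to this
# instance's real schema partition; -k continues past errors such as an entry that
# already exists, which is why the import is verified separately below.
& ldifde -i -f $ldfPath -s $Server -k -j $logDir -c 'CN=Schema,CN=Configuration,DC=X' '#schemaNamingContext'
if ($LASTEXITCODE -ne 0) {
    throw "ldifde exited with code $LASTEXITCODE; check the log files in $logDir"
}

# Verification: read schemaNamingContext from RootDSE (the value that #schemaNamingContext
# expanded to) and search that partition for each expected classSchema object by cn.
$rootDse  = [ADSI]"LDAP://$Server/RootDSE"
$schemaNC = [string] $rootDse.schemaNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://$Server/$schemaNC"

$missing = foreach ($cn in $Classes) {
    $searcher.Filter = "(&(objectClass=classSchema)(cn=$cn))"
    if ($null -eq $searcher.FindOne()) { $cn }
}
if ($missing) {
    throw "Import reported success but these classes are absent from ${schemaNC}: $($missing -join ', ')"
}
"Imported $LdfFile into $Server; schema now contains: $($Classes -join ', ')"
```

Run it from an elevated PowerShell prompt on the AD LDS host; pass -LdfFile and -Classes to check a different file, for example MS-InetOrgPerson.LDF with inetOrgPerson added to the list.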