JSI Tip 3310. How can I modify the Active Directory schema in batch?

Microsoft has written a Knowledge Base article on how to use the Ldifde utility to modify the schema. I have made some modification and and include it here for your enlightenment.

NOTE: See tip 2645 » Schema Administrator requires new registry value name to enable a write operation to the schema?

WARNING: Use extreme caution when you make any changes to the Active Directory schema. Changes are propagated forest-wide, and objects and attributes that are added to the schema cannot be removed.

NOTE: See tip 2003 » Backup/Restore the System State on your Windows 2000 server.
              and tip 2500 » Backup the Registry and Sytem State in batch, without a backup device.

When you use the Ldifde utility, the text file that you use must be in a certain format so that Windows 2000 can correctly process the file. To modify attribute values for existing schema classes, use the following general format:

dn: distinguished_name_of_the_object_you_want_to_modify
changetype: modify
replace: attribute_whose_value_you_want_to_replace
attribute_whose_value_you_want_to_replace: newvalue1
attribute_whose_value_you_want_to_replace: newvalue2
add: attribute_to_which_you_want_to_add_a_new_value
attribute_whose_value_you_want_to_add_a_new_value_to: newvalue3
delete: attribute_from_which_you_want_to_delete_a_value
attribute_from_which_you_want_to_delete_a_value: value_to_be_deleted
The text file can contain multiple sections of each operation type (or no section at all for a type of operation, if there is no need to perform an operation of that type), and you can place the sections in any order in the text file. This example replaces the value of one attribute with two values, adds a new value to another attribute, and deletes a specific value from yet another attribute.

NOTE: The hyphen ( -) at the end of the file and the hyphens that separate the sections are required.

For example, to add the healthcarerole attribute value as an optional type of property ( mayContain) to the companyorgperson schema class, create a text file named Modify.ldf that contains the following information:
dn: CN=companyorgperson,CN=Schema,CN=Configuration,DC=company,DC=com
changetype: modify
add: mayContain
mayContain: healthcarerole
To import the information that is in the Modify.ldf file, type the following command at a command prompt:
ldifde -i -f modify.ldf
The Ldifde utility modifies the attributes as specified in the Modify.ldf file.

For additional information about LDAP Data Interchange Format (LDIF), see Request for Comments (RFC) 2849, which defines the grammar for LDIF files.

NOTE: The Ldifde utility does not support the "control:" keyword from RFC 2849.

For additional information about the Active Directory schema and LDIF, see chapter 4 of the Microsoft Windows 2000 Server Distributed Systems Guide, which is part of the Microsoft Windows 2000 Server Resource Kit.

For more information about the Ldifde utility, open a CMD prompt on a computer that is running Windows 2000 Server, and type:
ldifde /?

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.