Ldifde is a Windows command-line tool for importing and exporting AD objects. It ships as part of Windows Server and is available on any machine with Active Directory Domain Services (AD DS) or the Remote Server Administration Tools (RSAT) installed. It communicates directly with AD over LDAP, reading a structured text file called an LDIF file and translating its entries into directory operations (e.g., adds, modifications, and deletes).

Note: For simple bulk user creation where your data is in CSV, you can use Comma Separated Value Data Exchange (Csvde), which supports creating new AD objects without the need for an LDIF file.

What Ldifde is used for

You can use Ldifde in one of four situations.

Bulk user creation: If you're onboarding a large batch of users, Ldifde lets you prepare an LDIF file with all the required attributes and create hundreds of accounts in a single command. Unlike Csvde, Ldifde can also set most user attributes that CSV cannot represent cleanly, such as multi-valued attributes.

Bulk modification: Ldifde can update attributes on existing AD objects—something Csvde cannot do at all. With changetype: modify, you can add, replace, or delete individual attributes on any number of existing users, groups, or computers in one import run.

Custom schema extensions: Schema modifications in AD must be made in LDIF format. When applications like Exchange or SCCM extend the AD schema during installation, they do it by passing an LDIF file to Ldifde. Administrators extending the schema with custom attributes use Ldifde the same way.

Directory migration: When moving objects between AD domains or forests, Ldifde gives you a portable export you can inspect, edit, and then re-import against the target domain. The -c switch handles distinguished name translation between source and target paths, which is the most complex part of any cross-domain migration.

How Ldifde works

Ldifde handles three categories of operation: export, import, and modification. To use Ldifde effectively, you need to know which mode you are in and what LDIF file structure that mode requires.

Note: Ldifde strings are case sensitive on some builds. Ensure you match the casing shown in the examples below and in the parameters table.

Export: Running Ldifde -f output.ldf queries AD and writes all objects in the current domain to the specified file. You almost always want to restrict the scope with a filter (-r) and a search base (-d); otherwise the output file contains every object in the directory. The exported file is human-readable and can be edited before being re-imported.

Import (add): Running Ldifde -i -f input.ldf reads the file and creates new objects. Each entry must include a dn: line (the distinguished name), a changetype: add line, the objectClass attribute, and whatever other required attributes that object type demands. Missing required attributes cause the entry to fail silently unless you run with the -j log flag.

Sample LDIF file for user creation:

dn: CN=Elliot Joseph,OU=Finance,DC=admanagerplus,DC=com
changetype: add
objectClass: user
sAMAccountName: ejoseph
userPrincipalName: ejoseph@admanagerplus.com
givenName: Elliot
sn: Joseph
mail: ejoseph@admanagerplus.com

Sample Ldifde command:

Ldifde -i -f input.ldf -j C:\Logs
rem -i  import mode (write to AD)
rem -f  LDIF input file
rem -j  log directory; captures per-entry failures

Modify and delete: Modification and deletion entries use changetype: modify and changetype: delete respectively. Modify entries specify individual attribute operations (add:, replace:, delete:) and require a separator line (-) between each operation within the same entry.

Sample LDIF file for user modification:

dn: CN=Elliot Joseph,OU=Finance,DC=admanagerplus,DC=com
changetype: modify
replace: mail
mail: elliot.joseph@admanagerplus.com
-
add: telephoneNumber
telephoneNumber: +1 212 555 0199
-
delete: description
-

Sample Ldifde command:

Ldifde -i -f changes.ldf -j C:\Logs

Common commands in Ldifde

Here are the commands you'll use most often with Ldifde.

Export all objects in a domain:

Ldifde -f export.ldf

This exports every object in the current domain to a file called export.ldf.

Export a specific OU:

Ldifde -f users.ldf -d "OU=Sales,DC=admanagerplus,DC=com"

The -d flag sets the base distinguished name (DN) for the search. Only objects in that OU and its children are exported.

Filter by object class:

Ldifde -f users.ldf -r "(objectClass=user)"

The -r flag accepts an LDAP filter. This example exports only user objects.

Select specific attributes:

Ldifde -f users.ldf -l "sAMAccountName,displayName,mail,department"

The -l flag limits output to the listed attributes. Without it, Ldifde exports all attributes, including system-managed ones like objectGUID and objectSid that you cannot re-import directly.

Import from an LDIF file:

Ldifde -i -f newusers.ldf

The -i flag switches to import mode. Without it, Ldifde defaults to export.

Import against a specific domain controller:

Ldifde -i -f newusers.ldf -s dc01.admanagerplus.com

The -s flag points the command at a specific DC.

Migrate objects between domains:

Ldifde -i -f export.ldf -s dc01.newdomain.com -c "DC=olddomain,DC=com" "DC=newdomain,DC=com" -k

The -c flag replaces all occurrences of the source DN string with the target DN string. The -k flag continues past errors instead of stopping at the first failed entry.

Continue past errors:

Ldifde -i -f newusers.ldf -k -j C:\logs

The -k flag is useful when running large imports where some rows may already exist or have constraint violations. The -j flag writes a log to the specified directory.

Supported parameters for Ldifde

You can use the following parameters with Ldifde to fine-tune your AD import and export operations.

Note: Ldifde strings are case sensitive on some builds. Ensure you match the casing as mentioned in the table.

Flag                               Description
-i                                 Import mode (omit for export)
-f <filename>                      Specifies the LDIF file to read from or write to
-s <dcname>                        Target domain controller (defaults to the DC locator)
-b <username> <domain> <password>  Alternate credentials for the operation
-r <filter>                        LDAP filter to restrict export scope
-l <attributes>                    Comma-separated list of attributes to include in the export
-p <scope>                         Search scope: Base, OneLevel, or SubTree (default: SubTree)
-d <RootDN>                        Root distinguished name for the search base
-c <from> <to>                     String replacement: replaces every occurrence of <from> with <to> in all DNs (useful for cross-domain migrations)
-j <path>                          Writes a log file and an error file to the specified path
-k                                 Continues import even when non-fatal errors occur (skips failing entries)
-g                                 Disables paged search (use if the directory does not support paged results)
-n                                 Omits binary attributes from the export
-t <port>                          Specifies a non-default LDAP port
-u                                 Uses Unicode format for the output file
-v                                 Verbose output

LDIF file format

An LDIF file is a plain-text document where each entry is a block of colon-separated attribute-value pairs. Entries are separated by a blank line. Here is a minimal user creation entry:

dn: CN=Elliot Joseph,OU=Sales,DC=admanagerplus,DC=com
changetype: add
objectClass: user
sAMAccountName: ejoseph
userPrincipalName: ejoseph@admanagerplus.com
displayName: Elliot Joseph
givenName: Elliot
sn: Joseph
mail: ejoseph@admanagerplus.com

A few things to know about the LDIF file format:

  • Each entry must begin with a dn: (distinguished name) line.
  • The changetype: line must follow the DN and specifies the operation: add, modify, delete, or modrdn.
  • Attribute names and values are separated by a single colon and a space. Extra spaces will cause parse errors.
  • Entries must be separated by exactly one blank line. Missing or extra blank lines break the file structure.
  • Binary values (such as objectGUID or objectSid) are base64-encoded in export output. These attributes are system-managed and cannot be re-imported. They must be stripped from any export file before using it as an import source.
  • Multi-valued attributes are supported by repeating the attribute name on separate lines with different values.
  • Long values can be wrapped using a continuation line that begins with a single space character.
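The format rules above, plus the scrub of system-managed attributes that the creation workflow later on this page calls for, can be mechanized. The following is an added example, not code from this page or from ManageEngine: it parses an Ldifde export (unfolding continuation lines and recognising double-colon base64 values), drops the read-only attributes, and emits an import file with changetype: add after each dn. The export text is constructed sample data.

```python
import base64

# Read-only attributes that AD manages itself; drop them before re-import.
SYSTEM_MANAGED = {"objectguid", "objectsid", "whencreated", "whenchanged",
                  "usncreated", "usnchanged", "lastlogon", "memberof"}

# Constructed sample export (not real directory data): a base64 binary value,
# a long value folded onto a continuation line, and a memberOf backlink.
SAMPLE_EXPORT = """\
dn: CN=Elliot Joseph,OU=Sales,DC=admanagerplus,DC=com
objectClass: user
sAMAccountName: ejoseph
objectGUID:: AAAAAAAAAAAAAAAAAAAAAA==
description: Long text that was folded by the exporter across two lin
 es because it exceeded the width
memberOf: CN=Finance,OU=Groups,DC=admanagerplus,DC=com
"""

def parse_ldif(text):
    """Return entries as ordered lists of (attr, value, is_base64) tuples."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:   # leading space = continuation line
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], []
    for line in unfolded + [""]:                # the extra "" flushes the last entry
        if not line.strip():                    # blank line ends the entry
            if current:
                entries.append(current)
            current = []
            continue
        attr, sep, rest = line.partition(":")
        if not sep or not attr.strip():
            raise ValueError("malformed LDIF line: %r" % line)
        is_b64 = rest.startswith(":")           # 'attr:: <base64>' carries binary data
        value = (rest[1:] if is_b64 else rest).strip()
        if is_b64:
            base64.b64decode(value, validate=True)  # reject a corrupt encoding early
        current.append((attr, value, is_b64))
    return entries

def scrub_export(text):
    """Rewrite an export as an import file: drop system-managed attributes and
    put 'changetype: add' directly after each dn: line."""
    out = []
    for entry in parse_ldif(text):
        if entry[0][0].lower() != "dn":
            raise ValueError("entry does not start with a dn: line")
        kept = [t for t in entry if t[0].lower() not in SYSTEM_MANAGED | {"changetype"}]
        lines = [kept[0], ("changetype", "add", False)] + kept[1:]
        out.append("\n".join("%s:%s %s" % (a, ":" if b else "", v) for a, v, b in lines))
    return "\n\n".join(out) + "\n"
```

Long values are written back on a single line, which Ldifde accepts; diff the scrubbed output against the original export before importing it.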

How to use Ldifde to create users in Active Directory

The steps below cover a complete Ldifde bulk user creation workflow.

Step 1: Prepare your LDIF file

Create a text file with one entry per user like the one below:

dn: CN=Elliot Joseph,OU=Sales,DC=admanagerplus,DC=com
changetype: add
objectClass: user
sAMAccountName: ejoseph
userPrincipalName: ejoseph@admanagerplus.com
displayName: Elliot Joseph
givenName: Elliot
sn: Joseph
mail: ejoseph@admanagerplus.com

Save the file with the .ldf extension using UTF-8 encoding.

Step 2: Run a test export first

Before any import, export a sample of existing users from the target OU. This shows you the exact attribute format and DN structure Ldifde expects in your environment:

Ldifde -f sample.ldf -d "OU=Sales,DC=admanagerplus,DC=com" -r "(objectClass=user)" -l "sAMAccountName,displayName,givenName,sn,mail"

Open the output and compare it against your import file. Pay close attention to the DN format and attribute names.

Step 3: Strip system-managed attributes from the export

If you're using an export as the basis for an import, remove system-managed read-only attributes before re-importing.

Common attributes to remove include: objectGUID, objectSid, whenCreated, whenChanged, uSNCreated, uSNChanged, lastLogon, and memberOf.

Attempting to import these attributes will cause the operation to fail for those entries.

Step 4: Test with a single entry

Create a test LDIF file with one user and run it against a non-production OU or lab domain first:

Ldifde -i -f testuser.ldf

Confirm the object appears in Active Directory Users and Computers (ADUC) before scaling up.

Step 5: Run the full import

Run the import once you are satisfied the format is correct:

Ldifde -i -f allusers.ldf -j C:\logs

Ldifde outputs the number of entries processed and the number of errors. Review the log file in C:\logs for the specific DN of any failed entries.

Step 6: Set passwords and enable accounts

Every user created by Ldifde is disabled by default with no password set. You can set passwords in a second Ldifde import pass using a changetype: modify entry with the unicodePwd attribute. The connection must use SSL/TLS (port 636). The value must be the password wrapped in double quotation marks, encoded as UTF-16LE and then base64-encoded; because the value is base64, the LDIF line uses a double colon (unicodePwd::). For example, the encoded value of "newPassword" (including the quotation marks) is IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=

dn: CN=Elliot Joseph,OU=Sales,DC=admanagerplus,DC=com
changetype: modify
replace: unicodePwd
unicodePwd:: IgBuAGUAdwBQAGEAcwBzAHcAbwByAGQAIgA=
-

Run the password import with the -t 636 flag to use SSL/TLS:

Ldifde -i -f setpasswords.ldf -t 636 -s dc01.admanagerplus.com -b adminuser admanagerplus adminpassword

Note: If you want users to change their password at first logon, set the ChangePasswordAtLogon attribute to true in the same script.
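The two-pass workflow above (create the accounts, then set passwords over LDAPS) is easier to get right when the LDIF is generated rather than typed. The following is an added example, not code from this page or from ManageEngine: it builds the creation file and the password file from a list of user records, encoding unicodePwd exactly as described. The user records and passwords are constructed; the DN layout CN=<givenName> <sn>,<OU> and the enable step via userAccountControl 512 (a normal, enabled account) are assumptions, not something the page specifies.

```python
import base64

# Constructed user records (not real accounts). The DN is assumed to be
# CN=<givenName> <sn>,<ou>, matching the page's samples.
OU = "OU=Sales,DC=admanagerplus,DC=com"
USERS = [
    {"givenName": "Elliot", "sn": "Joseph", "sAMAccountName": "ejoseph", "domain": "admanagerplus.com"},
    {"givenName": "Maria", "sn": "Lind", "sAMAccountName": "mlind", "domain": "admanagerplus.com"},
]

def user_dn(user, ou=OU):
    return "CN=%s %s,%s" % (user["givenName"], user["sn"], ou)

def add_entry(user, ou=OU):
    """Pass 1: a changetype: add block with the attributes the page's sample uses."""
    upn = "%s@%s" % (user["sAMAccountName"], user["domain"])
    attrs = [("dn", user_dn(user, ou)), ("changetype", "add"), ("objectClass", "user"),
             ("sAMAccountName", user["sAMAccountName"]), ("userPrincipalName", upn),
             ("displayName", "%s %s" % (user["givenName"], user["sn"])),
             ("givenName", user["givenName"]), ("sn", user["sn"]), ("mail", upn)]
    return "\n".join("%s: %s" % kv for kv in attrs)

def encode_unicode_pwd(password):
    """unicodePwd is the password wrapped in double quotes, encoded UTF-16LE;
    in LDIF that binary value is base64-encoded after a double colon."""
    return base64.b64encode(('"%s"' % password).encode("utf-16-le")).decode("ascii")

def password_entry(dn, password, enable=True):
    """Pass 2: a changetype: modify block that sets unicodePwd (import with -t 636).
    The enable step is assumed to be userAccountControl 512 (normal, enabled account)."""
    mods = ["replace: unicodePwd", "unicodePwd:: %s" % encode_unicode_pwd(password), "-"]
    if enable:
        mods += ["replace: userAccountControl", "userAccountControl: 512", "-"]
    return "\n".join(["dn: %s" % dn, "changetype: modify"] + mods)

def build_ldif(blocks):
    """Join entry blocks with exactly one blank line between them."""
    return "\n\n".join(blocks) + "\n"

if __name__ == "__main__":
    # Constructed initial passwords keyed by sAMAccountName; the output file is a secret.
    passwords = {"ejoseph": "newPassword", "mlind": "Ch4nge-Me-Now!"}
    with open("allusers.ldf", "w", encoding="utf-8") as f:
        f.write(build_ldif([add_entry(u) for u in USERS]))
    with open("setpasswords.ldf", "w", encoding="utf-8") as f:
        f.write(build_ldif([password_entry(user_dn(u), passwords[u["sAMAccountName"]]) for u in USERS]))
```

Delete setpasswords.ldf once the import succeeds, since it holds every initial password in a trivially decodable form.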

Limitations of Ldifde

Ldifde can handle bulk AD operations as efficiently as PowerShell without extensive scripting, but it has constraints that affect most production workflows.

Passwords cannot be set when creating user accounts: Ldifde can modify the unicodePwd attribute on existing accounts, but cannot assign it on account creation. This means a complete provisioning workflow requires at least two import passes: one to create the accounts and a second to set passwords. Accounts remain disabled until the password is set and the account is explicitly enabled.

Manual LDIF file creation: There is no template system. Building a file for 300 users means 300 blocks of attribute-value pairs, either written by hand or generated by a script. A single formatting error, like a missing blank line, an extra space, or a bad attribute name, can fail an entire entry or stop the import mid-file.

System-managed attributes break imports: Ldifde exports include read-only system attributes like objectGUID, objectSid, and whenCreated that cannot be written back into AD. Any export file intended for re-import must be manually scrubbed of these attributes first. Skipping this step is one of the most common causes of import failures.

No pre-import validation: Ldifde does not check your file against the AD schema before running. Errors appear entry by entry during the import, which makes debugging large files slow.

How ManageEngine ADManager Plus handles bulk AD imports

ADManager Plus, an AD management and reporting solution, provides a web-based CSV import workflow that covers everything Ldifde does for day-to-day provisioning, plus the things Ldifde can't.

Complete AD life cycle management

ADManager Plus supports not just bulk user creation, but also the modification of users, groups, contacts, computers, and organizational units (OUs). You can set initial passwords, enforce password policies, and require a password change at first logon—all as part of the same import run. Accounts come out enabled and usable without a separate post-import step to configure passwords.

For AD bulk user management, ADManager Plus adds capabilities that have no equivalent in Ldifde. Notable examples are user creation and modification templates that pre-fill standard attributes and simplify standardized updates, and event-driven automations that trigger user provisioning automatically when a new record appears in an HR system or a life cycle event occurs.

Comprehensive AD reporting

ADManager Plus also exports reports in CSVDE format alongside CSV, PDF, HTML, and XLSX. IT teams currently using CSVDE or LDIF exports to feed data into other systems can use ADManager Plus AD reports as a direct source with scheduling and automated delivery included.

200+ dedicated reports on groups, GPOs, computers, users, and user logins make your AD audits and analysis much more effective by providing you granular details that were only accessible with PowerShell scripts.

Help desk delegation without domain admin rights

Ldifde requires the account running it to have direct AD creation rights in the target OU, which typically means domain admin credentials. ADManager Plus lets you create named help desk roles with specific permitted tasks scoped to specific OUs and assign them to technicians—no domain admin rights required and no RSAT installation needed on help desk workstations. A technician can run a bulk user creation for the sales OU without having any access to finance or IT OUs.

Identity risk assessment across your AD environment

Ldifde's raw data gives you no visibility into the security posture of the accounts it creates or the directory it writes into. ADManager Plus includes a built-in Identity Risk Assessment that assigns a numerical risk score (0-100) to your AD environment and surfaces severity-rated risk indicators—covering factors like accounts with passwords that never expire, inactive users still holding group memberships, and privilege misconfigurations that bulk-imported accounts can introduce if the source data isn't carefully controlled. You can act on findings directly from the assessment without switching tools.

FAQ

1. What does Ldifde stand for?

Ldifde stands for LDAP Data Interchange Format Data Exchange.

2. Can Ldifde modify existing AD objects?

Yes. Ldifde supports the full range of LDAP change operations. To update an existing object, use changetype: modify in the LDIF entry along with the operation type (add:, replace:, or delete:) for each attribute being changed. This is the main capability Csvde lacks.

3. Can Ldifde import AD passwords?

Yes, but not when creating new user accounts. Ldifde can write the unicodePwd attribute using a changetype: modify operation, but the connection must be over SSL/TLS (using -t 636) and the password value must be base64-encoded UTF-16LE, not plaintext. Accounts created by Ldifde are disabled by default until a password is set and the account is explicitly enabled.

4. What is the difference between Ldifde and Csvde?

Ldifde and Csvde are both built-in Windows Server tools for bulk AD operations. Csvde works with CSV files and supports add operations only—it cannot modify or delete existing objects, and it cannot extend the AD schema. Ldifde uses the LDIF format and supports add, modify, delete, and modrdn (rename) operations, plus schema extensions. If you need to update, remove, or rename existing AD objects, or perform any schema modification, Ldifde is the tool required.

5. Does Ldifde work on Windows 10 or Windows 11?

Ldifde is available on machines where Remote Server Administration Tools (RSAT) have been installed. On Windows 10 and Windows 11, install RSAT through Settings > Apps > Optional Features and add the RSAT: Active Directory Domain Services and Lightweight Directory Services Tools component. Once installed, Ldifde.exe is available from the command prompt.

6. Can ADManager Plus replace Ldifde for bulk user creation?

For bulk user creation and modification in day-to-day provisioning workflows, ADManager Plus provides a full replacement through its web-based CSV import and bulk management features. It handles password setting and account enablement in a single step, supports user creation templates for consistent provisioning, and adds an approval workflow that Ldifde has no equivalent for.
