AD Object Attributes

  • Thread starter Thread starter jc
  • Start date Start date
J

jc

I need to modify AD attributes by using scripts. Where can I find a list
of all the attributes and the Display Attributes they correspond to ?


i.e For a user the display attribute is 'First Name' and to modify this the
attribute is 'givenName'


I specifically need to find exchange attributes, i.e what attributes do I
modify to set 'Exchange General > Storage Limits'

TIA
 
JC,

There are several ways to doing this generally.

One way is to use ldifde. Granted, this is not really scripting but it
would be a great thing for you to get to learn. It will help your general
knowledge of Active Directory.

Another way is to make use of the newer ds* tools. These are available with
WIN2003. However, you can use them in WIN2000 SP3 ( I think, know that SP4
works ). But, there is a little bit of functionality that does not work so
well ( and I have not played with this enough in a WIN2000 environment to
tell you what exactly does not work so well. I am simply going from what
others have posted. maybe I should not do that, but.... ).

There is also ADModify. This is a nice little utility that does a whole lot
of things. There are now two versions: 1.6 and .net. Here is the link:

ftp://ftp.microsoft.com/PSS/Tools/Exchange%20Support%20Tools/ADModify/

You will fall in love with this tool! I know that I have.

Another great web site ( that has recently gone under some serious
updates! ) is Joe's web site at http://www.joeware.net. He has a lot of
tools that really help Admins. I have not yet used adfind ( sorry, Joe )
but am thinking that his tool might be able to help you - to some degree!
You will definitely want to take a look at oldcmp. It helps you manage your
computer account objects. And, it can be modified to be used on user
account objects.

I can not help you with the scripting solution as I am still a non-scripter
( but that will change eventually ). There are a ton of scripting web sites
that can help you do this. Check out Technet and check out Richard
Mueller's web site ( http://www.rlmueller.net ) as well as doing a google.
Someone in this newsgroup will be able to point you to the correct web site.

Now, to get to your question: I would consider looking into a policy for
Exchange that sets the size limits. You can create the policy and apply it
to a store. If there are certain individuals to whom this size limit policy
should not apply then all you would need to do is to open up the ADUC MMC
and go to those specific user account objects and change it there. I bet
that this is what you are doing.

Anyway, hope that this helps you a little bit.

Cary
 
Thanks a lot for the reply. ADModify is exactly what I was looking for! I
was trying to modify the attributes of multiple users using scripts because
I thought this couldn't be done through a GUI. Using ADModify it can
though...

You were correct. I had set up a mailbox store policy for exchange that set
the size limits and then I had to set limits on specific user accounts.
Unfortunately, there were hundreds of them, so it wasnt viable to use the
ADUC MMC.

Will check out the other links and things, thanks again, much appreciated.
JC
 
JC,

Glad to hear that things worked for you. ADModify is a seriously awesome
tool ( unless, of course, you can script! But even then it is really nice ).
Just in case you were interested, you can also do the limits with ldifde.
You would just need to make sure that you change four attributes and their
values for each user account object:

mDBUseDefaults: FALSE
mDBStorageQuota: xxxxx ( This is the 'Issue Warning' entry )
mDBOverQuotaLimit: xxxxx ( This is the 'Prohibit Send' entry )
mDBOverHardQuotaLimit: xxxxx ( This is the 'Prohibit Send and Receive'
entry )

But, if you are using ADModify then you do not need to worry about this. It
does this behind the scenes for you.

Now, my only remaining question for you is this: why are you doing this for
hundreds of user account objects? Are you making the same changes to all
of these 'hundreds'? If so, it sounds like you might want to consider
creating another Store. But, based on only this little bit of info I might
hold off on that.

Cary
 
Thanks. The problem I have is that we only have Exchange Standard Edition
and do not have the ability to create more than one store....

I cant find much info on Idifde, a google search brings back very little,
how do I get it?

I have a similar problem now in that I need to change the logon hours for a
couple of hundred users. ADModify does not include logon hours, not sure
about Idifde, and ADUC MMC seems to let you change the attributes for
multiple users but then just does nothing (I presume this is because we only
have a 2000 server dc). So I may try to script it, but I'm not sure if I
fancy it much as it's a binary array.... I shall look into it though

Thanks for all your help though
 
The problem, JC, is that it is LDIFDE, not Idifde.

Were you going to use ldifde to do this ( but you do not have to as ADModify
does it for you ) the following example might help you. LDIFDE has a rather
unforgiving syntax - but that is a good thing. You would need to create an
..ldf file - WITH NOTEPAD - so that it looked like this:


DN: CN=Cary Shultz,OU=Admin,DC=nkdsolutions,DC=com
changetype: modify
replace: mDBUseDefaults
mDBUseDefaults: FALSE
-
replace: mDBStorageQuota
mDBStorageQuota: 500
-
replace: mDBOverQuotaLimit
mDBOverQuotaLimit: 575
-
replace: mDBOverHardQuotaLimit
mDBOverHardQuotaLimit: 600
-

DN: CN=Jesse Conners,OU=Admin,DC=nkdsolutions,DC=com
changetype: modify
replace: mDBUseDefaults
mDBUseDefaults: FALSE
-
replace: mDBStorageQuota
mDBStorageQuota: 500
-
replace: mDBOverQuotaLimit
mDBOverQuotaLimit: 575
-
replace: mDBOverHardQuotaLimit
mDBOverHardQuotaLimit: 600
-

You would save it as 'storagelimits.ldf' to C:\ and then open up the command
prompt and enter the following: ldifde -i -f storagelimits.ldf

You would then be given the confirmation that two records were changed.

The little dash ( "-" ) is very important when you are changing the value to
multiple attributes for one user account object.

Now, to answer your question about the logon hours: I think that you are
going to have to script this. I can not come up with a way for ldifde to do
this. That is to say, that I can not remember off of the top of my head!

HTH,

Cary
 
Back
Top