New free joeware tool.... AdMod - sister to AdFind - Modify AD, Delete, Rename, Undelete

  • Thread starter Joe Richards [MVP]

Hey guys, thought I would let you know I finally made the command line AD
Modification tool I kept saying I would make. It is the sister to ADFIND, it is
called ADMOD.

It will modify attributes (strings only right now, no binary until I figure out
a good way to specify that).

It will move objects within AD.

It will rename objects within AD.

It will delete objects within AD.

And.... it will undelete objects in AD assuming you have Windows 2003 where that
functionality was first released...


Check it out on the free win32 tools page of my site.


[Tue 07/06/2004 8:54:58.95]
F:\DEV\cpp\AdMod>admod

AdMod V01.00.00cpp Joe Richards ([email protected]) July 2004

Usage:
AdMod [switches] [attr-action]

Switches: (designated by - or /)
  -h host       Host to use, use default LDAP server
  -b basedn     RFC 2253 DN to work on. If basedn is not specified
                the program will read from stdin anything piped to it
                or if you want you can type the DNs there followed by
                a ctrl-z to terminate the pipe.
  -t xxx        Timeout value, default 120 seconds
  -p port       Port to use if other than default LDAP
  -elapsed      Display elapsed time in seconds
  -exterr       Show Extended Error info. DSID Info...
  -rm           Delete specified object(s)
  -del          Delete specified object(s)
  -undel x      Undelete specified object(s), uses lastknownparent unless
                an alternate parent is supplied in x. Requires K3+.
  -rename x     Rename object to RDN of x, only works with one object.
  -move x       Move object to parent specified by x (within domain)
  -safety x     How many objects before safety kicks in. Default 10
  -delim x      X specifies delimiter for attribute sequence. Default :
  -mvdelim x    X specified delimiter for value sequence. Default ;
  -unsafe       Don't have a safety, modify objects no matter how many.
  -cont         Continue with objects even if errors.
  -treedelete   Used in combination of -rm/-del to delete branch


Attr-Action
Format: attribute : operation : value(s)

This field is broken up into three main sections. Not all
sections are required for all operations. The three sections
are the attribute section, operation section, and value section.
By default the delimiter between the sections is the : character
however you may prefer another delimiter or possibly can't use that
as a delimiter so I added the -delim option above.

  attribute   This is the name of the attribute that needs to have
              the action done upon it. Obviously any attribute that
              is a valid attribute for the ldap directory is a valid
              value here but note that currently admod only works with
              string type values right now.

  operation   This is the operation to perform.
              Valid operations are:
                (blank)  Update the attrib with the new value.
                +        Add a value to an attribute.
                -        Clear an attribute.
                ++       Add multiple values to an attribute.
                --       Remove multiple values from an attribute.

  value(s)    This specifies values to use.
              If you are doing a multivalue operation with ++ or --
              you will separate the values with ;, or alternatively
              you can specify a different MV delimiter with mvdelim.

              The +,++,-- operations all require values specified.
              The - operation doesn't take a value.
              Note that trying to add multiple values to a single
              value attribute will result in error. Also note that
              doing an update (blank op) to a multivalue will wipe
              all values and replace with the one single value specified.


Notes:
This tool could be considered dangerous, it can quickly make some
serious changes to your directory. Use it only when you know what
you are doing. I take no responsibility for you dorking up your
directory. The safety option will bail the whole operation if there
are more objects to work on than specified with the -safety option.

This tool is exceptionally powerful when used in conjunction with
a command line LDAP query tool such as my own adfind with the -dsq
switch or dsquery from Microsoft.

If you get an error updating an object, no modification is made
to the specific object, even if say 3 changes were valid and one wasn't.

When doing multi-DN modifications, the errorlevel will be set to the
last error encountered. So if you go through 8 DNs and hit 3 errors,
only the last will be passed back to you via %errorlevel%. Also note
that the error will be an LDAP error, not a Win32 error.

Be very very careful of treedelete option.


Ex1:
admod -b dc=joehome,dc=net "description::Joe's Domain"
Change Description of joe.com base object.

Ex2:
adfind -default -f "&(objectcategory=person)(scriptpath=*)" -dsq | admod -unsafe scriptpath:-
Removes logon script from all users in default domain.

Ex3:
adfind -gc -b -f "proxyaddresses=*" -dsq | admod -unsafe proxyaddresses:-
Removes proxyaddresses attribute from all objects in forest.

Ex4:
admod -b cn=joe,cn=users,dc=joehome,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
Add some drinks to joe's user object in the directory

Ex5:
admod -b cn=joe,cn=users,dc=joehome,dc=net "drink:-:Water"
Removes water from the drink list for joe...

Ex6:
admod -b cn=joe,cn=users,dc=joehome,dc=net "drink:+:Vodka"
Adds vodka to the drink list for joe...

Ex7:
admod -b cn=joe,cn=users,dc=joehome,dc=net "drink::Water"
Replaces the entire list with just water for joe...

Ex8:
adfind -b ou=badcomputers,dc=joehome,dc=net -f "objectcategory=computer" -dsq |admod -unsafe -rm
Delete all computer objects in specified OU...

Ex9:
adfind -bit -default -f useraccountcontrol:AND:=2 -dsq |admod -unsafe -move ou=disabled,dc=joehome,dc=net
Move all disabled objects in default domain to specified OU...

Ex10:
adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel
Undelete any objects named compa* and place back in last known parent...

Ex11:
adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel ou=undeleted,dc=joehome,dc=net
Undelete any objects named compa* and place back in ou named undeleted....



This software is Freeware. Use it as you wish at your own risk.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at (e-mail address removed)


[Tue 07/06/2004 10:21:46.48]
F:\DEV\cpp\AdMod>
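
As an added example (not part of the original post and not AdMod's own code), here is a Python pre-flight check that parses an attr-action string as the usage text above describes it and applies the -safety rule to a list of DNs before anything is piped into the tool. The function names, the warning wording and the handling of a delimiter inside a value are assumptions.

```python
# Added example: pre-flight review of an AdMod attr-action, built only from
# the usage text in the post. It never calls AdMod or touches a directory.
from dataclasses import dataclass, field

VALID_OPS = {"", "+", "-", "++", "--"}
NEEDS_VALUE = {"+", "++", "--"}  # "The +,++,-- operations all require values"


@dataclass
class AttrAction:
    attribute: str
    operation: str
    values: list = field(default_factory=list)
    warnings: list = field(default_factory=list)


def parse_attr_action(text, delim=":", mvdelim=";"):
    # Assumption: split on the first two delimiters only, so a value may
    # itself contain the delimiter; the post does not say how AdMod treats it.
    parts = text.split(delim, 2)
    attribute = parts[0].strip()
    operation = parts[1].strip() if len(parts) > 1 else ""
    raw = parts[2] if len(parts) > 2 else ""
    if not attribute:
        raise ValueError("attribute name is missing")
    if operation not in VALID_OPS:
        raise ValueError(f"unknown operation {operation!r}")
    if operation in NEEDS_VALUE and not raw:
        raise ValueError(f"operation {operation!r} requires a value")
    multi = operation in {"++", "--"}
    values = raw.split(mvdelim) if multi else ([raw] if raw else [])
    action = AttrAction(attribute, operation, values)
    if operation == "-":
        action.warnings.append("clears the attribute")
        if raw:  # usage text: "The - operation doesn't take a value."
            action.warnings.append("value given, but '-' takes no value")
    if operation == "":
        action.warnings.append("replaces every existing value")
    return action


def safety_allows(dns, safety=10, unsafe=False):
    # Described rule: the whole operation bails when there are more objects
    # than the -safety limit (default 10), unless -unsafe is given.
    targets = [d for d in (line.strip() for line in dns) if d]
    return unsafe or len(targets) <= safety
```

Feeding it the DN list that adfind -dsq would produce, together with the intended attr-action, shows how many objects are in scope and whether the operation wipes data before -unsafe is added to the real command line.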
 
