F:\Dev\CPP\AdMod>admod -??

AdMod V01.07.00cpp_BETA1 Joe Richards (joe@joeware.net) September 2006

 -help          Basic help.
 -?             Basic help.
 -??            Advanced help.
 -????          Shortcut help.
 -sc?           Shortcut help.
 -csv?          CSV / ADCSV help.

Usage: AdMod [switches] [attr-action]

Switches: (designated by - or /)

[CONNECTION OPTIONS]
 -h host:port   Host and port to use. If not specified uses port 389 on
                default LDAP server. Localhost can be specified as '.'.
 -p port        Alternate method to specify port to connect to.
 --------------Advanced--------------
 -kerbenc       Kerberos Encryption (LDAP_OPT_ENCRYPT).
 -ssl           Use SSL.
 -delegation    Delegated bind (ISC_REQ_DELEGATE).

[UPDATE OPTIONS]
 -b basedn      RFC 2253 DN to work on. If basedn is not specified the
                program will read from stdin anything piped to it or if
                you want you can type the DNs there followed by a ctrl-z
                to terminate the pipe.
 -safety x      Only modify objects if <= x. Default 10.
 --------------Advanced--------------
 -null          Use null base for base DN.
 -rootdse       Like -null.
 -root          Determine and use root partition for base DN.
 -config        Determine and use configuration partition for base DN.
 -schema        Determine and use schema partition for base DN.
 -default       Determine and use default partition for base DN.
 -rb xx         Relative Base, use with special base DN's above. So you
                could specify -default and -rb cn=users.
 -t xxx         Timeout value for query, default 120 seconds.
 -unsafe        Don't have a safety, modify objects no matter how many.
 -upto xx       Modify up to xx objects and then stop.
 -cont          Continue with objects even if errors.
 -treedelete    Used in combination with -rm/-del to delete branch.
 -permissive    Permissive modify.

[ACTION OPTIONS]
 -rm            Delete specified object(s).
 -del           Alias for -rm.
 -add           Add an object. Specify DN with -b and attributes normally.
                At the very least you will need to specify objectclass.
 -undel x       Undelete specified object(s), uses lastknownparent unless
                an alternate parent is supplied in x. Requires K3+.
 -rename x      Rename object to RDN of x, only works with one object.
 -move x        Move object to parent specified by x (within domain).
 --------------Advanced--------------
 -delim x       x specifies delimiter for attribute sequence. Default :
 -mvdelim x     x specifies delimiter for value sequence. Default ;
 -xdom x        Cross domain move, move to DC x. Use with -move.

[OUTPUT OPTIONS]
 -elapsed       Display elapsed time in seconds.
 -exterr        Show Extended Error info. DSID Info...

[AUTHENTICATION OPTIONS]
 --------------Advanced--------------
 -u userdn      Userid authentication. AD simple bind supports all ID
                formats and secure bind only supports ID formats 1 and 2.
                No userid specified indicates anonymous authentication.
                ID Formats
                  1. domain\userid
                  2. user@domain.com (userPrincipalName)
                  3. cn=user,ou=someou,dc=domain,dc=com (DN)
 -up pwd        Password for specified userid. * indicates to ask for
                password.
 -simple        Simple Bind.

[MISC OPTIONS]
 --------------Advanced--------------
 -po            Print options. This switch will dump to the command line
                all switches with values and attributes specified.
 -replacedn xxx:yyy
                Replaces xxx in DNs with yyy. Following special cases:
                  _config   <CONFIG>     replaced with configuration DN
                  _schema   <SCHEMA>     replaced with schema DN
                  _default  <DEFAULTNC>  replaced with default NC DN
                  _root     <ROOT>       replaced with root NC DN
                  _sites    <SITES>      replaced with sites DN
                  _subnets  <SUBNETS>    replaced with subnets DN
                  _exch     <EXCH>       replaced with Exchange services DN
 -replacedndelim x
                Specifies delimiter to separate replacedn strings.
 -e xxx         Load switches from environment. Will read env vars with
                prefix and dash (adfind-) by default and load them in.
                Any switches specified explicitly on the command line
                will override. To specify a different prefix, specify
                string after -e. For example to specify the host switch
                create an env var of adfind-h. To specify properties
                specify the env var adfind- or adfind-props.
                To specify a switch that doesn't take a value, specify a
                value of {~} because you can't set an environment variable
                to blank.

                Ex: Queries ADAM on localhost port 5000 for subnets.
                  set adam1-h=.:5000
                  set adam1-config={~}
                  set adam1-f=objectcategory=subnet
                  set adam1-props=name siteobject
                  adfind -e adam1

 -ef xxx        Load switches from file (default file = adfind.cf), one
                switch per line. Properties can be placed on multiple
                lines.

                Ex: Queries ADAM on localhost port 5000 for subnets.
                  adam1.cf
                    -h .:5000
                    -config
                    -f objectcategory=subnet
                    name siteobject
                  adfind -ef adam1.cf

Attr-Action Format:

  attribute : operation : value(s)

  This field is broken up into three main sections. Not all sections are
  required for all operations. The three sections are the attribute
  section, operation section, and value section. By default the delimiter
  between the sections is the : character however you may change this
  with the -delim option.

  attribute
    This is the name of the attribute to be manipulated. Any attribute
    that is a valid attribute for the ldap directory is a valid value here.

    ___BINARY ATTRIBUTES___
    Some attributes do not accept text based values. The immediate
    examples are GUIDs and SIDs. Binary updates are a little different
    than normal string updates and require encoding. To specify this
    encoding, prefix the attribute with one of the following prefixes:

      GUID##  Encodes friendly format GUIDs
                ex: {26C18F02-9B73-495B-9F53-8207FC72527D}
                ex: 26C18F02-9B73-495B-9F53-8207FC72527D
      SID##   Encodes friendly format SIDs
                ex: S-1-5-21-1862701446-4008382571-2198042679
      HEX##   Encodes even number of Hex characters. White space is
              filtered out.
                ex: FFEA 34FD 76DA
      BIN##   Alias for HEX##.
                ex: FFEA 34FD 76DA
      TXT##   Encodes text into binary. Can embed hex characters by
              escaping hex character with slash such as \0a. Also several
              "standard" escape characters are supported:
              \a, \b, \f, \n, \r, \t, \v
                ex: street address\ncity,state\nzipcode

  operation
    This is the operation to perform.
    Valid operations are:
      (blank)  Update the attrib with the new value.
      +        Add a value to an attribute.
      -        Clear an attribute.
      ++       Add multiple values to an attribute.
      +-       Replace all values with multiple new values.
      --       Remove multiple values from an attribute.

  value(s)
    This specifies values to use. If you are doing a multivalue operation
    with ++, +-, or -- you will separate the values with ;, or
    alternatively you can specify a different MV delimiter with -mvdelim.

  __OPERATION NOTES__
    o +,++,+-,-- operations all require values specified.
    o - operation doesn't take a value.
    o Trying to add multiple values to a single value attribute will
      result in error.
    o Doing an update operation (blank op - ::) to a multivalue will wipe
      all values and replace with the one single value.

Notes:
  o This tool could be considered dangerous, it can quickly make some
    serious changes to your directory. Use it only when you know what you
    are doing. I take no responsibility for you dorking up your directory.
    The safety option will bail the whole operation if there are more
    objects to work on than specified with the -safety option.
  o This tool is exceptionally powerful when used in conjunction with a
    command line LDAP query tool such as my own adfind with the -dsq
    switch or dsquery from Microsoft.
  o If you get an error in an update operation, no modification is made
    to the specific object, even if say 3 changes were valid and one
    wasn't. Keep in mind a password change to an object is considered a
    different update than other LDAP updates since they are done in
    different operations.
  o When doing multi-DN modifications, the errorlevel will be set to the
    last error encountered. So if you go through 8 DNs and hit 3 errors,
    only the last will be passed back to you via %errorlevel%. Also note
    that the error will be an LDAP error, not a Win32 error.
  o Be very very careful of treedelete option.
  o There is a deprecated mechanism in AdMod that allows you to set
    passwords based on the RPC based IADsUser.SetPassword method. In
    order to use this mechanism, specify #setpwd# as the attribute.
      ex: #setpwd#::newpassword
    The proper mechanism to set the password is to either set the
    unicodepwd attribute or the userpassword attribute and specify the
    -kerbenc switch to enable encryption of the traffic to the server.
      ex: unicodepwd::newpassword

Ex1:  admod -b dc=test,dc=net "description::Joe's Domain"
      Change Description of test.net object.

Ex2:  admod -b cn=joe,cn=users,dc=test,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
      Add some drinks to joe's user object in the directory.

Ex3:  admod -b cn=joe,cn=users,dc=test,dc=net "drink:-:Water"
      Removes water from the drink list for joe...

Ex4:  admod -b cn=joe,cn=users,dc=test,dc=net "drink:+:Vodka"
      Adds vodka to the drink list for joe...

Ex5:  admod -b cn=joe,cn=users,dc=test,dc=net "drink::Water"
      Replaces the entire list with just water for joe...

Ex6:  admod -b cn=joe,cn=users,dc=test,dc=net "drink:+-:Water;Lemonade"
      Replaces the entire list with water and lemonade for joe...

Ex7:  admod -b cn=someuser,cn=users,dc=test,dc=net objectclass::user samaccountname::someuser
      Create disabled user someuser.

Ex8:  admod -b cn=someuser,cn=users,dc=test,dc=net -move ou=u,dc=test,dc=com
      Move user someuser to ou=u.

Ex8:  admod -b cn=someuser,cn=users,dc=test,dc=net -rm
      Delete someuser.

--------------Advanced--------------

Ex9:  admod -b cn=someuser,cn=users,dc=test,dc=net guid##guidattr::85C04D89-D68C-4785-B801-DBF980F97C5C
      Sets GUID value on some guid based attrib on someuser.

Ex10: admod -b cn=someuser,cn=users,dc=test,dc=net #setpwd#::newpass
      Sets password for someuser. DEPRECATED.

Ex11: admod -b cn=someuser,cn=users,dc=test,dc=net "bin##binattr::3f 4567 0e 69"
      Sets binary blob on some binary based attrib on someuser.
------AdFind + AdMod Examples-------

Ex12: adfind -default -f "&(objectcategory=person)(scriptpath=*)" -dsq | admod -unsafe scriptpath:-
      Removes logon script from all users in default domain.

Ex13: adfind -gc -b -f "proxyaddresses=*" -dsq | admod -unsafe proxyaddresses:-
      Removes proxyaddresses attribute from all objects in forest.

Ex14: adfind -b ou=badcomputers,dc=test,dc=net -f "objectcategory=computer" -dsq | admod -unsafe -rm
      Delete all computer objects in specified OU...

Ex15: adfind -bit -default -f useraccountcontrol:AND:=2 -dsq | admod -unsafe -move ou=disabled,dc=test,dc=net
      Move all disabled objects in default domain to specified OU...

Ex16: adfind -default -f "&(name=compa*)" -showdel -dsq | admod -undel
      Undelete any objects named compa* and place back in last known parent...

Ex17: adfind -default -f "&(name=compa*)" -showdel -dsq | admod -undel ou=undeleted,dc=test,dc=net
      Undelete any objects named compa* and place back in ou named undeleted...

Ex18: adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:32)" useraccountcontrol -adcsv | admod useraccountcontrol::{{useraccountcontrol::CLR::32}} -upto 1000
      Clear PWD_LAST_SET flag on up to 1000 computer accounts.

This software is Freeware. Use it as you wish at your own risk. I do not
warrant this software to be fit for any purpose or use and I do not
guarantee that it will not damage or destroy your system. See full
Warranty documentation on www.joeware.net.

If you have improvement ideas, bugs, or just wish to say Hi, I receive
email 24x7 and read it in a semi-regular timeframe. You can usually find
me at joe@joeware.net