JSI Tip 7785. How do I modify Active Directory attributes for all members of an Organizational Unit in my domain?

Using the Active Directory command-line tools, in a Windows 2000 domain, or Windows Server 2003 domain, I have scripted OUusers.bat to modify Active Directory user attributes for all members of an OU .

The syntax for using OUusers.bat is:

OUusers OU P1a P1b \[P2a P2b ... Pna Pnb\]

Where:

OU         is the OU name in your domain.

Pna        is a DSMOD parameter, and is always preceeded by a -.

Pnb        is the value of the Pna parameter that you wish to set.

Example:

To set all users in the "My OU" OU in your domain to have a company name of "My OU subsidiary, Your Company"
and a Web page of "http://www.YourCompany.com/<UserName>.htm":

Ouusers "My OU" -company "My OU subsidiary, Your Company" -webpg "http://www.YourCompany.com/$username$.htm"

I have removed the detail description of the parameters that would not make sense to set
from the following dsmod user /? display:

Description:  Modifies an existing user in the directory.

Syntax:     dsmod user <UserDN ...> \[-upn <UPN>\] \[-fn <FirstName>\]
            \[-mi <Initial>\] \[-ln <LastName>\] \[-display <DisplayName>\]
            \[-empid <EmployeeID>\] \[-pwd \{<Password> | *\}\]
            \[-desc <Description>\] \[-office <Office>\] \[-tel <Phone#>\]
            \[-email <Email>\] \[-hometel <HomePhone#>\] \[-pager <Pager#>\]
            \[-mobile <CellPhone#>\] \[-fax <Fax#>\] \[-iptel <IPPhone#>\]
            \[-webpg <WebPage>\] \[-title <Title>\] \[-dept <Department>\]
            \[-company <Company>\] \[-mgr <Manager>\] \[-hmdir <HomeDir>\]
            \[-hmdrv <DriveLtr>:\] \[-profile <ProfilePath>\]
            \[-loscr <ScriptPath>\] \[-mustchpwd \{yes | no\}\]
            \[-canchpwd \{yes | no\}\] \[-reversiblepwd \{yes | no\}\]
            \[-pwdneverexpires \{yes | no\}\]
            \[-acctexpires <NumDays>\] \[-disabled \{yes | no\}\]
            \[\{-s <Server> | -d <Domain>\}\] \[-u <UserName>\]
            \[-p \{<Password> | *\}\] \[-c\] \[-q\] \[\{-uc | -uco | -uci\}\]

Parameters:

Value                   Description
-pwd \{<Password> | *\}   Resets user password to <Password>. If *, then
                        you are prompted for a password.
-desc <Description>     Sets user description to <Description>.
-office <Office>        Sets user office location to <Office>.
-fax <Fax#>             Sets user fax# to <Fax#>.
-webpg <WebPage>        Sets user web page URL to <WebPage>.
-title <Title>          Sets user title to <Title>.
-dept <Department>      Sets user department to <Department>.
-company <Company>      Sets user company info to <Company>.
-mgr <Manager>          Sets user's manager to <Manager>.
-hmdir <HomeDir>        Sets user home directory to <HomeDir>. If this is
                        UNC path, then a drive letter to be mapped to
                        this path must also be specified through -hmdrv.
-hmdrv <DriveLtr>:      Sets user home drive letter to <DriveLtr>:
-profile <ProfilePath>  Sets user's profile path to <ProfilePath>.
-loscr <ScriptPath>     Sets user's logon script path to <ScriptPath>.
-mustchpwd \{yes | no\}   Sets whether the user must change his password (yes)
                        or not (no) at his next logon.
-canchpwd \{yes | no\}    Sets whether the user can change his password (yes)
                        or not (no). This setting should be "yes"
                        if the -mustchpwd setting is "yes".
-reversiblepwd \{yes | no\}
                        Sets whether the user password should be stored using
                        reversible encryption (yes) or not (no).
-pwdneverexpires \{yes | no\}
                        Sets whether the user's password never expires (yes)
                        or not (no).
-acctexpires <NumDays>  Sets user account to expire in <NumDays> days from
                        today. A value of 0 sets expiration at the end of
                        today.
                        A positive value sets expiration in the future.
                        A negative value sets expiration in the past.
                        A string value of "never" sets the account
                        to never expire.
-disabled \{yes | no\}    Sets whether the user account is disabled (yes)
                        or not (no).
\{-s <Server> | -d <Domain>\}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues with next object in argument list
                        when multiple target objects are specified.
                        Without this option, the command exits on the
                        first error.
-q                      Quiet mode: suppress all output to standard output.

Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have the following
substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

- hmdir \users\janed\home

Examples:
To reset a user's password:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    -pwd A1b2C3d4 -mustchpwd yes

To reset multiple user passwords to a common password
and force them to change their passwords the next time they logon:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes

To disable multiple user accounts at the same time:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -disabled yes

To modify the profile path of multiple users to a common path using the
$username$ token:

dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
"CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -profile \users\$username$\profile

OUusers.bat contains:

@echo off
setlocal ENABLEDELAYEDEXPANSION
if \{%3\}\{\} goto syntax
set ou=%1
set ou="%ou:"=%"
set params=
set /a cnt=0
:ploop
shift
if \{%1\}\{\} goto begin
set /a cnt=%cnt% + 1
set /a p1=%cnt%%%2
if %p1% EQU 0 set params=%params% %1&goto ploop
set work=%1
if "%work:~0,1%" NEQ "-" goto syntax
set params=%params% %1
goto ploop
:begin
set /a cnt=%cnt%%%2
if %cnt% NEQ 0 goto syntax
set query=dsquery user -o dn -limit 0
for /f "Skip=1 Tokens=*" %%u in ('%query%') do (
 for /f "Tokens=*" %%o in ('@echo %%u^|Findstr /i /l ",OU="^|Findstr /i /l %ou%') do (
  set DN=%%o
  @echo dsmod user !DN!%params%
  dsmod user !DN!%params%
 )
)
endlocal
exit /b 0
:syntax
@echo Syntax: OUusers OU P1a P1b \[P2a P2b ... Pna Pnb\]
endlocal
exit /b 1

Comments

Plain text