Using the Active Directory command-line tools in a Windows 2000 domain or Windows Server 2003 domain, I have scripted OUusers.bat to modify Active Directory user attributes for all members of an OU.
The syntax for using OUusers.bat is:
```
OUusers OU P1a P1b [P2a P2b ... Pna Pnb]
```
Where:
OU is the OU name in your domain.

Pna is a DSMOD parameter, and is always preceded by a -.

Pnb is the value of the Pna parameter that you wish to set.

Example: To set all users in the "My OU" OU in your domain to have a company name of "My OU subsidiary, Your Company" and a Web page of "http://www.YourCompany.com/<UserName>.htm":

```
Ouusers "My OU" -company "My OU subsidiary, Your Company" -webpg "http://www.YourCompany.com/$username$.htm"
```

I have removed the detailed description of the parameters that would not make sense to set from the following dsmod user /? display:

```
Description: Modifies an existing user in the directory.
Syntax:      dsmod user <UserDN ...> [-upn <UPN>] [-fn <FirstName>]
             [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
             [-empid <EmployeeID>] [-pwd {<Password> | *}]
             [-desc <Description>] [-office <Office>] [-tel <Phone#>]
             [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
             [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
             [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
             [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
             [-hmdrv <DriveLtr>:] [-profile <ProfilePath>]
             [-loscr <ScriptPath>] [-mustchpwd {yes | no}]
             [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
             [-pwdneverexpires {yes | no}] [-acctexpires <NumDays>]
             [-disabled {yes | no}] [{-s <Server> | -d <Domain>}]
             [-u <UserName>] [-p {<Password> | *}] [-c] [-q]
             [{-uc | -uco | -uci}]

Parameters:

Value                          Description
-pwd {<Password> | *}          Resets user password to <Password>. If *,
                               then you are prompted for a password.
-desc <Description>            Sets user description to <Description>.
-office <Office>               Sets user office location to <Office>.
-fax <Fax#>                    Sets user fax# to <Fax#>.
-webpg <WebPage>               Sets user web page URL to <WebPage>.
-title <Title>                 Sets user title to <Title>.
-dept <Department>             Sets user department to <Department>.
-company <Company>             Sets user company info to <Company>.
-mgr <Manager>                 Sets user's manager to <Manager>.
-hmdir <HomeDir>               Sets user home directory to <HomeDir>. If this
                               is UNC path, then a drive letter to be mapped
                               to this path must also be specified through
                               -hmdrv.
-hmdrv <DriveLtr>:             Sets user home drive letter to <DriveLtr>:
-profile <ProfilePath>         Sets user's profile path to <ProfilePath>.
-loscr <ScriptPath>            Sets user's logon script path to <ScriptPath>.
-mustchpwd {yes | no}          Sets whether the user must change his password
                               (yes) or not (no) at his next logon.
-canchpwd {yes | no}           Sets whether the user can change his password
                               (yes) or not (no). This setting should be
                               "yes" if the -mustchpwd setting is "yes".
-reversiblepwd {yes | no}      Sets whether the user password should be
                               stored using reversible encryption (yes) or
                               not (no).
-pwdneverexpires {yes | no}    Sets whether the user's password never expires
                               (yes) or not (no).
-acctexpires <NumDays>         Sets user account to expire in <NumDays> days
                               from today. A value of 0 sets expiration at
                               the end of today. A positive value sets
                               expiration in the future. A negative value
                               sets expiration in the past. A string value of
                               "never" sets the account to never expire.
-disabled {yes | no}           Sets whether the user account is disabled
                               (yes) or not (no).
{-s <Server> | -d <Domain>}    -s <Server> connects to the domain controller
                               (DC) with name <Server>.
                               -d <Domain> connects to a DC in domain
                               <Domain>.
                               Default: a DC in the logon domain.
-u <UserName>                  Connect as <UserName>. Default: the logged in
                               user. User name can be: user name,
                               domain\user name, or user principal name (UPN).
-p <Password>                  Password for the user <UserName>. If * then
                               prompt for password.
-c                             Continuous operation mode. Reports errors but
                               continues with next object in argument list
                               when multiple target objects are specified.
                               Without this option, the command exits on the
                               first error.
-q                             Quiet mode: suppress all output to standard
                               output.

Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have the following
substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

- hmdir \users\janed\home

Examples:
To reset a user's password:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes

To reset multiple user passwords to a common password
and force them to change their passwords the next time they logon:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes

To disable multiple user accounts at the same time:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -disabled yes

To modify the profile path of multiple users to a common path using the
$username$ token:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -profile \users\$username$\profile
```
OUusers.bat contains:
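```
@echo off
setlocal ENABLEDELAYEDEXPANSION
rem At least an OU name and one parameter/value pair are required.
if {%3}=={} goto syntax
rem Strip any quotes from the OU name, then re-quote it.
set ou=%1
set ou="%ou:"=%"
set params=
set /a cnt=0
rem Collect the remaining arguments as Pna/Pnb pairs.
:ploop
shift
if {%1}=={} goto begin
set /a cnt=%cnt% + 1
set /a p1=%cnt%%%2
rem Even-numbered arguments are values (Pnb); append them as-is.
if %p1% EQU 0 set params=%params% %1&goto ploop
rem Odd-numbered arguments are switches (Pna) and must start with a -.
set work=%1
if "%work:~0,1%" NEQ "-" goto syntax
set params=%params% %1
goto ploop
:begin
rem Every switch must have a value.
set /a cnt=%cnt%%%2
if %cnt% NEQ 0 goto syntax
set query=dsquery user -o dn -limit 0
rem Keep the DNs that contain ",OU=" and match the OU name (findstr text match on the whole DN).
for /f "Skip=1 Tokens=*" %%u in ('%query%') do (
 for /f "Tokens=*" %%o in ('@echo %%u^|Findstr /i /l ",OU="^|Findstr /i /l %ou%') do (
  set DN=%%o
  @echo dsmod user !DN!%params%
  dsmod user !DN!%params%
 )
)
endlocal
exit /b 0
:syntax
@echo Syntax: OUusers OU P1a P1b [P2a P2b ... Pna Pnb]
endlocal
exit /b 1
```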
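Because the script selects users by running findstr over the whole DN text, the set of accounts it changes can be wider than the named OU. The following is an added example, not part of the original tip: a Python model of that filter (the function names and the sample DNs are constructed for illustration) that lists the DNs the filter would pass to dsmod even though they are not under an OU with exactly that name.

```python
import re

# Constructed sample of `dsquery user -o dn -limit 0` output (not real data).
SAMPLE_DNS = [
    '"CN=Administrator,CN=Users,DC=example,DC=com"',
    '"CN=Jane Doe,OU=My OU,DC=example,DC=com"',
    '"CN=Bob Ray,OU=Finance,DC=example,DC=com"',
    '"CN=Sales Temp,OU=Contractors,DC=example,DC=com"',
    '"CN=Smith\\, Ann,OU=Sales,DC=example,DC=com"',
]

def script_filter(line, ou):
    """Model of: findstr /i /l ",OU=" | findstr /i /l "<ou>".

    Without /c:, findstr treats a quoted string containing spaces as
    several search strings and matches a line containing ANY of them.
    """
    low = line.lower()
    if ",ou=" not in low:
        return False
    return any(tok.lower() in low for tok in ou.split())

def rdns(line):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", line.strip().strip('"'))]

def in_named_ou(line, ou):
    """True only if a container above the user is exactly OU=<ou>."""
    wanted = "ou=" + ou.lower()
    return any(r.lower() == wanted for r in rdns(line)[1:])

def over_matched(lines, ou):
    """DNs the script would modify that are not under an OU named <ou>."""
    return [l for l in lines if script_filter(l, ou) and not in_named_ou(l, ou)]

if __name__ == "__main__":
    for name in ("My OU", "Sales"):
        print(name, "->", over_matched(SAMPLE_DNS, name))
```

Running the same comparison over real `dsquery user -o dn -limit 0` output before using switches such as -pwd or -disabled shows exactly which accounts a given OU argument would touch.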