JSI Tip 8233. AdMod freeware.

Released as a companion to the AdFind freeware, AdMod takes over much of the functionality of DSMOD, DSRM, and DSMOVE, adds undelete functionality (requires Windows Server 2003), and does not hard-code attribute names, so any string attribute in the directory can be targeted.

NOTE: AdMod currently operates on string attributes only.

Download AdMod.

When you type admod /?, you receive:

AdMod V01.00.00cpp Joe Richards ([email protected]) July 2004

 AdMod [switches] [attr-action]

  Switches: (designated by - or /)
   -h host    Host to use, use default LDAP server
   -b basedn  RFC 2253 DN to work on. If basedn is not specified
              the program will read from stdin anything piped to it
              or if you want you can type the DNs there followed by
              a ctrl-z to terminate the pipe.
   -t xxx     Timeout value, default 120 seconds
   -p port    Port to use if other than default LDAP
   -elapsed   Display elapsed time in seconds
   -exterr    Show Extended Error info. DSID Info...
   -rm        Delete specified object(s)
   -del       Delete specified object(s)
   -undel x   Undelete specified object(s), uses lastknownparent unless
              an alternate parent is supplied in x. Requires K3+.
   -rename x  Rename object to RDN of x, only works with one object.
   -move x    Move object to parent specified by x (within domain)
   -safety x  How many objects before safety kicks in. Default 10
   -delim x   X specifies delimiter for attribute sequence. Default :
   -mvdelim x X specified delimiter for value sequence. Default ;
   -unsafe    Don't have a safety, modify objects no matter how many.
   -cont      Continue with objects even if errors.
   -treedelete  Used in combination of -rm/-del to delete branch

       Format:  attribute : operation : value(s)

    This field is broken up into three main sections. Not all
    sections are required for all operations. The three sections
    are the attribute section, operation section, and value section.
    By default the delimiter between the sections is the : character
    however you may prefer another delimiter or possibly can't use that
    as a delimiter so I added the -delim option above.

   attribute  This is the name of the attribute that needs to have
              the action done upon it. Obviously any attribute that
              is a valid attribute for the ldap directory is a valid
              value here but note that currently admod only works with
              string type values right now.

   operation  This is the operation to perform.
              Valid operations are:
                (blank) Update the attrib with the new value.
                +       Add a value to an attribute.
                -       Clear an attribute.
                ++      Add multiple values to an attribute.
                --      Remove multiple values from an attribute.

   value(s)   This specifies values to use.
              If you are doing a multivalue operation with ++ or --
              you will separate the values with ;, or alternatively
              you can specify a different MV delimiter with mvdelim.

              The +,++,-- operations all require values specified.
              The - operation doesn't take a value.
              Note that trying to add multiple values to a single
              value attribute will result in error. Also note that
              doing an update (blank op) to a multivalue will wipe
              all values and replace with the one single value specified.

    This tool could be considered dangerous, it can quickly make some
    serious changes to your directory. Use it only when you know what
    you are doing. I take no responsibility for you dorking up your
    directory. The safety option will bail the whole operation if there
    are more objects to work on than specified with the -safety option.

    This tool is exceptionally powerful when used in conjunction with
    a command line LDAP query tool such as my own adfind with the -dsq
    switch or dsquery from Microsoft.

    If you get an error updating an object, no modification is made
    to the specific object, even if say 3 changes were valid and one wasn't.

    When doing multi-DN modifications, the errorlevel will be set to the
    last error encountered. So if you go through 8 DNs and hit 3 errors,
    only the last will be passed back to you via %errorlevel%. Also note
    that the error will be an LDAP error, not a Win32 error.

    Be very very careful of treedelete option.

    admod -b dc=joehome,dc=net "description::Joe's Domain"
      Change Description of joe.com base object.

    adfind -default -f "&(objectcategory=person)(scriptpath=*)" -dsq | admod -unsafe scriptpath:-
      Removes logon script from all users in default domain.

    adfind -gc -b  -f "proxyaddresses=*" -dsq | admod -unsafe proxyaddresses:-
      Removes proxyaddresses attribute from all objects in forest.

    admod -b cn=joe,cn=users,dc=joehome,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
      Add some drinks to joe's user object in the directory

    admod -b cn=joe,cn=users,dc=joehome,dc=net "drink:-:Water"
      Removes water from the drink list for joe...

    admod -b cn=joe,cn=users,dc=joehome,dc=net "drink:+:Vodka"
      Adds vodka to the drink list for joe...

    admod -b cn=joe,cn=users,dc=joehome,dc=net "drink::Water"
      Replaces the entire list with just water for joe...

    adfind -b ou=badcomputers,dc=joehome,dc=net -f "objectcategory=computer" -dsq |admod -unsafe -rm
      Delete all computer objects in specified OU...

    adfind -bit -default -f useraccountcontrol:AND:=2 -dsq |admod -unsafe -move ou=disabled,dc=joehome,dc=net
      Move all disabled objects in default domain to specified OU...

    adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel
      Undelete any objects named compa* and place back in last known parent...

    adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel ou=undeleted,dc=joehome,dc=net
      Undelete any objects named compa* and place back in ou named undeleted....

 This software is Freeware. Use it as you wish at your own risk.
 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at [email protected]
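As an added example (not AdMod's own code), the following Python dry-run helper parses the attribute:operation:value(s) syntax described above, honours the -delim and -mvdelim style delimiters, applies the same object-count rule as -safety/-unsafe, and renders the resulting LDAP modify as LDIF so a piped change can be reviewed before anything is written to the directory. It treats - with a value as removing just that value (matching the drink:-:Water example) and - without a value as clearing the attribute; the function names and sample DNs are my own.

```python
"""Dry-run helper for AdMod-style attr-action strings (added example)."""
from dataclasses import dataclass

# Operation token -> LDAP modify change type, as documented in the admod /? text.
OPS = {"": "replace", "+": "add", "++": "add", "-": "delete", "--": "delete"}


@dataclass
class AttrAction:
    attribute: str
    change_type: str
    values: list


def parse_attr_action(spec, delim=":", mvdelim=";"):
    """Split spec into attribute, operation and value(s) and validate the rules."""
    parts = spec.split(delim, 2)                  # at most three sections
    if len(parts) < 2:
        raise ValueError(f"expected attribute{delim}operation[{delim}values]: {spec!r}")
    attribute, op = parts[0].strip(), parts[1].strip()
    value_str = parts[2] if len(parts) == 3 else ""
    if op not in OPS:
        raise ValueError(f"unknown operation {op!r} in {spec!r}")
    if op == "-":
        # "-" clears the attribute; with a value it removes only that value.
        return AttrAction(attribute, "delete", [value_str] if value_str else [])
    if not value_str:
        raise ValueError(f"operation {op!r} requires a value")
    if op in ("++", "--"):
        values = [v for v in value_str.split(mvdelim) if v]   # value sequence
    else:
        values = [value_str]                      # blank and + take one value
    return AttrAction(attribute, OPS[op], values)


def check_safety(dns, safety=10, unsafe=False):
    """Mirror -safety: refuse to proceed past the object limit unless -unsafe."""
    dns = [d.strip() for d in dns if d.strip()]   # piped DNs, one per line
    if not unsafe and len(dns) > safety:
        raise RuntimeError(f"{len(dns)} objects exceed the safety limit of {safety}")
    return dns


def to_ldif(dn, action):
    """Render the modify as LDIF for review (ldifde can apply it if approved)."""
    lines = [f"dn: {dn}", "changetype: modify", f"{action.change_type}: {action.attribute}"]
    lines += [f"{action.attribute}: {v}" for v in action.values]
    return "\n".join(lines + ["-"])
```

Pipe the DN list from adfind -dsq into check_safety, then print to_ldif for each DN before running the real admod command.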
