AdMod
A recent addition to the Joeware family is AdMod. Previously, I compared AdFind to Dsquery on steroids. A similar analogy can be made between AdMod and Microsoft's Dsmod, Dsmove, and Dsrm command-line tools. Although these Microsoft tools are helpful, they have a couple of major annoyances. First, you can target only specific types of objects. For example, with Dsmod, you can modify only computer, contact, group, OU, server, user, quota, and partition objects. If you want to modify any other type of object, you're out of luck. Second, in an effort to reduce the amount of typing you have to do when using these tools, they have options such as -samid (queries or sets the samAccountName attribute) and -mgr (queries or sets the manager attribute). Although Microsoft had good intentions when it came up with these shortened option names, I don't like them because I have to mentally associate samid with samAccountName and mgr with manager. Thus, these option names might be confusing to newcomers.
AdMod doesn't have any of these limitations. With it, you can modify (the default action), move (-move option), rename (-rename option), delete (-del and -treedelete options), and undelete (-undel option) objects. The undelete functionality is available only in Windows 2003 domains.
The modify syntax takes a little getting used to, but once you do, it's remarkably easy. To modify a single object, you specify the base DN of that object with the -b option. At the end of the command, you include the attribute action, which follows the format
"Attribute:Operation:Value(s)"
Attribute represents the name of the attribute you want to modify. Operation represents the action to take on that attribute. There are five possible actions:
You can add a value to a single-value attribute, in which case you specify the + character.
You can clear a single-value or multivalue attribute, in which case you include the - character.
You can add multiple values to a multivalue attribute, in which case you specify the ++ characters.
You can remove one or more values from a multivalue attribute, in which case you include the -- characters.
You can update the value of a single-value or multivalue attribute (the default), in which case you don't include any character.
Value(s) represents the string value or string values you want to update, add, or remove. For default and + operations, you specify only one value. For ++ and -- operations, you use a semicolon-separated list to specify multiple values. For - operations, you don't need to specify any values.
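To make the five operations concrete, here is an added example (my own code, not AdMod's or Joeware's) that parses the "Attribute:Operation:Value(s)" argument exactly as the rules above describe it and then applies the parsed action to an in-memory attribute map standing in for the directory object, so the effect of each operation can be compared side by side. Two details are assumptions, not taken from the page: a clear (-) action may be written either as "attr:-" or "attr:-:", and a + action against a single-value attribute that already holds a value is rejected, mirroring how LDAP treats single-valued attributes.

```python
"""Parser and in-memory model for AdMod-style "Attribute:Operation:Value(s)" actions.
Added example, not AdMod's own code; see the assumptions in the comments below."""
from typing import Dict, List, Tuple

# Operation token -> operation name, exactly as the page lists them.
OPERATIONS = {
    "":   "update",        # default: replace the attribute's value(s)
    "+":  "add_single",    # add a value to a single-value attribute
    "-":  "clear",         # clear a single-value or multivalue attribute
    "++": "add_multi",     # add one or more values to a multivalue attribute
    "--": "remove_multi",  # remove one or more values from a multivalue attribute
}


def parse_attribute_action(spec: str) -> Tuple[str, str, List[str]]:
    """Split 'Attribute:Operation:Value(s)' into (attribute, operation, values)."""
    # Split on at most two colons so a value may itself contain ':'.
    parts = spec.split(":", 2)
    if len(parts) < 2 or not parts[0]:
        raise ValueError(f"expected Attribute:Operation[:Value(s)], got {spec!r}")
    attribute, token = parts[0], parts[1]
    raw = parts[2] if len(parts) == 3 else ""
    if token not in OPERATIONS:
        raise ValueError(f"unknown operation {token!r} in {spec!r}")
    op = OPERATIONS[token]
    if op == "clear":
        # Assumption: "attr:-" and "attr:-:" are both accepted; no value is allowed.
        if raw:
            raise ValueError("clear (-) takes no value")
        return attribute, op, []
    if op in ("update", "add_single"):
        # Default and + take exactly one value; ';' is not a separator here.
        if not raw:
            raise ValueError(f"{op} needs exactly one value")
        return attribute, op, [raw]
    # ++ and -- take a semicolon-separated list.
    values = [v for v in raw.split(";") if v]
    if not values:
        raise ValueError(f"{op} needs at least one value")
    return attribute, op, values


def apply_action(attributes: Dict[str, List[str]], spec: str) -> Dict[str, List[str]]:
    """Apply one action to a dict standing in for a directory object's attributes."""
    attribute, op, values = parse_attribute_action(spec)
    current = list(attributes.get(attribute, []))
    if op == "clear":
        attributes.pop(attribute, None)
    elif op == "update":
        attributes[attribute] = values            # replace whatever was there
    elif op == "add_single":
        # Assumption: like an LDAP add on a single-valued attribute, this fails
        # if a value is already present.
        if current:
            raise ValueError(f"{attribute} already has a value; use the default or - first")
        attributes[attribute] = values
    elif op == "add_multi":
        attributes[attribute] = current + [v for v in values if v not in current]
    elif op == "remove_multi":
        missing = [v for v in values if v not in current]
        if missing:
            raise ValueError(f"{attribute} does not contain {missing}")
        attributes[attribute] = [v for v in current if v not in values]
    return attributes


if __name__ == "__main__":
    # Constructed walk-through of all five operations on one object.
    obj: Dict[str, List[str]] = {}
    for action in (
        "scriptpath::login.vbs",                   # default: set the value
        "otherHomePhone:++:555-0100;555-0101",     # ++: add two values
        "otherHomePhone:--:555-0100",              # --: remove one of them
        "description:+:Lab workstation",           # +: add to an empty single-value attribute
        "scriptpath:-",                            # -: clear the attribute
    ):
        apply_action(obj, action)
        print(f"{action:40} -> {obj}")
```

The split on at most two colons is deliberate: attribute names and operation tokens never contain a colon, so a value such as a URL keeps its colons intact.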
For example, the following command updates the scriptpath attribute to login.vbs for the rallen user account:
If you want to modify a bunch of objects at once, you can pipe the output from AdFind to AdMod. AdFind's -dsq option returns only the DN of each matching object, one DN per line, which makes the output ideal for piping. AdMod can iterate over this list and modify each object. For example, here's a command that uses AdFind and AdMod to clear the scriptpath attribute's value for all users in the default domain:
One item you might have noticed in this command is the -unsafe option. AdMod has a safety mechanism built into it so that you don't accidentally modify more objects than you intended. By default, AdMod modifies only 10 objects in one pass. You can, however, specify the -safety option along with the number of objects to modify. If you don't want any limitations, you use the -unsafe option.
OldCmp
A standard problem most AD administrators run into at some point is cleaning up old (aka inactive) computer accounts. It's not uncommon for computer accounts to be created and never used or left hanging around in the directory after a computer has been re-imaged or decommissioned. Generally, it takes a while before stale computer accounts pile up in significant numbers, but it will happen eventually.
Previously, the only way to clean up these accounts was with a script. (For an example of such a script, go to http://www.rallenhome.com/books/adcookbook/code.html and click the Perl link in item 8.8.) But now there is a much easier way. With OldCmp, you can search for, disable, or delete inactive computer accounts. Even better, you can create a simple batch script to automate the process.
So how does OldCmp determine what is an inactive computer? Computers with Windows OSs that are members of a domain automatically change their password every 30 days. A computer object's pwdLastSet attribute stores the age of the computer's password. Technically, you could write a query that searches AD for computers whose pwdLastSet value is greater than the specified number of months. Unfortunately, manually writing this query is difficult. The pwdLastSet attribute's value has the Large Integer data type, so you have to perform some special calculations to come up with the correct value to use. With OldCmp, you can avoid this hassle.
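The "special calculations" are worth seeing once, so here is an added example (my own code, not OldCmp's or Joeware's) that carries out the arithmetic behind the -age option. It relies on one fact the page does not spell out: Active Directory stores pwdLastSet as a Windows FILETIME, the number of 100-nanosecond intervals since 1601-01-01 00:00 UTC. A computer whose password is older than N days therefore has a pwdLastSet value less than or equal to the FILETIME of "now minus N days". The example builds that LDAP filter and also applies the same threshold to a constructed list of computer records of the kind you would get by parsing AdFind output; the record names and timestamps are made up for illustration.

```python
"""FILETIME arithmetic for finding stale computer accounts by pwdLastSet.
Added example, not OldCmp's own code."""
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
INTERVALS_PER_SECOND = 10_000_000   # 100-nanosecond intervals in one second
DEFAULT_AGE_DAYS = 90               # OldCmp's default threshold


def to_filetime(moment: datetime) -> int:
    """Convert a timezone-aware datetime to a FILETIME integer.

    Integer arithmetic on days/seconds/microseconds is used instead of
    timedelta.total_seconds() so no precision is lost in a float."""
    delta = moment.astimezone(timezone.utc) - FILETIME_EPOCH
    seconds = delta.days * 86_400 + delta.seconds
    return seconds * INTERVALS_PER_SECOND + delta.microseconds * 10


def from_filetime(filetime: int) -> datetime:
    """Inverse of to_filetime, to microsecond precision."""
    seconds, remainder = divmod(filetime, INTERVALS_PER_SECOND)
    return FILETIME_EPOCH + timedelta(seconds=seconds, microseconds=remainder // 10)


def password_age_days(pwd_last_set: int, now: datetime) -> float:
    """Age of a password in days, given its raw pwdLastSet value."""
    return (now.astimezone(timezone.utc) - from_filetime(pwd_last_set)).total_seconds() / 86_400


def stale_threshold(age_days: int, now: Optional[datetime]) -> int:
    """FILETIME value of 'now minus age_days'; anything at or below it is stale."""
    now = now or datetime.now(timezone.utc)
    return to_filetime(now - timedelta(days=age_days))


def stale_computer_filter(age_days: int = DEFAULT_AGE_DAYS, now: Optional[datetime] = None) -> str:
    """LDAP filter for computer objects whose password is older than age_days.

    pwdLastSet is 0 when the password has never been set; 0 is below any
    threshold, so computer accounts that were created but never used match too."""
    return f"(&(objectCategory=computer)(pwdLastSet<={stale_threshold(age_days, now)}))"


def find_stale(computers: List[Dict], age_days: int = DEFAULT_AGE_DAYS,
               now: Optional[datetime] = None) -> List[str]:
    """Apply the same threshold to already-fetched records with 'name' and
    'pwdLastSet' keys (e.g. parsed AdFind output) and return the stale names."""
    threshold = stale_threshold(age_days, now)
    return [c["name"] for c in computers if int(c["pwdLastSet"]) <= threshold]


if __name__ == "__main__":
    # Constructed sample: three computer accounts relative to a fixed "now".
    now = datetime(2009, 11, 1, tzinfo=timezone.utc)
    sample = [
        {"name": "WS-ACTIVE$",   "pwdLastSet": to_filetime(now - timedelta(days=12))},
        {"name": "WS-REIMAGED$", "pwdLastSet": to_filetime(now - timedelta(days=200))},
        {"name": "WS-NEVER$",    "pwdLastSet": 0},
    ]
    print(stale_computer_filter(now=now))
    for c in sample:
        print(f"{c['name']:14} age {password_age_days(c['pwdLastSet'], now):10.1f} days")
    print("stale at 90 days: ", find_stale(sample, now=now))
    print("stale at 365 days:", find_stale(sample, age_days=365, now=now))
```

One caveat when you use this threshold on its own: the 30-day rotation depends on the "Domain member: Disable machine account password changes" policy being left at its default, so a machine whose rotation has been disabled looks stale even while it is in daily use. Cross-checking the candidates against lastLogonTimestamp before disabling or deleting them avoids that false positive.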
Because OldCmp and AdFind were written by the same guy (i.e., Joe), OldCmp has many of the same command-line options as AdFind. Specifically, the -b, -h, -s, and -f options I described previously all work in the same manner, except in this case, they're used as search criteria to find inactive computer accounts. To be safe, you shouldn't consider a computer inactive unless its password is more than 90 days old (which is the default in OldCmp). To be really safe, you might want to consider a computer inactive only when its password is older than 180 days. To specify an age other than the default of 90 days, you use the -age option.
When you use OldCmp to perform a search, you must specify at least one of three possible options: -report (generates an HTML report listing the inactive computer accounts), -disable (disables inactive computer accounts), or -delete (deletes inactive computer accounts). If you run OldCmp with only the -report option, it searches for all computer objects in your default domain that have a password age greater than 90 days and generates an HTML report with the results. If you have a large domain with lots of computer accounts, it might take a while for the command to complete. To reduce the amount of time it takes for OldCmp to run, you can use the -b option to target a specific OU.