Using the Active Directory command-line tools in a Windows 2000 or Windows Server 2003 domain, I have scripted OUusers.bat to modify Active Directory user attributes for all members of an OU.

The syntax for using OUusers.bat is:

OUusers OU P1a P1b \[P2a P2b ... Pna Pnb\]


```
OU         is the OU name in your domain.
Pna        is a DSMOD parameter, and is always preceded by a -.
Pnb        is the value of the Pna parameter that you wish to set.
```

Example:

To set all users in the "My OU" OU in your domain to have a company name of "My OU subsidiary, Your Company" and a Web page of "<UserName>.htm":

```
Ouusers "My OU" -company "My OU subsidiary, Your Company" -webpg "$username$.htm"
```

I have removed the detailed descriptions of the parameters that would not make sense to set from the following dsmod user /? display:

```
Description:  Modifies an existing user in the directory.
Syntax:     dsmod user <UserDN ...> [-upn <UPN>] [-fn <FirstName>]
            [-mi <Initial>] [-ln <LastName>] [-display <DisplayName>]
            [-empid <EmployeeID>] [-pwd {<Password> | *}]
            [-desc <Description>] [-office <Office>] [-tel <Phone#>]
            [-email <Email>] [-hometel <HomePhone#>] [-pager <Pager#>]
            [-mobile <CellPhone#>] [-fax <Fax#>] [-iptel <IPPhone#>]
            [-webpg <WebPage>] [-title <Title>] [-dept <Department>]
            [-company <Company>] [-mgr <Manager>] [-hmdir <HomeDir>]
            [-hmdrv <DriveLtr>:] [-profile <ProfilePath>]
            [-loscr <ScriptPath>] [-mustchpwd {yes | no}]
            [-canchpwd {yes | no}] [-reversiblepwd {yes | no}]
            [-pwdneverexpires {yes | no}]
            [-acctexpires <NumDays>] [-disabled {yes | no}]
            [{-s <Server> | -d <Domain>}] [-u <UserName>]
            [-p {<Password> | *}] [-c] [-q] [{-uc | -uco | -uci}]

Parameters:

Value                   Description
-pwd {<Password> | *}   Resets user password to <Password>. If *, then
                        you are prompted for a password.
-desc <Description>     Sets user description to <Description>.
-office <Office>        Sets user office location to <Office>.
-fax <Fax#>             Sets user fax# to <Fax#>.
-webpg <WebPage>        Sets user web page URL to <WebPage>.
-title <Title>          Sets user title to <Title>.
-dept <Department>      Sets user department to <Department>.
-company <Company>      Sets user company info to <Company>.
-mgr <Manager>          Sets user's manager to <Manager>.
-hmdir <HomeDir>        Sets user home directory to <HomeDir>. If this is
                        UNC path, then a drive letter to be mapped to
                        this path must also be specified through -hmdrv.
-hmdrv <DriveLtr>:      Sets user home drive letter to <DriveLtr>:
-profile <ProfilePath>  Sets user's profile path to <ProfilePath>.
-loscr <ScriptPath>     Sets user's logon script path to <ScriptPath>.
-mustchpwd {yes | no}   Sets whether the user must change his password (yes)
                        or not (no) at his next logon.
-canchpwd {yes | no}    Sets whether the user can change his password (yes)
                        or not (no). This setting should be "yes"
                        if the -mustchpwd setting is "yes".
-reversiblepwd {yes | no}
                        Sets whether the user password should be stored using
                        reversible encryption (yes) or not (no).
-pwdneverexpires {yes | no}
                        Sets whether the user's password never expires (yes)
                        or not (no).
-acctexpires <NumDays>  Sets user account to expire in <NumDays> days from
                        today. A value of 0 sets expiration at the end of
                        today.
                        A positive value sets expiration in the future.
                        A negative value sets expiration in the past.
                        A string value of "never" sets the account
                        to never expire.
-disabled {yes | no}    Sets whether the user account is disabled (yes)
                        or not (no).
{-s <Server> | -d <Domain>}
                        -s <Server> connects to the domain controller (DC)
                        with name <Server>.
                        -d <Domain> connects to a DC in domain <Domain>.
                        Default: a DC in the logon domain.
-u <UserName>           Connect as <UserName>. Default: the logged in user.
                        User name can be: user name, domain\user name,
                        or user principal name (UPN).
-p <Password>           Password for the user <UserName>. If * then prompt
                        for password.
-c                      Continuous operation mode. Reports errors but
                        continues with next object in argument list
                        when multiple target objects are specified.
                        Without this option, the command exits on the
                        first error.
-q                      Quiet mode: suppress all output to standard output.

Remarks:
If a value that you supply contains spaces, use quotation marks
around the text (for example, "CN=John Smith,CN=Users,DC=microsoft,DC=com").
If you enter multiple values, the values must be separated by spaces
(for example, a list of distinguished names).

The special token $username$ (case insensitive) may be used to place the
SAM account name in the value of -webpg, -profile, -hmdir, and
-email parameter.
For example, if the target user DN is
CN=Jane Doe,CN=users,CN=microsoft,CN=com and the SAM account name
attribute is "janed," the -hmdir parameter can have the following
substitution:

-hmdir \users\$username$\home

The value of the -hmdir parameter is modified to the following value:

- hmdir \users\janed\home

Examples:
To reset a user's password:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    -pwd A1b2C3d4 -mustchpwd yes

To reset multiple user passwords to a common password
and force them to change their passwords the next time they logon:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes

To disable multiple user accounts at the same time:

    dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
    "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -disabled yes

To modify the profile path of multiple users to a common path using the
$username$ token:

dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com"
"CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -profile \users\$username$\profile
```

OUusers.bat contains:

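```
@echo off
setlocal ENABLEDELAYEDEXPANSION
rem Require an OU name plus at least one parameter/value pair.
if {%3}=={} goto syntax
rem Normalize the OU name to exactly one pair of surrounding quotes.
set ou=%1
set ou="%ou:"=%"
set params=
set /a cnt=0
rem Collect the remaining arguments; each odd-numbered one must start with "-".
:ploop
shift
if {%1}=={} goto begin
set /a cnt=%cnt% + 1
set /a p1=%cnt%%%2
if %p1% EQU 0 set params=%params% %1&goto ploop
set work=%1
if "%work:~0,1%" NEQ "-" goto syntax
set params=%params% %1
goto ploop
:begin
rem Parameters must come in pairs.
set /a cnt=%cnt%%%2
if %cnt% NEQ 0 goto syntax
set query=dsquery user -o dn -limit 0
rem Keep DNs that contain ",OU=" and the OU name. /c: makes findstr treat the
rem quoted name as one literal string; without it, each space-separated word
rem of an OU name such as "My OU" is searched for separately.
rem This is a substring test on the whole DN, not an exact OU match.
rem The echo below prints the full command line, including any -pwd value.
for /f "Skip=1 Tokens=*" %%u in ('%query%') do (
 for /f "Tokens=*" %%o in ('@echo %%u^|Findstr /i /l ",OU="^|Findstr /i /l /c:%ou%') do (
  set DN=%%o
  @echo dsmod user !DN!%params%
  dsmod user !DN!%params%
 )
)
endlocal
exit /b 0
:syntax
@echo Syntax: OUusers OU P1a P1b [P2a P2b ... Pna Pnb]
endlocal
exit /b 1
```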
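Because OUusers.bat selects its targets by searching each DN as text, it is worth previewing which accounts a run would touch before passing options such as -pwd or -disabled. The following Python sketch is an added example, not part of OUusers.bat: it contrasts the text filter with an exact match on the OU component. The function names and the example.com DNs are assumptions made for illustration.

```python
import re

# Constructed sample of `dsquery user -o dn -limit 0` output (not real data).
SAMPLE = [
    '"CN=Administrator,CN=Users,DC=example,DC=com"',
    '"CN=Ann Lee,OU=Sales,DC=example,DC=com"',
    '"CN=Bob Ray,OU=Sales East,DC=example,DC=com"',
    '"CN=Sales Admin,OU=IT,DC=example,DC=com"',
    r'"CN=Lee\, Cy,OU=Sales,OU=EMEA,DC=example,DC=com"',
]

def findstr_literal(line, pattern, as_phrase):
    """Emulate findstr /i /l: without /c: every space-separated word
    is a separate search string, and any one of them matching is a hit."""
    words = [pattern] if as_phrase else pattern.split()
    return any(w.lower() in line.lower() for w in words)

def loose_filter(dn, ou, as_phrase=True):
    """Text filter: ',OU=' anywhere in the DN, then the OU name anywhere."""
    return findstr_literal(dn, ",OU=", True) and findstr_literal(dn, ou, as_phrase)

def split_rdns(dn):
    """Split a DN into RDNs on commas that are not backslash-escaped."""
    return [p.strip() for p in re.split(r"(?<!\\),", dn.strip().strip('"'))]

def exact_filter(dn, ou):
    """True only when a container above the user is exactly OU=<ou>."""
    wanted = "ou=" + ou.lower()
    return any(rdn.lower() == wanted for rdn in split_rdns(dn)[1:])

def preview(dns, ou, as_phrase=True):
    """Return (intended, extra): DNs really under the OU, and DNs the
    text filter would also hand to dsmod."""
    intended = [d for d in dns if exact_filter(d, ou)]
    extra = [d for d in dns
             if loose_filter(d, ou, as_phrase) and not exact_filter(d, ou)]
    return intended, extra

if __name__ == "__main__":
    intended, extra = preview(SAMPLE, "Sales")
    print("intended:", *intended, sep="\n  ")
    print("also matched by text filter:", *extra, sep="\n  ")
```

With `as_phrase=False` the sketch models findstr being given a quoted name that contains a space without /c:, in which case "My OU" matches every DN that has any OU component.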