AdMod

Summary

Command line Active Directory modification tool. This is the natural extension to AdFind. I was primarily prompted by dsmod, dsmove, dsrm.exe not being what I wanted them to be when I wanted them to be.

Warranty

See warranty.

PlatForms

• Windows 7 / 2008 R2 or newer against any version of Active Directory, ADAM/ADLDS, and other LDAP directories

Current Version

Version 1.28.00 - October 8, 2023

Modification(s) from previous version

• BUGFIXES:
  • Fixed usage for -rbmove
• Switches:
  • Added nothing new
• Shortcuts:
  • Added nothing new
• Misc:
  • Strip out ***INVALID_ACCESSMASK from SD strings
  • Removed bailout validation for SD checks
  • Added UTCGT, LOCALGT, CURRENTGT for binenc
  • Added *nowgt* and *now_gt* for expansion
  • Check for combination of -b and special base and bailout

Security Requirements

There are no local security requirements for running AdMod  other than the ability to launch executables. Ability to modify objects in Active Directory and ADAM/ADLDS will be dependent on the security configured for the directory.

The -undel option will require permissions to see into the cn=Deleted Objects container if that is where the object is.... By default, this requires administrator permissions.

Language

C++. Compiled with Visual Studio 2022

Source Code Availability

None

Story

AdFind had been around for some time and I kept thinking and hearing, well what about modifying the directory? My main problem besides free time to think about it was how do I properly set up the input for the modifications. I needed something fairly easy. That is a lot tougher than you think unless you do what the ds* folks did in terms of hard coding for specific attributes which I specifically did not want to do.

Finally I got a brainstorm on how to handle the input of the data. So voila, here it is. Note I did think that the ability for the ds* tools to take a feed from the dsquery tool was very cool and I specifically added that capability in AdMod. This way you can search from adfind (with -dsq option) or from dsquery to generate the list of objects to be updated.

In V01.07.00 I added CSV functionality. Quite honestly, this blows CSVDE out of the water because it can do updates to existing objects as well as add new objects. However, this is complicated stuff, you need to fully read the usage given to you when you type admod /csv? and understand it before running with it. Again, any tool that modifies AD or ADAM should be considered dangerous, including this one. I try to protect people from cutting themselves wherever I can but I can't block every possible thing that someone may do that could hurt themselves and honestly, it isn't my job to. So... understand what you are doing before you do it. If you aren't sure, test it in on a test lab AD or ADAM first.

In V01.21.00, a highly delayed update, over 8 years,  I added a bunch of functionality around modifying Security Descriptors. I have long disliked DSACLS and for outputting ACLs I set up AdFind years ago to do it in a much more, IMO, readable format. Now with AdMod I have put together what I think is an easier update model than DSACLS and is definitely faster than DSACLS especially when updating multiple objects which DSACLS doesn't do at all. Another big difference from DSACLS is that it allows to strip off specific ACEs instead of outright revoking ALL access for a given security principal. This security descriptor functionality is exceptionally dangerous, test test test before using in production. Understand what you are doing. AdMod will NOT protect you from doing something stupid.

Download

You do not have to supply the email address. I would like you to fill that in though so that I have an idea on how popular a tool really is. If I see 1000 downloads with 900 different email addresses I know it is more widespread than one that has 1000 downloads and 200 different email addresses because the same person needed to keep downloading it for some reason.

Version History

• Update: Version 1.00.00 - 07/05/2004 - Original
• Update: Version 1.01.00 - 07/14/2004 - Added -rootdse option
• Update: Version 1.02.00 - 07/30/2004 - Corrected a parameter bug
• Update: Version 1.03.00 - 02/23/2005 - Corrected bugs in parsing and STDIN reading.
• Update: Version 1.04.00 - 04/03/2005 - Corrected parsing bug, added -add switch.
• Update: Version 1.05.00 - 05/19/2005 - Corrected move bug, added -kerbenc, added binary updates
• Update: Version 1.06.00 - 06/03/2005 - Corrected undelete bug
• Update: Version 1.07.00 - 10/01/2006 - Fixed some memory leaks,  added +- operation, remove all values of multivalue and replace with specified values,  added switches -permissive, -xdom, -delegation, -u, -up, -simple, -ssl, -rootdse, -null, -schema, -root, -config, -default, -rb, -upto, -counterstart, -expand, -bmod, -autobase, -po, -e, -ef, -import, -importexclattr, -replacedn, -replacedndelim, -dotcount, added TXT## to binary encode, added CSV functionality, see admod /sc?, broke usage screens into sections, output directory type/port info, added shortcuts
• Update: Version 1.08.00 - 10/30/2006 - Updated usage docs, added {{.}} and {{}} in expansion strings, fixed some CSV add/modify bugs, added ability to add attributes when undeleting object, added -csvmodnull
• Update: Version 1.08.01 - 11/01/2006 - Fixed output bug on "using server" line when using -h server:port switch.
• Update: Version 1.08.02 - 11/06/2006 - Fixed usage typo
• Update: Version 1.09.00 - 01/15/2007 - Fixed bug in tokenization routine, Fixed bug, -p not in allowed switches list, Allow -sc adau single add to specify sAMAccountName, Fixed usage typo
• Update: Version 1.10.00 - 02/24/2007 - Fixed bug in Binary handling of CSV routine, Removed a hidden test switch
• Update: Version 1.11.00 - Never publicly released.
• Update: Version 1.12.00 - 02/13/2010 - Converted to CodeGear C++ Builder 2009. Multiple bug fixes, switches, logic, shortcuts, and docs. Added CSV var expansion modifiers: __lc, __uc, __spec, __hex, __num, *origdn*. Added SD## encoding for SDDL for binary attribute encoding. Added UTC##, LOCAL##, CURRENT## for time for binary attribute encoding. Additional work on the Environment (-e and -ef) functionality. Warn if no redirect and no base specified.
  Error out if bad DN specified in multidn mode. Allow non-csv -expand mode. -import now works for updates, adds values, no overwrite. -csv with no args specified enables -import. Added new switches: -log, -forestdns, -domaindns, -dcs, -fsps, -gpo, -ldappolicy, -psocontainer, -xrights, -partitions, -sites, -subnets, -exch, -stdinadd, -stdinrm, -stdinreplace, -csvfile, -arecex, -digest, -tmpobj, -hh, -hd, -users, -displayspecifiers, -optenc. Added new shortcuts: -sc phantomgc, -sc igcc, -sc rsc, -sc rodcpurge, -sc runpag, -sc runsamupg, -sc rsos.
• Update: Version 1.13.00 - 04/26/2010 - Fixed an ugly bug with :+: and fixed Doc typo.
• Update: Version 1.14.00 - 02/13/2011 - Fixed several crash bugs in shortcuts.Fixed doc typo Attempted to fix Outlook/Word cut and paste bug for doublequote and dash. Warn on setting unicodepwd without proper encryption. Added ENCPWD: format for -up. Allow CHANGE password along with SET password. Fixed bug in -stdinsort. Added _all for -replacedn
•  Update: Version 1.15.00 - 03/03/2011 - Fixed bug with GUID## and braces. Fixed multiple bugs with -csv and -import modes. Added auto-binary encode of schemaID and attributeSecurityGUID in import modes. In import modes, filter out attributes that don't exist in destination DSA. Added -importpass1, -importpass2 switches. Added -stdinsort, -replacedn _all, -csv to -import switch. Added shortcut -sc importschema. Fixed bug with -hd switch.
• Update: Version 1.16.00 - 03/22/2011 - Added additional string filtering for SD##
• Update: Version 1.17.00 - 03/30/2011 - Fixed bug with HEX## CSV functionality
• Update: Version 1.18.00 - 03/19/2012 - Fixed bug with quotes in inbound DNs. Fixed bug with -import and binary values. Fixed bug with \xx in inbound DNs. Detect Unicode input and bail with error. Fixed some usage typoes. Added switches -treenuke, -policyhints,-recycle. Added importfile## binary operation.
• Update: Version 1.19.00 - Not publically released.
• Update: Version 1.20.00 - Not publically released.
• Update: Version 1.21.00 01/01/2021 - Converted to Visual Studio 2019 and added lots of fun goodness and fixes.
• Update: Version 1.21.01 01/15/2021 - Usage typo fixes
• Update: Version 1.22.00 03/14/2021 - Bug fixes
• Update: Version 1.23.00 04/24/2021 - Bug fixes and some random other things
• Update: Version 1.24.00 11/12/2021 - Bug fixes and some random other things
• Update: Version 1.25.00 06/05/2022 - Not released to public
• Update: Version 1.26.00 05/06/2023 - Bug fixes, usage fixes, a few switches added
• Update: Version 1.27.00 05/06/2023 - Private build
• Update: Version 1.18.00 10/08/2023 - Misc updates