AdMod Usage

admod /?

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

-help         Basic help.
-?            Basic help.
-??           Advanced help.
-????         Shortcut help.
-sc?          Shortcut help.
-csv?         CSV / ADCSV help.

Usage:
 AdMod [switches] [attr-action]

  Switches: (designated by - or /)

           [CONNECTION OPTIONS]
   -h host:port  Host and port to use. If not specified uses port 389 on
                 default LDAP server. Localhost can be specified as '.'.
                 Port can also be specified via -p.


           [UPDATE OPTIONS]
   -b basedn     RFC 2253 DN to work on. If basedn is not specified
                 the program will read from stdin anything piped to it
                 or if you want you can type the DNs there followed by
                 a ctrl-z to terminate the pipe.
   -safety x     How many objects before safety kicks in. Default 10.


           [ACTIONS]
   -rm           Delete specified object(s).
   -del          Alias for -rm.
   -add          Add an object. Specify DN with -b and attributes normally.
                 At the very least you will need to specify objectclass.
   -undel x      Undelete specified object(s), uses lastknownparent unless
                 an alternate parent is supplied in x. Requires K3+.
   -rename x     Rename object to RDN of x.
   -move x       Move object to parent specified by x (within domain)



  Attr-Action
       Format:  attribute : operation : value(s)

    This field is broken up into three main sections. Not all
    sections are required for all operations. The three sections
    are the attribute section, operation section, and value section.
    By default the delimiter between the sections is the : character
    however you may change this with the -delim option.

    Type AdMod /?? for details.


  Notes:
    o This tool could be considered dangerous, it can quickly make some
      serious changes to your directory. Use it only when you know what
      you are doing. I take no responsibility for you dorking up your
      directory. The safety option will bail the whole operation if there
      are more objects to work on than specified with the -safety option.

    o This tool was written with simple US ASCII in mind. UNICODE and special
      ASCII characters such as characters with umlauts or graphics may not
      be processed correctly due to how the command prompt handles those
      characters. If you see this occurring, redirect the input from a text file
      with the command prompt redirection symbols and it is possible the program
      will operate correctly. If not, you do not need to tell me, I know and I
      am working to correct it in some future version... no timeline.

    Type AdMod /?? for more notes.


  Ex1:
    admod -b dc=test,dc=net "description::Joe's Domain"
      Change Description of test.net object.

  Ex2:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
      Add some drinks to joe's user object in the directory

  Ex3:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:-:Water"
      Removes water from the drink list for joe... 

  Ex4:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:+:Vodka"
      Adds vodka to the drink list for joe... 

  Ex5:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink::Water"
      Replaces the entire list with just water for joe... 

  Ex6:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:+-:Water;Lemonade"
      Replaces the entire list with water and lemonade for joe... 

  Ex7:
    admod -b cn=someuser,cn=users,dc=test,dc=net -add objectclass::user samaccountname::someuser
      Create disabled user someuser.

  Ex8:
    admod -b cn=someuser,cn=users,dc=test,dc=net -move ou=u,dc=test,dc=com
      Move user someuser to ou=u.

  Ex9:
    admod -b cn=someuser,cn=users,dc=test,dc=net -rm
      Delete someuser.

  Ex10:
    admod -users -rb cn=someuser unicodepwd::newpassword -optenc
      Administrative password reset for user named someuser.

  Ex11:
    admod -users -rb cn=someuser unicodepwd:-:oldpassword unicodepwd::newpassword -optenc
      Change password for user named someuser.



 This software is Freeware. Use at your own risk.
 I do not warrant this software to be fit for any purpose or use and
 I do not guarantee that it will not damage or destroy your system.
 Contact joe@joeware.net via email for licensing information to package
 this utility in commercial products.

 See full Warranty documentation or download the latest version
 on http://www.joeware.net.

 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at joe@joeware.net

admod /??

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

-help         Basic help.
-?            Basic help.
-??           Advanced help.
-????         Shortcut help.
-sc?          Shortcut help.
-csv?         CSV / ADCSV help.

Usage:
 AdMod [switches] [attr-action]

  Switches: (designated by - or /)

           [CONNECTION OPTIONS]
   -h host:port  Host and port to use. If not specified uses port 389 on
                 default LDAP server. Localhost can be specified as '.'.
   -p port       Alternate method to specify port to connect to.
   -hh host:port Combines -h with -arecex
   -hd host:port Combines -h with -default
   --------------Advanced--------------
   -kerbenc      Kerberos Encryption (LDAP_OPT_ENCRYPT).
   -optenc       Alias for -kerbenc (LDAP_OPT_ENCRYPT).
   -ssl          Use SSL.
   -delegation   Delegated bind (ISC_REQ_DELEGATE).
   -arecex       Hostname has the actual host name, not domain name.


           [UPDATE OPTIONS]
   -b basedn     RFC 2253 DN to work on. If basedn is not specified
                 the program will read from stdin anything piped to it
                 or if you want you can type the DNs there followed by
                 a ctrl-z to terminate the pipe.
   -safety x     Only modify objects if <= x. Default 10.
   --------------Advanced--------------
   -null         Use null base for base DN.
   -rootdse      Like -null.
   -root         Determine and use root partition for base DN.
   -config       Determine and use configuration partition for base DN.
   -schema       Determine and use schema partition for base DN.
   -default      Determine and use default partition for base DN.
   -rb xx        Relative Base, use with special base DN's above.
                     So you could specify -default and -rb cn=users.
   -users        Use cn=users,<default domain> for base.
   -forestdns    Use ForestDNS NDNC for base.
   -domaindns    Use DomainDNS NDNC for base.
   -dcs          Use Domain Controllers container of default domain for base.
   -gpo          Use System Policies container of default domain for base.
   -psocontainer Use PSO Container of default domain for base.
   -ldappolicy   Use Ldap Query Policies container for base.
   -xrights      Use Extended Rights container for base.
   -partitions   Use Partitions container for base.
   -sites        Use Sites container for base.
   -subnets      Use Subnets container for base.
   -exch         Use Exchange Services container for base.
   -fsps         Use Foreign Security Principals container for base.
   -displayspecifiers User Display Specifiers container in config for base.
   -t xxx        Timeout value for query, default 120 seconds.
   -unsafe       Don't have a safety, modify objects no matter how many.
   -upto xx      Modify up to xx objects and then stop.
   -cont         Continue with objects even if errors.
   -treedelete   Used in combination with -rm/-del to delete branch
   -treenuke     Used in combination with -rm/-del to delete everything
                 in a branch. Like -treedelete but works for >16k objects.
   -recycle      Allow forced recycle of deleted objects.
   -permissive   Permissive modify. (LDAP_SERVER_PERMISSIVE_MODIFY_OID)
   -policyhints  Enable LDAP_SERVER_POLICY_HINTS_OID. (KB2443871)

           [ACTION OPTIONS]
   -rm           Delete specified object(s)
   -del          Alias for -rm.
   -add          Add an object. Specify DN with -b and attributes normally.
                 At the very least you will need to specify objectclass.
   -undel x      Undelete specified object(s), uses lastknownparent unless
                 an alternate parent is supplied in x. Requires K3+. Can add
                 additional attribute values with :+: or :++: ops.
   -rename x     Rename object to RDN of x.
   -move x       Move object to parent specified by x (within domain)
   -stdinadd x   Take list of quoted DNs and add to specified attribute x.
   -stdinrm x    Take list of quoted DNs and remove from specified attribute x.
   -stdinreplace x  Take list of quoted DNs and replace values of specified
                    attribute x.
   -stdinsort x  Sorts DNs that have been piped in in multi-DN mode, the
                 default sort is hierarchical, but can specify case-sensitive
                 alphabetic sort with csalpha or case-insensitive with cialpha
   --------------Advanced--------------
   -delim x      x specifies delimiter for attribute sequence. Default :
   -mvdelim x    x specifies delimiter for value sequence. Default ;
   -xdom x       Cross domain move, move to DC x. Use with -move. Must
                 specify FQDN of destination DC as parameter of -xdom.
                 The cross domain move has specified requirements which
                 are the same for all mechanisms used. To see the requirements
                 please look up IADsContainer::MoveHere in MSDN Library.


           [OUTPUT OPTIONS]
   -elapsed      Display elapsed time in seconds
   -exterr       Show Extended Error info. DSID Info...


           [AUTHENTICATION OPTIONS]
   --------------Advanced--------------
   -u userID     Userid authentication. AD simple bind supports All ID
                 formats. Secure bind only supports ID formats 1 and 2.
                 Digest Bind supports ID formats 1 and 3.
                 No userid specified indicates anonymous authentication.
                     ID Formats
                     1. domain\userid (SAM Format / NT Format)
                     2. user@domain.com (userPrincipalName)
                     3. cn=user,ou=someou,dc=domain,dc=com (DN)
   -up pwd       Password for specified userid. * indicates to ask for password.
                 Password can be clear text password or ENCPWD:xxx format as
                 created by the adfind -encpwd switch
   -simple       Simple Bind
   -digest       Digest Bind (LDAP_AUTH_DIGEST). Automatically enabled if bind
                 string starts with 'cn='


           [MISC OPTIONS]
   --------------Advanced--------------
   -po           Print options. This switch will dump to the command line
                 all switches with values and attributes specified.
   -tmpobj xx    For object adds, will create dynamic objects with lifetime of
                 xx seconds. If no value specified, will have lifetime of 7 days.
   -log xxx      Log information to file xxx. (default admod.log).

   -replacedn xxx:yyy  Replaces xxx in DNs with yyy. Following special cases:
                     _all         replaces all of the following:
                     _config      <CONFIG> replaced with configuration DN
                     _schema      <SCHEMA> replaced with schema DN
                     _default     <DEFAULTNC> replaced with default NC DN
                     _root        <ROOT> replaced with root NC DN
                     _sites       <SITES> replaced with sites DN
                     _subnets     <SUBNETS> replaced with subnets DN
                     _exch        <EXCH> replaced with Exchange services DN
   -replacedndelim x   Specifies delimiter to separate replacedn strings

   -e xxx        Load switches from environment. Will read env vars with prefix
                 and dash (adfind-) by default and load them in. To
                 specify a different prefix, specify string after -e. For
                 example to specify the host switch create an env var of 
                 adfind-h. To specify a switch that doesn't take
                 a value, specify a value of {~} because you can't set
                 an environment variable to blank. Unfortunately it is not
                 currently possible to specify Attr-Action combinations with
                 the environment variables. By default, Admod will read any
                 environment variables prefixed with (joeware-default-admod-)
                 without specifying -e.
                    Ex: Modify ADAM config NC on localhost port 5000.
                       set adam1-h=.:5000
                       set adam1-config={~}
                       set adam1-u=thispc\myid
                       set adam1-up=ENCPWD:EhfEeD0ZVyV9O2AdWzoNyXzYrQwVJm9cN1
                       admod -e adam1 "description::this is a test"

      NOTE: The Environment switch mentions AdFind for the default names for
            the environment variables, this is not a typo. You can override
            if you prefer, but the idea is to use the same vars for consistency
            between the two command line apps.

   -ef xxx       Load switches from file (default file = admod.cf), one 
                 switch per line. Attr-Action strings are placed on multiple lines
                    Ex: Modify ADAM config NC on localhost port 5000.
                       edit file adam1.cf
                         -h .:5000
                         -config
                         description::this is a test
                       admod -ef adam1.cf

                 By default AdMod will process the default configuration
                 file 'joeware_default_admod.cf' without specifying -ef.

      ENVIRONMENT NOTES
         There are five levels for specifying switches, a lower level will
         not override a higher level. The levels from highest to lowest:
            1. Command line switches
            2. Environment variable specified via -e
            3. Environment file specified via -ef
            4. Default environment variables prefixed with joeware-default-admod-
            5. Default environment file joeware_default_admod.cf
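The five-level precedence above is easy to get wrong when the same switch appears in several places, so here is an added illustration written for this page (not AdMod's own switch loader). It assumes the command line has already been parsed into a dict, matches environment variable names case-insensitively as Windows does, honours the {~} marker for switches that take no value, and treats any non-switch line in a -ef file as an attr-action string. The environment and -ef contents are constructed sample data.

```python
NO_VALUE = "{~}"                      # help-text marker: switch takes no value
DEFAULT_ENV_PREFIX = "joeware-default-admod"   # level 4 prefix from the help

# Constructed sample data: a -e prefix of adam1 plus two default-level vars.
SAMPLE_ENV = {
    "adam1-h": ".:5000",
    "adam1-config": NO_VALUE,
    "adam1-u": r"thispc\myid",
    "JOEWARE-DEFAULT-ADMOD-T": "60",            # case differs, still matches
    "joeware-default-admod-h": "dc1.test.net:389",
}
SAMPLE_EF = "-h .:5000\n-config\ndescription::this is a test\n"


def switches_from_env(environ, prefix):
    """Switches from variables named <prefix>-<switch>, e.g. adam1-h.
    Names are compared case-insensitively; {~} becomes a value-less switch."""
    tag = (prefix + "-").lower()
    found = {}
    for name, value in environ.items():
        if name.lower().startswith(tag):
            found[name.lower()[len(tag):]] = None if value == NO_VALUE else value
    return found


def switches_from_file(text):
    """Parse a -ef file: one switch per line ('-h .:5000' or a bare '-config').
    Lines that do not start with - or / are returned as attr-action strings."""
    switches, actions = {}, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line[0] in "-/":
            name, _, value = line[1:].partition(" ")
            switches[name.lower()] = value.strip() or None
        else:
            actions.append(line)
    return switches, actions


def resolve_switches(cmdline, environ, e_prefix=None, ef_text="",
                     default_ef_text=""):
    """Merge the five levels, highest first; a lower level never overrides a
    higher one. 'cmdline' is assumed to be already-parsed switches (a dict)."""
    levels = [
        cmdline,                                                   # 1
        switches_from_env(environ, e_prefix) if e_prefix else {},  # 2
        switches_from_file(ef_text)[0],                            # 3
        switches_from_env(environ, DEFAULT_ENV_PREFIX),            # 4
        switches_from_file(default_ef_text)[0],                    # 5
    ]
    merged = {}
    for level in levels:
        for name, value in level.items():
            merged.setdefault(name, value)   # first (highest) level wins
    return merged
```

With the sample data, a command-line -t 30 beats the default-level joeware-default-admod-t of 60, while -h comes from the adam1 variables because nothing higher sets it; the default-level host is never consulted.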



  Attr-Action
       Format:  attribute : operation : value(s)

    This field is broken up into three main sections. Not all
    sections are required for all operations. The three sections
    are the attribute section, operation section, and value section.
    By default the delimiter between the sections is the : character
    however you may change this with the -delim option.

   attribute  This is the name of the attribute to be manipulated
              Any attribute that is a valid attribute for the ldap
              directory is a valid value here.

              ___BINARY ATTRIBUTES___
              Some attributes do not accept text based values. The
              immediate examples are GUIDs and SIDs. Binary updates are
              a little different than normal string updates and
              require encoding. To specify this encoding, prefix
              the attribute with one of the following prefixes:
                GUID##   Encodes friendly format GUIDs
                           ex: {26C18F02-9B73-495B-9F53-8207FC72527D}
                           ex: 26C18F02-9B73-495B-9F53-8207FC72527D
                SID##   Encodes friendly format SIDs
                           ex: S-1-5-21-1862701446-4008382571-2198042679
                HEX##   Encodes even number of Hex characters. White space
                        is filtered out.
                           ex: FFEA 34FD 76DA
                BIN##   Alias for HEX##.
                           ex: FFEA 34FD 76DA
                TXT##   Encodes text into binary. Can embed hex characters
                        by escaping hex character with slash such as \0a.
                        Also several "standard" escape characters are
                        supported \a, \b, \f, \n, \r, \t, \v
                           ex: street address\ncity,state\nzipcode
                SD##    Encodes SDDL into security descriptor
                           ex: D:PAI(OA;;GA;;;BA)
                IMPORTFILE##  Encodes a file into binary.
                           ex: IMPORTFILE##jpegphoto::c:\temp\mypic.jpg

              You can also encode time values to int8 format with the following
              prefixes:
                UTC##   Encodes UTC Time value.
                LOCAL## Encodes Local Time value.
                        The formatting for UTC and LOCAL is:
                             YYYY/MM/DD-HH:MM:SS (HH:MM:SS is optional)
                CURRENT## Encodes current timevalue.
                   CURRENT requires a delta value to be specified in the value
                   field of the attr-action string. Such as CURRENT##attrib::0
                   for no delta. Deltas can be specified in days, hours, minutes
                   or seconds with a string appended to the integer value:
                      d for days   - ex: CURRENT##accountexpires::30d
                      h for hours  - ex: CURRENT##accountexpires::24h
                      m for minutes - ex: CURRENT##accountexpires::300m
                      s for seconds - ex: CURRENT##accountexpires::900s
                   You can also specify the delta as dd:hh:mm:ss

   operation  This is the operation to perform.
              Valid operations are:
                (blank) Update the attrib with the new value.
                +       Add a value to an attribute.
                -       Clear an attribute or value in an attribute.
                ++      Add multiple values to an attribute.
                +-      Replace all values with multiple new values.
                --      Remove multiple values from an attribute.

   value(s)   This specifies values to use.
              If you are doing a multivalue operation with ++, +-, or --
              you will separate the values with ;, or alternatively
              you can specify a different MV delimiter with -mvdelim.

              __OPERATION NOTES__
              o +,++,+-,-- operations all require values specified.
              o - operation doesn't require a value. No value clears
                all values. Value specified clears one value.
              o Trying to add multiple values to a single value attribute
                will result in error.
              o Doing an update operation (blank op - ::) to a multivalue
                will wipe all values and replace with the one single value.
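The attr-action grammar above (attribute, operation, value(s), the -delim and -mvdelim overrides, the operation notes, and the encoding prefixes) can be exercised offline with the parser below. It is an added example written for this page, not AdMod's code; the binary layouts it produces for GUID## (Windows GUID struct byte order), SID## (revision, count, 48-bit big-endian authority, little-endian sub-authorities) and the precedence of the \n-style escapes over \xx hex escapes in TXT## are assumptions about what the tool emits, and the LDAP change types (add, delete, replace) are the natural mapping of the six operations.

```python
import binascii
import re
import struct
import uuid

# Operation token -> (LDAP change type, multi-value list?) as the help text
# defines them. A blank op replaces whatever is there with the one value given.
OPERATIONS = {
    "":   ("replace", False),
    "+":  ("add", False),
    "-":  ("delete", False),   # no value at all clears the whole attribute
    "++": ("add", True),
    "+-": ("replace", True),
    "--": ("delete", True),
}

def encode_guid(text):
    """Friendly GUID, braces optional, to the 16-byte mixed-endian layout of a
    Windows GUID struct (assumed here to be what GUID## produces)."""
    return uuid.UUID(text.strip().strip("{}")).bytes_le

def encode_sid(text):
    """S-1-5-21-... to a binary SID: revision, sub-authority count, 48-bit
    big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = text.strip().split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("not a SID: " + text)
    subs = [int(p) for p in parts[3:]]
    return (struct.pack("<BB", int(parts[1]), len(subs))
            + int(parts[2]).to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subs))

def encode_hex(text):
    """HEX## / BIN##: an even number of hex digits, white space filtered out."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("HEX## needs an even number of hex characters")
    return binascii.unhexlify(digits)

_TXT_ESCAPES = {"a": b"\a", "b": b"\b", "f": b"\f", "n": b"\n",
                "r": b"\r", "t": b"\t", "v": b"\v"}

def encode_txt(text):
    """TXT##: ASCII text where \\n-style escapes and \\xx hex escapes (\\0a)
    each become a single byte; everything else is copied through."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\" and i + 1 < len(text):
            if text[i + 1] in _TXT_ESCAPES:            # named escape first
                out += _TXT_ESCAPES[text[i + 1]]
                i += 2
                continue
            if re.fullmatch(r"[0-9A-Fa-f]{2}", text[i + 1:i + 3]):
                out.append(int(text[i + 1:i + 3], 16))  # two hex digits
                i += 3
                continue
        out += text[i].encode("ascii")                  # tool is ASCII-only
        i += 1
    return bytes(out)

ENCODERS = {"GUID": encode_guid, "SID": encode_sid, "HEX": encode_hex,
            "BIN": encode_hex, "TXT": encode_txt}

def parse_attr_action(spec, delim=":", mvdelim=";"):
    """Split 'attribute<delim>operation<delim>value(s)' into
    (attribute, ldap_changetype, [values]). delim mirrors -delim and mvdelim
    mirrors -mvdelim; values are str, or bytes after an encoding prefix."""
    parts = spec.split(delim, 2)           # a value may itself contain delim
    if len(parts) < 2:
        raise ValueError("need at least attribute and operation: " + spec)
    attr, op = parts[0].strip(), parts[1]
    raw = parts[2] if len(parts) == 3 else ""
    if op not in OPERATIONS:
        raise ValueError("unknown operation %r in %r" % (op, spec))
    changetype, multi = OPERATIONS[op]
    encoder = None
    if "##" in attr:                       # e.g. guid##guidattr, bin##binattr
        prefix, attr = attr.split("##", 1)
        encoder = ENCODERS.get(prefix.upper())
        if encoder is None:
            raise ValueError("unknown encoding prefix %s##" % prefix)
    if multi:
        values = raw.split(mvdelim) if raw else []
    else:
        values = [raw] if raw != "" else []
    if op != "-" and not values:           # only '-' may go without a value
        raise ValueError("operation %r requires a value" % op)
    if encoder:
        values = [encoder(v) for v in values]
    return attr, changetype, values

def attr_action_error(spec, **kw):
    """The parser's complaint for a bad spec, or None when it parses cleanly."""
    try:
        parse_attr_action(spec, **kw)
    except ValueError as exc:
        return str(exc)
    return None
```

Feeding the page's own examples through parse_attr_action shows the difference between "drink::Water" (replace, one value), "drink:+-:Water;Lemonade" (replace, list) and "scriptpath:-" (delete with no value, i.e. clear); a "+" with an empty value is rejected before anything reaches the directory, which is the check the operation notes describe.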


  Notes:
    o This tool could be considered dangerous, it can quickly make some
      serious changes to your directory. Use it only when you know what
      you are doing. I take no responsibility for you dorking up your
      directory. The safety option will bail the whole operation if there
      are more objects to work on than specified with the -safety option.

    o This tool was written with simple US ASCII in mind. UNICODE and special
      ASCII characters such as characters with umlauts or graphics may not
      be processed correctly due to how the command prompt handles those
      characters. If you see this occurring, redirect the input from a text file
      with the command prompt redirection symbols and it is possible the program
      will operate correctly. If not, you do not need to tell me, I know and I
      am working to correct it in some future version... no timeline.

    o This tool is exceptionally powerful when used in conjunction with
      a command line LDAP query tool such as my own AdFind with the -dsq
      or -adcsv switches or dsquery from Microsoft.

    o If you get an error in an update operation, no modification is made
      to the specific object, even if say 3 changes were valid and one wasn't.
      If you are clearing attributes and you aren't sure if one of them
      is populated, use the -permissive switch.

    o When performing multi-DN modifications, the errorlevel will be set to the
      last error encountered. So if you go through 8 DNs and hit 3 errors,
      only the last will be passed back to you via %errorlevel%. Also note
      that the error will be an LDAP error, not a Win32 error.

    o Be very very careful of treedelete option.

    o There is a deprecated mechanism in AdMod that allows you to set passwords
      based on the RPC based IADsUser.SetPassword method. In order to use this
      mechanism, specify #setpwd# as the attribute.
         ex:  #setpwd#::newpassword
      The proper mechanism to set the password is to either set the unicodepwd
      attribute or the userpassword attribute and specify the -optenc switch
      to enable encryption of the traffic to the server.
         ex: unicodepwd::newpassword


  Ex1:
    admod -b dc=test,dc=net "description::Joe's Domain"
      Change Description of test.net object.

  Ex2:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
      Add some drinks to joe's user object in the directory

  Ex3:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:-:Water"
      Removes water from the drink list for joe... 

  Ex4:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:+:Vodka"
      Adds vodka to the drink list for joe... 

  Ex5:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink::Water"
      Replaces the entire list with just water for joe... 

  Ex6:
    admod -b cn=joe,cn=users,dc=test,dc=net "drink:+-:Water;Lemonade"
      Replaces the entire list with water and lemonade for joe... 

  Ex7:
    admod -b cn=someuser,cn=users,dc=test,dc=net -add objectclass::user samaccountname::someuser
      Create disabled user someuser.

  Ex8:
    admod -b cn=someuser,cn=users,dc=test,dc=net -move ou=u,dc=test,dc=com
      Move user someuser to ou=u.

  Ex9:
    admod -b cn=someuser,cn=users,dc=test,dc=net -rm
      Delete someuser.

  Ex10:
    admod -users -rb cn=someuser unicodepwd::newpassword -optenc
      Administrative password reset for user named someuser.

  Ex11:
    admod -users -rb cn=someuser unicodepwd:-:oldpassword unicodepwd::newpassword -optenc
      Change password for user named someuser.

   --------------Advanced--------------
  Ex12:
    admod -b cn=someuser,cn=users,dc=test,dc=net guid##guidattr::85C04D89-D68C-4785-B801-DBF980F97C5C
      Sets GUID value on some guid based attrib on someuser.

  Ex13:
    admod -b cn=someuser,cn=users,dc=test,dc=net #setpwd#::newpass
      Sets password for someuser. DEPRECATED.

  Ex14:
    admod -b cn=someuser,cn=users,dc=test,dc=net "bin##binattr::3f 4567 0e 69"
      Sets binary blob on some binary based attrib on someuser.

   ------AdFind + AdMod Examples-------
  Ex15:
    adfind -default -f "&(objectcategory=person)(scriptpath=*)" -dsq | admod -unsafe scriptpath:-
      Removes logon script from all users in default domain.

  Ex16:
    adfind -gc -b  -f "proxyaddresses=*" -dsq | admod -unsafe proxyaddresses:-
      Removes proxyaddresses attribute from all objects in forest.

  Ex17:
    adfind -b ou=badcomputers,dc=test,dc=net -f "objectcategory=computer" -dsq |admod -unsafe -rm
      Delete all computer objects in specified OU... 

  Ex18:
    adfind -bit -default -f useraccountcontrol:AND:=2 -dsq |admod -unsafe -move ou=disabled,dc=test,dc=net
      Move all disabled objects in default domain to specified OU... 

  Ex19:
    adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel
      Undelete any objects named compa* and place back in last known parent...

  Ex20:
    adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel ou=undeleted,dc=test,dc=net
      Undelete any objects named compa* and place back in ou named undeleted....

  Ex21:
    adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv
          | admod useraccountcontrol::{{.:CLR:32}} -upto 1000
      Clear PWD_NOTREQD flag on up to 1000 computer accounts.

  Ex22:
    adfind -default -rb cn=users -f "objectclass=user" -dsq
          | admod -default -rb cn=theusers,cn=users -stdinadd member
      Add all users in the user's container to the theusers group.





admod /sc?

AdMod V01.18.00cpp Joe Richards (joe@joeware.net) March 2012

-help         Basic help.
-?            Basic help.
-??           Advanced help.
-????         Shortcut help.
-sc?          Shortcut help.
-csv?         CSV / ADCSV help.

Usage:
 AdMod [switches] [attr-action]

  Switches: (designated by - or /)


   AdMod Shortcuts
   ===============
   Shortcuts are not actual commands themselves but instead are aliases for a
   sequence of other commands so you do not have to recall or type the longer commands.
   Shortcuts are actually a combination of various other switches. To see exactly
   what switches are specified on your behalf, use the -po switch in combination
   with the shortcut switch and it will show you everything that is submitted.

   Since these shortcuts are simply a combination of switches auto-entered for
   you it means that generally you can use the other switches to add
   to the query to focus it further or get output closer to what you need.

   If you have an issue with any of these shortcuts, remember you can just 
   enter the proper combination of real switches yourself. In general the 
   shortcuts will work on Windows 2000-2008 AD, and ADAM/ADLDS.
   Any limitations should be notated under the specific shortcut documentation.

   --------------Shortcuts--------------
   -sc help                Display Shortcut usage

   OPERATIONAL  SHORTCUTS
   **********************
      See http://msdn.microsoft.com/en-us/library/cc223297(PROT.13).aspx for
      descriptions of operational attributes and usage/caveats.
   -sc refreshschema       Schema cache refresh (schemaUpdateNow)

   -sc defrag:xx           Initiate AD DIT Online Defrag. xx is the number of
                           seconds to run the defrag. (doOnlineDefrag)

   -sc checkphantoms       Check phantoms. Run on IM. (checkPhantoms)

   -sc fixlinks            Fix links. Run on IM. (doLinkCleanup)

   -sc igcc                Invalidate GC Connection. Run on IM. (invalidateGCConnection)

   -sc refreshugc          Update Universal Group Cache. (updateCachedMemberships)

   -sc rsc                 Refresh Server Certificate. (renewServerCertificate)

   -sc xferallroot:xxx     Transfer all Root Domain Roles. xxx is domain SID.
                           Move Schema, Domain Naming, PDC, IM, and RID Roles.

   -sc xferall:xxx         Transfer all Domain Roles. xxx is domain SID.
                           Move PDC, IM, and RID roles.

   -sc xferschema          Transfer schema role to this machine (becomeSchemaMaster).

   -sc xferdm              Transfer Domain Master to this machine (becomeDomainMaster).

   -sc xferrid             Transfer Rid Master to this machine (becomeRidMaster).

   -sc xferim              Transfer Infrastructure Master to this machine
                           (becomeInfrastructureMaster).

   -sc xferpdc:xxx         Transfer PDC to this machine. xxx is domain SID (becomePdc).

   -sc ddb:xx              Dump Database, xx specifies space delimited list
                           of attributes (dumpDatabase).

   -sc refreshrid:xxx      Refresh RID pool. xxx is domain SID (invalidateRidPool).

   -sc fi                  Rebuild object container ancestry during SDPROP. (fixupInheritance).

   -sc rh                  Recalculate GAL/NSPI Hierarchy. (recalcHierarchy).

   -sc gc                  Start garbage collection (doGarbageCollection).

   -sc phantomgc           Start phantom garbage collection (doGarbageCollectionPhantomsNow).

   -sc runpag              Start adminSDHolder process (runProtectAdminGroupsTask).

   -sc runsamupg           Start SAM Upgrade tasks (runSamUpgradeTasks).

   -sc rso:xxx;yyy         Replicate single object DN yyy from NTDS Settings DN xxx
                           (replicateSingleObject).

   -sc rsos:xxx;yyy        Replicate secrets to RODC for single object DN yyy from NTDS
                            Settings DN xxx  (replicateSingleObject - SECRETS_ONLY).

   -sc rodcpurge:xxx       RODC Purge Secrets. xxx is DN of object to purge. (rODCPurgeAccount)
                           (replicateSingleObject).

   -sc removelo:xxx;yyy    Remove lingering object. xxx is GUID of Master DC, yyy is GUID of object.
                           (removeLingeringObject).

   OBJECT CREATION SHORTCUTS
   *************************
   -sc adau:x;y;z          Add x users with password y and template z. If y is not
                           specified a random password of 15-20 characters will be generated.
                           If - is specified for the password, a password attribute argument
                           will not be specified so you can specify the argument yourself.
                           The template should be the full DN of a user you want to create.
                           AdMod will rename the RDN with _x which is an autogenerated increasing
                           number. This shortcut is for Active Directory.

   -sc adamau:x;y;z        Same as -sc adau but for ADAM.

   -sc adag:x;y;z          Add x groups with type y and template z. Y can be an integer value that
                           specifies the grouptype setting or you can specify a letter for the type
                           of group:
                                     u for universal
                                     g for global
                                     l for domain local
                                     s appended to any of the above for a security enabled group
                           The template should be the full DN of a group you want to create.
                           AdMod will rename the RDN with _x which is an autogenerated increasing
                           number. This shortcut is for Active Directory.

   -sc adamag:x;y;z        Same as -sc adag but for ADAM.

   -sc adac:x;z            Add x computer objects with template z. The template should be
                           the full DN of a computer you want to create. AdMod will rename the
                           RDN with _x which is an autogenerated increasing number. This
                           shortcut is for Active Directory.

   -sc adaou:x;z           Add x OU objects with template z. The template should be
                           the full DN of an OU you want to create. AdMod will rename the
                           RDN with _x which is an autogenerated increasing number. This
                           shortcut is for Active Directory.

   -sc adamaou:x;z         Same as -sc adaou but for ADAM.

   -sc adacon:x;z          Add x container objects with template z. The template should be
                           the full DN of a container you want to create. AdMod will rename the
                           RDN with _x which is an autogenerated increasing number. This
                           shortcut is for Active Directory.

   -sc adamacon:x;z        Same as -sc adacon but for ADAM.

   MISC SHORTCUTS
   **************
   -sc uacset:xxx          Set UAC value. Must be used in combination with adfind -adcsv
                           with userAccountControl specified in outputted attributes.
   -sc uacclear:xxx        Clear UAC value. Must be used in combination with adfind -adcsv
                           with userAccountControl specified in outputted attributes.
            xxx Values:
              ACCOUNTDISABLE - Disable Account (2)
              PASSWD_NOTREQD - Password not required (32)
              DONT_EXPIRE_PASSWD - Don't expire password (65536)
              SMARTCARD_REQUIRED - Smart card required (262144)
              TRUSTED_FOR_DELEGATION - Trusted for delegation (524288)
              USE_DES_KEY_ONLY - Use DES key only for Kerberos (2097152)
              DONT_REQUIRE_PREAUTH - Don't require Preauthentication (4194304)
              TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - Trusted to authenticate (16777216)

   -sc ad-disable          Shorter cut for uacset:accountdisable.

   -sc ad-enable           Shorter cut for uacclear:accountdisable.

   -sc csh                 Clear sIDHistory. Must be used in combination with adfind -adcsv
                           with sIDHistory specified in outputted attributes.

   -sc importschema:xx     Imports schema mods from CSV file xx.


Examples:
Ex1: Creating 1000 enabled users w/ random passwords via template.
    admod -sc adau:1000;;cn=myuser,cn=users,dc=test,dc=loc

Ex2: Clear all SidHistories on all objects with SidHistory values in domain (all one line)
    adfind -default -f sidhistory=* sidhistory -adcsv | admod -sc csh -unsafe

Ex3: Clear PASSWD_NOTREQD flag on up to 1000 computer accounts. (all one line)
    adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:32)" useraccountcontrol -adcsv
          | admod -sc uacclear:32 -upto 1000

Ex4: Disable user with name joe. (all one line)
    adfind -default -f "&(samaccounttype=805306368)(name=joe)" useraccountcontrol -adcsv
          | admod -sc uacset:2

Ex5: Reload schema
    admod -sc refreshschema



 This software is Freeware. Use at your own risk.
 I do not warrant this software to be fit for any purpose or use and
 I do not guarantee that it will not damage or destroy your system.
 Contact joe@joeware.net via email for licensing information to package
 this utility in commercial products.

 See full Warranty documentation or download the latest version
 on http://www.joeware.net.

 If you have improvement ideas, bugs, or just wish to say Hi, I
 receive email 24x7 and read it in a semi-regular timeframe.
 You can usually find me at joe@joeware.net

admod /csv?

   AdMod CSV Options
   =================
   -csv                   Enable CSV input from STDIN. Add -csvfile for file.
   -csvfile x             Use CSV File x instead of taking info from STDIN.
   -csvdelim x            Delimiter to use for separating attributes in CSV input,
                          default (,).
   -csvmvdelim x          Delimiter to use for separating multiple values in input,
                          default (;).
   -csvq x                Character used for quoting attributes, default (").
   -csvmodnull x          Specify behavior during CSV modify operations when
                          there is a blank value for the field in the CSV file.
                          If not specified, AdMod will submit the update as
                          it is specified which will generate an attribute
                          conversion / invalid syntax error. Alternate values:
                             IGNORE - Ignores blank fields for object modifications
                             CLEAR  - Clear attribute with blank field
   -counterstart x        Integer value to start in counter enumerator.
   -bmod x                Add op only. Base modification expansion string.
   -autobase x:y          Add op only. Autobase generation. x is count of DNs to
                          create and y is base value to expand for DN.
   -import                Import mode, pull all attributes in CSV. This works
                          in ADD and UPDATE mode. In UPDATE mode the values will
                          be inserted. Values will NOT be overwritten. If you need
                          to overwrite values, specify them via the standard
                          attribute operations. i.e. description::{{.}}
                          As of V01.17.00 AdMod will filter out attributes from
                          being imported that do not exist in the Windows based
                          destination directory.
                          If -csv is specified but no attribute operations are
                          specified -import is automatically enabled. If -import
                          is specified but -csv isn't, -csv is enabled. -import will
                          also automatically enable -stdinsort and -replacen _all.
   -importpass1           Special import mode. Used for -add only, filters out the
                          DN based attributes that could cause an import failure
                          because they don't exist yet in the directory.
   -importpass2           Special import mode. Used for modify only, filters out all
                          non-DN based attributes that can't be added in the initial
                          pass.
   -importexclattr x      Attributes to exclude in import, semicolon delimited.
   -expand                Variable expansion mode. Automatically enabled when
                          ADCSV detected. See below for expansion details. Note
                          that -csv switch will be enabled as well. This switch
                          CAN be used in non-CSV modes however, you can't expand
                          values from the CSV fields because there aren't any. :)
   -dotcount xx           Display a dot (.) for every xx lines read. Default 1000


The CSV option only partially supports deletes and undeletes. Due to the nature of
those commands and the inherent danger, they are simply used for supplying the list
of DNs and expansion (see below) is NOT enabled.

The CSV option fully supports renames, adds, and modifications.

Something to keep in mind when pulling in CSV data is that AdMod will not
magically handle ordering for you. For instance, if you have group1 that
has a member of group2 and you are importing groups, the import will fail unless
group2 is created before group1. If you have group1 as a member of group2 and
group2 is a member of group1 (i.e. recursive nesting) then you need to create
the groups in one pass and then in a second pass populate the membership.

CSV will accept CSV input from file via -csvfile, through the PIPE (|) or
through redirection (<). If you are unfamiliar with redirection, please Google
for 'Using command redirection operators'.

IMPORT
======
The -import switch will look at the CSV fields and import anything that is listed
that you haven't specified directly. If you have a CSV file with a filtered list
of attributes, it is likely you can use this directly. If you are working with
a complete CSV dump, you will most likely need to filter some attributes out of
the stream. This is done with the -importexclattr switch. When in UPDATE mode
the imported attributes are processed as value adds. That means they will NOT
overwrite existing values. This means single value attributes that are already
populated will return 'Attribute Or Value Exists'. To sidestep that, you need
to specify an attribute operation such as description::{{.}}.

The -importexclattr excludes several attributes by default even if you do not
specify any other attributes:
    createTimeStamp
    distinguishedName
    dSCorePropagationData
    lastLogonTimestamp
    logonHours
    modifyTimeStamp
    msDS-Cached-Membership
    msDS-Cached-Membership-Time-Stamp
    objectCategory
    objectGUID
    objectSid
    replUpToDateVector
    repsFrom
    repsTo
    sIDHistory
    subRefs
    uSNChanged
    uSNCreated
    whenChanged
    whenCreated

As of V01.17.00 if you would like to remove one of those attributes from the
filter list, you can specify the switch with the attribute with an appended dash
such as -importexclattr objectsid-

CSVDE SUPPORT
=============
The CSV functionality in AdMod was not designed to interact with CSVDE. However,
it should be able to be used. One thing that can be an immediate problem is due
to how CSVDE handles escaped characters. These special characters are commas in
DNs and control characters. For some reason, CSVDE escapes these characters with
a double backslash instead of a single backslash. This is odd since the LDAP API
outputs the escaped characters and accepts the escaped characters with a single
backslash. Instead of guessing how that should be handled or writing a whole
separate module for parsing CSVDE AdMod ignores it. :). This means that you need
to clean them up yourself with some form of search and replace or parsing. Once
that is accomplished, you can feed the CSVDE generated file to AdMod with the -CSV
switch. AdMod will handle the binary formatting that CSVDE uses which is to
enclose the binary value in X' and '.

SIZE LIMITS
===========
There is no check for the size of update/add request. This means that if you try
to import a group with some large number of members it is possible and even
likely that it will fail if the update exceeds the LDAP packet size maximum.
The number of members will be limited based on the size of the DNs of the
members. Correction of this issue will occur in some future version of AdMod.

ADCSV
=====
There is also a special ADCSV submode which is automatically invoked when AdMod
detects the ADCSV header on info piped in from AdFind. You can invoke this mode
by specifying -ADCSV in the AdFind command line. The ADCSV mode sends some
additional information over from switches from AdFind including:
      o CSV Delimiter
      o CSV Multivalue Delimiter
      o CSV Quote Character
      o Host
      o Port
The obvious benefit here is that if you use something other than the default
values you won't have to specify that to AdMod, it can figure it out on its own.
Also the Host and Port specified means you hit the same server and port you pulled
the information from. However, if for some reason you want to, you can override
the values with switches directly applied to the AdMod command line.

EXPANSION
=========
AdMod supports 'expansion' of strings with 'variables' to generate values on
the fly. There is both base DN and attribute level expansion that can occur.
The variables available for use are composed both of fields available in the
CSV input and some additional special values offered up by AdMod. In non-CSV
mode the DN modifier special values are not available.

Expansion Strings
-----------------
An expansion string is simply a string that has 'operations' embedded in it that
require expansion. These operations are designated by a start/end markers and can
be intermixed in the string with other operations or plain text. The start of
operation marker is '{{' and the end of operation marker is '}}'. Within the
markers you can specify values. These values can be various opcodes or field names
from the CSV input. Any CSV fields specified *must* be in the CSV data stream or
AdMod will immediately terminate.

On top of the values, you have the option to specify modifiers to 'tweak' the
values. Modifiers are specified by a colon (:) character or in a couple 
of special specifically documented cases a double colon (::) following
the value. All values can have either the _lc (lowercase) or _uc (uppercase)
modifier applied. Some opcode values have additional modifiers that can be
specified.

So an operation will look something like

{{value[:modifier]}}

The brackets around the modifier indicate that it is optional.


OpCodes are differentiated from CSV fields by having a leading and trailing
asterisk in the name. So while you may have an attribute named parent, to use
the parent OpCode you would use *parent*. That way you could use both the parent
CSV field and the parent OpCode in a single Expansion string without confusion.

There are two available mechanisms to specify "the CSV field that matches the
attribute name". These are '.' and NULL. So if you needed to do something like:
       useraccountcontrol::{{useraccountcontrol:SET:32}}
 you could alternately specify expansion string in these two alternate formats
       useraccountcontrol::{{.:SET:32}}
       useraccountcontrol::{{:SET:32}}
 which obviously reduces the amount of typing and redundancy.

Available OpCodes
.................

    o *cnt* - This is an enumerator. The value is incremented for every DN
      processed. The counter starts at 0 by default, but this can be modified
      with the -counterstart switch.

      Usage: {{*cnt*}}


    o *rnd* - This is a random character generator. The value is randomly
      generated individually every time it is encountered. There are three
      optional modifiers available for this opcode: minimum length, maximum
      length, and character set specified as :min:max:char_set. The default
      values for the modifiers are:
         * min       15
         * max       25
         * char_set  0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJK
                     LMNOPQRSTUVWXYZ!@#$%*_-=+:;{}[],.?|~
      The following pre-constructed character sets can be specified:
         __lc        Lowercase English alphabet
         __uc        Uppercase English alphabet
         __spec      Special characters - !@#$%*_-=+:;{}[],.?|~
         __num       Numbers 0-9
         __hex       Hex characters 0-9 a-f

      Usage: {{*rnd*}}
             {{*rnd*:5:10}}
             {{*rnd*:5:10:0123456789ABCDEF}}
             {{*rnd*:5:10:__hex}}
             {{*rnd*:5:10:__uc__lc}}


    o *dn* - DN of current object.

      Usage: {{*dn*}}


    o *rdn* - RDN of current object.

      Usage: {{*rdn*}}


    o *parent* - Parent DN of current object.

      Usage: {{*parent*}}


    o *domain* - Domain DN of current object.

      Usage: {{*domain*}}


    o *ndc* - Non-Domain portion of DN of current object.

      Usage: {{*ndc*}}


    o *name* - Name of current object.

      Usage: {{*name*}}


    o *origname* - Original name of current object prior to bmod expansion.

      Usage: {{*origname*}}


    o *now* - Current local time in format YYYY/MM/DD-HH:MM:SS TZ String

      Usage: {{*now*}}


    o *now_utc* - Like *now* but UTC TZ

      Usage: {{*now_utc*}}


    o *now_int8* - Like *now* but in int8 integer format. There are three
      optional modifiers available for this opcode: modify type, delta value
      integer. The modify types are:
         * +d    Add delta days
         * -d    Subtract delta days
         * +h    Add delta hours
         * -h    Subtract delta hours
         * +m    Add delta minutes
         * -m    Subtract delta minutes

      Usage: {{*now_int8*}}
             {{*now_int8*:+h:6}}


    o *enclocal_int8* - Encode time/date string into int8. There is a mandatory
      modifier for this opcode which specifies the date/time to encode. The format
      of the time to encode is YYYY/MM/DD[-HH:MM:SS]. The date aspect of the
      modifier is required, the time is optional.

      After the mandatory modifier you can add the same optional modifiers
      mentioned for *now_int8* above. NOTE: There is a deviation from the
      standard modifier notation to add this additional modifier. Instead
      of using a single colon (:), you need to specify a double colon (::)
      to avoid collision with the colons.

      Usage: {{*enclocal_int8*:2006/11/07-08:00:00}}
             {{*enclocal_int8*:2006/11/07-08:00:00::+d:10}}


    o *encutc_int8* - Like *enclocal_int8* but UTC TZ.

      Usage: {{*encutc_int8*:2006/11/07-08:00:00}}
             {{*encutc_int8*:2006/11/07-08:00:00::+d:10}}


CSV Field Modifiers
...................

    o _lc - Change string to all lowercase.

      Usage: {{somecsvfield:_lc}}


    o _uc - Change string to all uppercase.

      Usage: {{somecsvfield:_uc}}


    o enclocal_int8 - Encode time/date string into int8. This CSV Field
      modifier does not have the mandatory modifier of the date/time value
      from the opcode of the same name as it is passed in the CSV Field. It
      does, however have the same optional modifiers as the opcode with the
      same modifier specifier deviation. I.E. The double colon (::).

      Usage: {{somecsvfield:enclocal_int8}}
             {{somecsvfield:enclocal_int8::+d:10}}


    o encutc_int8 - Like enclocal_int8 but UTC TZ.

      Usage: {{somecsvfield:encutc_int8}}
             {{somecsvfield:encutc_int8::+d:10}}


    o allvals - Glue the multiple values in a specific attribute into a single
      string. The default glue character is the semicolon (;). An alternate glue
      character (or string) can be specified as a modifier. This modifier is
      specified with the special double colon modifier (::) separator.

      Usage: {{somecsvfield:allvals}}
             {{somecsvfield:allvals::|}}


    o int8+d - Takes int8 CSV field and adds days to it. It has one required
      modifier, the integer value for number of days.

      Usage: {{somecsvfield:int8+d:5}}


    o int8-d - Takes int8 CSV field and subtracts days from it. It has one
      required modifier, the integer value for number of days.

      Usage: {{somecsvfield:int8-d:5}}


    o int8+h - Takes int8 CSV field and adds hours to it. It has one required
      modifier, the integer value for number of hours.

      Usage: {{somecsvfield:int8+h:5}}


    o int8-h - Takes int8 CSV field and subtracts hours from it. It has one
      required modifier, the integer value for number of hours.

      Usage: {{somecsvfield:int8-h:5}}


    o int8+m - Takes int8 CSV field and adds minutes to it. It has one required
      modifier, the integer value for number of minutes.

      Usage: {{somecsvfield:int8+m:5}}


    o int8-m - Takes int8 CSV field and subtracts minutes from it. It has one
      required modifier, the integer value for number of minutes.

      Usage: {{somecsvfield:int8-m:5}}


    o Various logical/mathematical operators - This is a catch-all for several
      math functions available. They all follow the same format:

               somecsvfield:operator:intvalue

      The intvalue field can be specified in three formats
               * Binary  - bnnnn where nnnn is a binary string.
               * Hex     - 0xnnnn where nnnn is a hex string.
               * Decimal - nnnn where nnnn is a decimal string.

      The list of logical/mathematical operators
               * CLR - Clear bits specified by intvalue.
               * SET - Set bits specified by intvalue.
               * AND - Logical AND (value&=intvalue)
               * OR  - Logical OR  (value|=intvalue)
               * XOR - Logical XOR (value^=intvalue)
               *  +  - Addition (value+=intvalue)
               *  -  - Subtraction (value-=intvalue)
               *  *  - Multiplication (value*=intvalue)
               *  /  - Division (value/=intvalue)

      Usage: {{somecsvfield:SET:0x02}}
             {{somecsvfield:CLR:2}}
             {{somecsvfield:+:500}}


    o r - This is the replace modifier. It has two values that you need to
      specify, string to find and the string to replace it with. It will
      replace the first occurrence of the string found.
      In cases where either replacement string has embedded colons, you can
      specify the separate fields with $ (dollar signs) instead of colons by
      prefixing the modifier with $n

      Usage: {{somecsvfield:r:somestring1:somestring2}}
             {{somecsvfield:$r$somestring1$somestring2}}


    o r_ci - Same as r, but case-insensitive.

      Usage: {{somecsvfield:r_ci:somestring1:somestring2}}
             {{somecsvfield:$r_ci$somestring1$somestring2}}


    o rall - This is the replace all modifier. It has two values that you need to
      specify, string to find and the string to replace it with. It will replace
      every instance of the string found.

      Usage: {{somecsvfield:rall:somestring1:somestring2}}
             {{somecsvfield:$rall$somestring1$somestring2}}


    o rall_ci - Same as rall, but case-insensitive.

      Usage: {{somecsvfield:rall_ci:somestring1:somestring2}}
             {{somecsvfield:$rall_ci$somestring1$somestring2}}

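A small re-implementation of the expansion grammar described above (expansion strings, the '.'/NULL shorthand, the DN *opcodes*, _lc/_uc, the logical/mathematical operators with their b/0x/decimal intvalues, and the r/rall replacers with the $ separator), added here as an example and not joeware code. The CSV rows are constructed, the function names are my own, and *rnd* and the time opcodes are left out.

```python
import csv
import io
import re

# Constructed stand-in for "adfind ... -adcsv" output; not real directory data.
# 544 = 512 (normal account) + 32 (PASSWD_NOTREQD); 66048 = 65536 (DONT_EXPIRE_PASSWD) + 512.
SAMPLE_CSV = """dn,sAMAccountName,givenName,sn,userAccountControl
"CN=Jane Doe,OU=Staff,DC=test,DC=loc",jdoe,Jane,Doe,544
"CN=Svc Backup,OU=Service,DC=test,DC=loc",svcbackup,Svc,Backup,66048
"""

OP_RE = re.compile(r"\{\{(.*?)\}\}")  # one {{...}} operation, non-greedy

# Logical/mathematical operators from the help text: value op= intvalue.
MATH = {"CLR": lambda v, n: v & ~n, "SET": lambda v, n: v | n, "AND": lambda v, n: v & n,
        "OR": lambda v, n: v | n, "XOR": lambda v, n: v ^ n, "+": lambda v, n: v + n,
        "-": lambda v, n: v - n, "*": lambda v, n: v * n, "/": lambda v, n: v // n}

def parse_int(text):
    """intvalue in the three documented formats: bnnnn binary, 0xnnnn hex, nnnn decimal."""
    if text[:1] == "b":
        return int(text[1:], 2)
    if text[:2].lower() == "0x":
        return int(text, 16)
    return int(text, 10)

def opcodes(dn, counter):
    """The *opcode* values AdMod derives from the current object's DN."""
    parts = dn.split(",")
    rdn, parent = parts[0], ",".join(parts[1:])
    is_dc = lambda p: p.upper().startswith("DC=")
    return {"*cnt*": str(counter), "*dn*": dn, "*rdn*": rdn, "*parent*": parent,
            "*domain*": ",".join(p for p in parts if is_dc(p)),
            "*ndc*": ",".join(p for p in parts if not is_dc(p)),
            "*name*": rdn.partition("=")[2]}

def modify(value, mod_text):
    """Apply one modifier; a leading $ makes $ the field separator ($r$find$repl form)."""
    name, *args = mod_text[1:].split("$") if mod_text.startswith("$") else mod_text.split(":")
    if name == "_lc":
        return value.lower()
    if name == "_uc":
        return value.upper()
    if name in MATH:
        return str(MATH[name](int(value), parse_int(args[0])))
    if name in ("r", "r_ci", "rall", "rall_ci"):
        find, repl = args
        flags = re.IGNORECASE if name.endswith("_ci") else 0
        count = 0 if name.startswith("rall") else 1  # count=0 replaces every instance
        return re.sub(re.escape(find), lambda _m: repl, value, count=count, flags=flags)
    raise ValueError(f"unknown modifier {name!r}")

def expand(template, row, attr="", counter=0):
    """Expand every {{value[:modifier]}}; '.' or an empty value means the field named like attr."""
    ops = opcodes(row["dn"], counter)
    fields = {k.lower(): v for k, v in row.items()}  # header names match case-insensitively
    def one(match):
        value, _, mods = match.group(1).partition(":")
        if value in ("", "."):
            value = attr
        if value.startswith("*") and value.endswith("*"):
            text = ops[value.lower()]
        elif value.lower() in fields:
            text = fields[value.lower()]
        else:  # AdMod terminates immediately when a named field is missing from the stream
            raise KeyError(f"CSV field {value!r} is not in the input")
        return modify(text, mods) if mods else text
    return OP_RE.sub(one, template)

def run(attr_action, csv_text, counter_start=0):
    """(dn, attribute, operation, value) per row for an attribute:operation:value action."""
    attr, op, template = attr_action.split(":", 2)
    reader = csv.DictReader(io.StringIO(csv_text))
    return [(row["dn"], attr, op, expand(template, row, attr, i))
            for i, row in enumerate(reader, counter_start)]
```

run("useraccountcontrol::{{.:CLR:32}}", SAMPLE_CSV) yields what Ex3 submits without the -sc shortcut: the first row becomes 512 and the second is left at 66048 because bit 32 was not set.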

Examples:
Ex1: Creating 1000 enabled users w/ random passwords via template. (all one line)
    admod -add -autobase 1000:cn=myuser,cn=users,dc=test,dc=loc -bmod cn={{*origname*}}_{{*cnt*}},{{*parent*}}
         objectclass::user -kerbenc unicodepwd::{{*rnd*:6:8}} samaccountname::{{*name*}}
         useraccountcontrol::512 -exterr

Ex2: Copy OU structure from AD to ADAM (all one line)
    adfind -default -f objectcategory=organizationalunit objectclass description -adcsv
         | admod -h adamsrv -add -replacedn "dc=test,dc=loc:ou=mytestou" -import -unsafe -exterr

Ex3: Copy the first 25 users from AD into ADAM as userProxies (all one line)
    adfind -default -f samaccounttype=805306368 -maxe 25 objectsid displayname -adcsv
         | admod -h adamsrv -add -bmod {{*RDN*}},ou=userproxies,ou=import,ou=mytestou
              objectclass::userproxy displayname::{{.}} objectsid::{{.}} -unsafe -exterr

Ex4: Rename user accounts to lastname,firstname (all one line)
    adfind -default -f samaccounttype=805306368 sn givenname -adcsv
         | admod -rename {{sn}}\,{{givenname}} -unsafe

Ex5: Export group from AD and then reimport group into AD in two passes.
  Export Group
     adfind -b CN=g1,OU=tmptestou,DC=test,DC=loc displayname objectclass grouptype member -csv >group.csv
  Import Group w/o members
     admod -csv -add -import -importexclattr member -exterr < group.csv
  Import Group members
     admod -csv -expand member:++:{{.}} -exterr < group.csv

Ex6: Clear all SidHistories on all objects with SidHistory values in domain (all one line)
    adfind -default -f sidhistory=* sidhistory -adcsv | admod sid##sidhistory:--:{{.}} -unsafe

