AdMod V01.12.00cpp Joe Richards (joe@joeware.net) February 2010
-help Basic help.
-? Basic help.
-?? Advanced help.
-???? Shortcut help.
-sc? Shortcut help.
-csv? CSV / ADCSV help.
Usage:
AdMod [switches] [attr-action]
Switches: (designated by - or /)
[CONNECTION OPTIONS]
-h host:port Host and port to use. If not specified uses port 389 on
default LDAP server. Localhost can be specified as '.'.
Port can also be specified via -p.
[UPDATE OPTIONS]
-b basedn RFC 2253 DN to work on. If basedn is not specified
the program will read from stdin anything piped to it
or if you want you can type the DNs there followed by
a ctrl-z to terminate the pipe.
-safety x How many objects before safety kicks in. Default 10.
[ACTIONS]
-rm Delete specified object(s).
-del Alias for -rm.
-add Add an object. Specify DN with -b and attributes normally.
At the very least you will need to specify objectclass.
-undel x Undelete specified object(s), uses lastknownparent unless
an alternate parent is supplied in x. Requires K3+ (Windows Server 2003 or later).
-rename x Rename object to RDN of x.
-move x Move object to parent specified by x (within domain)
Attr-Action
Format: attribute : operation : value(s)
This field is broken up into three main sections. Not all
sections are required for all operations. The three sections
are the attribute section, operation section, and value section.
By default the delimiter between the sections is the : character
however you may change this with the -delim option.
Type AdMod /?? for details.
Notes:
o This tool could be considered dangerous, it can quickly make some
serious changes to your directory. Use it only when you know what
you are doing. I take no responsibility for you dorking up your
directory. The safety option will bail the whole operation if there
are more objects to work on than specified with the -safety option.
o This tool was written with simple US ASCII in mind. Unicode and special
ASCII characters such as characters with umlauts or graphics may not
be processed correctly due to how the command prompt handles those
characters. If you see this occurring, redirect the input from a text file
with the command prompt redirection symbols and it is possible the program
will operate correctly. If not, you do not need to tell me; I know and I
am working to correct it in some future version... no timeline.
Type AdMod /?? for more notes.
Ex1:
admod -b dc=test,dc=net "description::Joe's Domain"
Change Description of test.net object.
Ex2:
admod -b cn=joe,cn=users,dc=test,dc=net "drink:++:Coke;Mountain Dew;Labatt's;Water"
Add some drinks to joe's user object in the directory
Ex3:
admod -b cn=joe,cn=users,dc=test,dc=net "drink:-:Water"
Removes water from the drink list for joe...
Ex4:
admod -b cn=joe,cn=users,dc=test,dc=net "drink:+:Vodka"
Adds vodka to the drink list for joe...
Ex5:
admod -b cn=joe,cn=users,dc=test,dc=net "drink::Water"
Replaces the entire list with just water for joe...
Ex6:
admod -b cn=joe,cn=users,dc=test,dc=net "drink:+-:Water;Lemonade"
Replaces the entire list with water and lemonade for joe...
Ex7:
admod -b cn=someuser,cn=users,dc=test,dc=net -add objectclass::user samaccountname::someuser
Create disabled user someuser.
Ex8:
admod -b cn=someuser,cn=users,dc=test,dc=net -move ou=u,dc=test,dc=net
Move user someuser to ou=u (same domain; a cross-domain move needs -xdom).
Ex8:
admod -b cn=someuser,cn=users,dc=test,dc=net -rm
Delete someuser.
This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact joe@joeware.net via email for licensing information to package
this utility in commercial products.
See full Warranty documentation on www.joeware.net.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net
AdMod Advanced Options
======================
[CONNECTION OPTIONS]
-h host:port Host and port to use. If not specified uses port 389 on
default LDAP server. Localhost can be specified as '.'.
-p port Alternate method to specify port to connect to.
-hh host:port Combines -h with -arecex
-hd host:port Combines -h with -default
--------------Advanced--------------
-kerbenc Kerberos Encryption (LDAP_OPT_ENCRYPT).
-optenc Alias for -kerbenc (LDAP_OPT_ENCRYPT).
-ssl Use SSL.
-delegation Delegated bind (ISC_REQ_DELEGATE).
-arecex Hostname has the actual host name, not domain name.
[UPDATE OPTIONS]
-b basedn RFC 2253 DN to work on. If basedn is not specified
the program will read from stdin anything piped to it
or if you want you can type the DNs there followed by
a ctrl-z to terminate the pipe.
-safety x Only modify objects if <= x. Default 10.
--------------Advanced--------------
-null Use null base for base DN.
-rootdse Like -null.
-root Determine and use root partition for base DN.
-config Determine and use configuration partition for base DN.
-schema Determine and use schema partition for base DN.
-default Determine and use default partition for base DN.
-rb xx Relative Base, use with special base DN's above.
So you could specify -default and -rb cn=users.
-users Use cn=users,<default domain> for base.
-forestdns Use ForestDNS NDNC for base.
-domaindns Use DomainDNS NDNC for base.
-dcs Use Domain Controllers container of default domain for base.
-gpo Use System Policies container of default domain for base.
-psocontainer Use PSO Container of default domain for base.
-ldappolicy Use Ldap Query Policies container for base.
-xrights Use Extended Rights container for base.
-partitions Use Partitions container for base.
-sites Use Sites container for base.
-subnets Use Subnets container for base.
-exch Use Exchange Services container for base.
-fsps Use Foreign Security Principals container for base.
-displayspecifiers User Display Specifiers container in config for base.
-t xxx Timeout value for query, default 120 seconds.
-unsafe Don't have a safety, modify objects no matter how many.
-upto xx Modify up to xx objects and then stop.
-cont Continue with objects even if errors.
-treedelete Used in combination with -rm/-del to delete branch
-permissive Permissive modify. (LDAP_SERVER_PERMISSIVE_MODIFY_OID)
[ACTION OPTIONS]
-rm Delete specified object(s)
-del Alias for -rm.
-add Add an object. Specify DN with -b and attributes normally.
At the very least you will need to specify objectclass.
-undel x Undelete specified object(s), uses lastknownparent unless
an alternate parent is supplied in x. Requires K3+ (Windows Server
2003 or later). Can add additional attribute values with :+: or :++: ops.
-rename x Rename object to RDN of x.
-move x Move object to parent specified by x (within domain)
-stdinadd x Take list of quoted DNs and add to specified attribute x.
-stdinrm x Take list of quoted DNs and remove from specified attribute x.
-stdinreplace x Take list of quoted DNs and replace values of specified
attribute x.
-stdinsort x Sorts DN's that have been piped in in multi-DN mode, the
default sort is hierarchical, but can specify case-sensitive
alphabetic sort with csalpha or case-insensitive with cialpha
--------------Advanced--------------
-delim x x specifies delimiter for attribute sequence. Default :
-mvdelim x x specified delimiter for value sequence. Default ;
-xdom x Cross domain move, move to DC x. Use with -move. Must
specify FQDN of destination DC as parameter of -xdom.
The cross domain move has specified requirements which
are the same for all mechanisms used. To see the requirements
please look up IADsContainer::MoveHere in MSDN Library.
[OUTPUT OPTIONS]
-elapsed Display elapsed time in seconds
-exterr Show Extended Error info. DSID Info...
[AUTHENTICATION OPTIONS]
--------------Advanced--------------
-u userID Userid authentication. AD simple bind supports All ID
formats. Secure bind only supports ID formats 1 and 2.
Digest Bind supports ID formats 1 and 3.
No userid specified indicates anonymous authentication.
ID Formats
1. domain\userid (SAM Format / NT Format)
2. user@domain.com (userPrincipalName)
3. cn=user,ou=someou,dc=domain,dc=com (DN)
-up pwd Password for specified userid. * indicates to ask for password.
-simple Simple Bind
-digest Digest Bind (LDAP_AUTH_DIGEST). Automatically enabled if bind
string starts with 'cn='
[MISC OPTIONS]
--------------Advanced--------------
-po Print options. This switch will dump to the command line
all switches with values and attributes specified.
-tmpobj xx For object adds, will create dynamic objects with lifetime of
xx seconds. If no value specified, will have lifetime of 7 days.
-log xxx Log information to file xx. (default admod.log).
-replacedn xxx:yyy Replaces xxx in DNs with yyy. Following special cases:
_config <CONFIG> replaced with configuration DN
_schema <SCHEMA> replaced with schema DN
_default <DEFAULTNC> replaced with default NC DN
_root <ROOT> replaced with root NC DN
_sites <SITES> replaced with sites DN
_subnets <SUBNETS> replaced with subnets DN
_exch <EXCH> replaced with Exchange services DN
-replacedndelim x Specifies delimiter to separate replacedn strings
-e xxx Load switches from environment. Will read env vars with prefix
and dash (adfind-) by default and load them in. To
specify a different prefix, specify string after -e. For
example to specify the host switch create an env var of
adfind-h. To specify a switch that doesn't take a
value, specify a value of {~} because you can't set an
environment variable to blank. Unfortunately it is not
currently possible to specify Attr-Action combinations with
the environment variables. By default, Admod will read any
environment variables prefixed with (joeware-default-admod-)
without specifying -e.
Ex: Modify ADAM config NC on localhost port 5000.
set adam1-h=.:5000
set adam1-config={~}
admod -e adam1 "description::this is a test"
NOTE: The Environment switch mentions AdFind for the default names for
the environment variables, this is not a typo. You can override
if you prefer, but the idea is to use the same vars for consistency
between the two command line apps.
-ef xxx Load switches from file (default file = admod.cf), one
switch per line. Attr-Action strings are placed on multiple lines
Ex: Modify ADAM config NC on localhost port 5000.
edit file adam1.cf
-h .:5000
-config
description::this is a test
admod -ef adam1.cf
By default AdMod will process the default configuration
file 'joeware_default_admod.cf' without specifying -ef.
ENVIRONMENT NOTES
There are five levels for specifying switches, a lower level will
not override a higher level. The levels from highest to lowest:
1. Command line switches
2. Environment variable specified via -e
3. Environment file specified via -ef
4. Default environment variables prefixed with joeware-default-admod-
5. Default environment file joeware_default_admod.cf
Attr-Action
Format: attribute : operation : value(s)
This field is broken up into three main sections. Not all
sections are required for all operations. The three sections
are the attribute section, operation section, and value section.
By default the delimiter between the sections is the : character
however you may change this with the -delim option.
attribute This is the name of the attribute to be manipulated
Any attribute that is a valid attribute for the ldap
directory is a valid value here.
___BINARY ATTRIBUTES___
Some attributes do not accept text based values. The
immediate examples are GUIDs and SIDs. Binary updates are
a little different than normal string updates and
require encoding. To specify this encoding, prefix
the attribute with one of the following prefixes:
GUID## Encodes friendly format GUIDs
ex: {26C18F02-9B73-495B-9F53-8207FC72527D}
ex: 26C18F02-9B73-495B-9F53-8207FC72527D
SID## Encodes friendly format SIDs
ex: S-1-5-21-1862701446-4008382571-2198042679
HEX## Encodes even number of Hex characters. White space
is filtered out.
ex: FFEA 34FD 76DA
BIN## Alias for HEX##.
ex: FFEA 34FD 76DA
TXT## Encodes text into binary. Can embed hex characters
by escaping hex character with slash such as \0a.
Also several "standard" escape characters are
supported \a, \b, \f, \n, \r, \t, \v
ex: street address\ncity,state\nzipcode
SD## Encodes SDDL into security descriptor
ex: D:PAI(OA;;GA;;;BA)
You can also encode time values to int8 format with the following
prefixes:
UTC## Encodes UTC Time value.
LOCAL## Encodes Local Time value.
The formatting for UTC and LOCAL is:
YYYY/MM/DD-HH:MM:SS (HH:MM:SS is optional)
CURRENT## Encodes current timevalue.
CURRENT requires a delta value to be specified in the value
field of the attr-action string. Such as CURRENT##attrib::0
for no delta. Deltas can be specified in days, hours, minutes
or seconds with a string appended to the integer value:
d for days - ex: CURRENT##accountexpires::30d
h for hours - ex: CURRENT##accountexpires::24h
m for minutes - ex: CURRENT##accountexpires::300m
s for seconds - ex: CURRENT##accountexpires::900s
You can also specify the delta as dd:hh:mm:ss
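The prefixes above describe encodings AdMod performs before it puts a value on the wire, but the help does not show the resulting bytes. The following is an added example, not code from AdMod or joeware, that reproduces each encoding in plain Python so you can check what a GUID##, SID##, HEX##, TXT##, UTC##, LOCAL## or CURRENT## value turns into before you submit it. Two points are assumptions rather than documented behaviour: where a TXT## escape could be read both as a named escape and as two hex digits (for example \ab), the named escape wins; and a bare integer delta for CURRENT## is treated as seconds.

```python
import re
import struct
import uuid
from datetime import datetime, timezone

# AD int8 time values are Windows FILETIMEs: 100 ns ticks since 1601-01-01 00:00:00 UTC.
_FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
_TICKS_PER_SECOND = 10_000_000


def guid_encode(text):
    """GUID## : '{26C18F02-...}' or the bare form -> the 16-byte mixed-endian layout AD stores."""
    return uuid.UUID(text.strip().strip("{}")).bytes_le


def sid_encode(text):
    """SID## : 'S-1-5-21-...' -> binary SID: revision, sub-authority count,
    48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities."""
    parts = text.strip().upper().split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not an SDDL SID string: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if len(subauths) > 15:
        raise ValueError("too many sub-authorities in %r" % text)
    return (struct.pack("<BB", revision, len(subauths))
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def hex_encode(text):
    """HEX## / BIN## : hex digits with whitespace filtered out; the count must be even."""
    digits = re.sub(r"\s+", "", text)
    if len(digits) % 2:
        raise ValueError("odd number of hex characters in %r" % text)
    return bytes.fromhex(digits)


_TXT_ESCAPES = {"a": b"\a", "b": b"\b", "f": b"\f", "n": b"\n", "r": b"\r", "t": b"\t", "v": b"\v"}
# Named escapes are tried first, then \XX with two hex digits (assumption, see lead-in).
_TXT_PATTERN = re.compile(rb"\\([abfnrtv]|[0-9A-Fa-f]{2})")


def txt_encode(text):
    """TXT## : text with \\a \\b \\f \\n \\r \\t \\v and \\XX escapes -> bytes."""
    def replace(match):
        esc = match.group(1).decode()
        return _TXT_ESCAPES[esc] if esc in _TXT_ESCAPES else bytes([int(esc, 16)])
    return _TXT_PATTERN.sub(replace, text.encode("utf-8"))


def _stamp_to_int8(text, tz):
    """'YYYY/MM/DD' or 'YYYY/MM/DD-HH:MM:SS' interpreted in tz (None = local) -> int8."""
    fmt = "%Y/%m/%d-%H:%M:%S" if "-" in text else "%Y/%m/%d"
    stamp = datetime.strptime(text.strip(), fmt)
    if tz is not None:
        stamp = stamp.replace(tzinfo=tz)
    delta = stamp.astimezone(timezone.utc) - _FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * _TICKS_PER_SECOND


def utc_encode(text):
    """UTC## : the time string is taken as UTC."""
    return _stamp_to_int8(text, timezone.utc)


def local_encode(text):
    """LOCAL## : the time string is taken in the machine's local time zone."""
    return _stamp_to_int8(text, None)


_DELTA_UNITS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def delta_to_seconds(text):
    """CURRENT## delta: '30d', '24h', '300m', '900s', 'dd:hh:mm:ss', or a bare integer (seconds, assumed)."""
    text = text.strip()
    if ":" in text:
        d, h, m, s = (int(x) for x in text.split(":"))
        return d * 86400 + h * 3600 + m * 60 + s
    unit = text[-1].lower()
    if unit in _DELTA_UNITS:
        return int(text[:-1]) * _DELTA_UNITS[unit]
    return int(text)


def current_encode(delta, now_int8=None):
    """CURRENT## : now plus delta as int8. now_int8 pins 'now' (useful for tests)."""
    if now_int8 is None:
        since_epoch = datetime.now(timezone.utc) - _FILETIME_EPOCH
        now_int8 = ((since_epoch.days * 86400 + since_epoch.seconds) * _TICKS_PER_SECOND
                    + since_epoch.microseconds * 10)
    return now_int8 + delta_to_seconds(delta) * _TICKS_PER_SECOND
```

A quick way to use this before a risky write: run the value through the matching function and compare its hex (or the int8) with what an AdFind dump of a known-good object shows for the same attribute.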
operation This is the operation to perform.
Valid operations are:
(blank) Update the attrib with the new value.
+ Add a value to an attribute.
- Clear an attribute or value in an attribute.
++ Add multiple values to an attribute.
+- Replace all values with multiple new values.
-- Remove multiple values from an attribute.
value(s) This specifies values to use.
If you are doing a multivalue operation with ++, +-, or --
you will separate the values with ;, or alternatively
you can specify a different MV delimiter with -mvdelim.
__OPERATION NOTES__
o +,++,+-,-- operations all require values specified.
o - operation doesn't require a value. No value clears
all values. Value specified clears one value.
o Trying to add multiple values to a single value attribute
will result in error.
o Doing an update operation (blank op - ::) to a multivalue
will wipe all values and replace with the one single value.
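To make the Attr-Action rules concrete, here is an added example (not AdMod's own code) that parses an attr-action string with the same three-section layout, the -delim and -mvdelim overrides, and the operation notes above, and maps each operation onto the LDAP modify operation it corresponds to. The split is limited to two delimiters, so a value such as a URL containing ':' survives intact; the operation codes are the RFC 4511 values. The dry_run helper is an assumption about how you might preview a change, not an AdMod switch.

```python
# LDAP modify operation codes from RFC 4511 (the same numbering ldap3 and python-ldap expose).
MOD_ADD, MOD_DELETE, MOD_REPLACE = 0, 1, 2
_OP_NAMES = {MOD_ADD: "add", MOD_DELETE: "delete", MOD_REPLACE: "replace"}

# AdMod operation -> (LDAP op, value required, value section splits on the MV delimiter)
_OPS = {
    "":   (MOD_REPLACE, True,  False),  # blank: replace every value with this one
    "+":  (MOD_ADD,     True,  False),
    "-":  (MOD_DELETE,  False, False),  # 'attr:-' clears all values, 'attr:-:v' removes v
    "++": (MOD_ADD,     True,  True),
    "+-": (MOD_REPLACE, True,  True),
    "--": (MOD_DELETE,  True,  True),
}


def encoding_prefix(attribute):
    """Split 'guid##guidattr' into ('GUID', 'guidattr'); plain names give (None, name)."""
    prefix, sep, name = attribute.partition("##")
    return (prefix.upper(), name) if sep else (None, attribute)


def parse_attr_action(spec, delim=":", mvdelim=";"):
    """Parse 'attribute<delim>op<delim>value(s)' into (attribute, ldap_op, [values]).

    Only the first two delimiters are significant, so the value section may itself
    contain the delimiter. Multi-value ops split the value section on mvdelim;
    single-value ops keep it whole. Every op except '-' must carry a value.
    """
    parts = spec.split(delim, 2)
    if len(parts) < 2:
        raise ValueError("need at least attribute%sop: %r" % (delim, spec))
    attribute, op = parts[0].strip(), parts[1].strip()
    raw = parts[2] if len(parts) == 3 else ""
    if op not in _OPS:
        raise ValueError("unknown operation %r in %r" % (op, spec))
    ldap_op, needs_value, multi = _OPS[op]
    if needs_value and raw == "":
        raise ValueError("operation %r requires a value: %r" % (op, spec))
    if raw == "":
        values = []                      # clear the whole attribute
    elif multi:
        values = raw.split(mvdelim)
    else:
        values = [raw]
    return attribute, ldap_op, values


def build_modify(dn, specs, delim=":", mvdelim=";"):
    """All attr-actions for one DN belong in a single LDAP ModifyRequest. The directory
    applies that request atomically, which is why one bad attr-action fails every
    change for the object (see the Notes further down)."""
    return dn, [parse_attr_action(s, delim, mvdelim) for s in specs]


def dry_run(dn, specs, delim=":", mvdelim=";"):
    """Human-readable preview lines: the check worth doing before reaching for -unsafe."""
    _, changes = build_modify(dn, specs, delim, mvdelim)
    lines = []
    for attribute, op, values in changes:
        shown = ", ".join(repr(v) for v in values) or "<all values>"
        lines.append("%s: %s %s %s" % (dn, _OP_NAMES[op], attribute, shown))
    return lines
```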
Notes:
o This tool is exceptionally powerful when used in conjunction with
a command line LDAP query tool such as my own AdFind with the -dsq
or -adcsv switches or dsquery from Microsoft.
o If you get an error in an update operation, no modification is made
to the specific object, even if say 3 changes were valid and one wasn't.
If you are clearing attributes and you aren't sure whether one of them
is populated, use the -permissive switch.
o When performing multi-DN modifications, the errorlevel will be set to the
last error encountered. So if you go through 8 DNs and hit 3 errors,
only the last will be passed back to you via %errorlevel%. Also note
that the error will be an LDAP error, not a Win32 error.
o Be very very careful of treedelete option.
o There is a deprecated mechanism in AdMod that allows you to set passwords
based on the RPC based IADsUser.SetPassword method. In order to use this
mechanism, specify #setpwd# as the attribute.
ex: #setpwd#::newpassword
The proper mechanism to set the password is to either set the unicodepwd
attribute or the userpassword attribute and specify the -optenc switch
to enable encryption of the traffic to the server.
ex: unicodepwd::newpassword
--------------Advanced--------------
Ex9:
admod -b cn=someuser,cn=users,dc=test,dc=net guid##guidattr::85C04D89-D68C-4785-B801-DBF980F97C5C
Sets GUID value on some guid based attrib on someuser.
Ex10:
admod -b cn=someuser,cn=users,dc=test,dc=net #setpwd#::newpass
Sets password for someuser. DEPRECATED.
Ex11:
admod -b cn=someuser,cn=users,dc=test,dc=net "bin##binattr::3f 4567 0e 69"
Sets binary blob on some binary based attrib on someuser.
------AdFind + AdMod Examples-------
Ex12:
adfind -default -f "&(objectcategory=person)(scriptpath=*)" -dsq | admod -unsafe scriptpath:-
Removes logon script from all users in default domain.
Ex13:
adfind -gc -b -f "proxyaddresses=*" -dsq | admod -unsafe proxyaddresses:-
Removes proxyaddresses attribute from all objects in forest.
Ex14:
adfind -b ou=badcomputers,dc=test,dc=net -f "objectcategory=computer" -dsq |admod -unsafe -rm
Delete all computer objects in specified OU...
Ex15:
adfind -bit -default -f useraccountcontrol:AND:=2 -dsq |admod -unsafe -move ou=disabled,dc=test,dc=net
Move all disabled objects in default domain to specified OU...
Ex16:
adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel
Undelete any objects named compa* and place back in last known parent...
Ex17:
adfind -default -f "&(name=compa*)" -showdel -dsq |admod -undel ou=undeleted,dc=test,dc=net
Undelete any objects named compa* and place back in ou named undeleted....
Ex18:
adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv
| admod useraccountcontrol::{{.:CLR:32}} -upto 1000
Clear the PASSWD_NOTREQD flag (32) on up to 1000 computer accounts.
Ex19:
adfind -default -rb cn=users -f "objectclass=user" -dsq
| admod -default -rb cn=theusers,cn=users -stdinadd member
Add all users in the user's container to the theusers group.
AdMod Shortcuts
===============
Shortcuts are not actual commands themselves but instead are aliases for a
sequence of other commands so you do not have to recall or type the longer commands.
Shortcuts are actually a combination of various other switches. To see exactly
what switches are specified on your behalf, use the -po switch in combination
with the shortcut switch and it will show you everything that is submitted.
Since these shortcuts are simply a combination of switches auto-entered for
you, it means that generally you can use the other switches to add
to the query to focus it further or get output closer to what you need.
If you have an issue with any of these shortcuts, remember you can just
enter the proper combination of real switches yourself. In general the
shortcuts will work on Windows 2000-2008 AD, and ADAM/ADLDS.
Any limitations should be noted under the specific shortcut documentation.
--------------Shortcuts--------------
-sc help Display Shortcut usage
OPERATIONAL SHORTCUTS
**********************
See http://msdn.microsoft.com/en-us/library/cc223297(PROT.13).aspx for
descriptions of operational attributes and usage/caveats.
-sc refreshschema Schema cache refresh (schemaUpdateNow)
-sc defrag:xx Initiate AD DIT Online Defrag. xx is the number of
seconds to run the defrag. (doOnlineDefrag)
-sc checkphantoms Check phantoms. Run on IM. (checkPhantoms)
-sc fixlinks Fix links. Run on IM. (doLinkCleanup)
-sc igcc Invalidate GC Connection. Run on IM. (invalidateGCConnection)
-sc refreshugc Update Universal Group Cache. (updateCachedMemberships)
-sc rsc Refresh Server Certificate. (renewServerCertificate)
-sc xferallroot:xxx Transfer all Root Domain Roles. xxx is domain SID.
Move Schema, Domain Naming, PDC, IM, and RID Roles.
-sc xferall:xxx Transfer all Domain Roles. xxx is domain SID.
Move PDC, IM, and RID roles.
-sc xferschema Transfer schema role to this machine (becomeSchemaMaster).
-sc xferdm Transfer Domain Master to this machine (becomeDomainMaster).
-sc xferrid Transfer RID Master to this machine (becomeRidMaster).
-sc xferim Transfer Infrastructure Master to this machine
(becomeInfrastructureMaster).
-sc xferpdc:xxx Transfer PDC to this machine. xxx is domain SID (becomePdc).
-sc ddb:xx Dump Database, xx specifies space delimited list
of attributes (dumpDatabase).
-sc refreshrid:xxx Refresh RID pool. xxx is domain SID (invalidateRidPool).
-sc fi Rebuild object container ancestry during SDPROP. (fixupInheritance).
-sc rh Recalculate GAL/NSPI Hierarchy. (recalcHierarchy).
-sc gc Start garbage collection (doGarbageCollection).
-sc phantomgc Start phantom garbage collection (doGarbageCollectionPhantomsNow).
-sc runpag Start adminSDHolder process (runProtectAdminGroupsTask).
-sc runsamupg Start SAM Upgrade tasks (runSamUpgradeTasks).
-sc rso:xxx;yyy Replicate single object DN yyy from NTDS Settings DN xxx
(replicateSingleObject).
-sc rsos:xxx;yyy Replicate secrets to RODC for single object DN yyy from NTDS
Settings DN xxx (replicateSingleObject - SECRETS_ONLY).
-sc rodcpurge:xxx RODC Purge Secrets. xxx is DN of object to purge. (rODCPurgeAccount)
-sc removelo:xxx;yyy Remove lingering object. xxx is GUID of Master DC, yyy is GUID of object.
(removeLingeringObject).
OBJECT CREATION SHORTCUTS
*************************
-sc adau:x;y;z Add x users with password y and template z. If y is not
specified a random password of 15-20 characters will be generated
If - is specified for the password, a password attribute argument
will not be specified so you can specify the argument yourself.
The template should be the full DN of a user you want to create.
AdMod will rename the RDN with _x which is an autogenerated increasing
number. This shortcut is for Active Directory.
-sc adamau:x;y;z Same as -sc adau but for ADAM.
-sc adag:x;y;z Add x groups with type y and template z. Y can be an integer value that
specifies the grouptype setting or you can specify a letter for the type
of group:
u for universal
g for global
l for domain local
s appended to any of the above for a security enabled group
The template should be the full DN of a group you want to create.
AdMod will rename the RDN with _x which is an autogenerated increasing
number. This shortcut is for Active Directory.
-sc adamag:x;y;z Same as -sc adag but for ADAM.
-sc adac:x;z Add x computer objects with template z. The template should be
the full DN of a computer you want to create. AdMod will rename the
RDN with _x which is an autogenerated increasing number. This
shortcut is for Active Directory.
-sc adaou:x;z Add x OU objects with template z. The template should be
the full DN of an OU you want to create. AdMod will rename the
RDN with _x which is an autogenerated increasing number. This
shortcut is for Active Directory.
-sc adamaou:x;z Same as -sc adaou but for ADAM.
-sc adacon:x;z Add x container objects with template z. The template should be
the full DN of a container you want to create. AdMod will rename the
RDN with _x which is an autogenerated increasing number. This
shortcut is for Active Directory.
-sc adamacon:x;z Same as -sc adacon but for ADAM.
MISC SHORTCUTS
**************
-sc uacset:xxx Set UAC value. Must be used in combination with adfind -adcsv
with userAccountControl specified in outputted attributes.
-sc uacclear:xxx Clear UAC value. Must be used in combination with adfind -adcsv
with userAccountControl specified in outputted attributes.
xxx Values:
ACCOUNTDISABLE - Disable Account (2)
PASSWD_NOTREQD - Password not required (32)
DONT_EXPIRE_PASSWORD - Don't expire password (65536)
SMARTCARD_REQUIRED - Smart card required (262144)
TRUSTED_FOR_DELEGATION - Trusted for delegation (524288)
USE_DES_KEY_ONLY - Use DES key only for Kerberos (2097152)
DONT_REQUIRE_PREAUTH - Don't require Preauthentication (4194304)
TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION - Trusted to authenticate (16777216)
-sc ad-disable Shorter cut for uacset:accountdisable.
-sc ad-enable Shorter cut for uacclear:accountdisable.
-sc csh Clear sIDHistory. Must be used in combination with adfind -adcsv
with sIDHistory specified in outputted attributes.
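The uacset/uacclear shortcuts (and the {{.:CLR:32}} expansion in Ex18 of the advanced help) are bit operations on the integer userAccountControl value that AdFind -adcsv hands over. The following is an added example, not part of AdMod, that applies the same SET/CLR logic offline to a constructed AdFind dump, so you can see exactly which objects would change and which are no-ops before piping anything into admod. The flag table is the one the shortcut documents; other bits (NORMAL_ACCOUNT = 512 in the sample) are untouched. The sample rows and the attr_actions rendering are assumptions for illustration.

```python
# userAccountControl bits that -sc uacset / -sc uacclear document.
UAC_FLAGS = {
    "ACCOUNTDISABLE": 2,
    "PASSWD_NOTREQD": 32,
    "DONT_EXPIRE_PASSWORD": 65536,
    "SMARTCARD_REQUIRED": 262144,
    "TRUSTED_FOR_DELEGATION": 524288,
    "USE_DES_KEY_ONLY": 2097152,
    "DONT_REQUIRE_PREAUTH": 4194304,
    "TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION": 16777216,
}


def flag_value(spec):
    """xxx as the shortcut accepts it: a flag name in any case, or an integer mask."""
    if isinstance(spec, int):
        return spec
    text = str(spec).strip()
    if text.isdigit():
        return int(text)
    if text.upper() in UAC_FLAGS:
        return UAC_FLAGS[text.upper()]
    raise ValueError("unknown userAccountControl flag: %r" % spec)


def uac_apply(current, op, flag):
    """SET or CLR one flag on a userAccountControl value. Returns (new_value, changed)."""
    mask = flag_value(flag)
    op = op.upper()
    if op == "SET":
        new = current | mask
    elif op == "CLR":
        new = current & ~mask
    else:
        raise ValueError("op must be SET or CLR, got %r" % op)
    return new, new != current


def decode_uac(value):
    """Names from UAC_FLAGS that are set in value, sorted for stable output."""
    return sorted(name for name, bit in UAC_FLAGS.items() if value & bit)


def plan_uac_change(rows, op, flag):
    """rows: (dn, userAccountControl) pairs as an AdFind -adcsv dump provides them.
    Returns [(dn, old, new)] only for rows whose value actually changes, so no
    no-op modifies are submitted and the -safety / -upto counts reflect real writes."""
    plan = []
    for dn, current in rows:
        current = int(current)
        new, changed = uac_apply(current, op, flag)
        if changed:
            plan.append((dn, current, new))
    return plan


def attr_actions(plan):
    """The per-DN attr-action a blank-op (replace) update would carry for each planned change."""
    return [(dn, "userAccountControl::%d" % new) for dn, _old, new in plan]


def audit(rows, *flags):
    """DNs in the dump that have any of the named flags set: the find-before-modify
    step that the adfind | admod examples rely on."""
    mask = 0
    for f in flags:
        mask |= flag_value(f)
    return [dn for dn, current in rows if int(current) & mask]


# Constructed sample dump: three accounts from a fictional test.net domain.
SAMPLE_ROWS = [
    ("cn=joe,cn=users,dc=test,dc=net", 512),              # normal, enabled
    ("cn=svc-backup,cn=users,dc=test,dc=net", 4194848),   # 512 + PASSWD_NOTREQD + DONT_REQUIRE_PREAUTH
    ("cn=old,cn=users,dc=test,dc=net", 514),              # already disabled
]
```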
Examples:
Ex1: Creating 1000 enabled users w/ random passwords via template.
admod -sc adau:1000;;cn=myuser,cn=users,dc=test,dc=loc
Ex2: Clear all SidHistories on all objects with SidHistory values in domain (all one line)
adfind -default -f sidhistory=* sidhistory -adcsv | admod -sc csh -unsafe
Ex3: Clear PASSWD_NOTREQD flag (32) on up to 1000 computer accounts. (all one line)
adfind -bit -default -f "&(objectcategory=computer)(useraccountcontrol:AND:=32)" useraccountcontrol -adcsv
| admod -sc uacclear:32 -upto 1000
Ex4: Disable user with name joe. (all one line)
adfind -default -f "&(samaccounttype=805306368)(name=joe)" useraccountcontrol -adcsv
| admod -sc uacset:2
Ex5: Reload schema
admod -sc refreshschema
AdMod CSV Options
=================
-csv Enable CSV input from STDIN. Add -csvfile for file.
-csvfile x Use CSV File x instead of taking info from STDIN.
-csvdelim x Delimiter to use for separating attributes in CSV input,
default (,).
-csvmvdelim x Delimiter to use for separating multiple values in input,
default (;).
-csvq x Character used for quoting attributes, default (").
-csvmodnull x Specify behavior during CSV modify operations when
there is a blank value for the field in the CSV file.
If not specified, AdMod will submit the update as
it is specified which will generate an attribute
conversion / invalid syntax error. Alternate values:
IGNORE - Ignores blank fields for object modifications
CLEAR - Clear attribute with blank field
-counterstart x Integer value to start in counter enumerator.
-bmod x Add op only. Base modification expansion string.
-autobase x:y Add op only. Autobase generation. x is count of DNs to
create and y is base value to expand for DN.
-import Import mode, pull all attributes in CSV. This works
in ADD and UPDATE mode. In UPDATE mode the values will
be inserted. Values will NOT be overwritten. If you need
to overwrite values, specify them via the standard
attribute operations. i.e. description::{{.}}
If -csv is specified but no attribute operations are
specified -import is automatically enabled.
-importexclattr x Attributes to exclude in import, semicolon delimited.
-expand Variable expansion mode. Automatically enabled when
ADCSV detected. See below for expansion details. Note
that -csv switch will be enabled as well. This switch
CAN be used in non-CSV modes however, you can't expand
values from the CSV fields because there aren't any. :)
-dotcount xx Display a dot (.) for every xx lines read. Default 1000
The CSV option only partially supports deletes and undeletes. Due to the nature of
those commands and the inherent danger, they are simply used for supplying the list
of DNs and expansion (see below) is NOT enabled.
The CSV option fully supports renames, adds, and modifications.
Something to keep in mind when pulling in CSV data is that AdMod will not
magically handle ordering for you. For instance, if you have group1 that
has a member of group2 and you are importing groups, the import will fail unless
group2 is created before group1. If you have group1 as a member of group2 and
group2 is a member of group1 (i.e. recursive nesting) then you need to create
the groups in one pass and then in a second pass populate the membership.
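Because AdMod will not order the import for you, the ordering has to be worked out before the CSV is fed in. The following is an added example, not AdMod's own code, that reads a group export in the default CSV layout (',' field delimiter, ';' between multiple member values), creates nested groups before the groups that contain them, and, for recursive nesting, strips the member values that cannot exist yet and emits them as second-pass member:+: adds. The sample CSV and the group DNs are constructed for the example; members that are not themselves groups in the file (users, groups that already exist) are assumed to exist and never block creation.

```python
import csv
import io

# Constructed sample: group1 nests group2 (clean), group3 and group4 nest each other (recursive).
SAMPLE_GROUPS_CSV = """dn,grouptype,member
"cn=group1,ou=groups,dc=test,dc=net",-2147483646,"cn=group2,ou=groups,dc=test,dc=net;cn=joe,cn=users,dc=test,dc=net"
"cn=group2,ou=groups,dc=test,dc=net",-2147483646,""
"cn=group3,ou=groups,dc=test,dc=net",-2147483646,"cn=group4,ou=groups,dc=test,dc=net"
"cn=group4,ou=groups,dc=test,dc=net",-2147483646,"cn=group3,ou=groups,dc=test,dc=net"
"""


def load_groups(text, mvdelim=";"):
    """dn -> member list, keyed in lower case since DNs compare case-insensitively in AD."""
    groups = {}
    for row in csv.DictReader(io.StringIO(text)):
        members = [m for m in (row.get("member") or "").split(mvdelim) if m]
        groups[row["dn"].lower()] = members
    return groups


def plan_import(groups):
    """Order group creation so every nested group exists before its parent.

    Returns (order, members_at_create, deferred):
      order             - DNs in creation order
      members_at_create - dn -> member values that are safe to include in the add
      deferred          - (group, member) pairs inside a cycle, to add in a second pass
    """
    pending = dict(groups)
    order, members_at_create, deferred, done = [], {}, [], set()
    progress = True
    while pending and progress:            # pass 1: plain dependency order
        progress = False
        for dn in list(pending):
            blockers = [m for m in pending[dn]
                        if m.lower() in groups and m.lower() not in done]
            if not blockers:
                members_at_create[dn] = pending.pop(dn)
                order.append(dn)
                done.add(dn)
                progress = True
    for dn in list(pending):               # pass 2: whatever is left is recursive nesting
        ready, later = [], []
        for m in pending.pop(dn):
            is_ready = m.lower() not in groups or m.lower() in done
            (ready if is_ready else later).append(m)
        deferred.extend((dn, m) for m in later)
        members_at_create[dn] = ready
        order.append(dn)
        done.add(dn)
    return order, members_at_create, deferred


def second_pass_commands(deferred):
    """AdMod invocations that complete the deferred memberships with a value add (+)."""
    return ['admod -b "%s" "member:+:%s"' % (group, member) for group, member in deferred]
```

The first pass is a simple repeated sweep rather than a full topological sort; it is enough for the sizes an import usually has, and anything it cannot place is, by construction, part of a cycle.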
CSV will accept CSV input from file via -csvfile, through the PIPE (|) or
through redirection (<). If you are unfamiliar with redirection, please Google
for 'Using command redirection operators'
IMPORT
======
The -import switch will look at the CSV fields and import anything that is listed
that you haven't specified directly. If you have a CSV file with a filtered list
of attributes, it is likely you can use this directly. If you are working with
a complete CSV dump, you will most likely need to filter some attributes out of
the stream. This is done with the -importexclattr switch. When in UPDATE mode
the imported attributes are processed as value adds. That means they will NOT
overwrite existing values. This means single value attributes that are already
populated will return 'Attribute Or Value Exists'. To sidestep that, you need
to specify an attribute operation such as description::{{.}}.
The -importexclattr excludes several attributes by default even if you do not
specify any other attributes:
createTimeStamp
distinguishedName
dSCorePropagationData
lastLogonTimestamp
modifyTimeStamp
msDS-Cached-Membership
msDS-Cached-Membership-Time-Stamp
objectCategory
objectGUID
objectSid
replUpToDateVector
repsFrom
repsTo
sIDHistory
subRefs
uSNChanged
uSNCreated
whenChanged
whenCreated
CSVDE SUPPORT
=============
The CSV functionality in AdMod was not designed to interact with CSVDE. However,
it should be usable. One thing that can be an immediate problem is how CSVDE
handles escaped characters. These special characters are commas in DNs and
control characters. For some reason, CSVDE escapes these characters with a
double backslash instead of a single backslash. This is odd since the LDAP API
outputs the escaped characters and accepts the escaped characters with a single
backslash. Instead of guessing how that should be handled or writing a whole
separate module for parsing CSVDE, AdMod ignores it. :) This means that you need
to clean them up yourself with some form of search and replace or parsing. Once
that is accomplished, you can feed the CSVDE generated file to AdMod with the -csv
switch. AdMod will handle the binary formatting that CSVDE uses, which is to
enclose the binary value in X' and '.
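The clean-up step above is a search and replace, but doing it on raw text risks touching quoted fields in ways the CSV parser will not agree with. The following is an added example, not part of AdMod, that performs the pass with a real CSV reader and writer: it collapses CSVDE's doubled backslash to the single backslash the LDAP API expects, leaves the X'...' binary wrapper in place for AdMod to decode, and separately shows how that X'...' form decodes to bytes for pipelines that consume the export themselves. The sample export is constructed in CSVDE's shape; applying the backslash fix to every text field assumes the export contains no doubled backslash that is meant literally.

```python
import csv
import io
import re

# Constructed sample in the shape CSVDE emits: an escaped comma in a DN written with a
# doubled backslash, and a binary attribute wrapped as X'...'.
SAMPLE_CSVDE = r"""DN,objectClass,description,objectGUID
"CN=Smith\\, John,OU=Users,DC=test,DC=net",user,"Line one",X'028fc126739b5b499f538207fc72527d'
"CN=Plain,OU=Users,DC=test,DC=net",user,,
"""

_BINARY = re.compile(r"^X'([0-9A-Fa-f]*)'$")


def unescape_csvde(value):
    """Collapse CSVDE's doubled backslash to the single one the LDAP API expects."""
    return value.replace("\\\\", "\\")


def decode_csvde_binary(value):
    """X'hex' -> bytes; any other value is returned unchanged."""
    match = _BINARY.match(value)
    return bytes.fromhex(match.group(1)) if match else value


def clean_csvde_text(text):
    """The search-and-replace pass that makes a CSVDE export feedable to admod -csv.
    Only backslashes change; X'...' values are left for AdMod to decode."""
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    for row in csv.reader(io.StringIO(text)):
        writer.writerow([unescape_csvde(v) for v in row])
    return out.getvalue()


def normalize_csvde(text):
    """Rows as Python values: DN escapes repaired and X'...' fields decoded to bytes,
    for pipelines that want to inspect or transform the export before importing it."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        fixed = {}
        for key, value in row.items():
            value = decode_csvde_binary(value or "")
            if isinstance(value, str):
                value = unescape_csvde(value)
            fixed[key] = value
        rows.append(fixed)
    return rows
```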
SIZE LIMITS
===========
There is no check on the size of an update/add request. This means that if you
try to import a group with a large number of members, the update will fail if
it exceeds the LDAP maximum request size. How many members fit depends on the
length of the member DNs. Correction of this issue will occur in some future
version of AdMod.
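Until that correction lands, the practical workaround is to split the member list before it reaches AdMod. The following added example (not part of AdMod) takes a group.csv of the kind Ex5 below exports and packs the member DNs into batches by byte budget rather than by count, since, as noted above, the limit depends on DN length. Each batch becomes its own CSV document with the original header, ready for a separate `admod -csv -expand member:++:{{.}}` pass. The sample CSV, the multivalue delimiter ';' and the 70-byte budget are constructed for illustration; on Active Directory the hard ceiling is the LDAP policy MaxReceiveBuffer (10,485,760 bytes by default), so a real budget should sit well below that while leaving room for ASN.1 framing.

```python
import csv
import io

MV_DELIM = ";"   # assumed default CSV multivalue delimiter (AdFind -csv can change it)

# Constructed stand-in for the group.csv written by the Ex5 adfind export.
GROUP_CSV = (
    "dn,objectclass,grouptype,member\n"
    '"CN=g1,OU=tmptestou,DC=test,DC=loc",top;group,-2147483646,'
    '"CN=user1,OU=Staff,DC=test,DC=loc;CN=user2,OU=Staff,DC=test,DC=loc;'
    'CN=user3,OU=Staff,DC=test,DC=loc;CN=user4,OU=Staff,DC=test,DC=loc;'
    'CN=user5,OU=Staff,DC=test,DC=loc;CN=user6,OU=Staff,DC=test,DC=loc"\n'
)


def pack_members(members, budget):
    """Greedily pack DNs into batches whose UTF-8 size stays within budget bytes."""
    batches, current, used = [], [], 0
    for dn in members:
        size = len(dn.encode("utf-8")) + 1   # +1 allowance for the delimiter
        if size > budget:
            raise ValueError(f"single DN exceeds the budget: {dn}")
        if current and used + size > budget:
            batches.append(current)
            current, used = [], 0
        current.append(dn)
        used += size
    if current:
        batches.append(current)
    return batches


def split_group_csv(text, budget, attr="member"):
    """Return one CSV document per batch, each with the header and all non-member columns."""
    reader = csv.DictReader(io.StringIO(text))
    rows = list(reader)
    docs = []
    for row in rows:
        members = [m for m in row[attr].split(MV_DELIM) if m]
        for batch in pack_members(members, budget):
            out = io.StringIO()
            writer = csv.DictWriter(out, fieldnames=reader.fieldnames, lineterminator="\n")
            writer.writeheader()
            writer.writerow({**row, attr: MV_DELIM.join(batch)})
            docs.append(out.getvalue())
    return docs


def read_members(doc, attr="member"):
    """Members listed in one CSV document, in order (used to verify the split)."""
    return [m for row in csv.DictReader(io.StringIO(doc))
            for m in row[attr].split(MV_DELIM) if m]


def write_batches(docs, prefix="group_part"):
    """Write group_part1.csv, group_part2.csv, ... and return the file names."""
    names = []
    for n, doc in enumerate(docs, 1):
        name = f"{prefix}{n}.csv"
        with open(name, "w", newline="") as fh:
            fh.write(doc)
        names.append(name)
    return names


if __name__ == "__main__":
    # Then, per file:  admod -csv -expand member:++:{{.}} -exterr < group_part1.csv
    for name in write_batches(split_group_csv(GROUP_CSV, budget=70)):
        print(name)
```

Add the group itself first with `-importexclattr member` exactly as in Ex5, then run one AdMod pass per generated file; because `++` is a value add, a batch that fails can simply be re-run after the problem is fixed.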
ADCSV
=====
There is also a special ADCSV submode which is automatically invoked when AdMod
detects the ADCSV header on data piped in from AdFind. You produce that header by
specifying -ADCSV on the AdFind command line. In ADCSV mode AdFind passes along
the values of several of its own switches, including:
o CSV Delimiter
o CSV Multivalue Delimiter
o CSV Quote Character
o Host
o Port
The obvious benefit here is that if you use something other than the default
values you won't have to specify that to AdMod, it can figure it out on its own.
Also the Host and Port specified means you hit the same server and port you pulled
the information from. However, if for some reason you want to, you can override
the values with switches directly applied to the AdMod command line.
EXPANSION
=========
AdMod supports 'expansion' of strings with 'variables' to generate values on
the fly. There is both base DN and attribute level expansion that can occur.
The variables available for use are composed both of fields available in the
CSV input and some additional special values offered up by AdMod. In non-CSV
mode the DN modifier special values are not available.
Expansion Strings
-----------------
An expansion string is simply a string with 'operations' embedded in it that
require expansion. These operations are designated by start and end markers and can
be intermixed in the string with other operations or plain text. The start of
operation marker is '{{' and the end of operation marker is '}}'. Within the
markers you specify a value, which can be one of various opcodes or a field name
from the CSV input. Any CSV field you reference *must* be present in the CSV data
stream or AdMod will immediately terminate.
On top of the value, you have the option to specify modifiers to 'tweak' it.
Modifiers are introduced by a colon (:) following the value, or, in a couple of
specifically documented cases, by a double colon (::). All values can have either
the _lc (lowercase) or _uc (uppercase) modifier applied. Some opcode values have
additional modifiers that can be specified.
So an operation will look something like
{{value[:modifier]}}
The brackets around the modifier indicate that it is optional.
OpCodes are differentiated from CSV fields by having a leading and trailing
asterisk in the name. So while you may have an attribute named parent, to use
the parent OpCode you would use *parent*. That way you could use both the parent
CSV field and the parent OpCode in a single Expansion string without confusion.
There are two available shorthands for "the CSV field that matches the
attribute name": '.' and an empty value. So if you needed to do something like:
useraccountcontrol::{{useraccountcontrol:SET:32}}
you could alternately write the expansion string in either of these formats
useraccountcontrol::{{.:SET:32}}
useraccountcontrol::{{:SET:32}}
which obviously reduces the amount of typing and redundancy. (Bit 32 of
userAccountControl is PASSWD_NOTREQD; the example illustrates the syntax, it is
not a recommendation to set that bit.)
Available OpCodes
.................
o *cnt* - This is an enumerator. The value is incremented for every DN
processed. The counter starts at 0 by default, but this can be modified
with the -counterstart switch.
Usage: {{*cnt*}}
o *rnd* - This is a random character generator. The value is randomly
generated individually every time it is encountered. There are three
optional modifiers available for this opcode: minimum length, maximum
length, and character set specified as :min:max:char_set. The default
values for the modifiers are:
* min 15
* max 25
* char_set 0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJK
LMNOPQRSTUVWXYZ!@#$%*_-=+:;{}[],.?|~
The following pre-constructed character sets can be specified:
__lc Lowercase English alphabet
__uc Uppercase English alphabet
__spec Special characters - !@#$%*_-=+:;{}[],.?|~
__num Numbers 0-9
__hex Hex characters 0-9 a-f
Usage: {{*rnd*}}
{{*rnd*:5:10}}
{{*rnd*:5:10:0123456789ABCDEF}}
{{*rnd*:5:10:__hex}}
{{*rnd*:5:10:__uc__lc}}
o *dn* - DN of current object.
Usage: {{*dn*}}
o *rdn* - RDN of current object.
Usage: {{*rdn*}}
o *parent* - Parent DN of current object.
Usage: {{*parent*}}
o *domain* - Domain DN of current object.
Usage: {{*domain*}}
o *ndc* - Non-Domain portion of DN of current object.
Usage: {{*ndc*}}
o *name* - Name of current object.
Usage: {{*name*}}
o *origname* - Original name of current object before -bmod expansion was applied.
Usage: {{*origname*}}
o *now* - Current local time in format YYYY/MM/DD-HH:MM:SS TZ String
Usage: {{*now*}}
o *now_utc* - Like *now* but UTC TZ
Usage: {{*now_utc*}}
o *now_int8* - Like *now* but in int8 integer format. There are two
optional modifiers available for this opcode: modify type and delta value
integer. The modify types are:
* +d Add delta days
* -d Subtract delta days
* +h Add delta hours
* -h Subtract delta hours
* +m Add delta minutes
* -m Subtract delta minutes
Usage: {{*now_int8*}}
{{*now_int8*:+h:6}}
o *enclocal_int8* - Encode time/date string into int8. There is a mandatory
modifier for this opcode which specifies the date/time to encode. The format
of the time to encode is YYYY/MM/DD[-HH:MM:SS]. The date aspect of the
modifier is required, the time is optional.
After the mandatory modifier you can add the same optional modifiers
mentioned for *now_int8* above. NOTE: There is a deviation from the
standard modifier notation when adding these additional modifiers. Instead
of a single colon (:), you need to specify a double colon (::) so the
separator is not confused with the colons inside the time value.
Usage: {{*enclocal_int8*:2006/11/07-08:00:00}}
{{*enclocal_int8*:2006/11/07-08:00:00::+d:10}}
o *encutc_int8* - Like *enclocal_int8* but UTC TZ.
Usage: {{*encutc_int8*:2006/11/07-08:00:00}}
{{*encutc_int8*:2006/11/07-08:00:00::+d:10}}
CSV Field Modifiers
...................
o _lc - Change string to all lowercase.
Usage: {{somecsvfield:_lc}}
o _uc - Change string to all uppercase.
Usage: {{somecsvfield:_uc}}
o enclocal_int8 - Encode time/date string into int8. This CSV Field
modifier does not have the mandatory modifier of the date/time value
from the opcode of the same name as it is passed in the CSV Field. It
does, however have the same optional modifiers as the opcode with the
same modifier specifier deviation. I.E. The double colon (::).
Usage: {{somecsvfield:enclocal_int8}}
{{somecsvfield:enclocal_int8::+d:10}}
o encutc_int8 - Like enclocal_int8 but UTC TZ.
Usage: {{somecsvfield:encutc_int8}}
{{somecsvfield:encutc_int8::+d:10}}
o allvals - Glue the multiple values in a specific attribute into a single
string. The default glue character is the semicolon (;). An alternate glue
character (or string) can be specified as a modifier. This modifier is
specified with the special double colon modifier (::) separator.
Usage: {{somecsvfield:allvals}}
{{somecsvfield:allvals::|}}
o int8+d - Takes int8 CSV field and adds days to it. It has one required
modifier, the integer value for number of days.
Usage: {{somecsvfield:int8+d:5}}
o int8-d - Takes int8 CSV field and subtracts days from it. It has one
required modifier, the integer value for number of days.
Usage: {{somecsvfield:int8-d:5}}
o int8+h - Takes int8 CSV field and adds hours to it. It has one required
modifier, the integer value for number of hours.
Usage: {{somecsvfield:int8+h:5}}
o int8-h - Takes int8 CSV field and subtracts hours from it. It has one
required modifier, the integer value for number of hours.
Usage: {{somecsvfield:int8-h:5}}
o int8+m - Takes int8 CSV field and adds minutes to it. It has one required
modifier, the integer value for number of minutes.
Usage: {{somecsvfield:int8+m:5}}
o int8-m - Takes int8 CSV field and subtracts minutes from it. It has one
required modifier, the integer value for number of minutes.
Usage: {{somecsvfield:int8-m:5}}
o Various logical/mathematical operators - This is a catch-all for several
math functions available. They all follow the same format:
somecsvfield:operator:intvalue
The intvalue field can be specified in three formats
* Binary - bnnnn where nnnn is a binary string.
* Hex - 0xnnnn where nnnn is a hex string.
* Decimal - nnnn where nnnn is a decimal string.
The list of logical/mathematical operators
* CLR - Clear bits specified by intvalue (value&=~intvalue)
* SET - Set bits specified by intvalue (value|=intvalue, same effect as OR)
* AND - Bitwise AND (value&=intvalue)
* OR - Bitwise OR (value|=intvalue)
* XOR - Bitwise XOR (value^=intvalue)
* + - Addition (value+=intvalue)
* - - Subtraction (value-=intvalue)
* * - Multiplication (value*=intvalue)
* / - Division (value/=intvalue)
Usage: {{somecsvfield:SET:0x02}}
{{somecsvfield:CLR:2}}
{{somecsvfield:+:500}}
o r - This is the replace modifier. It takes two values, the string to find
and the string to replace it with, and replaces the first occurrence of the
string found.
In cases where either string has embedded colons, you can separate the
fields with $ (dollar signs) instead of colons by prefixing the modifier
name with a $.
Usage: {{somecsvfield:r:somestring1:somestring2}}
{{somecsvfield:$r$somestring1$somestring2}}
o r_ci - Same as r, but case-insensitive.
Usage: {{somecsvfield:r_ci:somestring1:somestring2}}
{{somecsvfield:$r_ci$somestring1$somestring2}}
o rall - This is the replace all modifier. It has two values that you need to
specify, string to find and the string to replace it with. It will replace
every instance of the string found.
Usage: {{somecsvfield:rall:somestring1:somestring2}}
{{somecsvfield:$rall$somestring1$somestring2}}
o rall_ci - Same as rall, but case-insensitive.
Usage: {{somecsvfield:rall_ci:somestring1:somestring2}}
{{somecsvfield:$rall_ci$somestring1$somestring2}}
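To make the expansion rules above concrete, here is an added reference implementation of the expansion grammar; it is not AdMod's parser and AdMod's exact precedence and error handling are not documented here, so treat it as an approximation. It covers the '.' and empty shorthands, the *cnt*, *dn*, *rdn*, *parent*, *domain*, *ndc* and *name* opcodes (derived from a dn CSV field), the _lc/_uc, allvals, r/r_ci/rall/rall_ci and bit/math modifiers with the b/0x/decimal intvalue forms, the $-separated replace form, and the attribute:operation:value split. The sample row, the ';' multivalue delimiter and the function names are constructed assumptions; *rnd* and the int8 modifiers are left out.

```python
import re

TOKEN = re.compile(r"\{\{(.*?)\}\}")                 # one {{...}} operation
ACTION = re.compile(r"^([^:]+):([^:]*):(.*)$")       # attribute:operation:value
MV_DELIM = ";"   # assumed default CSV multivalue delimiter

MATH_OPS = {
    "SET": lambda v, n: v | n,
    "CLR": lambda v, n: v & ~n,
    "AND": lambda v, n: v & n,
    "OR":  lambda v, n: v | n,
    "XOR": lambda v, n: v ^ n,
    "+":   lambda v, n: v + n,
    "-":   lambda v, n: v - n,
    "*":   lambda v, n: v * n,
    "/":   lambda v, n: v // n,
}

# Constructed row in the shape of an adfind -adcsv record (not real data).
ROW = {
    "dn": "CN=Jane Doe,OU=Staff,DC=test,DC=loc",
    "sn": "Doe",
    "givenName": "Jane",
    "userAccountControl": "514",      # NORMAL_ACCOUNT (512) | ACCOUNTDISABLE (2)
    "member": "CN=a,DC=test,DC=loc;CN=b,DC=test,DC=loc",
    "description": "Contractor: Acme",
}


def parse_int(text):
    """intvalue formats: b1010 (binary), 0x1F (hex), 31 (decimal)."""
    t = text.strip()
    if t[:1].lower() == "b":
        return int(t[1:], 2)
    if t[:2].lower() == "0x":
        return int(t[2:], 16)
    return int(t, 10)


def split_dn(dn):
    """Split an RFC 2253 DN on unescaped commas."""
    return re.split(r"(?<!\\),", dn)


def opcode(name, dn, counter):
    parts = split_dn(dn)
    dc = [p for p in parts if p.lower().startswith("dc=")]
    table = {
        "cnt": str(counter),
        "dn": dn,
        "rdn": parts[0],
        "parent": ",".join(parts[1:]),
        "domain": ",".join(dc),
        "ndc": ",".join(p for p in parts if p not in dc),
        "name": parts[0].partition("=")[2],
    }
    if name.lower() not in table:
        raise ValueError(f"unsupported opcode *{name}*")
    return table[name.lower()]


def replace(value, find, repl, everywhere, ci):
    pattern = re.compile(re.escape(find), re.IGNORECASE if ci else 0)
    return pattern.sub(lambda _m: repl, value, count=0 if everywhere else 1)


def apply_mods(value, mods):
    i = 0
    while i < len(mods):
        m, key = mods[i], mods[i].lower()
        if key == "_lc":
            value, i = value.lower(), i + 1
        elif key == "_uc":
            value, i = value.upper(), i + 1
        elif key == "allvals":                   # allvals or allvals::glue
            glue = MV_DELIM
            if i + 2 < len(mods) and mods[i + 1] == "":
                glue, i = mods[i + 2], i + 2
            value, i = value.replace(MV_DELIM, glue), i + 1
        elif m.upper() in MATH_OPS:
            value, i = str(MATH_OPS[m.upper()](int(value), parse_int(mods[i + 1]))), i + 2
        elif key in ("r", "r_ci", "rall", "rall_ci"):
            value = replace(value, mods[i + 1], mods[i + 2],
                            everywhere=key.startswith("rall"), ci=key.endswith("_ci"))
            i += 3
        else:
            raise ValueError(f"unsupported modifier {m!r}")
    return value


def expand(template, row, attr=None, counter=0):
    """Expand one value string against one CSV row (field names are case-insensitive)."""
    fields = {k.lower(): v for k, v in row.items()}
    dn = fields.get("dn", "")

    def one(match):
        field, _, rest = match.group(1).partition(":")
        if rest.startswith("$"):                 # $r$find$repl form for colon-bearing strings
            mods = rest[1:].split("$")
        else:
            mods = rest.split(":") if rest else []
        if field.startswith("*") and field.endswith("*"):
            value = opcode(field[1:-1], dn, counter)
        else:
            name = attr if field in ("", ".") else field
            if name is None or name.lower() not in fields:
                raise ValueError(f"CSV field {name!r} is not in the input stream")  # AdMod would terminate
            value = fields[name.lower()]
        return apply_mods(value, mods)

    return TOKEN.sub(one, template)


def expand_action(action, row, counter=0):
    """Split attribute:operation:value and expand the value part."""
    m = ACTION.match(action)
    if m is None:
        raise ValueError(f"not an attr-action: {action!r}")
    attr, op, template = m.groups()
    return attr, op, expand(template, row, attr=attr, counter=counter)


if __name__ == "__main__":
    print(expand_action("useraccountcontrol::{{:CLR:2}}", ROW))   # enable the account
```

Dry-running your attr-actions through something like this against a few exported rows before piping them into AdMod is a cheap way to catch a wrong bit value or a misspelled field name, given that the real tool applies them at once and -safety is the only brake.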
Examples:
Ex1: Creating 1000 enabled users w/ random passwords via template. (all one line)
admod -add -autobase 1000:cn=myuser,cn=users,dc=test,dc=loc -bmod cn={{*origname*}}_{{*cnt*}},{{*parent*}}
objectclass::user -kerbenc unicodepwd::{{*rnd*:6:8}} samaccountname::{{*name*}}
useraccountcontrol::512 -exterr
Note: {{*rnd*:6:8}} yields passwords of only 6 to 8 characters, which most domain
password policies will reject; the *rnd* defaults (min 15, max 25) are the safer choice.
Ex2: Copy OU structure from AD to ADAM (all one line)
adfind -default -f objectcategory=organizationalunit objectclass description -adcsv
| admod -h adamsrv -add -replacedn "dc=test,dc=loc:ou=mytestou" -import -unsafe -exterr
Ex3: Copy the first 25 users from AD into ADAM as userProxies (all one line)
adfind -default -f samaccounttype=805306368 -maxe 25 objectsid displayname -adcsv
| admod -h adamsrv -add -bmod {{*RDN*}},ou=userproxies,ou=import,ou=mytestou
objectclass::userproxy displayname::{{.}} objectsid::{{.}} -unsafe -exterr
Ex4: Rename user accounts to lastname,firstname (all one line)
adfind -default -f samaccounttype=805306368 sn givenname -adcsv
| admod -rename {{sn}}\,{{givenname}} -unsafe
Ex5: Export group from AD and then reimport group into AD in two passes.
Export Group
adfind -b CN=g1,OU=tmptestou,DC=test,DC=loc displayname objectclass grouptype member -csv >group.csv
Import Group w/o members
admod -csv -add -import -importexclattr member -exterr < group.csv
Import Group members
admod -csv -expand member:++:{{.}} -exterr < group.csv
Ex6: Clear all SidHistories on all objects with SidHistory values in domain (all one line)
adfind -default -f sidhistory=* sidhistory -adcsv | admod sid##sidhistory:--:{{.}} -unsafe
This software is Freeware. Use at your own risk.
I do not warrant this software to be fit for any purpose or use and
I do not guarantee that it will not damage or destroy your system.
Contact joe@joeware.net via email for licensing information to package
this utility in commercial products.
See full Warranty documentation on www.joeware.net.
If you have improvement ideas, bugs, or just wish to say Hi, I
receive email 24x7 and read it in a semi-regular timeframe.
You can usually find me at joe@joeware.net