Re: bulk import LDIF file to modify users' password, Windows 2003

Tech-Archive recommends: Repair Windows Errors & Optimize Windows Performance

Based on Scott's syntax,

type final-export-file.ldif | dsmod user -pwd newpass -mustchpwd
yes -disabled no


Every user DN that was specified in final-export-file.ldif was changed. If
he exported each from the OU, then it was all that were exported unless
something changed in between.

The password is whatever newpass was set to for each user. Was it the same?
In this case that's likely. Could it be different? Yes, if you have a way
to replace newpass with your unique password. I would argue that script is
much easier to do this with though because you would have much finer control
over the variable change.

In keeping with the unnaturalness of using grep on a Windows machine (it's
not really, but I had to ask why choose something that most of the audience
is not going to be familiar with) I would suggest perl or vbscript or
javascript be used to achieve your stated goals.

It was very nice of Scott to give you the exact details of how to do this
for all the users. I would only add to that one other way that comes to
mind which would be to use excel to create individual and unique dsmod
commands. You could set the passwords there and just copy the lines to a
batch file. Crude, but it works for what you're after. It just doesn't offer
the automation and doesn't expose you to tools like grep or sed which you
should become familiar with if administration is a normal task for you. At
the very least using Find would be helpful to you.

Al

"kj" <kj@xxxxxxxxxxx> wrote in message
news:uIYDG0YWGHA.3660@xxxxxxxxxxxxxxxxxxxxxxx
"Scott Lowe" <slowe@xxxxxxxxx> wrote in message
news:49koorFpc05uU1@xxxxxxxxxxxxxxxxx
On 2006-04-06 07:44:49 -0400, "Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx>
said:

I'm sure there will be more from Scott later, but sed and grep?
Really? I mean, yeah it would work, but that's a bit unnatural in the
scheme of things, isn't it?

How about csvde? How about using something from csvde (dn?) and building
your command file using the columns in excel?

Scripts?

ADMOD? (http://www.joeware.net)
ADMODIFY?

Piping for dsmod can be done as well. You can search with dsquery and
pipe it to dsmod commands. So you could search for the user with your
criteria (ldap search) and pipe that to the dsmod command so that you
can bypass the whole DN cleaning in the first place.

From the dsquery help you can see where the results of a query for all
users in the Marketing OU are piped to the dsmod command to place them
in the group:

dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group
"cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr

Al

"Scott Lowe" <slowe@xxxxxxxxx> wrote in message
news:49g52nFo7hdcU3@xxxxxxxxxxxxxxxxx
On 2006-04-04 01:56:02 -0400, richard
<richard@xxxxxxxxxxxxxxxxxxxxxxxxx> said:

hello,

i can use dsmod now. but found that it's not easy while i've lots of
entries want to modify passwod at one time. it can't support wild card
& the condition filter seems not enough. LDIFDE is still the best
choice(i think...). could you spend some time to check it? modify
password still can't succeed for me now...

appreciate for your assistance

Richard

"Scott Lowe" wrote:

On 2006-04-02 22:28:01 -0400, richard
<richard@xxxxxxxxxxxxxxxxxxxxxxxxx> said:

Hello,

thanks for your reply. but Windows support pipe & grep???
anyway, it's a good idea to use dsmod .
thanks again

Richard

"Scott Lowe" wrote:

On 2006-03-31 04:18:01 -0500, richard
<richard@xxxxxxxxxxxxxxxxxxxxxxxxx> said:

Hello,

i follow the KB 263991 to do it but failed, is there anyone could
help me?

appreciate for your assistance

Richard

Richard, I actually had better luck using "dsmod user" in a script
to set passwords for large numbers of user accounts at once.
Create a list of the DNs for the user accounts (I used LDIFDE to
dump the user accounts, then a set of scripts with sed and grep to
get it down to the DN only), then pipe that list to dsmod to set
the passwords.

HTH.

--
Regards,
Scott Lowe
ePlus Technology, Inc.

Absolutely--you can get Win32 ports from GNU for both grep and sed,
and piping is (mostly) supported on the Windows command line.

Check the help page for dsmod user to get an idea of what can and
cannot be piped to the command and you'll see how to make this all
work.

HTH.

--
Regards,
Scott Lowe
ePlus Technology, Inc.

Richard,

Let me go back and review my documentation and I'll post more complete
information later this evening or tomorrow.

--
Regards,
Scott Lowe
ePlus Technology, Inc.

In the specific instance in which we needed to set passwords in bulk at
one time, the entire process needed to be automated. The process we used
is certainly not the ONLY process that can be followed, and I'm sure
there are any number of equally valid approaches to solving the problem.
This worked for us.

Basically, we exported an OU using LDIFDE, then automatically parsed it
down to just the DN line with appropriate formatting (for example, having
to add quotation marks because the names had spaces in them). That
parsed file was then passed to DSMOD like so:

type final-export-file.ldif | dsmod user -pwd newpass -mustchpwd
yes -disabled no

Then, in one fell swoop, we ensured that all accounts in that OU had a
new initial password, that the password must be changed upon the next
logon, and that the accounts were not disabled.

We used LDIFDE instead of CVSDE because we also had interoperability
requirements for third-party LDAP directories and other applications
(i.e., this same data was being used for other purposes as well). Other
environments would likely not need to meet those same requirements.

And why are grep and sed unnatural? :)

--
Regards,
Scott Lowe
ePlus Technology, Inc.


So my questions would be;

Are ALL user objects in the OU modified, or only selected ones?

and,

Are ALL user object passwords set to the same initial values or something
"user unique"?

--
/kj



.

Relevant Pages

  • Re: bulk import LDIF file to modify users password, Windows 2003
    ... You can search with dsquery and pipe it to dsmod commands. ... So you could search for the user with your criteria and pipe that to the dsmod command so that you can bypass the whole DN cleaning in the first place. ... "Scott Lowe" wrote in message ... Create a list of the DNs for the user accounts, then pipe that list to dsmod to set the passwords. ...
    (microsoft.public.windows.server.active_directory)
  • Re: bulk import LDIF file to modify users password, Windows 2003
    ... but Windows support pipe & grep??? ... "Scott Lowe" wrote: ... Create a list of the DNs for the user accounts, then pipe that list to dsmod to set the passwords. ...
    (microsoft.public.windows.server.active_directory)
  • Re: bulk import LDIF file to modify users password, Windows 2003
    ... If the user passwords are variable per user, ... Otherwise a simple two line dsquery | dsmod negates the ldif export \ ... criteria and pipe that to the dsmod command so that you ... "Scott Lowe" wrote: ...
    (microsoft.public.windows.server.active_directory)
  • Re: bulk import LDIF file to modify users password, Windows 2003
    ... I'm sure there will be more from Scott later, but sed and grep? ... Piping for dsmod can be done as well. ... in the Marketing OU are piped to the dsmod command to place them in the ... "Scott Lowe" wrote: ...
    (microsoft.public.windows.server.active_directory)
  • Re: bulk import LDIF file to modify users password, Windows 2003
    ... Piping for dsmod can be done as well. ... criteria and pipe that to the dsmod command so that you can ... "Scott Lowe" wrote: ... to set passwords for large numbers of user accounts at once. ...
    (microsoft.public.windows.server.active_directory)