Re: bulk import LDIF file to modify users' password, Windows 2003
- From: "kj" <kj@xxxxxxxxxxx>
- Date: Thu, 6 Apr 2006 08:45:04 -0700
Yes, agreed. If the user passwords are variable per user, or not all OU
user objects are processed.
Otherwise a simple two line dsquery | dsmod negates the ldif export \
massage \ dsmod process, and
makes it "automated" capable. - That being the point of my questions.
--
/kj
"Al Mulnick" <amulnick_No_SPAM@xxxxxxxxxxx> wrote in message
news:%23X2cq7YWGHA.4484@xxxxxxxxxxxxxxxxxxxxxxx
Based on Scott's syntax,
type final-export-file.ldif | dsmod user -pwd newpass -mustchpwd yes -disabled no
Every user DN that was specified in final-export-file.ldif was changed.
If he exported each from the OU, then it was all that were exported unless
something changed in between.
The password is whatever newpass was set to for each user. Was it the
same? In this case that's likely. Could it be different? Yes, if you have
a way to replace newpass with your unique password. I would argue that
script is much easier to do this with though because you would have much
finer control over the variable change.
In keeping with the unnaturalness of using grep on a Windows machine (it's
not really, but I had to ask why choose something that most of the
audience is not going to be familiar with) I would suggest perl or
vbscript or javascript be used to achieve your stated goals.
It was very nice of Scott to give you the exact details of how to do this
for all the users. I would only add to that one other way that comes to
mind which would be to use excel to create individual and unique dsmod
commands. You could set the passwords there and just copy the lines to a
batch file. Crude, but it works for what you're after. It just doesn't
offer the automation and doesn't expose you to tools like grep or sed
which you should become familiar with if administration is a normal task
for you. At the very least using Find would be helpful to you.
Al
"kj" <kj@xxxxxxxxxxx> wrote in message
news:uIYDG0YWGHA.3660@xxxxxxxxxxxxxxxxxxxxxxx
"Scott Lowe" <slowe@xxxxxxxxx> wrote in message
news:49koorFpc05uU1@xxxxxxxxxxxxxxxxx
On 2006-04-06 07:44:49 -0400, "Al Mulnick"
<amulnick_No_SPAM@xxxxxxxxxxx> said:
I'm sure there will be more from Scott later, but sed and grep?
Really? I mean, yeah it would work, but that's a bit unnatural in the
scheme of things, isn't it?
How about csvde? How about using something from csvde (dn?) and
building your command file using the columns in excel?
Scripts?
ADMOD? (http://www.joeware.net)
ADMODIFY?
Piping for dsmod can be done as well. You can search with dsquery and
pipe it to dsmod commands. So you could search for the user with your
criteria (ldap search) and pipe that to the dsmod command so that you
can bypass the whole DN cleaning in the first place.
From the dsquery help you can see where the results of a query for all
users in the Marketing OU are piped to the dsmod command to place them
in the group:
dsquery user ou=Marketing,dc=microsoft,dc=com | dsmod group "cn=Marketing Staff,ou=Marketing,dc=microsoft,dc=com" -addmbr
Al
"Scott Lowe" <slowe@xxxxxxxxx> wrote in message
news:49g52nFo7hdcU3@xxxxxxxxxxxxxxxxx
On 2006-04-04 01:56:02 -0400, richard
<richard@xxxxxxxxxxxxxxxxxxxxxxxxx> said:
hello,
I can use dsmod now, but found that it's not easy when I have lots of
entries whose password I want to modify at one time. It can't support wild
cards & the condition filter seems not enough. LDIFDE is still the
best choice (I think...). Could you spend some time to check it?
Modifying the password still doesn't succeed for me now...
I appreciate your assistance
Richard
"Scott Lowe" wrote:
On 2006-04-02 22:28:01 -0400, richard
<richard@xxxxxxxxxxxxxxxxxxxxxxxxx> said:
Hello,
Thanks for your reply. But does Windows support pipe & grep???
Anyway, it's a good idea to use dsmod.
Thanks again
Richard
"Scott Lowe" wrote:
On 2006-03-31 04:18:01 -0500, richard
<richard@xxxxxxxxxxxxxxxxxxxxxxxxx> said:
Hello,
I followed KB 263991 to do it but failed. Is there anyone who could
help me?
I appreciate your assistance
Richard
Richard, I actually had better luck using "dsmod user" in a script
to set passwords for large numbers of user accounts at once.
Create a list of the DNs for the user accounts (I used LDIFDE to
dump the user accounts, then a set of scripts with sed and grep to
get it down to the DN only), then pipe that list to dsmod to set
the passwords.
HTH.
--
Regards,
Scott Lowe
ePlus Technology, Inc.
Absolutely--you can get Win32 ports from GNU for both grep and sed,
and piping is (mostly) supported on the Windows command line.
Check the help page for dsmod user to get an idea of what can and
cannot be piped to the command and you'll see how to make this all
work.
HTH.
--
Regards,
Scott Lowe
ePlus Technology, Inc.
Richard,
Let me go back and review my documentation and I'll post more complete
information later this evening or tomorrow.
--
Regards,
Scott Lowe
ePlus Technology, Inc.
In the specific instance in which we needed to set passwords in bulk at
one time, the entire process needed to be automated. The process we
used is certainly not the ONLY process that can be followed, and I'm
sure there are any number of equally valid approaches to solving the
problem. This worked for us.
Basically, we exported an OU using LDIFDE, then automatically parsed it
down to just the DN line with appropriate formatting (for example,
having to add quotation marks because the names had spaces in them).
That parsed file was then passed to DSMOD like so:
type final-export-file.ldif | dsmod user -pwd newpass -mustchpwd yes -disabled no
Then, in one fell swoop, we ensured that all accounts in that OU had a
new initial password, that the password must be changed upon the next
logon, and that the accounts were not disabled.
We used LDIFDE instead of CSVDE because we also had interoperability
requirements for third-party LDAP directories and other applications
(i.e., this same data was being used for other purposes as well). Other
environments would likely not need to meet those same requirements.
And why are grep and sed unnatural? :)
--
Regards,
Scott Lowe
ePlus Technology, Inc.
So my questions would be:
Are ALL user objects in the OU modified, or only selected ones?
and,
Are ALL user object passwords set to the same initial values or something
"user unique"?
--
/kj
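
The export-and-parse step described in this thread (an LDIFDE dump reduced to quoted DN lines for `dsmod user`), written in Python as an added example that is not part of the thread or any poster's script. It goes slightly beyond the description by unfolding continuation lines, decoding base64 `dn::` values and keeping only user (non-computer) entries; the sample LDIF, the function names and the example.com DNs are constructed.

```python
import base64

# Constructed sample export (not from the thread): the OU entry itself, a
# folded DN, and a base64-encoded DN (dn::) as LDIF uses for non-ASCII names.
_B64 = base64.b64encode("CN=José Díaz,OU=Sales,DC=example,DC=com".encode()).decode()
SAMPLE_LDIF = f"""dn: OU=Sales,DC=example,DC=com
objectClass: organizationalUnit

dn: CN=Jane Doe,OU=Sales,DC=exam
 ple,DC=com
objectClass: person
objectClass: user

dn:: {_B64}
objectClass: user
"""

def unfold(text):
    """Join LDIF continuation lines (a line that starts with one space)."""
    return text.replace("\r\n", "\n").replace("\n ", "").split("\n")

def user_dns(text):
    """DNs of entries whose objectClass includes user but not computer."""
    dns, dn, classes = [], None, set()
    for line in unfold(text) + [""]:  # trailing blank flushes the last entry
        if not line.strip():
            if dn and "user" in classes and "computer" not in classes:
                dns.append(dn)
            dn, classes = None, set()
        elif line.startswith("dn::"):
            dn = base64.b64decode(line[4:].strip()).decode("utf-8")
        elif line.startswith("dn:"):
            dn = line[3:].strip()
        elif line.lower().startswith("objectclass:"):
            classes.add(line.split(":", 1)[1].strip().lower())
    return dns

def dsmod_input(dns):
    """Quote each DN for dsmod's stdin; refuse DNs the quoting cannot carry."""
    for dn in dns:
        if '"' in dn or "\r" in dn or "\n" in dn:
            raise ValueError(f"DN needs manual handling: {dn!r}")
    return [f'"{dn}"' for dn in dns]

if __name__ == "__main__":
    print("\n".join(dsmod_input(user_dns(SAMPLE_LDIF))))
```

The returned lines, written one per line to a file, are the kind of input the thread's `type final-export-file.ldif | dsmod user ...` command expects; reviewing that file before piping it shows exactly which accounts will be changed.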