Changing AD users data using a batch file

Posted on 2012-08-22
Last Modified: 2012-08-27
I need to change the password of several hundred users in AD.

How do I do that?

This is what I did, but for some students it is working and for some it is not, and I can't figure out why.

I created a batch file with all users like this:

dsmod user "CN=424242 ,ou=Students,dc=mycollege,dc=com"  -pwd 999999



Where 424242 is, let's say, the student login and 999999 is the new password.

The results are the following:
dsmod succeeded:CN=424242\ ,ou=Students,dc=mycollege,dc=com
if it went well
and:
dsmod failed:CN=424242\ ,ou=Students,dc=mycollege,dc=com:Directory object not found.
type dsmod /? for help.

I also added the following so I can read a log file and see which students were not changed:
dsmod user "CN=424242 ,ou=Students,dc=mycollege,dc=com"  -pwd 999999 1>> Result.txt 2>&1



I'm using the provided student id from HR for the batch file that in AD is the User logon Name. Maybe I need to use the FQDN or something else?

And for the batch file, how do I add a \n or Enter after each output:

I get results like this:

dsmod succeeded:CN=1232293\ ,ou=Students,dc=mycollege,dc=com
dsmod failed:CN=1131610\ ,ou=Students,dc=mycollege,dc=com:Directory object not found.
type dsmod /? for help.dsmod failed:CN=1131610\ ,ou=Students,dc=mycollege,dc=com:Directory object not found.
type dsmod /? for help.
dsmod succeeded:CN=1232293\ ,ou=Students,dc=mycollege,dc=com

And want results like this:

dsmod succeeded:CN=1232293\ ,ou=Students,dc=mycollege,dc=com
dsmod failed:CN=1131610\ ,ou=Students,dc=mycollege,dc=com
dsmod failed:CN=1131610\ ,ou=Students,dc=mycollege,dc=com
dsmod succeeded:CN=1232293\ ,ou=Students,dc=mycollege,dc=com
Question by:SamKira
8 Comments
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 38322624
Here is a script which will perform the task for you...

@echo off
rem. *************************************************************************************************************************
rem.  Solution to set the same password from multiple AD users in varying OUs.
rem.
rem.  Created and posted by Giovanni Heward on Experts-Exchange.com
rem.  http://www.experts-exchange.com/OS/Microsoft_Operating_Systems/Windows/viewQuestionPrinterFriendly.jsp?qid=24571799
rem. *************************************************************************************************************************
if [%1]==[] (
	echo.
	echo usage: changepass [userlist.txt]
	echo         Where userlist.txt contains the DN of each user object, one per line.
	echo.         
	echo         Make sure each line does NOT contain quotes, for example:
	echo         CN=Testy Testerson,OU=Employees,DC=Contoso,DC=Com
	echo.
	goto :eof
)
setlocal enabledelayedexpansion
if not exist %1 (echo Active Directory user list DN file [%1] does not exist.&goto :eof)
set /p pwd=Enter new password for all user objects:
for /f "tokens=*" %%u in (%1) do (
 set user=%%u
 call :CHANGEPASS !user! !pwd!
 echo Changed password for !user!
)
goto :eof
 
:CHANGEPASS
if [!user!]==[] goto :eof
dsmod user "!user!" -canchpwd yes -pwdneverexpires no
dsmod user "!user!" -pwd "!pwd!" -mustchpwd yes


 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 38322641
Create the list of users by running the following command...

dsquery user -limit 0 >userlist.txt

Make sure you edit the list to remove all quotes and all users you don't intend to change the password of.
 
LVL 15

Accepted Solution

by:
Giovanni Heward earned 2000 total points
ID: 38322689
I wrote the script in ID: 38322624 a long time ago; here is a quick revised version. It does not require removing quotes from the output of dsquery, nor passing the filename for the DN list if userlist.txt already exists.

@echo off
setlocal enabledelayedexpansion
rem. *************************************************************************************************************************
rem.  Solution to set the same password from multiple AD users in varying OUs.
rem.
rem.  Created and posted by Giovanni on Experts-Exchange.com
rem.  http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Batch/Q_27838812.html
rem. *************************************************************************************************************************
if [%1]==[] (
	if not exist userlist.txt (
		echo.
		echo usage: changepass [userlist.txt]
		echo         Where userlist.txt contains the DN of each user object, one per line.
		echo.         
		goto :eof
	) else (
		set list=userlist.txt
	)
) else (
	set list=%1
)
if not exist !list! (
	echo Active Directory DN userlist file [!list!] does not exist.
	goto :eof
)
set /p pwd=Enter new password for all user objects:
for /f "tokens=*" %%u in (!list!) do (
 set user=%%u
 set user=!user:"=!
 call :changepass !user! !pwd!
 echo Changed password for !user!
)
goto :eof
 
:changepass
if [!user!]==[] goto :eof
dsmod user "!user!" -canchpwd yes -pwdneverexpires no
dsmod user "!user!" -pwd "!pwd!" -mustchpwd yes



Regarding your question, assuming the DN path is correct, it's possible there is a space involved, in which case you'll need to enclose the DN with quotes (automatically created for you when running dsquery user -limit 0 >userlist.txt). To add a new line "\n" in a batch file simply use

echo.

which you can see in my script as well.
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 38322755
BTW, if you already have a list of all student logon IDs, then you can obtain the correct DN by running...

dsquery user -samid 424242

or

dsquery user -samid 424242*

To use with my script try...

dsquery user -samid 424242>>userlist.txt

Of course my script above could be modified to read a text file using logon usernames only, lookup the corresponding DN, and then pass that given user object DN to the changepass function.
 
LVL 1

Author Comment

by:SamKira
ID: 38324677
Thank you very much for the scripts; I will take a look at them and test them.

I noticed something when running dsquery user -samid 424242.
The results are as follows:

On all the ones that my script worked their CN was like this:
"CN=424242\ ,OU=Students,DC=mycollege,DC=com"
"CN=525252\ ,OU=Students,DC=mycollege,DC=com"

Those that didn't work were like this:
"CN=626262,OU=Students,DC=mycollege,DC=com"
"CN=727272,OU=Students,DC=mycollege,DC=com"

How come they work when they have "\ " at the end and where can I see that?
Is there a way I can modify my original command to take that in consideration?
dsmod user "CN=424242 ,ou=Students,dc=mycollege,dc=com"  -pwd 999999

Thank you so much for your help and I'll take a look at those scripts you put in here.
 
LVL 1

Author Comment

by:SamKira
ID: 38325149
Ok I was able to run this command again:
dsmod user "CN=424242 ,ou=Students,dc=mycollege,dc=com"  -pwd 999999
but this time removing the space before the first ,ou= like this:
dsmod user "CN=424242,ou=Students,dc=mycollege,dc=com"  -pwd 999999

It seems that when we created the list of new students they were created with a space in their CN.

I can always delete those new students and create them again correctly, but I was wondering if there is a way to change a CN from, let's say, "1111 " to "1111"?

I need to remove that space from the CN name for all those students.

Thanks
 
LVL 15

Expert Comment

by:Giovanni Heward
ID: 38326227
You can rename an object using LDIFDE...

This would require creating an LDF file for each object...

move-ex.ldf

dn: CN=424242\ ,OU=Students,DC=mycollege,DC=com
changeType: modrdn
newrdn: CN=424242
deleteOldRdn: 1

Then running the following command:

ldifde -i -f move-ex.ldf

As mentioned in my previous post, dsquery user -limit 0 >userlist.txt would create a list of all user objects and would include the full and correct DN of each object, regardless of whether or not a space is included.
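An added helper, not from the thread or its author, that ties together the dsquery output described in ID: 38322755 and the LDIFDE modrdn rename in ID: 38326227: it reads dsquery's quoted DN lines, finds every CN whose value ends in a trailing space (dsquery escapes it as "\ "; a raw trailing space as in the original dsmod command is also caught), and emits one modrdn record per affected user for ldifde -i -f. The sample DNs are constructed and the function and regex names are my own.

```python
import re

# Constructed sample of `dsquery user -limit 0` output: one quoted DN per line.
# dsquery escapes a trailing space in the RDN value as "\ ", as seen in the thread.
# The third line also has an escaped comma inside the CN to show it is not split.
DSQUERY_OUTPUT = '''"CN=424242\\ ,OU=Students,DC=mycollege,DC=com"
"CN=626262,OU=Students,DC=mycollege,DC=com"
"CN=Testy\\, Testerson\\ ,OU=Employees,DC=Contoso,DC=Com"
'''

# First RDN of a DN: attribute, then a value in which each "\x" escape pair is
# consumed together, so an escaped comma ("\,") does not end the RDN early.
FIRST_RDN = re.compile(r'^(?P<attr>[A-Za-z]+)=(?P<val>(?:\\.|[^,\\])*)')
TRAILING_SPACE = re.compile(r'(?:\\ | )+$')   # escaped or raw trailing spaces


def cn_trailing_space(dn):
    """Return (attr, value without trailing spaces) if the leading RDN is a CN
    ending in a space, else None."""
    m = FIRST_RDN.match(dn)
    if not m or m.group('attr').upper() != 'CN':
        return None
    val = m.group('val')
    if not TRAILING_SPACE.search(val):
        return None
    return m.group('attr'), TRAILING_SPACE.sub('', val)


def modrdn_entry(dn):
    """LDIF modrdn record using the same keys as the thread's move-ex.ldf,
    or None when the CN needs no rename. Escapes inside the value are kept."""
    hit = cn_trailing_space(dn)
    if hit is None:
        return None
    attr, fixed = hit
    return (f"dn: {dn}\nchangeType: modrdn\n"
            f"newrdn: {attr}={fixed}\ndeleteOldRdn: 1\n")


def build_rename_ldif(dsquery_text):
    """One blank-line-separated modrdn record per DN whose CN carries a
    trailing space; DNs that are already clean are skipped."""
    records = []
    for line in dsquery_text.splitlines():
        dn = line.strip().strip('"')      # dsquery wraps each DN in quotes
        rec = modrdn_entry(dn) if dn else None
        if rec:
            records.append(rec)
    return "\n".join(records)


if __name__ == '__main__':
    print(build_rename_ldif(DSQUERY_OUTPUT), end='')
```

Review the generated file before importing it; a modrdn that collides with an existing CN in the same OU will fail at ldifde time, which is the point at which to check for duplicates.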
 
LVL 1

Author Comment

by:SamKira
ID: 38336231
Thank you so much, you sir are an expert on this.