Life of a Sysadmin

The occassional trials and tribulations of a jack of all tr ades sysadmin in a startup in Silicon Valley

archives

October 2008 (2)
September 2008 (3)
June 2008 (1)
April 2008 (1)
March 2008 (6)
December 2007 (6)
October 2007 (1)
September 2007 (1)
August 2007 (2)
July 2007 (1)
June 2007 (5)
May 2007 (5)
April 2007 (3)
March 2007 (7)
February 2007 (2)
January 2007 (3)
December 2006 (4)
November 2006 (3)
October 2006 (3)
August 2006 (3)
July 2006 (1)
June 2006 (2)
May 2006 (4)
April 2006 (2)
March 2006 (5)
February 2006 (5)
January 2006 (7)
December 2005 (2)
November 2005 (6)
October 2005 (4)
September 2005 (4)
August 2005 (1)
July 2005 (2)
June 2005 (3)
May 2005 (4)
April 2005 (1)
March 2005 (2)

June 2005

Making bulk changes in AD, or my windows has some icky command lines

I have an Active Directory with about 900 users. The vast majority (all but about 15) have a single mandatory roaming profile. Because of some inconsistencies in the creation of user accounts over the years, how the profile location is specified in an account varies. Some accounts have "\\servername\profiles\normal\" some have "%logonserver%\profiles\normal". I needed to standardize these to "\\newservername\profiles\normal\".

The easy way would be with the graphical tools. Select multiple users in Active Directory Users and Computers, right click, and select Properties.

With this form it is relatively trivial to change a huge number of accounts. While I changed nearly the profile path listing to "\\newservername\profiles\normal\", I changed some (those accounts that have their own profiles) to "\\newservername\profiles\%username%". There are a variety of other environment variables available.

The hard way would use the Directory Service command-line tools from Microsoft that were included with Windows 2003 Server. They are quite powerful tools that allow you to query, modify, add, or whatnot.

The command I ended up with, after a great deal of experimentation (most of it was simply getting comfortable with the tools and toying with examples provided in Microsoft's documentation), was

the dsget command returns one per line a list of users that belong to the group "groupname". dsmod takes that output and changes the profile setting.

This will get you a list of all members (recursively expanded if you have nested groups) of group groupname.

Much of my experimentation with the DS tools was done with thoughts of finally scripting account creation floating through my head. Let me just slide this into a slot near the top of to do list.