Today on Microsoft.public.windows.server.active_directory simple question was asked:
Is possible clean all logon scripts from a OU at the same time. This OU
contains others sub-OUs.
Sure it is :), thanks to joe we have updated versions of ADFind and ADMod in our toolbox.
First we need a filter which is simple:
(&(objectClass=user)(objectCategory=person)(scriptPath=*))
which should give us users with some value for logon script set.
Than we have to invoke adfind with our OU as a search base and subtree as a scope … and here comes a fun part – with -adcsv switch. This switch will give us a result of a query in CSV format, which may be consumed by admod. What we need in a result is also current value for scriptpath (You will notice reason for this later). So this command will look like this:
adfind -b "OU=Employees OU,DC=W2k,DC=PL" -s subtree -f
"(&(objectClass=user)(objectCategory=person)(scriptPath=*))"
scriptPath -adcsv
Next … ADMod part. It is simple, admod allows You to modify attribute value with following syntax <attribute>:-:<value> which just clears value from attribute. Our attribute is scriptPath and our value will come with CSV data from adfind, so we can specify this like that:
admod scriptPath:-:{{scriptPath}}
And both together gives us:
adfind -b "OU=Employees OU,DC=W2k,DC=PL" -s subtree -f
"(&(objectClass=user)(objectCategory=person)(scriptPath=*))"
scriptPath -adcsv | admod scriptPath:-:{{scriptPath}}
Which will result in following output:
================
AdMod V01.07.00cpp Joe Richards (joe@joeware.net) October 2006
DN Count: 2
Using server: ROOTDC.w2k.pl:389
Directory: Windows Server 2003
Modifying specified objects…
DN: CN=jan tomaszwesk,OU=a,OU=Employees OU,DC=w2k,DC=pl…
DN: CN=jan wisniewski,OU=Employees OU,DC=w2k,DC=pl…
The command completed successfully
================
Quick and simple, and as Paul Williams wrote on a group:
Ha ha. Show off.
You use the one of the fancy new features just to clear a value
Yes … I'm using this fancy feature to do simple thing – because it is simple with them.